Shorewall users - Nov 2002 - Accessing transparent squid proxy

--On Friday, November 08, 2002 3:11 PM +0000 Daniel McAllansmith 
<daniel@spinsoftware.co.nz> wrote:
> Hello,
>
> I''m not certain that my problem is caused by my shorewall config,
but at
> the  very least someone can, hopefully, tell me my problem lies elsewhere.
>
> I''m running shorewall on my firewall.  The firewall has three
nics, eth0
> is  the internal net, eth1 is the external net and eth2 is the dmz.
> In the dmz there is a server (192.168.1.2) running squid in transparent
> proxy  mode on port 3128.
>
> My shorewall rules include:
>#
># Let hosts on the local network use squid as a proxy.
>#
> ACCEPT loc dmz tcp 3128
>
> With that rule browsers can successful use squid by setting their proxy.
>
> If I remove that rule and use the following:
>#
># All www requests by the local, dmz and firewall subnets should be
># redirected through squid running on the server in the dmz.  The exception
># being that any request to the www server in the dmz goes straight to it.
>#
> DNAT loc dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
> DNAT dmz dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
> DNAT fw dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
> ACCEPT fw dmz:192.168.1.2 tcp 3128
>
> then browsers get the ''access denied'' error page from
squid.
> I beleive I have squid correctly configured, i.e.
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> and
> http_access allow all as the first http_access line
>
>
> I''m a little suspicious of my shorewall rules because I translated
them
> from  these recommendations:
> iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j
> DNAT  --to squid-box:3128
>
> iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j
> SNAT  --to iptables-box
>
> iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp
> --dport 3128 -j ACCEPT
>
> and I''m as good at iptables syntax as I am at running
sub-four-minute
> miles.
>
> Also when I have both sets of rules defined browsers get the
''access
> denied''  error whether using squid transparently or explicitly.  I
would
> have thought  that would till work?
>
> Do the rules look right for my situation?
No. Section 15.5 of the Linux Advanced Routing and Traffic Control HOWTO 
describes in detail how to set this up.

The "Packet Marking" step described in the HOWTO can be replaced by an
entry in the /etc/shorewall/tcrules file (be sure to enable traffic control 
in /etc/shorewall/shorewall.conf):

2	eth0	0.0.0.0/0	tcp	80

There is a link to the LARTC site from the Shorewall "Useful Links"
page.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

--On Saturday, November 09, 2002 2:44 AM +0000 Daniel McAllansmith 
<daniel@spinsoftware.co.nz> wrote:
> On Fri, 08 Nov 2002 05:46, Tom Eastep wrote:
>> --On Friday, November 08, 2002 3:11 PM +0000 Daniel McAllansmith
>>
>> <daniel@spinsoftware.co.nz> wrote:
> [snip]
>
>> > Do the rules look right for my situation?
>>
>> No. Section 15.5 of the Linux Advanced Routing and Traffic Control
HOWTO
>> describes in detail how to set this up.
>>
>> The "Packet Marking" step described in the HOWTO can be
replaced by an
>> entry in the /etc/shorewall/tcrules file (be sure to enable traffic
>> control in /etc/shorewall/shorewall.conf):
>>
>> 2	eth0	0.0.0.0/0	tcp	80
>>
>> There is a link to the LARTC site from the Shorewall "Useful
Links" page.
>>
>> -Tom
>
> Ok, if I understand correctly each packet which should go through squid
> rather  than straight to a webserver needs to be marked.
> So I set
>
> TC_Enabled Yes
>
> and add
>
> 2               loc             0.0.0.0/0       tcp     80
Better read the definition of column 2 again (and I should add an edit).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Hello,

I''m not certain that my problem is caused by my shorewall config, but
at the
very least someone can, hopefully, tell me my problem lies elsewhere.

I''m running shorewall on my firewall.  The firewall has three nics,
eth0 is
the internal net, eth1 is the external net and eth2 is the dmz.
In the dmz there is a server (192.168.1.2) running squid in transparent proxy 
mode on port 3128.

My shorewall rules include:
#
# Let hosts on the local network use squid as a proxy.
#
ACCEPT loc dmz tcp 3128

With that rule browsers can successful use squid by setting their proxy.

If I remove that rule and use the following:
#
# All www requests by the local, dmz and firewall subnets should be
# redirected through squid running on the server in the dmz.  The exception
# being that any request to the www server in the dmz goes straight to it.
#
DNAT loc dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
DNAT dmz dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
DNAT fw dmz:192.168.1.2:3128 tcp www - !192.168.1.2:192.168.1.1
ACCEPT fw dmz:192.168.1.2 tcp 3128

then browsers get the ''access denied'' error page from squid.
I beleive I have squid correctly configured, i.e. 
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
and 
http_access allow all as the first http_access line


I''m a little suspicious of my shorewall rules because I translated them
from
these recommendations:
iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT 
--to squid-box:3128

iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT 
--to iptables-box

iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp 
--dport 3128 -j ACCEPT

and I''m as good at iptables syntax as I am at running sub-four-minute
miles.

Also when I have both sets of rules defined browsers get the ''access
denied''
error whether using squid transparently or explicitly.  I would have thought 
that would till work?

Do the rules look right for my situation?

Thanks
Daniel

On Fri, 08 Nov 2002 05:46, Tom Eastep wrote:
> --On Friday, November 08, 2002 3:11 PM +0000 Daniel McAllansmith
>
> <daniel@spinsoftware.co.nz> wrote:
[snip]
> > Do the rules look right for my situation?
>
> No. Section 15.5 of the Linux Advanced Routing and Traffic Control HOWTO
> describes in detail how to set this up.
>
> The "Packet Marking" step described in the HOWTO can be replaced
by an
> entry in the /etc/shorewall/tcrules file (be sure to enable traffic control
> in /etc/shorewall/shorewall.conf):
>
> 2	eth0	0.0.0.0/0	tcp	80
>
> There is a link to the LARTC site from the Shorewall "Useful
Links" page.
>
> -Tom
Ok, if I understand correctly each packet which should go through squid rather 
than straight to a webserver needs to be marked.
So I set 

TC_Enabled Yes

and add

2               loc             0.0.0.0/0       tcp     80

to tcrules.
Now each marked packet needs to be routed to the squid machine rather than 
it''s original destination, so I add

2       www.out

to rt_tables and

ip rule add fwmark 2 table www.out
ip route add default via 192.168.1.2 dev eth2 table www.out
ip route flush cache

to tcstart.  And set squid up to listen on port 80 so a redirect to 3128 is 
not needed.
If I list the rules and show the routes it looks like everything has been 
entered properly but I get no activity in either the shorewall/kernel logs or 
in squids logs, and http requests go through to the external site.
How do I go about logging what the firewall is actually doing when these 
request are made?
What have I messed up?

Thanks a lot
Daniel

--On Saturday, November 09, 2002 12:29:34 PM +0000 Daniel McAllansmith 
<daniel@spinsoftware.co.nz> wrote:
>
> I take it you''re referring to not being able to use loc?  Ok, I
tried
> with  eth0, it seems to be doing something at least, seeing as http
> requests no  longer succeed, but still nothing in the logs.
> I''m stumped, what am I doing wrong?
I never saw where you set up the second routing table but I may have missed 
it in your string of posts.

-Tom
PS -- I''ve never set this up & you can read the LARTC as well as I
can...
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

On Fri, 08 Nov 2002 14:29, Tom Eastep wrote:
> --On Saturday, November 09, 2002 2:44 AM +0000 Daniel McAllansmith
>
> <daniel@spinsoftware.co.nz> wrote:
> > On Fri, 08 Nov 2002 05:46, Tom Eastep wrote:
> >> --On Friday, November 08, 2002 3:11 PM +0000 Daniel McAllansmith
> >>
> >> <daniel@spinsoftware.co.nz> wrote:
> >
> > [snip]
> >
> >> > Do the rules look right for my situation?
> >>
> >> No. Section 15.5 of the Linux Advanced Routing and Traffic Control
HOWTO
> >> describes in detail how to set this up.
> >>
> >> The "Packet Marking" step described in the HOWTO can be
replaced by an
> >> entry in the /etc/shorewall/tcrules file (be sure to enable
traffic
> >> control in /etc/shorewall/shorewall.conf):
> >>
> >> 2	eth0	0.0.0.0/0	tcp	80
> >>
> >> There is a link to the LARTC site from the Shorewall "Useful
Links"
> >> page.
> >>
> >> -Tom
> >
> > Ok, if I understand correctly each packet which should go through
squid
> > rather  than straight to a webserver needs to be marked.
> > So I set
> >
> > TC_Enabled Yes
> >
> > and add
> >
> > 2               loc             0.0.0.0/0       tcp     80
>
> Better read the definition of column 2 again (and I should add an edit).
>
> -Tom
I take it you''re referring to not being able to use loc?  Ok, I tried
with
eth0, it seems to be doing something at least, seeing as http requests no 
longer succeed, but still nothing in the logs.
I''m stumped, what am I doing wrong?

Daniel