I've installed a Bering box acting as a firewall for a LAN;

the LAN is 192.168.1.0/24
the Bering box is 192.168.1.254

I've installed a Squid server at 192.168.1.1

Is it possible to configure Shorewall for a transparent proxy to the Squid server?

I've tried with
REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1
in the rules file

I get this error:
Error: REDIRECT rules cannot specify a server IP; rule: "REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1" Terminated

Any suggestion?

--
Tomaso Scarsi
Centro di Ateneo per le Biblioteche
Universita' degli Studi di Padova
Via Anghinoni, 3 35100 PADOVA
tel. +39 049 8273690
fax. +39 049 8273651
Rather use

REDIRECT loc loc:3128 tcp www - !192.168.1.1

-----Original Message-----
From: shorewall-users-bounces@shorewall.net [mailto:shorewall-users-bounces@shorewall.net] On Behalf Of Tomaso Scarsi
Sent: Thursday, January 09, 2003 11:18 AM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] transparent proxy

I've installed a Bering box acting as a firewall for a LAN;

the LAN is 192.168.1.0/24
the Bering box is 192.168.1.254

I've installed a Squid server at 192.168.1.1

Is it possible to configure Shorewall for a transparent proxy to the Squid server?

I've tried with
REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1
in the rules file

I get this error:
Error: REDIRECT rules cannot specify a server IP; rule: "REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1" Terminated

Any suggestion?

--
Tomaso Scarsi

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://mail.shorewall.net/mailman/listinfo/shorewall-users
On Thu, Jan 09, 2003 at 11:44:11AM +0200, Kim White wrote:
> rather use REDIRECT loc loc:3128 tcp www - !192.168.1.1

I get this message:
iptables v1.2.7a: Port `loc:3128' not valid

Also, the Squid server is on a different machine:
the Bering/Shorewall box is 192.168.1.254
the Squid server is 192.168.1.1

> -----Original Message-----
> From: shorewall-users-bounces@shorewall.net
> [mailto:shorewall-users-bounces@shorewall.net] On Behalf Of Tomaso Scarsi
> Sent: Thursday, January 09, 2003 11:18 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] transparent proxy
>
> I've installed a Bering box acting as a firewall for a LAN;
>
> the LAN is 192.168.1.0/24
> the Bering box is 192.168.1.254
>
> I've installed a Squid server at 192.168.1.1
>
> Is it possible to configure Shorewall for a transparent proxy to the
> Squid server?
>
> I've tried with
> REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1
> in the rules file
>
> I get this error:
> Error: REDIRECT rules cannot specify a server IP; rule: "REDIRECT
> loc loc:192.168.1.1:3128 tcp www - !192.168.1.1" Terminated
>
> any suggestion?

--
Tomaso Scarsi
Centro di Ateneo per le Biblioteche
Universita' degli Studi di Padova
Via Anghinoni, 3 35100 PADOVA
tel. +39 049 8273690
fax. +39 049 8273651
tomaso@cab.unipd.it
> From: Tomaso Scarsi [mailto:tomaso@cab.unipd.it]
>
> also the Squid server is on a different machine:
> the Bering/Shorewall box is 192.168.1.254
> the Squid server is 192.168.1.1
>
> > the LAN is 192.168.1.0/24
> > the Bering box is 192.168.1.254
> >
> > I've installed a Squid server at 192.168.1.1
> >
> > Is it possible to configure Shorewall for a transparent
> > proxy to the Squid server?
> >
> > I've tried with
> > REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1
> > in the rules file
> >
> > I get this error:
> > Error: REDIRECT rules cannot specify a server IP; rule: "REDIRECT loc
> > loc:192.168.1.1:3128 tcp www - !192.168.1.1" Terminated

REDIRECT is only usable for redirecting specific ports on the _local_ machine (e.g. if Squid runs on the same machine as Shorewall).

DNAT is what you need if you want to change the destination address as well.

Try:

DNAT loc loc:192.168.1.1:3128 tcp 80 - !192.168.1.1

Andreas
The rule is:

REDIRECT loc 3128 tcp www - !192.168.1.0

You can then make the Squid server send its packets elsewhere if you need.

On Thu, 9 Jan 2003 10:17:51 +0100 tomaso@cab.unipd.it (Tomaso Scarsi) opened up to us and said:
> I've installed a Bering box acting as a firewall for a LAN;
>
> the LAN is 192.168.1.0/24
> the Bering box is 192.168.1.254
>
> I've installed a Squid server at 192.168.1.1
>
> Is it possible to configure Shorewall for a transparent proxy to the
> Squid server?
>
> I've tried with
> REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1
> in the rules file
>
> I get this error:
> Error: REDIRECT rules cannot specify a server IP; rule: "REDIRECT
> loc loc:192.168.1.1:3128 tcp www - !192.168.1.1" Terminated
>
> any suggestion?

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
On Thu, Jan 09, 2003 at 12:41:51PM +0100, Andreas Marbet wrote:
> > From: Tomaso Scarsi [mailto:tomaso@cab.unipd.it]
> >
> > also the Squid server is on a different machine:
> > the Bering/Shorewall box is 192.168.1.254
> > the Squid server is 192.168.1.1
> >
> > > the LAN is 192.168.1.0/24
> > > the Bering box is 192.168.1.254
> > >
> > > I've installed a Squid server at 192.168.1.1
> > >
> > > Is it possible to configure Shorewall for a transparent
> > > proxy to the Squid server?
> > >
> > > I've tried with
> > > REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1
> > > in the rules file
> > >
> > > I get this error:
> > > Error: REDIRECT rules cannot specify a server IP; rule: "REDIRECT loc
> > > loc:192.168.1.1:3128 tcp www - !192.168.1.1" Terminated
>
> REDIRECT is only usable for redirecting specific ports on the _local_
> machine (e.g. if Squid runs on the same machine as Shorewall).
>
> DNAT is what you need if you want to change the destination address as
> well.
>
> try: DNAT loc loc:192.168.1.1:3128 tcp 80 - !192.168.1.1

It works only partially:
when I open a page in the browser the packet is sent to 192.168.1.1

but there is something wrong, because in the connection list of the Shorewall box I see
[UNREPLIED] SYN_SENT

(information produced by weblet, a filtered view of /proc/net/ip_conntrack)

tomaso
--
Tomaso Scarsi
Centro di Ateneo per le Biblioteche
Universita' degli Studi di Padova
Via Anghinoni, 3 35100 PADOVA
tel. +39 049 8273690
fax. +39 049 8273651
tomaso@cab.unipd.it
Squid needs to be set up to act in a transparent manner before this can be done.

On Thu, 9 Jan 2003 16:17:08 +0100 tomaso@cab.unipd.it (Tomaso Scarsi) opened up to us and said:
> On Thu, Jan 09, 2003 at 12:41:51PM +0100, Andreas Marbet wrote:
> > > From: Tomaso Scarsi [mailto:tomaso@cab.unipd.it]
> > >
> > > also the Squid server is on a different machine:
> > > the Bering/Shorewall box is 192.168.1.254
> > > the Squid server is 192.168.1.1
> > >
> > > > the LAN is 192.168.1.0/24
> > > > the Bering box is 192.168.1.254
> > > >
> > > > I've installed a Squid server at 192.168.1.1
> > > >
> > > > Is it possible to configure Shorewall for a transparent
> > > > proxy to the Squid server?
> > > >
> > > > I've tried with
> > > > REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1
> > > > in the rules file
> > > >
> > > > I get this error:
> > > > Error: REDIRECT rules cannot specify a server IP; rule: "REDIRECT loc
> > > > loc:192.168.1.1:3128 tcp www - !192.168.1.1" Terminated
> >
> > REDIRECT is only usable for redirecting specific ports on the
> > _local_ machine (e.g. if Squid runs on the same machine as Shorewall).
> >
> > DNAT is what you need if you want to change the destination address
> > as well.
> >
> > try: DNAT loc loc:192.168.1.1:3128 tcp 80 - !192.168.1.1
>
> It works only partially:
> when I open a page in the browser the packet is sent to 192.168.1.1
>
> but there is something wrong, because in the connection list of the
> Shorewall box I see
> [UNREPLIED] SYN_SENT
>
> (information produced by weblet, a filtered view of
> /proc/net/ip_conntrack)
>
> tomaso

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
> From: Tomaso Scarsi [mailto:tomaso@cab.unipd.it]
>
> works only partially:
> when I open a page on the browser the packet is sent to 192.168.1.1

But what does the browser on the client display? Nothing? The correct page? A Squid error message?

> but there is something wrong because in the connection list
> of the shorewall box I see [UNREPLIED] SYN_SENT
>
> information produced by weblet (a filtered view of
> /proc/net/ip_conntrack)

That sounds reasonable to me. Try to think as a packet.. ;-)

The request from client A goes from the browser to the Shorewall machine. There the destination is changed to the Squid box. It arrives at the Squid box, but still has the original sender address, so Squid sends back the answer to A. The Shorewall machine never sees the answer from Squid to A.

Andreas
Could it be that the firewall is not allowed to access the net?

ACCEPT loc fw tcp www,https
ACCEPT fw net tcp www,https

On Thu, 9 Jan 2003 16:47:25 +0100 "Andreas Marbet" <andreas.marbet@bluefire.ch> opened up to us and said:
> > From: Tomaso Scarsi [mailto:tomaso@cab.unipd.it]
> >
> > works only partially:
> > when I open a page on the browser the packet is sent to 192.168.1.1
>
> But what does the browser on the client display? Nothing? The correct
> page? A Squid error message?
>
> > but there is something wrong because in the connection list
> > of the shorewall box I see [UNREPLIED] SYN_SENT
> >
> > information produced by weblet (a filtered view of
> > /proc/net/ip_conntrack)
>
> That sounds reasonable to me. Try to think as a packet.. ;-)
>
> The request from client A goes from the browser to the Shorewall
> machine. There the destination is changed to the Squid box. It arrives
> at the Squid box, but still has the original sender address, so Squid
> sends back the answer to A. The Shorewall machine never sees the
> answer from Squid to A.
>
> Andreas

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
----- Original Message -----
From: "Tomaso Scarsi" <tomaso@cab.unipd.it>

> I've installed a Bering box acting as a firewall for a LAN;
>
> the LAN is 192.168.1.0/24
> the Bering box is 192.168.1.254
>
> I've installed a Squid server at 192.168.1.1
>
> Is it possible to configure Shorewall for a transparent proxy to the
> Squid server?
>
> I've tried with
> REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1
> in the rules file
>
> I get this error:
> Error: REDIRECT rules cannot specify a server IP; rule: "REDIRECT
> loc loc:192.168.1.1:3128 tcp www - !192.168.1.1" Terminated
>
> any suggestion?

Hi, this is the answer that Tom sent for the same question some days ago:

--On Thursday, December 12, 2002 09:20:59 PM +0100 Dario Lesca <d.lesca@ivrea.osra.it> wrote:

> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Dario Lesca" <d.lesca@ivrea.osra.it>; <shorewall-users@shorewall.net>
> Sent: Thursday, December 12, 2002 7:32 PM
> Subject: Re: [Shorewall-users] Force Users to use Proxy?
>
>> Hmmm -- why don't you tell us EXACTLY what you are trying to do and then
>> we'll tell you how to do it (assuming that it is possible).
>
> ok, ok, it is possible ...
>
> eth1 of fw (loc zone) = 10.1.1.254
> proxy is in loc zone = 10.1.1.154
>
> REDIRECT loc 10.1.1.154:3128 tcp 80 - !10.1.1.154
> REDIRECT loc 10.1.1.154:3128 tcp 443 - !10.1.1.154
>
> is correct?

No. You want:

DNAT loc!10.1.1.154 loc:10.1.1.154:3128 tcp 80 - all:10.1.1.254
DNAT loc!10.1.1.154 loc:10.1.1.154:3128 tcp 443 - all:10.1.1.254

Warning: From the Proxy's viewpoint, this makes ALL requests look like they are coming from 10.1.1.254!!!

To solve that problem, you need to use policy routing. I haven't tried it but there are instructions in the Linux Advanced Routing and Traffic Control Howto (http://www.lartc.org).

Bye
-------
Dario Lesca (d.lesca@ivrea.osra.it)
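Added example for Andreas's "think as a packet" explanation and for the source-NAT column (all:10.1.1.254) in the DNAT rule Tom Eastep gave above; it is a toy Python model written for this page, not code from the thread or from Shorewall. It uses the thread's firewall (192.168.1.254) and Squid (192.168.1.1) addresses; the client 192.168.1.10:40000 and the web server 203.0.113.10 are constructed, and conntrack states are simplified to UNREPLIED/ESTABLISHED.

```python
# Toy model (added here, not from the thread or Shorewall) of the packet flow
# for DNAT to a Squid on another LAN host, with and without source NAT.
# Thread addresses; web server 203.0.113.10 and client 192.168.1.10:40000 are constructed.
FW, SQUID, CLIENT = "192.168.1.254", "192.168.1.1", "192.168.1.10"
WEB, CLIENT_PORT = "203.0.113.10", 40000

def on_lan(ip):
    return ip.startswith("192.168.1.")   # on-link hosts talk without the firewall

def firewall_out(pkt, conntrack, snat_to_fw):
    """Client packet through the firewall: DNAT port 80 to Squid:3128 (PREROUTING),
    optional SNAT to the firewall (POSTROUTING), and a conntrack entry."""
    orig = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if pkt["dport"] == 80 and pkt["src"] != SQUID:      # "tcp 80 - !<squid>"
        pkt = dict(pkt, dst=SQUID, dport=3128)
    if snat_to_fw:                                      # "all:<firewall>" column
        pkt = dict(pkt, src=FW)
    # reply tuple the firewall expects to see for this connection
    reply_key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    conntrack[reply_key] = [orig, "UNREPLIED"]
    return pkt

def firewall_back(reply, conntrack):
    """Undo both translations on a reply that actually reaches the firewall."""
    key = (reply["src"], reply["sport"], reply["dst"], reply["dport"])
    orig = conntrack[key][0]
    conntrack[key][1] = "ESTABLISHED"
    return dict(reply, src=orig[2], sport=orig[3], dst=orig[0], dport=orig[1])

def trace(snat_to_fw):
    """Return (source Squid sees, firewall conntrack state, client's reaction
    to the SYN-ACK it receives)."""
    conntrack = {}
    syn = {"src": CLIENT, "sport": CLIENT_PORT, "dst": WEB, "dport": 80}
    syn = firewall_out(syn, conntrack, snat_to_fw)      # client -> default gateway
    squid_sees = syn["src"]
    # Squid answers whoever the SYN claims to come from
    synack = {"src": SQUID, "sport": 3128, "dst": syn["src"], "dport": syn["sport"]}
    if not on_lan(synack["dst"]) or synack["dst"] == FW:
        synack = firewall_back(synack, conntrack)       # reply routed via the firewall
    # else: same segment, Squid answers the client directly; the firewall never sees it
    state = conntrack[next(iter(conntrack))][1]
    # the client socket only accepts a SYN-ACK from the server it connected to
    client = "ESTABLISHED" if (synack["src"], synack["sport"]) == (WEB, 80) else "RST"
    return squid_sees, state, client

if __name__ == "__main__":
    print("DNAT only:  ", trace(False))   # ('192.168.1.10', 'UNREPLIED', 'RST')
    print("DNAT + SNAT:", trace(True))    # ('192.168.1.254', 'ESTABLISHED', 'ESTABLISHED')
```

Without the source NAT the firewall's entry stays unreplied (the [UNREPLIED] SYN_SENT Tomaso saw) and the client resets a SYN-ACK that arrives from 192.168.1.1:3128 instead of the server it opened; with it, replies return through the firewall, at the price Tom's warning names: Squid logs every request as coming from the firewall address.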
That response seems odd, since I did not need to do any of that to make it work on my LAN, and it works 100%. Hmm.

On Thu, 9 Jan 2003 17:51:11 +0100 "Dario Lesca" <d.lesca@ivrea.osra.it> opened up to us and said:
> ----- Original Message -----
> From: "Tomaso Scarsi" <tomaso@cab.unipd.it>
>
> > I've installed a Bering box acting as a firewall for a LAN;
> >
> > the LAN is 192.168.1.0/24
> > the Bering box is 192.168.1.254
> >
> > I've installed a Squid server at 192.168.1.1
> >
> > Is it possible to configure Shorewall for a transparent proxy to the
> > Squid server?
> >
> > I've tried with
> > REDIRECT loc loc:192.168.1.1:3128 tcp www - !192.168.1.1
> > in the rules file
> >
> > I get this error:
> > Error: REDIRECT rules cannot specify a server IP; rule: "REDIRECT
> > loc loc:192.168.1.1:3128 tcp www - !192.168.1.1" Terminated
> >
> > any suggestion?
>
> Hi, this is the answer that Tom sent for the same question some
> days ago:
>
> --On Thursday, December 12, 2002 09:20:59 PM +0100 Dario Lesca
> <d.lesca@ivrea.osra.it> wrote:
>
> > ----- Original Message -----
> > From: "Tom Eastep" <teastep@shorewall.net>
> > To: "Dario Lesca" <d.lesca@ivrea.osra.it>; <shorewall-users@shorewall.net>
> > Sent: Thursday, December 12, 2002 7:32 PM
> > Subject: Re: [Shorewall-users] Force Users to use Proxy?
> >
> > >> Hmmm -- why don't you tell us EXACTLY what you are trying to do and
> > >> then we'll tell you how to do it (assuming that it is possible).
> >
> > ok, ok, it is possible ...
> >
> > eth1 of fw (loc zone) = 10.1.1.254
> > proxy is in loc zone = 10.1.1.154
> >
> > REDIRECT loc 10.1.1.154:3128 tcp 80 - !10.1.1.154
> > REDIRECT loc 10.1.1.154:3128 tcp 443 - !10.1.1.154
> >
> > is correct?
>
> No. You want:
>
> DNAT loc!10.1.1.154 loc:10.1.1.154:3128 tcp 80 - all:10.1.1.254
> DNAT loc!10.1.1.154 loc:10.1.1.154:3128 tcp 443 - all:10.1.1.254
>
> Warning: From the Proxy's viewpoint, this makes ALL requests look like
> they are coming from 10.1.1.254!!!
>
> To solve that problem, you need to use policy routing. I haven't tried
> it but there are instructions in the Linux Advanced Routing and
> Traffic Control Howto (http://www.lartc.org).
>
> Bye
>
> -------
> Dario Lesca (d.lesca@ivrea.osra.it)

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com