smalik@vistawiz.com
2003-Jan-20 10:17 UTC
[Shorewall-users] remote site 10.x http traffic rule help!
Hi everyone -

I was wondering how do I set up a rule with the following scenario:

I have a VPN site-2-site connection setup. Also, on each site I have squid which redirects all local HTTP traffic on 3128. But I have problems when I try to access the other site's web server, which is 10.50.20.198, from my network, which is 10.50.30.0/24. I have all other traffic flowing between the two sites but have problems when trying to access the 10.50.20.198 web server as squid does not know what to do.....

What rule should I state which will allow all the HTTPD traffic for 10.50.20.198 from my site (10.50.30.0/24) to be redirected to the remote site web server?

hallian
Tom Eastep
2003-Jan-20 16:09 UTC
[Shorewall-users] remote site 10.x http traffic rule help!
--On Monday, January 20, 2003 1:45 PM -0500 smalik@vistawiz.com wrote:

> Hi everyone -
>
> I was wondering how do I setup a rule with the following scenario:
>
> I have a VPN site-2-site connection setup. Also, on each site I have
> squid which redirect all local HTTP traffic on 3128. But I have problems
> when I try to access the other site web server which is 10.50.20.198 from
> my network setup which is 10.50.30.0/24. I have all other traffic flowing
> between the two sites but having problems when trying to access the
> 10.50.20.198 web server as squid does not know what to do.....
>
> What rule should I state which will allow all the HTTPD traffic for
> 10.50.20.198 from my site (10.50.30.0/24) to be redirected to the remote
> site web server?

Given the lack of information in your post (you don't even tell us what kind of VPN you are using), I can only suggest that you try placing "!10.50.20.198" in the "ORIGINAL DEST" column of your REDIRECT rule. This will avoid your proxy when your local net is accessing 10.50.20.198.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
smalik@vistawiz.com
2003-Jan-22 21:14 UTC
[Shorewall-users] tricky situation with squid/web server?? anyone??
Everyone -

I guess I was not clear on what I was trying to accomplish last time. I have two remote sites connected via VPN (site-2-site with freeswan). Everything is transparent as far as traffic is concerned. But the one problem which I have not been able to fix is the following:

Site A:        ===========    Site B
10.50.10.0/24  ====           10.50.20.0/24

Each site is running squid with the following rules on each site:

Host A:
REDIRECT loc 3128 tcp www - !10.50.10.1

Host B:
REDIRECT loc 3128 tcp www - !10.50.20.1

Everything works fine until I type this on Host A: http://10.50.20.190:80, which is the web server running within the Host B segment. Squid does not know what to do on Host A and returns a 503 error code in the squid log, which means that I cannot reach my web server 10.50.20.190.

How can I resolve this problem? What type of rule sets do I require? I have tried the REDIRECT but to no avail. I tried DNAT on HOST B too but that did not work. If anyone could help me that would be great. I hope I'm clear this time. I need to access the 10.50.20.190 web server in Site B from my Site A - anyone?

Thanks
shazad.
Tom Eastep
2003-Jan-23 06:33 UTC
[Shorewall-users] tricky situation with squid/web server?? anyone??
--On Thursday, January 23, 2003 12:43 AM -0500 smalik@vistawiz.com wrote:

> Everyone -
>
> I guess I was not clear on what I was trying to accomplish last time. I
> have two remote sites connected via VPN (site-2-site with freeswan)
> Everything is transparent as far as traffic is concerned. But the one
> problem which I have not being able to fix is the following:
>
> Site A:        ===========    Site B
> 10.50.10.0/24  ====           10.50.20.0/24
>
> Each site is running squid with the following rules on each site:
> Host A:
> REDIRECT loc 3128 tcp www - !10.50.10.1
>
> Host B:
> REDIRECT loc 3128 tcp www - !10.50.20.1
>
> Everything works fine until I type this on Host A: http://10.50.20.190:80
> which is the web server running within Host B segment. Squid does not
> know what to do on Host A and returns 503 error code in the squid log
> which means that I cannot reach my web server 10.50.20.190.
>
> How can I resolve this problem? What type of rules sets do I require!
> I have tried the REDIRECT but to no avail. I tried DNAT on HOST B too but
> that did not work. If anyone could help me that would be great. I hope
> I'm clear this time. I need to access 10.50.20.190 web server in Site B
> from my Site A - anyone?

Are you also running a web server on your firewall boxes ($DEITY forbid)? If not, then my recommendation from my previous post stands; reverse the ORIGINAL DEST contents in your redirect rules:

Host A:
REDIRECT loc 3128 tcp www - !10.50.20.0/24

Host B:
REDIRECT loc 3128 tcp www - !10.50.10.0/24

That is the ONLY way that you are going to solve this problem unless you also define a host-to-subnet tunnel in each direction. That is because with a subnet-to-subnet IPSEC tunnel, the remote subnets are inaccessible from the gateway systems. You can add rules on the gateways until you become blue in the face and you STILL won't make your squid process in one gateway access a web server in the remote network.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
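The reasoning in Tom's reply can be checked with a small model of the two mechanisms involved: the ORIGINAL DEST exclusion on a Shorewall REDIRECT rule, and the selectors of a subnet-to-subnet IPsec tunnel that only carry packets whose source is inside the local subnet. The code below is an added example written for this archive page; it is not part of the thread and not Shorewall or FreeS/WAN code. It assumes that when squid on the gateway opens its own connection to the remote web server, the gateway uses its external address as the source (constructed here as 203.0.113.1), which is why that connection falls outside the tunnel's selectors and squid answers 503. Client and internet addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

WWW_PORT = 80


@dataclass(frozen=True)
class RedirectRule:
    """Model of a 'REDIRECT loc <port> tcp www - !<exclusion>' rule.

    Local-zone traffic to TCP port 80 is redirected to squid on `port`
    unless the original destination lies inside `excluded_dest`, the
    negated entry in the ORIGINAL DEST column.
    """
    port: int
    excluded_dest: str

    def applies(self, dst_ip: str, dport: int) -> bool:
        if dport != WWW_PORT:
            return False
        excluded = ipaddress.ip_network(self.excluded_dest, strict=False)
        return ipaddress.ip_address(dst_ip) not in excluded


@dataclass(frozen=True)
class SubnetTunnel:
    """Subnet-to-subnet IPsec SA: it carries a packet only when the source
    is inside `left` and the destination inside `right`."""
    left: str
    right: str

    def route(self, src_ip: str, dst_ip: str) -> str:
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        if dst in ipaddress.ip_network(self.left, strict=False):
            return "local"
        if dst in ipaddress.ip_network(self.right, strict=False):
            if src in ipaddress.ip_network(self.left, strict=False):
                return "tunnel"
            # Gateway-originated packets are not covered by the SA selectors,
            # which is the "remote subnets are inaccessible from the gateway"
            # behaviour described in the thread.
            return "unreachable"
        return "internet"


def classify(rule: RedirectRule, tunnel: SubnetTunnel, gateway_src_ip: str,
             client_ip: str, dst_ip: str, dport: int = WWW_PORT) -> str:
    """Describe what happens to a LAN client's connection under `rule`."""
    if rule.applies(dst_ip, dport):
        # squid terminates the client's connection and opens a new one from
        # the gateway (assumption: sourced from the gateway's external address).
        path = tunnel.route(gateway_src_ip, dst_ip)
        if path == "unreachable":
            return "squid 503"
        return "proxied via " + path
    # Not redirected: the client's own packet is forwarded as-is.
    return "direct via " + tunnel.route(client_ip, dst_ip)


# The Host A rule as posted, and the rule Tom recommends.
BEFORE = RedirectRule(3128, "10.50.10.1")
AFTER = RedirectRule(3128, "10.50.20.0/24")
TUNNEL = SubnetTunnel("10.50.10.0/24", "10.50.20.0/24")
GATEWAY_EXT = "203.0.113.1"   # constructed external address of Host A


if __name__ == "__main__":
    client = "10.50.10.50"    # constructed LAN client on Site A
    for name, rule in (("before", BEFORE), ("after", AFTER)):
        for dst in ("10.50.20.190", "198.51.100.10", "10.50.10.1"):
            print(name, client, "->", dst,
                  classify(rule, TUNNEL, GATEWAY_EXT, client, dst))
```

With the posted rule, a request from 10.50.10.50 to 10.50.20.190 is redirected to squid, whose outbound connection from the gateway cannot use the tunnel, so the client sees a 503; with the remote subnet excluded, the same request is forwarded directly through the tunnel while ordinary internet browsing is still proxied.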