deya@ozemail.com.au
2003-Aug-29 08:58 UTC
[Shorewall-users] transparent proxy with shorewall
Hi,

I followed the instructions posted on the shorewall web page for transparent proxy, but I still cannot get it to work. I have almost the same setup as described on the web, running squid on dmz, eth1, and the loc on eth2.

I can see that packets going out from the fw are not sent to the squid proxy, and if I try to telnet to the squid proxy on port 80, where I should be redirected to port 3128, the connection is refused (as I am not connected to port 80, not redirected to port 3128, which I can telnet to directly).

Please advise how to test it, and what kind of tools to use to troubleshoot this problem. If any files are requested, please advise, and in what format, e.g. shorewall show? or whatever.

Thanks in advance,

This message was sent through MyMail http://www.mymail.com.au
On Sat, 30 Aug 2003 deya@ozemail.com.au wrote:

PLEASE POST IN PLAIN TEXT AND CONFIGURE YOUR MAILER TO FOLD LONG LINES. Do I have to tell that to every single person on this list individually even though it is plainly asked at http://www.shorewall.net/support.htm?

> I followed the instructions posted on the shorewall web page for
> transparent proxy, but I still cannot get it to work.

Then you didn't follow the instructions fully.

> I have almost the same setup as described on the web, running squid on
> dmz, eth1, and the loc on eth2.
>
> I can see that packets going out from the fw, they are not sent to the
> squid proxy, and if I try to telnet to the squid proxy to port 80, where
> I should be directed to port 3128, the connection is refused (as I am
> not connected to port 80, not redirected to port 3128 which I can
> telnet to directly)

Then you have set up the routing incorrectly.

> Please advise how to test it, and what kind of tools to troubleshoot
> this problem.

Your /etc/iproute2/rt_tables should have a new entry:

    [root@gateway test]# cat /etc/iproute2/rt_tables
    #
    # reserved values
    #
    #255    local
    #254    main
    #253    default
    #0      unspec
    #
    # local
    #
    #1      inr.ruhep
    202     www.out    <============= Here's mine
    [root@gateway test]#

You should have a rule for directing traffic to this table:

    [root@gateway test]# ip rule show
    0:      from all lookup local
    32765:  from all fwmark 0x1 lookup www.out    <==== Here's mine
    32766:  from all lookup main
    32767:  from all lookup 253
    [root@gateway test]#

The new table should have a route to your Squid server in the DMZ:

    [root@gateway test]# ip route ls table www.out
    default via 206.124.146.177 dev eth1
    [root@gateway test]#

You should have a traffic control rule to mark the packets that you want to use the new table:

    #MARK   SOURCE  DEST             PROTO   PORT(S)  CLIENT PORT(S)
    1:P     eth2    !192.168.0.0/16  tcp     80
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Note that it must be a PREROUTING rule (with the :P).

You must have traffic control enabled:

    [root@gateway test]# grep TC_ENABLED /etc/shorewall/shorewall.conf
    TC_ENABLED=Yes
    [root@gateway test]#

One of these things isn't being done or is being done wrong.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
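The original poster asked how to test the setup; the reply above is a five-point checklist (rt_tables entry, fwmark rule, route table, PREROUTING tcrule, TC_ENABLED). The script below is an added example that turns that checklist into something runnable; it is not part of the thread and not Shorewall's own code. Every check takes the text it inspects as an argument, so it can be run against the live box (`sh check-squid-routing.sh live`) or, with no argument, against constructed samples that mirror the working configuration quoted in the reply. The table name www.out, mark 1, Squid on eth1 (DMZ), clients on eth2 (loc), the gateway 206.124.146.177 and the Shorewall 1.4-era tcrules layout are all assumptions taken from the thread; the script name and function names are invented here.

```shell
#!/bin/sh
# Added example (not from the thread): verify the policy-routing pieces that
# transparent proxying to a Squid box in the DMZ depends on. Assumed names
# from the thread: table www.out, fwmark 1, DMZ interface eth1.

TABLE=www.out
MARK_HEX=0x1     # as printed by "ip rule show"
MARK_DEC=1       # as written in /etc/shorewall/tcrules
DMZ_IF=eth1

# 1. /etc/iproute2/rt_tables: an uncommented "<number> <name>" line for TABLE.
rt_table_defined() {            # $1 = file contents
    printf '%s\n' "$1" | awk -v t="$TABLE" \
        '$1 ~ /^[0-9]+$/ && $2 == t { found = 1 } END { exit !found }'
}

# 2. "ip rule show": a rule that sends packets carrying the mark to TABLE.
fwmark_rule_present() {         # $1 = output of "ip rule show"
    printf '%s\n' "$1" | awk -v m="$MARK_HEX" -v t="$TABLE" '
        { m_ok = 0; t_ok = 0
          for (i = 1; i <= NF; i++) {
              if ($i == "fwmark" && $(i + 1) == m) m_ok = 1
              if ($i == "lookup" && $(i + 1) == t) t_ok = 1
          }
          if (m_ok && t_ok) found = 1 }
        END { exit !found }'
}

# 3. "ip route ls table TABLE": a default route via the Squid host on the DMZ
# interface. Prints the gateway so it can be compared with Squid's address.
default_gateway_in_table() {    # $1 = output of "ip route ls table $TABLE"
    printf '%s\n' "$1" | awk -v d="$DMZ_IF" '
        $1 == "default" && !found {
            gw = ""; dev = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (gw != "" && dev == d) { print gw; found = 1 }
        }
        END { exit !found }'
}

# 4. /etc/shorewall/tcrules: the mark must be set in PREROUTING (":P"), i.e.
# before the routing decision, for tcp/80. "1:F" (FORWARD) marks too late.
tcrule_is_prerouting() {        # $1 = tcrules contents
    printf '%s\n' "$1" | awk -v m="$MARK_DEC" '
        BEGIN { want = m ":P" }
        $1 !~ /^#/ && $1 == want && $4 == "tcp" && $5 == "80" { found = 1 }
        END { exit !found }'
}

# 5. shorewall.conf: tcrules are only loaded when TC_ENABLED=Yes.
tc_enabled() {                  # $1 = shorewall.conf contents
    printf '%s\n' "$1" | grep -Eiq '^TC_ENABLED="?Yes"?[[:space:]]*$'
}

# Run all five checks; one line per check, return 0 only if all pass.
check_all() {   # $1 rt_tables  $2 ip rule  $3 route table  $4 tcrules  $5 conf
    rc=0
    rt_table_defined "$1"     && echo "ok   rt_tables: $TABLE defined" \
        || { echo "FAIL rt_tables: no entry for $TABLE"; rc=1; }
    fwmark_rule_present "$2"  && echo "ok   ip rule: fwmark $MARK_HEX -> $TABLE" \
        || { echo "FAIL ip rule: no 'fwmark $MARK_HEX lookup $TABLE'"; rc=1; }
    gw=$(default_gateway_in_table "$3") && echo "ok   table $TABLE: default via $gw dev $DMZ_IF" \
        || { echo "FAIL table $TABLE: no default route via Squid on $DMZ_IF"; rc=1; }
    tcrule_is_prerouting "$4" && echo "ok   tcrules: $MARK_DEC:P tcp 80 present" \
        || { echo "FAIL tcrules: mark $MARK_DEC must be a PREROUTING (:P) rule for tcp 80"; rc=1; }
    tc_enabled "$5"           && echo "ok   shorewall.conf: TC_ENABLED=Yes" \
        || { echo "FAIL shorewall.conf: TC_ENABLED is not Yes"; rc=1; }
    return $rc
}

# Constructed samples (not captured from a real host) mirroring the working
# configuration quoted in the reply, plus one broken tcrules variant.
SAMPLE_RT_TABLES='#255 local
#254 main
202 www.out'
SAMPLE_IP_RULE='0:      from all lookup local
32765:  from all fwmark 0x1 lookup www.out
32766:  from all lookup main'
SAMPLE_ROUTE='default via 206.124.146.177 dev eth1'
SAMPLE_TCRULES='#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
1:P eth2 !192.168.0.0/16 tcp 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'
SAMPLE_TCRULES_BAD='1:F eth2 !192.168.0.0/16 tcp 80'
SAMPLE_CONF='TC_ENABLED=Yes'

case "${1:-sample}" in
    live) check_all "$(cat /etc/iproute2/rt_tables)" "$(ip rule show)" \
                    "$(ip route ls table "$TABLE" 2>/dev/null)" \
                    "$(cat /etc/shorewall/tcrules)" "$(cat /etc/shorewall/shorewall.conf)" ;;
    *)    check_all "$SAMPLE_RT_TABLES" "$SAMPLE_IP_RULE" "$SAMPLE_ROUTE" \
                    "$SAMPLE_TCRULES" "$SAMPLE_CONF" ;;
esac
```

In live mode the script must run as root on the firewall (the route table lookup fails silently if the rt_tables entry is missing, which then shows up as the third check failing). A FAIL on the tcrules line is the case the reply singles out: a `1:F` rule marks the packet in FORWARD, after the routing decision, so the `fwmark` rule never sees it and web traffic leaves via the main table instead of towards Squid.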