Lito Kusnadi
2003-Nov-07 02:54 UTC
[Shorewall-users] Shorewall + transparent squid = DMZ web access problem from LAN
Hi, I am in need of help from experts.

I am placing a Mandrake 8.2 with shorewall 1.4.6c. It has 2 interfaces and a dialup modem. I use squid 2.4 as transparent proxy, running in the firewall. I set up simple zones:
- LAN (eth1)
- NET (ppp0)
- DMZ (eth0)
Transparent proxy runs okay. (Firewall also runs caching DNS.)

Problem is: when I want to access the webserver (put in the DMZ zone) from the LAN, I get the (111) connection refused problem from the transparent proxy.

----------------------------------------------------------
While trying to retrieve the URL: http://139.130.197.29/
The following error was encountered: Connection Failed
The system returned: (111) Connection refused
----------------------------------------------------------

I detected the following log:

Nov 7 17:53:36 zulu Shorewall:all2all:DROP: IN=eth1 OUT= MAC=00:40:05:a4:63:c4:00:02:44:5c:e3:96:08:00 SRC=192.168.3.241 DST=139.130.197.29 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=42555 DF PROTO=TCP SPT=1733 DPT=80 SEQ=1425012301 ACK=0 WINDOW=16384 SYN URGP=0

139.130.197.29 is my dialup static IP. 192.168.3.0 is my LAN network. 192.168.100.0 is my DMZ.

The log confuses me. The packet comes from the LAN to the public interface of the firewall. So if I put:

ACCEPT loc fw:139.130.197.29 tcp www

in the rules, it should be allowing the packet to go back to the firewall and get redirected thru port 80 to the DMZ.

I have tried the following to solve the problem, but to no avail:
1. Put an exclusion original destination in the REDIRECT rule of the transparent proxy:
   REDIRECT loc 3128 tcp www - !139.130.197.29
   -> fail
2. Put: ACCEPT fw dmz tcp www -> fail
3. Put: ACCEPT fw net tcp net -> fail (although I believe this is useless as the default policy for fw->net is accept).

NOTE: Connection from the net to the web server is okay.

Thanks in advance for your help.
Below is the requested info for troubleshooting:

ip addr show:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:20:4a:f8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.254/29 brd 192.168.100.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:05:a4:63:c4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.254/28 brd 192.168.3.255 scope global eth1
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 3
    link/ppp
    inet 139.130.197.29 peer 139.130.196.1/32 scope global ppp0

ip route show:

139.130.196.1 dev ppp0 proto kernel scope link src 139.130.197.29
192.168.100.248/29 dev eth0 scope link
192.168.3.240/28 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 139.130.196.1 dev ppp0

Here's the policy:

#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc     net  ACCEPT ULOG
fw      net  ACCEPT ULOG
fw      loc  ACCEPT ULOG
net     all  DROP   ULOG
all     all  DROP   ULOG

Here's the rules:

#DNAT to webserver in DMZ
DNAT net dmz:192.168.100.253 tcp www
#SSH access
ACCEPT loc fw tcp 22
ACCEPT loc dmz tcp 22
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#Ping management
DROP net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
DROP net dmz icmp 8
DROP net loc icmp 8
#Transparent proxy
REDIRECT loc 3128 tcp www
#Run DNS in firewall
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT dmz fw tcp 53
ACCEPT dmz fw udp 53

--
-------------------------------------------------
This mail sent through IMP: www-mail.usyd.edu.au
Tom Eastep
2003-Nov-07 03:59 UTC
[Shorewall-users] Shorewall + transparent squid = DMZ web access problem from LAN
On Fri, 7 Nov 2003, Lito Kusnadi wrote:

> Hi, I am in need of help from experts.
>
> I am placing a Mandrake 8.2 with shorewall 1.4.6c. It has 2 interfaces and a
> dialup modem.
> I use squid 2.4 as transparent proxy, running in the firewall. I set up simple
> zones:
> - LAN (eth1)
> - NET (ppp0)
> - DMZ (eth0)
> Transparent proxy runs okay. (Firewall also run caching DNS).
>
> Problem is: when I want to access the webserver (put in the DMZ zone) from the
> LAN,
> I got the (111) connection refuse problem from the transparent proxy.
>
> ----------------------------------------------------------
> While trying to retrieve the URL: http://139.130.197.29/
>

You have:

DNAT net dmz:192.168.100.253 tcp www

That only works from the 'net' zone and not from the 'loc' zone. If you want to be able to connect to 139.130.197.29 from the local zone and have the request redirected to the DMZ, you also need:

DNAT loc dmz:192.168.100.253 tcp 80 - 139.130.197.29

AND

You need to exclude 139.130.197.29 from your REDIRECT rule as you have already tried.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
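An added example, not from either post, that reads the all2all:DROP line Lito posted the way Tom's answer implies: it maps the IN/OUT interfaces to Shorewall zones and flags the case where a LAN client reached the firewall's public address on port 80 with no NAT rewrite applied, which is exactly what the extra `DNAT loc` rule fixes. The interface-to-zone map and addresses come from the thread; the sample log line is constructed from the posted one with its line-wrap damage repaired.

```python
import re

# Interface-to-zone mapping and the public address, taken from the post
# (eth1 = loc, eth0 = dmz, ppp0 = net; 139.130.197.29 is the dialup IP).
ZONES = {"eth1": "loc", "eth0": "dmz", "ppp0": "net"}
PUBLIC_IP = "139.130.197.29"

# Constructed sample: the posted log line re-joined onto one line, with the
# line-wrap damage around MAC=, PREC= and WINDOW= repaired.
SAMPLE = ("Nov 7 17:53:36 zulu Shorewall:all2all:DROP: IN=eth1 OUT= "
          "MAC=00:40:05:a4:63:c4:00:02:44:5c:e3:96:08:00 SRC=192.168.3.241 "
          "DST=139.130.197.29 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=42555 DF "
          "PROTO=TCP SPT=1733 DPT=80 SEQ=1425012301 ACK=0 WINDOW=16384 SYN URGP=0")

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):\s*(?P<kv>.*)$")


def parse_shorewall_log(line):
    """Split a Shorewall/netfilter log line into chain, disposition and the
    KEY=VALUE fields (flag tokens such as DF and SYN carry no value)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["chain"] = m.group("chain")
    fields["disposition"] = m.group("disp")
    return fields


def diagnose(line):
    """Map interfaces to zones and flag the LAN-to-public-address case."""
    f = parse_shorewall_log(line)
    if f is None:
        return None
    # Empty IN means the firewall itself sent the packet; empty OUT means the
    # firewall was the destination (it never left the box).
    src_zone = ZONES.get(f["IN"], "?") if f.get("IN") else "fw"
    dst_zone = ZONES.get(f["OUT"], "?") if f.get("OUT") else "fw"
    # Filter-table logs show the packet AFTER nat PREROUTING. DST still being
    # the public IP on port 80 means neither REDIRECT (DPT would be 3128) nor
    # DNAT (DST would be the DMZ host, OUT=eth0) rewrote it: no loc DNAT rule.
    hairpin = (src_zone == "loc" and dst_zone == "fw"
               and f.get("DST") == PUBLIC_IP and f.get("DPT") == "80")
    return {"chain": f["chain"], "disposition": f["disposition"],
            "src_zone": src_zone, "dst_zone": dst_zone,
            "dport": f.get("DPT"), "hairpin": hairpin}
```

Running `diagnose(SAMPLE)` on the posted line reports src_zone loc, dst_zone fw and hairpin True; once the DNAT loc rule is in place the same request would log (if at all) with DST=192.168.100.253 and OUT=eth0.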