Lito Kusnadi
2003-Nov-07 02:54 UTC
[Shorewall-users] Shorewall + transparent squid = DMZ web access problem from LAN
Hi, I am in need of help from experts.
I am placing a Mandrake 8.2 with shorewall 1.4.6c. It has 2 interfaces and a
dialup modem.
I use squid 2.4 as transparent proxy, running in the firewall. I set up simple
zones:
- LAN (eth1)
- NET (ppp0)
- DMZ (eth0)
Transparent proxy runs okay. (Firewall also runs a caching DNS.)
Problem is: when I want to access the webserver (put in the DMZ zone) from the LAN,
I got the (111) connection refused problem from the transparent proxy.
----------------------------------------------------------
While trying to retrieve the URL: http://139.130.197.29/
The following error was encountered:
Connection Failed
The system returned:
(111) Connection refused
----------------------------------------------------------
I detected the following log:
Nov 7 17:53:36 zulu Shorewall:all2all:DROP: IN=eth1 OUT= MAC=00:40:05:a4:63:c4:00:02:44:5c:e3:96:08:00 SRC=192.168.3.241 DST=139.130.197.29 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=42555 DF PROTO=TCP SPT=1733 DPT=80 SEQ=1425012301 ACK=0 WINDOW=16384 SYN URGP=0
139.130.197.29 is my dialup static IP.
192.168.3.0 is my LAN network.
192.168.100.0 is my DMZ.
The log confuses me. The packet comes from the LAN to the public interface of the firewall.
So if I put: ACCEPT loc fw:139.130.197.29 tcp www in the rules,
it should be allowing the packet to go back to the firewall and get redirected thru port 80 to the DMZ.
I have tried the following to solve the problem, but to no avail:
1. put an exclusion of the original destination in the REDIRECT rule of the transparent proxy:
   REDIRECT loc 3128 tcp www - !139.130.197.29 -> fail
2. put: ACCEPT fw dmz tcp www -> fail
3. put: ACCEPT fw net tcp net -> fail (although I believe this is useless, as the
   default policy for fw->net is accept).
NOTE: Connection from the net to the web server is okay.
Thanks in advance for your help.
Below is the requested info for troubleshooting:
Ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:50:bf:20:4a:f8 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.254/29 brd 192.168.100.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:40:05:a4:63:c4 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.254/28 brd 192.168.3.255 scope global eth1
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 3
link/ppp
inet 139.130.197.29 peer 139.130.196.1/32 scope global ppp0
ip route show:
139.130.196.1 dev ppp0 proto kernel scope link src 139.130.197.29
192.168.100.248/29 dev eth0 scope link
192.168.3.240/28 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 139.130.196.1 dev ppp0
Here's the policy:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT ULOG
fw net ACCEPT ULOG
fw loc ACCEPT ULOG
net all DROP ULOG
all all DROP ULOG
Here are the rules:
#DNAT to webserver in DMZ
DNAT net dmz:192.168.100.253 tcp www
#SSH access
ACCEPT loc fw tcp 22
ACCEPT loc dmz tcp 22
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#Ping management
DROP net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
DROP net dmz icmp 8
DROP net loc icmp 8
#Transparent proxy
REDIRECT loc 3128 tcp www
#Run DNS in firewall
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT dmz fw tcp 53
ACCEPT dmz fw udp 53
--
-------------------------------------------------
This mail sent through IMP: www-mail.usyd.edu.au
Tom Eastep
2003-Nov-07 03:59 UTC
[Shorewall-users] Shorewall + transparent squid = DMZ web access problem from LAN
On Fri, 7 Nov 2003, Lito Kusnadi wrote:
> Hi, I am in need of help from experts.
>
> I am placing a Mandrake 8.2 with shorewall 1.4.6c. It has 2 interfaces and a
> dialup modem.
> I use squid 2.4 as transparent proxy, running in the firewall. I set up simple
> zones:
> - LAN (eth1)
> - NET (ppp0)
> - DMZ (eth0)
> Transparent proxy runs okay. (Firewall also runs a caching DNS.)
>
> Problem is: when I want to access the webserver (put in the DMZ zone) from the
> LAN,
> I got the (111) connection refused problem from the transparent proxy.
>
> ----------------------------------------------------------
> While trying to retrieve the URL: http://139.130.197.29/
>

You have:

DNAT net dmz:192.168.100.253 tcp www

That only works from the 'net' zone and not from the 'loc' zone. If you want to be able to connect to 139.130.197.29 from the local zone and have the request redirected to the DMZ, you also need:

DNAT loc dmz:192.168.100.253 tcp 80 - 139.130.197.29

AND

You need to exclude 139.130.197.29 from your REDIRECT rule as you have already tried.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
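The following is an added illustration, not code from the thread or from the Shorewall project: a small Python model of how the posted rules steer a new connection, written to show why the logged packet lands in all2all as loc->fw, why the REDIRECT-only exclusion (attempt 1) ends in a DROP, and why Tom's extra DNAT rule with an ORIGINAL DEST of 139.130.197.29 sends the request to the DMZ host. The model is deliberately simplified: it handles first-match in file order, treats a matching DNAT/REDIRECT as also accepting the rewritten connection (as Shorewall does), and ignores connection tracking and masquerading. The zone nets, firewall addresses and sample rules are taken from the thread; the two outside addresses used as test clients are constructed.

```python
import ipaddress

# Topology from the thread: the firewall's own addresses (traffic to them is
# zone "fw") and the LAN/DMZ subnets; anything else is treated as "net".
FW_ADDRS = {"192.168.100.254", "192.168.3.254", "139.130.197.29"}
ZONE_NETS = {"loc": ipaddress.ip_network("192.168.3.240/28"),
             "dmz": ipaddress.ip_network("192.168.100.248/29")}
PORT_NAMES = {"www": 80, "ssh": 22, "domain": 53}

# Policy lines from the post (SOURCE DEST POLICY; the ULOG column is irrelevant here).
POLICY = """
loc   net   ACCEPT
fw    net   ACCEPT
fw    loc   ACCEPT
net   all   DROP
all   all   DROP
"""

# The rules as posted, reduced to the lines that matter for port 80 and 22.
# Columns: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST
ORIGINAL_RULES = """
DNAT     net   dmz:192.168.100.253   tcp   www
ACCEPT   loc   fw                    tcp   22
REDIRECT loc   3128                  tcp   www
"""

# Attempt 1 from the post: exclude the public address from REDIRECT only.
ATTEMPT1_RULES = """
DNAT     net   dmz:192.168.100.253   tcp   www
ACCEPT   loc   fw                    tcp   22
REDIRECT loc   3128                  tcp   www   -   !139.130.197.29
"""

# Tom's fix: keep the exclusion and add a DNAT for the loc zone keyed on the
# original destination address.
FIXED_RULES = """
DNAT     net   dmz:192.168.100.253   tcp   www
DNAT     loc   dmz:192.168.100.253   tcp   80    -   139.130.197.29
ACCEPT   loc   fw                    tcp   22
REDIRECT loc   3128                  tcp   www   -   !139.130.197.29
"""


def zone_of(ip):
    """Zone an address belongs to; the firewall's own addresses are 'fw'."""
    if ip in FW_ADDRS:
        return "fw"
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "net"


def parse_table(text, ncols):
    """Split a Shorewall-style table into rows, padding missing columns with '-'."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            cols = line.split()
            rows.append(cols + ["-"] * (ncols - len(cols)))
    return rows


def split_zone(spec):
    """'dmz:192.168.100.253' -> ('dmz', '192.168.100.253'); 'fw' -> ('fw', None)."""
    zone, _, addr = spec.partition(":")
    return zone, addr or None


def port_ok(spec, port):
    return spec == "-" or int(PORT_NAMES.get(spec, spec)) == port


def origdest_ok(spec, dst_ip):
    """ORIGINAL DEST column: '-' is any, '!addr' excludes, 'addr' requires."""
    if spec == "-":
        return True
    if spec.startswith("!"):
        return dst_ip != spec[1:]
    return dst_ip == spec


def trace(rules_text, policy_text, src_ip, dst_ip, proto, dport):
    """Follow one new connection through the nat rules, then the filter rules
    and policies. Returns (verdict, destination zone, destination ip, port)."""
    rules = parse_table(rules_text, 7)
    src_zone = zone_of(src_ip)

    # Stage 1: nat PREROUTING. The first matching DNAT/REDIRECT rewrites the
    # destination, and Shorewall also generates the filter ACCEPT for it.
    for action, src, dst, prot, port, _sport, orig in rules:
        if action not in ("DNAT", "REDIRECT"):
            continue
        if split_zone(src)[0] != src_zone or prot not in ("-", proto):
            continue
        if not port_ok(port, dport) or not origdest_ok(orig, dst_ip):
            continue
        if action == "REDIRECT":          # DEST column is a port on the firewall
            return "ACCEPT", "fw", dst_ip, int(dst)
        zone, addr = split_zone(dst)      # DEST column is zone:address
        return "ACCEPT", zone, addr, dport

    # Stage 2: filter. First matching rule wins, otherwise the first policy line.
    dst_zone = zone_of(dst_ip)
    for action, src, dst, prot, port, _sport, _orig in rules:
        if action not in ("ACCEPT", "DROP", "REJECT"):
            continue
        szone, saddr = split_zone(src)
        dzone, daddr = split_zone(dst)
        if szone != src_zone or dzone != dst_zone:
            continue
        if (saddr and saddr != src_ip) or (daddr and daddr != dst_ip):
            continue
        if prot in ("-", proto) and port_ok(port, dport):
            return action, dst_zone, dst_ip, dport
    for psrc, pdst, policy, *_ in parse_table(policy_text, 3):
        if psrc in ("all", src_zone) and pdst in ("all", dst_zone):
            return policy, dst_zone, dst_ip, dport
    return "DROP", dst_zone, dst_ip, dport


if __name__ == "__main__":
    # The packet from the posted log: LAN client to the firewall's ppp0 address.
    for label, rules in (("posted", ORIGINAL_RULES), ("attempt 1", ATTEMPT1_RULES),
                         ("Tom's fix", FIXED_RULES)):
        print(label, trace(rules, POLICY, "192.168.3.241", "139.130.197.29", "tcp", 80))
```

With the posted rules the request is redirected to squid on the firewall, and squid then has to open 139.130.197.29:80 on the firewall itself, where no web server listens, which is consistent with the "(111) Connection refused" squid reports. With the exclusion alone the packet reaches the firewall as loc->fw port 80, matches no rule, and falls through to the all all DROP policy, exactly the all2all:DROP line in the log. With the extra DNAT keyed on the original destination, the same packet is rewritten to the DMZ host.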