grharry@freemail.gr
2004-Apr-15 15:54 UTC
transparent proxy server ( squid ) in the dmz zone
Hi to all ....

After going through the squid transparent proxy page (the DMZ zone section) and after a lot of searching, I have not succeeded yet in routing a single packet to the DMZ zone that goes out to the www port 80.

Even though the packets are marked: ( iptables -t mangle -L -n -v ) shows marking of packets after successful web surfing in the PREROUTING - MARK section.
ip rule show is correct
ip route show table www.out is correct

However, I am sure that packets are not routed to the DMZ zone.
No activity when tcpdumping eth1 ( nic to the DMZ )
no packets after ( iptables -t nat -L -v -n ) on the proxy server in the DMZ zone.

At this point I have to say that default routing is initialized from the ppp options script ( pppoe to be exact ). That is, the default gw shows in ip route show [main].

Is there anyone who succeeded in doing this??

Shorewall is a great script-program to manipulate iptables rules.

I do not consider this to be a direct shorewall problem ( it is rather an iproute2 matter ), but since Tom generously indicated a way of doing this -- and my setup is exactly the one Tom indicates in the section
http://www.shorewall.net/Shorewall_Squid_Usage.html#DMZ
even the nics and interfaces are the same ( eth2-loc, eth1-DMZ ), only the IPs change -- I come to this list with a lot of respect to ask for some help.

I have no clue how to determine what is wrong.

Any hints will be helpful and appreciated.

Thanks in Advance.
Best regards
Harry.
____________________________________________________________________
http://www.freemail.gr - free e-mail service for the Greek-speaking.
grharry@freemail.gr wrote:
> After going through the squid transparent proxy page (the DMZ zone section) and after a lot of searching, I have not succeeded yet in routing a single packet to the
> DMZ zone that goes out to the www port 80.
>
> Even though the packets are marked: ( iptables -t mangle -L -n -v ) shows marking of packets after successful web surfing in the PREROUTING - MARK section.
> ip rule show is correct
> ip route show table www.out is correct
>
> However, I am sure that packets are not routed to the DMZ zone.
> No activity when tcpdumping eth1 ( nic to the DMZ )
> no packets after ( iptables -t nat -L -v -n ) on the proxy server in the DMZ zone.
>
> At this point I have to say that default routing is initialized from the ppp options script ( pppoe to be exact ). That is, the default gw shows in ip route show [main].
>
> Is there anyone who succeeded in doing this??
>
> Shorewall is a great script-program to manipulate iptables rules.
>
> I do not consider this to be a direct shorewall problem ( it is rather an iproute2 matter ), but since Tom generously indicated a way of doing this -- and my setup is exactly the one Tom indicates in the section
> http://www.shorewall.net/Shorewall_Squid_Usage.html#DMZ
> even the nics and interfaces are the same ( eth2-loc, eth1-DMZ ), only the IPs change -- I come to this list with a lot of respect to ask for some help.
>
> I have no clue how to determine what is wrong.
>
> Any hints will be helpful and appreciated.

With this stuff, the devil is in the details. Please forward us:

a) The output of "shorewall show mangle"
b) The output of "ip route ls table www.out"
c) The output of "ip rule ls"
d) The output of "cat /etc/iproute2/rt_tables"

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
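The four outputs Tom asks for form one chain, and the usual mistakes are mismatches between adjacent links: the value the MARK target sets in mangle PREROUTING must be the fwmark an ip rule selects on, the table that rule looks up must be defined under that exact name in /etc/iproute2/rt_tables, and that table must actually hold a default route out of the DMZ interface. The script below is an added example, not code from the thread or from Shorewall, that walks that chain mechanically. It runs over constructed sample text so it can be tried offline; the mark 0xca (202), the table name www.out, the proxy address 10.0.0.2 and the DMZ interface eth1 are assumed values, not Harry's configuration. In practice the four variables would be filled from the real command outputs.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall. Cross-checks the
# four outputs Tom asked for: mangle MARK -> ip rule fwmark -> rt_tables
# entry -> default route in that table. Everything below is constructed
# sample text; the mark (0xca = 202), the table name www.out, the proxy
# address 10.0.0.2 and the DMZ interface eth1 are assumptions.

# Constructed /etc/iproute2/rt_tables
RT_TABLES='#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
202     www.out'

# Constructed "shorewall show mangle" fragment (iptables -t mangle -L -n -v)
MANGLE_OK='Chain PREROUTING (policy ACCEPT 1234 packets, 100K bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 MARK       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0xca'

# Constructed "ip rule ls": ip prints the fwmark in hex
IP_RULE_OK='0:      from all lookup local
100:    from all fwmark 0xca lookup www.out
32766:  from all lookup main
32767:  from all lookup default'

# Same, but the rule selects on a different mark than mangle sets
IP_RULE_BAD='0:      from all lookup local
100:    from all fwmark 0xcb lookup www.out
32766:  from all lookup main
32767:  from all lookup default'

# Constructed "ip route ls table www.out", with and without a default route
IP_ROUTE_OK='default via 10.0.0.2 dev eth1'
IP_ROUTE_EMPTY=''

# Hex (0x..) or decimal string -> decimal, without gawk-only strtonum
to_dec() {
    printf '%s\n' "$1" | awk '{
        s = tolower($1)
        if (s ~ /^0x/) {
            sub(/^0x/, "", s); v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            print v
        } else print s + 0
    }'
}

# Numeric id of table $1 in rt_tables text $2; empty if the name is undefined
rt_table_id() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 !~ /^#/ && $2 == n { print $1; exit }'
}

# Value the MARK target sets in mangle PREROUTING ($1 = mangle listing); empty if none
mangle_mark() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2 }
        chain == "PREROUTING" && $3 == "MARK" {
            for (i = 1; i <= NF; i++) if ($i == "set") { print $(i + 1); exit }
        }'
}

# Table looked up by the ip rule whose fwmark equals $1 (decimal); $2 = ip rule listing
rule_table_for_mark() {
    printf '%s\n' "$2" | awk '/fwmark/ {
        m = ""; t = ""
        for (i = 1; i <= NF; i++) { if ($i == "fwmark") m = $(i + 1); if ($i == "lookup") t = $(i + 1) }
        sub(/\/.*/, "", m)      # drop an optional /mask
        print m, t
    }' | while read -r m t; do
        if [ "$(to_dec "$m")" = "$1" ]; then printf '%s\n' "$t"; break; fi
    done
}

# Interface of the default route in a table listing ($1); empty if there is none
route_default_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Walk the chain mark -> rule -> table -> route; 0 if consistent, 1 with a message otherwise.
# $1 mangle listing, $2 rt_tables, $3 ip rule listing, $4 route table listing, $5 DMZ interface
check_policy_routing() {
    mark=$(mangle_mark "$1")
    [ -n "$mark" ] || { echo "FAIL: no MARK target in mangle PREROUTING"; return 1; }
    mark=$(to_dec "$mark")
    table=$(rule_table_for_mark "$mark" "$3")
    [ -n "$table" ] || { echo "FAIL: no ip rule selects on fwmark $mark"; return 1; }
    [ -n "$(rt_table_id "$table" "$2")" ] || { echo "FAIL: table '$table' is not defined in rt_tables"; return 1; }
    dev=$(route_default_dev "$4")
    [ "$dev" = "$5" ] || { echo "FAIL: table $table sends default traffic out '${dev:-nothing}', expected $5"; return 1; }
    echo "OK: mark $mark -> rule -> table $table -> default route out $dev"
}

check_policy_routing "$MANGLE_OK" "$RT_TABLES" "$IP_RULE_OK" "$IP_ROUTE_OK" eth1 || :
check_policy_routing "$MANGLE_OK" "$RT_TABLES" "$IP_RULE_BAD" "$IP_ROUTE_OK" eth1 || :
check_policy_routing "$MANGLE_OK" "$RT_TABLES" "$IP_RULE_OK" "$IP_ROUTE_EMPTY" eth1 || :
```

Two details worth knowing when reading the real outputs: `ip rule ls` prints the fwmark in hex while many people write the mark in decimal in their rules, which is why the script normalises both sides before comparing; and on the 2.4-era kernels of this thread routes and rules are cached, so after changing either, run `ip route flush cache` before re-testing, or the old routing decision keeps being applied. What this check cannot tell you is whether the MARK counter moves for your test client's packets; that is what Tom's later reset-then-browse-then-status sequence is for.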
grharry@freemail.gr wrote:
> Is there anyone who succeeded in doing this??

I ran that way for months until I moved Squid to my bridge/firewall that sits behind my router/firewall (see http://shorewall.net/myfiles.htm).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Harry Lachanas wrote:
> Above all I must thank you for your immediate response...
> Attached are the files that you have mentioned.

That all looks ok. Please:

a) stop the browser that you are using to test with
b) start the browser and confirm that it has no Proxy setting.
c) shorewall reset
d) try to access an external web site
e) shorewall status > /tmp/status
f) post the /tmp/status file.

Thanks,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net