Dear my friends...

I am building a transparent proxy with squid (proxy server) and shorewall. All packets from the "loc" zone to fw (my firewall machine) should be forwarded from port numbers 80 and 8080 to 3128. So all requests to port numbers 80 and 8080 will be forwarded to 3128 (the port of squid).

I did it like this:

ACCEPT loc fw tcp 3128 80
ACCEPT loc fw udp 3128 80
ACCEPT loc fw tcp 3128 8080
ACCEPT loc fw udp 3128 8080

But it doesn't work as I expect. Could anybody be so nice as to give me a solution for that?

Thank you very much in advance.

__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs
http://hotjobs.sweepstakes.yahoo.com/careermakeover
Prabu Subroto wrote:

> Could anybody be so nice as to give me a solution for that?

a) Go to the Shorewall Website.
b) In the left hand frame is an index -- click on "Documentation".
c) You are now looking at an alphabetical index of articles; go down to the "S" entries.
d) Click on the link titled "Squid with Shorewall".
e) Read the Cautions at the top of the article.
f) Read the section entitled "Squid Running on the Firewall" and follow the instructions that you find there.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hi,

Funnily enough I have just set up exactly the same thing today; you have to use the REDIRECT rule rather than ACCEPT.

I have my squid running on port 8080 on the firewall, and the following works a treat. I haven't yet tested it for other www-related protocols so it may not be 100%, but it's a start.

REDIRECT 8080 tcp www,https

On a separate note, I am trying to get it so it doesn't redirect a couple of IPs through the proxy, and have used the following:

REDIRECT loc:!10.1.1.12,loc:!10.1.1.199 8080 tcp www,https

But it is only accepting the first IP address; the second still goes through the proxy. Any ideas?

Cheers
Ray

-----Original Message-----
From: Prabu Subroto [mailto:prabusubroto@yahoo.com]
Sent: 05 May 2004 15:44
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] transparent proxy with shorewall and squid

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
raymond breen wrote:

> Hi,
>
> Funnily enough I have just set up exactly the same thing today; you have
> to use the REDIRECT rule rather than ACCEPT.
>
> I have my squid running on port 8080 on the firewall, and the following
> works a treat. I haven't yet tested it for other www-related protocols so
> it may not be 100%, but it's a start.
>
> REDIRECT 8080 tcp www,https

The https part certainly won't work. If it was possible to transparently redirect HTTPS then HTTPS would be trivially vulnerable to "man in the middle" attacks.

> On a separate note, I am trying to get it so it doesn't redirect a
> couple of IPs through the proxy, and have used the following:
>
> REDIRECT loc:!10.1.1.12,loc:!10.1.1.199 8080 tcp www,https
>
> But it is only accepting the first IP address; the second still goes
> through the proxy. Any ideas?

Yes -- you have to use an extension script and insert your own rules to do that. Shorewall can only exclude a single IP address or network.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hi Tom,

Indeed you are correct, hence my putting in that I haven't tested it yet :)

Regarding the extra rules, I take it adding individual ACCEPT rules above the REDIRECT rule will do the trick?

Ray
raymond breen wrote:

> Hi Tom,
>
> Indeed you are correct, hence my putting in that I haven't tested it yet
> :)
>
> Regarding the extra rules, I take it adding individual ACCEPT rules above
> the REDIRECT rule will do the trick?

No -- you have to add explicit RETURN rules at the top of the 'loc_dnat' chain, which causes the REDIRECT rule at the end of that chain to be bypassed. This is in the 'nat' table, which you can display using the command "shorewall show nat". So, in /etc/shorewall/start you would have something like:

run_iptables -t nat -I loc_dnat -p tcp --dport 80 -d 10.1.1.12 -j RETURN
run_iptables -t nat -I loc_dnat -p tcp --dport 80 -d 10.1.1.199 -j RETURN

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:

> So, in /etc/shorewall/start you would have something like:
>
> run_iptables -t nat -I loc_dnat -p tcp --dport 80 -d 10.1.1.12 -j RETURN
> run_iptables -t nat -I loc_dnat -p tcp --dport 80 -d 10.1.1.199 -j RETURN

Sorry -- the above should have been "-s" rather than "-d".

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
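Tom's two-line /etc/shorewall/start extension, with his "-s" correction applied, written out as a script that handles any number of bypassed hosts and any number of redirected ports. This is an added example, not code from the thread or from the Shorewall project: the chain name loc_dnat and the run_iptables helper are taken from Tom's message, while the variable names, the is_ipv4 check and the apply_bypass_rules wrapper are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project: Tom's
# /etc/shorewall/start snippet (with "-s" as corrected), generalized to a
# list of bypassed LAN hosts and a list of redirected ports.
# "loc_dnat" and "run_iptables" are from the thread; the rest is assumed.

# Hosts that should reach the web directly instead of via Squid.
# Constructed sample values: the two addresses from Ray's message.
PROXY_BYPASS_HOSTS="10.1.1.12 10.1.1.199"
# Destination ports the REDIRECT rule catches (www = 80 in Tom's rules).
REDIRECTED_PORTS="80"

# Accept only a plain dotted quad so a typo never reaches iptables unnoticed.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit one RETURN rule per (host, port). "-I" inserts at the top of loc_dnat,
# so these match before the REDIRECT that Shorewall places at the end of the
# chain; "-s" matches the client's source address, as Tom's follow-up says.
bypass_rules() {
    for host in $PROXY_BYPASS_HOSTS; do
        is_ipv4 "$host" || { echo "refusing bad address: $host" >&2; return 1; }
        for port in $REDIRECTED_PORTS; do
            printf 'run_iptables -t nat -I loc_dnat -p tcp --dport %s -s %s -j RETURN\n' \
                "$port" "$host"
        done
    done
}

# Sourced from /etc/shorewall/start, the run_iptables helper exists and the
# rules are applied; run anywhere else, they are only printed for review.
apply_bypass_rules() {
    rules=$(bypass_rules) || return 1
    if command -v run_iptables >/dev/null 2>&1; then
        eval "$rules"
    else
        printf '%s\n' "$rules"
    fi
}

apply_bypass_rules
```

Source it from /etc/shorewall/start, or paste the printed lines in by hand. After a restart, "shorewall show nat" should list the RETURN entries above the REDIRECT in loc_dnat, and connections from a listed host leave the firewall without being rewritten. The bypass is keyed on source address only, so a host that can claim one of those addresses also skips whatever filtering Squid provides; keep the list short and review it when hosts change.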
Hi Tom,

Thanks for that mate, I will have a play around and see if I get anywhere.

Ray
I did as the documentation said. But the redirection (port forwarding) does not work.

My /etc/squid/squid.conf has:
"
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
"

My /etc/shorewall/rules:
"
REDIRECT loc 3128 tcp www
ACCEPT fw net tcp www
"

The 2 NICs on my internet gateway (squid+shorewall) have:
eth1 (facing my internal LAN) with 192.168.23.21
eth0 (to the internet) with 192.168.23.20.

Please tell me.

--- Tom Eastep <teastep@shorewall.net> wrote:
> a) Go to the Shorewall Website.
> [...]
> f) Read the section entitled "Squid Running on the Firewall" and follow
> the instructions that you find there.
Prabu Subroto
2004-May-05 17:44 UTC
Re: transparent proxy with shorewall and squid (revised)
I use shorewall 2.0.1. Please tell me why the redirection does not work.

--- Prabu Subroto <prabusubroto@yahoo.com> wrote:
> I did as the documentation said. But the redirection
> (port forwarding) does not work.
Anybody would be so nice to tell me the solution to my problem please....

I am stuck, guys...

--- Prabu Subroto <prabusubroto@yahoo.com> wrote:
> I did as the documentation said. But the redirection
> (port forwarding) does not work.
Prabu Subroto wrote:

> Anybody would be so nice to tell me the solution to my
> problem please....
>
> I am stuck, guys...
>
> --- Prabu Subroto <prabusubroto@yahoo.com> wrote:
>
>> I did as the documentation said. But the redirection
>> (port forwarding) does not work.
>>
>> My /etc/squid/squid.conf has:
>> "
>> httpd_accel_host virtual
>> httpd_accel_port 80

If you are going to redirect to port 3128 then httpd_accel_port should be 3128.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
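The mismatch Tom spots, turned into a check you can run before restarting anything: it pulls the target port out of every REDIRECT line in the rules file and compares it with httpd_accel_port in squid.conf. This is an added example, not from the thread nor from Squid or Shorewall; the two configuration fragments are constructed from Prabu's messages, and the corrected fragment and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, Squid or Shorewall): cross-check the
# port a Shorewall REDIRECT rule sends traffic to against the port Squid 2.x
# expects in httpd_accel_port. Sample fragments constructed from Prabu's mail.

SAMPLE_RULES='REDIRECT   loc   3128   tcp   www
ACCEPT     fw    net    tcp   www'

# Prabu's squid.conf: accelerator port 80, but the firewall redirects to 3128.
SAMPLE_SQUID='httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on'

# The same fragment with Tom's fix applied (assumed corrected configuration).
SAMPLE_SQUID_FIXED='httpd_accel_host virtual
httpd_accel_port 3128
httpd_accel_with_proxy on
httpd_accel_uses_host_header on'

# Third column of every REDIRECT line: in a Shorewall rules file that DEST
# column carries the local port the connection is redirected to.
redirect_ports() {
    printf '%s\n' "$1" | awk '$1 == "REDIRECT" { print $3 }'
}

# Value of the httpd_accel_port directive in a squid.conf fragment.
accel_port() {
    printf '%s\n' "$1" | awk '$1 == "httpd_accel_port" { print $2; exit }'
}

# Returns 0 when every REDIRECT port equals httpd_accel_port, 1 on a
# mismatch, 2 when one side has nothing to compare.
check_proxy_ports() {
    rules=$1; squid=$2
    accel=$(accel_port "$squid")
    ports=$(redirect_ports "$rules")
    if [ -z "$accel" ] || [ -z "$ports" ]; then
        echo "no REDIRECT rule or no httpd_accel_port found" >&2
        return 2
    fi
    status=0
    for p in $ports; do
        if [ "$p" = "$accel" ]; then
            echo "ok: REDIRECT to $p matches httpd_accel_port $accel"
        else
            echo "mismatch: shorewall redirects to $p but squid httpd_accel_port is $accel" >&2
            status=1
        fi
    done
    return $status
}

# Demonstration: the configuration from the thread, then the corrected one.
check_proxy_ports "$SAMPLE_RULES" "$SAMPLE_SQUID" || :
check_proxy_ports "$SAMPLE_RULES" "$SAMPLE_SQUID_FIXED"
```

To check live files, pass their contents: check_proxy_ports "$(cat /etc/shorewall/rules)" "$(cat /etc/squid/squid.conf)". The httpd_accel_* directives are the Squid 2.5-era accelerator syntax used in this thread; Squid 2.6 and later dropped them in favour of an http_port line with the transparent (later intercept) option, so on a newer Squid the port to compare is the one on that line.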