I have an internal (10.16.0.0/24) network which is routed out via a proxy on port 80 only, this proxy is then routed to an upstream proxy on port 8080, this then runs through a cluster of caching (squid) proxies and then finally, goes out to the internet.

As there are a cluster of squid proxies, the IP of an internet-request from the internal LAN is never the same, it changes to match the proxy you used.

I have a shorewall system on the internet and am wondering if I can somehow have it open a specific IP/Port for a connection on port 8080 (which connects to a server on that system), then be able to route it back through the connection so that it creates a 'direct' link with an internal LAN PC.

Sounds difficult, I've read about SNAT and DNAT and will try it using them but I just wanted to ask the list for any hints or tips I could try or something that can help me.

I am using Shorewall 1.4.9c on RedHat 9.0.

Thanking you all in advance.

Mr. K. Hawkes
K. Hawkes wrote:
> I have an internal (10.16.0.0/24) network which is routed out
> via a proxy on port 80 only, this proxy is then routed to an
> upstream proxy on port 8080, this then runs through a cluster
> of caching (squid) proxies and then finally, goes out to the internet.
>
> As there are a cluster of squid proxies, the IP of an internet-request
> from the internal LAN is never the same, it changes to match the proxy
> you used.
>
> I have a shorewall system on the internet and am wondering if I can
> somehow have it open a specific IP/Port for a connection on port
> 8080 (which connects to a server on that system), then be able to
> route it back through the connection so that it creates a 'direct' link
> with an internal LAN PC.
>
> Sounds difficult, I've read about SNAT and DNAT and will try it using
> them but I just wanted to ask the list for any hints or tips I could try or
> something that can help me.
>

Sorry -- from your description, I haven't a clue what problem you are trying to solve and hence I can't help you.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Yeah, I kinda forgot that part.

The problem I have is that no services such as FTP, SSH etc, with the exception of web-services can get through the internet. For example, even if I try to SSH to a remote IP from the LAN, it seems to never get through, even if I specify the proxy IP, type and anything else it needs to route it over port 80.

I believe it's because of the cluster of proxies that all have different IPs, the traffic TO a destination seems to be routed on a 'round-robin' so you never get the same proxy twice.

As a result of that, any services like FTP, SSH would fail. What I'm wondering is, if I was to use a DNAT rule on the shorewall, could I be able to SSH to an IP on port 80 (or 8080) and have the DNAT rule route it back the way it came, so that the cluster of proxies are not an issue with connectivity.

I'm not sure if that helps any at all, I believe I know where the problem is but I do not know if I can use shorewall to solve it.

Mr. K. Hawkes

[snip]
>
> Sorry -- from your description, I haven't a clue what problem you are
> trying to solve and hence I can't help you.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
K. Hawkes wrote:
>
> As a result of that, any services like FTP, SSH would fail.
> What I'm wondering is, if I was to use a DNAT rule on the shorewall,
> could I be able to SSH to an IP on port 80 (or 8080) and have the DNAT
> rule route it back the way it came, so that the cluster of proxies are not
> an issue with connectivity.
>
> I'm not sure if that helps any at all, I believe I know where the problem is
> but I do not know if I can use shorewall to solve it.
>

I suspect that all of these proxies are operating at the HTTP application layer (the Squid ones certainly are) -- the only thing that you are going to be able to use with them is HTTP commands and response streams. There isn't anything you can do externally to tunnel arbitrary applications through this setup (especially SSH).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Sun, Jun 06, 2004 at 07:53:30AM -0700, Tom Eastep wrote:
> I suspect that all of these proxies are operating at the HTTP
> application layer (the Squid ones certainly are) -- the only thing that
> you are going to be able to use with them is HTTP commands and response
> streams. There isn't anything you can do externally to tunnel arbitrary
> applications through this setup (especially SSH).

In the case of ssh, it may be possible to tunnel outbound connections through a http proxy. I do this regularly with PuTTY, and I understand that OpenSSH supports it as well (I think it requires a helper app, tho). The downside is that many (most?) proxies limit the CONNECT method to port 443, so in practice you need to control the destination server as well.
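The CONNECT restriction Greg mentions is what a proxy administrator sees in Squid's access.log: a CONNECT request names a host:port, and Squid's default policy (`http_access deny CONNECT !SSL_ports`, with `SSL_ports` being 443) refuses tunnels to anything else. The following is an added example, not code from this thread: it parses constructed Squid native-format log lines and flags CONNECT tunnels the proxy allowed to ports other than 443, which is the audit check a Squid operator would run to confirm that policy is actually in force.

```python
import re
from collections import namedtuple

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client action/status bytes method URL ident hierarchy/peer type
# These are invented for the example, not taken from any real proxy.
SAMPLE_LOG = """\
1086533610.101    45 10.16.0.17 TCP_MISS/200 4123 GET http://www.shorewall.net/ - DIRECT/1.2.3.4 text/html
1086533612.207  1200 10.16.0.17 TCP_MISS/200 9876 CONNECT mail.example.com:443 - DIRECT/1.2.3.5 -
1086533615.330  3400 10.16.0.23 TCP_MISS/200 65536 CONNECT shell.example.org:22 - DIRECT/1.2.3.6 -
1086533618.002     0 10.16.0.23 TCP_DENIED/403 1776 CONNECT shell.example.org:8080 - NONE/- text/html
"""

Entry = namedtuple("Entry", "ts client status method host port")

# Only the leading fields are needed; the trailing ident/hierarchy/type fields are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+"
)


def parse_line(line):
    """Parse one native-format access.log line into an Entry, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if m.group("method") == "CONNECT":
        # CONNECT requests carry a bare host:port rather than a URL.
        host, _, port = url.rpartition(":")
        port = int(port)
    else:
        host, port = url, None
    return Entry(m.group("ts"), m.group("client"), int(m.group("status")),
                 m.group("method"), host, port)


def find_tunnels(text, allowed_ports=(443,)):
    """Return (client, host, port) for CONNECT requests that succeeded (status < 400)
    to a port outside allowed_ports, i.e. tunnels the Squid default policy should block."""
    hits = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and e.method == "CONNECT" and e.status < 400 and e.port not in allowed_ports:
            hits.append((e.client, e.host, e.port))
    return hits
```

On the sample above only the allowed CONNECT to port 22 is reported; the 403 on port 8080 shows the policy working and is not flagged.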
Greg Norris wrote:
> On Sun, Jun 06, 2004 at 07:53:30AM -0700, Tom Eastep wrote:
>
>> I suspect that all of these proxies are operating at the HTTP
>> application layer (the Squid ones certainly are) -- the only thing that
>> you are going to be able to use with them is HTTP commands and response
>> streams. There isn't anything you can do externally to tunnel arbitrary
>> applications through this setup (especially SSH).
>
>
> In the case of ssh, it may be possible to tunnel outbound connections
> through a http proxy. I do this regularly with PuTTY, and I understand
> that OpenSSH supports it as well (I think it requires a helper app,
> tho). The downside is that many (most?) proxies limit the CONNECT
> method to port 443, so in practice you need to control the destination
> server as well.

The OP only mentioned 80 and 8080 among the available ports so it's unclear if HTTPS is supported from the local network. If so, the first-level proxy obviously bypasses the Squid farm for SSL...

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net