zerbat@gmx.net wrote:

> I did some tests running netcat in listen mode on the DMZ machine (netcat -l
> -p 80) and tried to connect to some external webserver from a local net
> machine (netcat 217.6.21.23 80). I had expected that I could see my typing
> on the DMZ machine, but netcat tells me that no packets could be received or
> sent. The same setup works fine when I just open the firewall for loc->DMZ
> connections on port 80 (no fw marking, ip routes or tc rules).
>
> The problem occurs no matter if I redirect port 80 to 3128 on the DMZ
> machine (and then listen there) or not.

It will NEVER work without the REDIRECT rule on 192.168.200.10 because the
packets aren't addressed to that system!!!

> I even tried to figure out something using ethereal on the firewall.

Why don't you run ethereal on 192.168.2..10???

> Attached you'll find the shortened output of 'shorewall status'. One can see
> that there had been some packets sent in the tcpre chain. Thomas is surely
> the one who can judge whether that reveals any hints.

It means that you are marking packets. I assume that you have the proper
rules in place since you decided that we only get to see a part of your
status output.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> It means that you are marking packets. I assume that you have the proper
> rules in place since you decided that we only get to see a part of your
> status output.

Also, the way that you defined the DMZ zone can be a factor but we can't
see how you did that either...

-Tom
Tom Eastep wrote:

> zerbat@gmx.net wrote:
>
>> I did some tests running netcat in listen mode on the DMZ machine (netcat -l
>> -p 80) and tried to connect to some external webserver from a local net
>> machine (netcat 217.6.21.23 80). I had expected that I could see my typing
>> on the DMZ machine, but netcat tells me that no packets could be received or
>> sent. The same setup works fine when I just open the firewall for loc->DMZ
>> connections on port 80 (no fw marking, ip routes or tc rules).
>>
>> The problem occurs no matter if I redirect port 80 to 3128 on the DMZ
>> machine (and then listen there) or not.
>
> It will NEVER work without the REDIRECT rule on 192.168.200.10 because
> the packets aren't addressed to that system!!!

And now that I think about it some more, it will NEVER work because the
client is expecting a reply from the original destination (which Squid
determines using a special getsockopt() call).

-Tom
Tom Eastep wrote:

>> It will NEVER work without the REDIRECT rule on 192.168.200.10 because
>> the packets aren't addressed to that system!!!
>
> And now that I think about it some more, it will NEVER work because the
> client is expecting a reply from the original destination (which Squid
> determines using a special getsockopt() call).

Never mind -- I suffered a brain cramp. The getsockopt(...SO_ORIGINAL_DST...)
that I mention above can be used by Squid to determine the site to connect
to, but Netfilter will rewrite the source IP address in the reply correctly.

-Tom
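The getsockopt() lookup Tom refers to, as an added example that is not from the thread or from Squid: a C helper a transparent proxy on the DMZ host would call on an accepted connection to recover the address the client actually dialled (217.6.21.23:80 in the netcat test). That address only exists in conntrack when the packets passed through the REDIRECT rule, which is why the call fails on a connection that was never redirected. Assumes Linux/glibc; the SO_ORIGINAL_DST value is the one from <linux/netfilter_ipv4.h>, and make_endpoint is a helper written for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#ifndef SO_ORIGINAL_DST          /* value from <linux/netfilter_ipv4.h> */
#define SO_ORIGINAL_DST 80
#endif

/* Ask conntrack where the client really dialled, i.e. the destination before the
 * nat/PREROUTING REDIRECT rewrote it. 0 on success, -1 when no NAT entry exists. */
int original_destination(int fd, struct sockaddr_in *orig)
{
    socklen_t len = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &len);
}

/* Fill a sockaddr_in from a dotted quad and a host-order port; -1 on a bad address. */
int make_endpoint(const char *ip, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Render "a.b.c.d:port" for logging. */
const char *format_endpoint(const struct sockaddr_in *sa, char *buf, size_t n)
{
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip);
    snprintf(buf, n, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return buf;
}

/* For a connection just accept()ed on the proxy port (3128 in the thread): log the
 * address the proxy saw and the one the client dialled. Fails without REDIRECT. */
int report_connection(int fd)
{
    struct sockaddr_in local, orig;
    socklen_t len = sizeof local;
    char a[32], b[32];
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0 ||
        original_destination(fd, &orig) < 0)
        return perror("SO_ORIGINAL_DST: no REDIRECT/conntrack entry"), -1;
    printf("accepted on %s, client dialled %s\n",
           format_endpoint(&local, a, sizeof a), format_endpoint(&orig, b, sizeof b));
    return 0;
}
```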
zerbat@gmx.net wrote:

> Here is the other setup with squid in the DMZ (ethereal running on the DMZ
> machine):
>
> No.  Time      Source          Destination   Protocol Info
> 7    0.004587  192.168.100.11  195.71.11.67  TCP      39748 > http [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=7029046
> 8    3.003745  192.168.100.11  195.71.11.67  TCP      39748 > http [SYN] Seq=0 Ack=0 Win=23360 Len=0 MSS=1460 TSV=702907
> 19   9.003026  192.168.100.11  195.71.11.67  TCP      39748 > http [SYN] Seq=0 Ack=0 Win=23360 Len=0 MSS=1460 TSV=702913
>
> As one can see, there is no ACK packet sent back, the client just tries to
> connect over and over again.

Ok -- so fix the configuration on the DMZ machine. This cannot possibly be a
problem with your firewall.

1) What does "iptables -t nat -L -n -v" show on the DMZ machine (are http
   connections being redirected correctly)?

2) What does "netstat -tnap" show on the DMZ machine (e.g., is Squid
   listening on the port that you think it is?)

3) What do the Squid logs show?

-Tom
--
Tom Eastep     \ Off-list replies are cheerfully ignored
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key