Hi everybody. We are running Shorewall and Squid on Suse on the same box. Each is working fine independently, but we can't get them to cooperate. The access log in squid shows no requests when Shorewall is on. Here are all the changes we made in the configuration files. Everything else is the same. We have read through the mailing list and the guide, but still haven't figured it out. Any help would be appreciated. Thank you.

And do we need to declare an eth1 for loc? We only have 1 card which is eth0.

iptables
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

interfaces
  net eth0 detect dhcp

rules
  REDIRECT loc 3128 tcp www -
  ACCEPT $FW net tcp www

zones
  fw firewall
  net ipv4
  loc ipv4

policy
  fw net ACCEPT
  net all DROP info
  all all REJECT info

squid.conf
  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on
  cache_effective_user nobody
  cache_effective_group nobody
  acl my_firewall src 191.100.100.100/255.255.255.0
  http_access allow my_firewall

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
If you have only one interface eth0 on the suse box then you can not declare eth1. What is your setup ?

On 3/26/06, Jimmy Chen <jchen1297@yahoo.com> wrote:
> Hi everybody. We are running Shorewall and Squid on Suse on the same box. Each is working fine independently, but we can't get them to cooperate. The access log in squid shows no requests when Shorewall is on. Here are all the changes we made in the configuration files. Everything else is the same. We have read through the mailing list and the guide, but still haven't figured it out. Any help would be appreciated. Thank you.
>
> And do we need to declare an eth1 for loc? We only have 1 card which is eth0.
>
> iptables
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> interfaces
> net eth0 detect dhcp
>
> rules
> REDIRECT loc 3128 tcp www -
> ACCEPT $FW net tcp www
>
> zones
> fw firewall
> net ipv4
> loc ipv4
>
> policy
> fw net ACCEPT
> net all DROP info
> all all REJECT info
>
> squid.conf
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> cache_effective_user nobody
> cache_effective_group nobody
> acl my_firewall src 191.100.100.100/255.255.255.0
> http_access allow my_firewall
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
===========
Linux Rocks
World's Best Sites:
http://www.tldp.org/
http://www.ibiblio.org/
We have shorewall and squid running on the same box using eth0 with direct access to the Internet through the LAN. We would like to route all www through shorewall, but we haven't been able to figure out how to connect shorewall to squid. The proxy is on 3128. We do not understand what to do with loc and why $FW does not get sent to 3128. eth0 is for the firewall, so what use is loc if it does not have an interface? Thanks for the quick reply and any help.

--- Anuj Singh <anujhere@gmail.com> wrote:
> If you have only one interface eth0 on the suse box then you can not declare eth1. What is your setup ?
Jimmy Chen wrote:
> We have shorewall and squid running on the same box using eth0 with direct access to the Internet through the LAN. We would like to route all www through shorewall, but we haven't been able to figure out how to connect shorewall to squid. The proxy is on 3128. We do not understand what to do with loc and why $FW does not get sent to 3128. eth0 is for the firewall, so what use is loc if it does not have an interface? Thanks for the quick reply and any help.

I don't understand how you think this can work if you have only a one-interface box. I'm sure it could be made to work, but you'll need some routing trickery as well as appropriate default gateways on your PCs. Normally the Shorewall transparent squid setup should be used on a two-or-more-interface firewall.

I also don't understand what you're trying to do with the iptables rule - where is this defined? In http://www.shorewall.net/Shorewall_Squid_Usage.html it's expected that this rule is defined on the box running squid, when they are *separate*. In your scenario, you have both running on the same box, and you should follow the first option "Squid (transparent) Running on the Firewall".

--
Paul
<http://paulgear.webhop.net>
--
Did you know? If you receive a virus warning from a friend and not through a virus software vendor, it's likely to be a hoax. See <http://gear.dyndns.org:81/features/virus_hoaxes> for more info.
Oh I see. We will try what you have suggested by adding a second interface to the box and setting it up appropriately. Thanks.

The rule is defined in the link in running squid with transparency mini HOWTO http://www.tldp.org/HOWTO/mini/TransparentProxy.html. Although the link is not working and you have to search for it in the linked site.

--- Paul Gear <paul@gear.dyndns.org> wrote:
> I don't understand how you think this can work if you have only a one-interface box. I'm sure it could be made to work, but you'll need some routing trickery as well as appropriate default gateways on your PCs. Normally the Shorewall transparent squid setup should be used on a two-or-more-interface firewall.
>
> I also don't understand what you're trying to do with the iptables rule - where is this defined? In http://www.shorewall.net/Shorewall_Squid_Usage.html it's expected that this rule is defined on the box running squid, when they are *separate*. In your scenario, you have both running on the same box, and you should follow the first option "Squid (transparent) Running on the Firewall".
On Saturday 25 March 2006 22:09, Jimmy Chen wrote:
> Hi everybody. We are running Shorewall and Squid on Suse on the same box. Each is working fine independently, but we can't get them to cooperate. The access log in squid shows no requests when Shorewall is on. Here are all the changes we made in the configuration files. Everything else is the same. We have read through the mailing list and the guide, but still haven't figured it out. Any help would be appreciated. Thank you.
>
> And do we need to declare an eth1 for loc? We only have 1 card which is eth0.
>
> iptables
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This rule is unnecessary when you are using Shorewall on the same box. It duplicates the REDIRECT rule below.

>
> interfaces
> net eth0 detect dhcp
>
> rules
> REDIRECT loc 3128 tcp www -

Where is 'loc' if you only have one interface? Don't you want 'net' here? I suspect that Shorewall isn't even starting with this configuration.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
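Paul's and Tom's replies come down to the same defect: the REDIRECT rule names a zone, loc, that no line in the interfaces file binds to an interface, so no packet can ever belong to it and Shorewall refuses the configuration. The check below is an added example (not Shorewall's own code and not posted by anyone in the thread) that parses the four fragments Jimmy posted and reports zones used in rules or policy that have no interface; the `loc eth1 detect` line is an assumed fix for the second LAN card Paul suggests.

```python
# Added example (not Shorewall's code): consistency check over the fragments
# posted in this thread. It lists zones that rules/policy refer to but that
# no interface is bound to, which is exactly the 'loc' problem Tom points out.

# Constructed sample: the zones/interfaces/rules/policy files as posted.
ZONES = "fw firewall\nnet ipv4\nloc ipv4\n"
INTERFACES = "net eth0 detect dhcp\n"
RULES = "REDIRECT loc 3128 tcp www -\nACCEPT $FW net tcp www\n"
POLICY = "fw net ACCEPT\nnet all DROP info\nall all REJECT info\n"
# Assumed fix: a second card (eth1) bound to the loc zone.
INTERFACES_FIXED = "net eth0 detect dhcp\nloc eth1 detect\n"


def columns(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def check_zones(zones, interfaces, rules, policy):
    """Return (unreachable, unknown): declared zones that rules/policy use
    but no interface serves, and names used there that are not declared."""
    declared = {c[0] for c in columns(zones)}
    fw = next(c[0] for c in columns(zones) if c[1] == "firewall")
    # Zones that can see traffic: those bound to an interface plus the
    # firewall itself ('-' in the zone column means the zone is set elsewhere).
    reachable = {c[0] for c in columns(interfaces) if c[0] != "-"} | {fw}
    used = set()
    for c in columns(rules):
        # ACTION SOURCE DEST ...; for REDIRECT the DEST column is a port,
        # not a zone, so only SOURCE is a zone reference there.
        fields = c[1:2] if c[0].startswith("REDIRECT") else c[1:3]
        used.update(f.split(":")[0] for f in fields)
    for c in columns(policy):  # SOURCE DEST POLICY ...
        used.update(c[:2])
    used = {fw if z == "$FW" else z for z in used} - {"all"}
    unreachable = sorted((used & declared) - reachable)
    unknown = sorted(used - declared)
    return unreachable, unknown


if __name__ == "__main__":
    print(check_zones(ZONES, INTERFACES, RULES, POLICY))        # (['loc'], [])
    print(check_zones(ZONES, INTERFACES_FIXED, RULES, POLICY))  # ([], [])
```

With the posted files the check names loc as unreachable; once an interface is bound to loc it passes, and a zone name that is used but never declared in the zones file is reported separately.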
On Sunday 26 March 2006 07:14, Jimmy Chen wrote:
> The rule is defined in the link in running squid with transparency mini HOWTO http://www.tldp.org/HOWTO/mini/TransparentProxy.html.

As I mentioned in my prior post, that rule is not required if you are running Shorewall on the same system.

> Although the link is not working and you have to search for it in the linked site.

I've corrected the link.

Thanks,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key