Joffrey FLEURICE
2006-Oct-17 09:29 UTC
Re: Tc rules Help with multiISP + squid& squidguard...
I have deleted the "lo" zone and interface and rebuilt the whole firewall.
From Local I ping www.google.fr with DNS resolution.
DNSMASK installed on the firewall.
POSTFIX and Squid+SquidGuard installed on the firewall.
All client machines have the IP of the firewall for DNS resolution.

New dump attached.

Without Squid: I surf and all works perfectly.
With Squid and the REDIRECT rule: surfing is FAR TOO SLOW and there are no images on web pages (12 minutes for one page!!!! without images), or I get this response:

Connection Failed
The system returned:

(110) Connection timed out

PLEASE HELP! I don't understand!!!

Configuration:
**********************
Zones
Local ipv4
DMZ ipv4
Net ipv4
Maint ipv4
**********************
Interfaces
DMZ eth2 detect dhcp
Local eth1 detect dhcp,routeback
Net eth0 detect
Net ppp0 - dhcp
Maint tun0 detect
**********************
Policy
Local $FW ACCEPT
Local Net ACCEPT info
DMZ $FW ACCEPT
Maint $FW ACCEPT
Maint DMZ ACCEPT
Maint Local ACCEPT
$FW Net ACCEPT
$FW Maint ACCEPT
$FW DMZ ACCEPT
Local DMZ ACCEPT
Net Net DROP info
Net all DROP info
all all REJECT info
**********************
Rules
Rsync/ACCEPT Local Net
Rsync/ACCEPT DMZ Net
DNS/ACCEPT Local Net
DNS/ACCEPT DMZ Net
DNS/ACCEPT $FW Net
DNS/ACCEPT DMZ $FW
DNS/ACCEPT Local $FW
Ping/ACCEPT Local Net
Ping/ACCEPT DMZ Net
Trcrt/ACCEPT DMZ Net
Trcrt/ACCEPT Local Net
Trcrt/ACCEPT $FW Net
ACCEPT Net DMZ:192.168.100.1,192.168.100.2 tcp 20,21,80,81,8080,443,21,554,5902,5901
DNAT Net DMZ:192.168.100.1 tcp 20,21 -
ACCEPT $FW DMZ:192.168.100.1 tcp 25,22,389
ACCEPT $FW DMZ:192.168.100.2 tcp 25,22,389
ACCEPT $FW Local:192.168.1.1 tcp 22
ACCEPT $FW Local:192.168.1.2 tcp 3389
ACCEPT $FW Local:192.168.1.49 tcp 137,139
ACCEPT $FW Net tcp 80,53
ACCEPT $FW Net udp 53
REDIRECT Local 3128 tcp 80 - !192.168.1.254,192.168.100.0/24
REDIRECT DMZ 3128 tcp 80 - !192.168.1.254,192.168.100.0/24
REDIRECT Local 8110 tcp 110 - !192.168.1.254,192.168.100.0/24
ACCEPT Net $FW udp 1194
ACCEPT Net $FW tcp 20,21,22,25,3000,10000,5902,5901
ACCEPT DMZ Net tcp 20,21,80,443
ACCEPT Local Net tcp 8,20,21,22,25,80,110,443,3389,5900,5901,8081
ACCEPT Local Net:213.xxx.xx.40,195.xxx.xxx.13 tcp 5432
ACCEPT Local Net:213.xxx.xx.40,195.xxx.xxx.12 udp 5432
************************
Providers:
sdsl 200 200 main eth0 80.xxx.xxx.161 track,balance eth1,eth2
adsl 201 201 main ppp0 detect track,balance eth1,eth2
************************
TcRules:
200 eth2 0.0.0.0/0 all
200 eth2 0.0.0.0/0 tcp 25
200 $FW 0.0.0.0/0 tcp 25
# All packets going out to the web go via the ADSL link
201 eth1 0.0.0.0/0 tcp 80
201 eth1 0.0.0.0/0 tcp 443
201 eth1 0.0.0.0/0 tcp 3128
*************************
Masq:
ppp0 eth2
ppp0 eth1
eth0 eth2
eth0 eth1
eth0 $PPP0_IP 80.xxx.xxx.161
ppp0 80.xxx.xxx.161 $PPP0_IP
*************************
Nat:
80.xxx.xxx.163 eth0 192.168.100.1 yes yes
80.xxx.xxx.164 eth0 192.168.100.2 yes yes
*************************

-----Original message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Friday 13 October 2006 23:15
To: Shorewall Users
Subject: Re: [Shorewall-users] Tc rules Help with multiISP + squid& squidguard...

> Joffrey FLEURICE wrote:
>>
>> DMZ eth2 detect dhcp
>> Local eth1 detect dhcp,routeback
>> Net eth0 detect
>> Net ppp0 - dhcp
>> Maint tun0 detect
>> Lo lo
>>
>>
>
> Defining a zone for the 'lo' device is silly and unnecessary; it shouldn't hurt
> anything but it won't do anything positive either.

OK, I deleted the lo device.

> If you actually want to control loopback traffic for some reason, simply create
> fw->fw rules and policies. The only case of this that I can think of is where
> you want to redirect locally-generated HTTP traffic from users other than
> 'squid' to a local Squid server.
>
> REDIRECT fw 3128 tcp 80 - - - !squid
>
> -Tom
>
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Joffrey FLEURICE wrote:
> I have deleted the "lo" zone and interface and rebuilt the whole firewall.
> From Local I ping www.google.fr with DNS resolution.
> DNSMASK installed on the firewall.
> POSTFIX and Squid+SquidGuard installed on the firewall.
> All client machines have the IP of the firewall for DNS resolution.
>
> New dump attached.
>
> Without Squid: I surf and all works perfectly.
> With Squid and the REDIRECT rule: surfing is FAR TOO SLOW and there are no images on web pages (12 minutes for one page!!!! without images), or I get this response:
>
> Connection Failed
> The system returned:
>
> (110) Connection timed out
>
> PLEASE HELP! I don't understand!!!

Joffrey,

My advice to you is still the same -- you are going to have to use tcpdump or ethereal to see what is happening. You have the computer there in front of you -- we don't. So only you are going to be able to solve this. We are not.

From the dump you sent, it looks like many SYN packets are being sent on ppp0 and never replied to. So you need to confirm that they are actually being sent on ppp0 and not on eth0.

Does ppp0 work if you configure it as your only Internet connection?

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
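Tom's advice above is to capture with tcpdump and check which interface the outbound SYNs actually leave on and whether any SYN-ACK comes back. The script below is an added example for doing that triage over a capture; it is not from this thread and not Shorewall code. It counts outbound SYNs per interface, marks a SYN as answered only if a SYN-ACK for the reversed 4-tuple arrives on the same interface, and flags web-port SYNs that left on an interface other than the one the tcrules were meant to steer them to (ppp0 in this setup). The capture lines embedded in it are constructed, the addresses are RFC 5737 documentation ranges, and the line layout assumes `tcpdump -nn -i any` from a tcpdump version that prints an interface and In/Out column (4.99 and later); with an older tcpdump, run one capture per interface and prefix each line with the interface name.

```python
"""Triage a tcpdump capture: which interface did each outbound SYN leave on,
and did a SYN-ACK come back on that interface?

Added example for the thread above; constructed input, not from the original
posts and not part of Shorewall. Assumes the line layout of
`tcpdump -nn -i any 'tcp[tcpflags] & tcp-syn != 0'` on tcpdump 4.99+, which
prints an interface and In/Out column. Addresses are RFC 5737 ranges.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed sample: ppp0 carries the firewall's masqueraded web traffic
# (198.51.100.7); eth0 carries the SDSL-side address (203.0.113.161).
# Flow 40001 is a SYN retransmitted with no answer; 40003 is a web SYN that
# left on eth0 although the tcrules intend web traffic to use ppp0.
SAMPLE = """\
10:01:00.000100 ppp0  Out IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 5840, length 0
10:01:03.000100 ppp0  Out IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 5840, length 0
10:01:00.000200 ppp0  Out IP 198.51.100.7.40002 > 192.0.2.10.80: Flags [S], seq 2, win 5840, length 0
10:01:00.050000 ppp0  In  IP 192.0.2.10.80 > 198.51.100.7.40002: Flags [S.], seq 9, ack 3, win 5720, length 0
10:01:01.000000 eth0  Out IP 203.0.113.161.40003 > 192.0.2.10.443: Flags [S], seq 3, win 5840, length 0
10:01:01.040000 eth0  In  IP 192.0.2.10.443 > 203.0.113.161.40003: Flags [S.], seq 8, ack 4, win 5720, length 0
10:01:02.000000 eth0  Out IP 203.0.113.161.40004 > 192.0.2.20.25: Flags [S], seq 4, win 5840, length 0
10:01:02.030000 eth0  In  IP 192.0.2.20.25 > 203.0.113.161.40004: Flags [S.], seq 7, ack 5, win 5720, length 0
"""


def parse(lines):
    """Yield the fields of each TCP line that matches the assumed layout."""
    for line in lines:
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def syn_report(lines, web_ports=(80, 443), expected_iface="ppp0"):
    """Return ({iface: {syn, answered, unanswered}}, misrouted).

    An outbound SYN counts as answered only if a SYN-ACK for the reversed
    4-tuple arrives on the same interface. Retransmitted SYNs collapse into
    one flow. 'misrouted' lists web-port SYNs that left on an interface other
    than expected_iface (the link the tcrules were meant to steer them to).
    """
    flows = {}  # (iface, src, sport, dst, dport) -> got a SYN-ACK?
    for p in parse(lines):
        if p["dir"] == "Out" and p["flags"] == "S":
            flows.setdefault((p["iface"], p["src"], p["sport"], p["dst"], p["dport"]), False)
        elif p["dir"] == "In" and p["flags"] == "S.":
            rev = (p["iface"], p["dst"], p["dport"], p["src"], p["sport"])
            if rev in flows:
                flows[rev] = True

    report = defaultdict(lambda: {"syn": 0, "answered": 0, "unanswered": []})
    misrouted = []
    for (iface, src, sport, dst, dport), answered in flows.items():
        flow = f"{src}:{sport} -> {dst}:{dport}"
        report[iface]["syn"] += 1
        if answered:
            report[iface]["answered"] += 1
        else:
            report[iface]["unanswered"].append(flow)
        if dport in web_ports and iface != expected_iface:
            misrouted.append((iface, flow))
    return dict(report), misrouted


if __name__ == "__main__":
    report, misrouted = syn_report(SAMPLE.splitlines())
    for iface, r in sorted(report.items()):
        print(f"{iface}: {r['syn']} SYN, {r['answered']} answered, "
              f"{len(r['unanswered'])} unanswered {r['unanswered']}")
    for iface, flow in misrouted:
        print(f"web SYN left on {iface} instead of ppp0: {flow}")
```

Feed it a real capture with `tcpdump -nn -i any 'tcp[tcpflags] & tcp-syn != 0' > syns.txt` and `syn_report(open("syns.txt"))`. An interface with many SYNs and no answers points at that link (or its NAT/masq source address), while entries in `misrouted` mean the packet mark and provider routing are not doing what the tcrules comment says.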