We are trying to configure shorewall as follows:

1. We have shorewall running at gateway (172.16.1.1) with NAT.
2. We have a number of web servers (172.16.1.x/24). These web servers are accessed through port forwarding at the gateway (172.16.1.1) and websites are visible through virtual hosting through a web re-director.
3. Presently the proxy server runs in a transparent mode, i.e., all web requests go to the gateway at port 80, they get redirected to 3128, content filtering is done there via ufdbguard and acceptable requests are forwarded.

Now we wish to switch to non-transparent mode as follows:

1. Users of our LAN are authenticated on an LDAP server and they are supposed to manually set up proxy settings for their browsers for internet access at port 3128 looking at our gateway (172.16.1.1).

Now the problem we are facing is that with the non-transparent proxy setting from within our Intranet (172.x.y.z/8) we are unable to see our internal websites which are running on 172.16.1.x/24 !!

The rules we are using in transparent mode are:

For the gateway:
(The external interface is at 210.212.X.Y (eth0)
The internal interface is at 172.16.1.1 (eth1))

In /etc/shorewall/rules:

# Squid for web access
REDIRECT   loc   3128              tcp   80    -   !210.212.X.Y

DNAT       loc   loc:172.16.1.10   tcp   www   -   210.212.X.Y

In /etc/shorewall/masq:

eth1:172.16.1.10   eth1   172.16.1.1   tcp   www

The routeback option has been set for eth1 as well.

Can someone suggest the revised rules so that we may run this in non-transparent mode as mentioned above and still be able to view the internal webservers through port forwarding?

Thanks in advance.
Gaur

------------------------------------------------------------------------------
Register Now & Save for Velocity, the Web Performance & Operations Conference from O'Reilly Media. Velocity features a full day of expert-led, hands-on workshops and two days of sessions from industry leaders in dedicated Performance & Operations tracks. Use code vel09scf and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
Manoj S Gaur wrote:
> We are trying to configure shorewall as follows:
> [...]
> In /etc/shorewall/rules:
>
> # Squid for web access
> REDIRECT   loc   3128              tcp   80    -   !210.212.X.Y
>
> DNAT       loc   loc:172.16.1.10   tcp   www   -   210.212.X.Y

Reverse the order of those two rules.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Manoj S Gaur wrote:
> We are trying to configure shorewall as follows:
> [...]
> Now the problem we are facing is that with the non-transparent proxy
> setting from within our Intranet (172.x.y.z/8) we are unable to see our
> internal websites which are running on 172.16.1.x/24 !!

Please disregard my last post.

What does 'unable to see' mean?
What IP address do your internal users attempt to connect to access these internal servers?
What does the user see when the connection attempt fails?
What 'Shorewall' messages appear when the user attempts a connection?
What messages are written to the Squid logs when the user attempts a connection?

-Tom
> [...]
> What does 'unable to see' mean?
> What IP address do your internal users attempt to connect to access these internal servers?
> What does the user see when the connection attempt fails?
> What 'Shorewall' messages appear when the user attempts a connection?
> What messages are written to the Squid logs when the user attempts a connection?
>
> -Tom

'unable to see' means that the proxied and authenticated users are able to browse all the sites except our own webserver(s).

As the authoritative nameserver is running on the gateway (172.16.1.1), the users are trying to connect to the externally resolved IPs (210.x.y.z), on which a "connection refused" message comes up.

And this message is written to the squid log:

1241001622.284 118 172.17.4.21 TCP_MISS/503 2655 GET http://www.mnit.ac.in/ username DIRECT/210.x.y.z text/html

-Gaur
Ljubomir Ljubojevic
2009-Apr-29 18:47 UTC
Re: Shorewall Settings to view internal websites
You should try using DNS views to separate different DNS records. If the DNS request comes from 172.16.1.x/24, the DNS server will issue them the 172.16.1.x IP instead of the 210.212.X.Y one. There are excellent HOWTOs regarding this.

Manoj S Gaur wrote:
> [...]
> 'unable to see' means that the proxied and authenticated users are able to
> browse all the sites except our own webserver(s).
> As the authoritative nameserver is running on the gateway (172.16.1.1), the
> users are trying to connect to the externally resolved IPs (210.x.y.z), on
> which a "connection refused" message comes up.
> And this message is written to the squid log:
> 1241001622.284 118 172.17.4.21 TCP_MISS/503 2655 GET http://www.mnit.ac.in/ username DIRECT/210.x.y.z text/html
> -Gaur

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
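What Ljubomir's suggestion looks like in practice, as an added example that is not part of the thread or of any BIND documentation. It assumes BIND 9 on the gateway, the zone name mnit.ac.in taken from the Squid log line in Gaur's reply, the Intranet range the original post gives as 172.x.y.z/8, and made-up zone file paths. BIND evaluates views in order, so the internal view must come first, and once any view is declared every zone statement has to sit inside a view. Squid on the gateway resolves through the same server, so 127.0.0.0/8 is included in the internal ACL; with that in place Squid gets 172.16.1.10 directly and the hairpin DNAT for firewall-originated traffic is no longer needed.

```conf
// /etc/bind/named.conf -- split-horizon answers for the zone seen in the
// Squid log (mnit.ac.in). Added example; file paths and the ACL name are assumed.

acl "intranet" {
    172.0.0.0/8;      // Intranet range stated in the post (172.x.y.z/8); narrow to your real prefix
    127.0.0.0/8;      // Squid on the gateway resolves via localhost and must see the internal answers
};

view "internal" {
    match-clients { "intranet"; };
    recursion yes;                   // LAN clients and Squid may recurse through this server
    zone "mnit.ac.in" {
        type master;
        // identical to the external file except that www (and the other
        // published hosts) carry the 172.16.1.x addresses, e.g. www -> 172.16.1.10
        file "/etc/bind/db.mnit.ac.in.internal";
    };
};

view "external" {
    match-clients { any; };          // everyone not matched above
    recursion no;                    // authoritative only: never an open resolver to the Internet
    zone "mnit.ac.in" {
        type master;
        // www -> 210.212.X.Y, the address the existing port forwarding matches
        file "/etc/bind/db.mnit.ac.in.external";
    };
};
```

Check the syntax with named-checkconf before reloading, then compare `dig @172.16.1.1 www.mnit.ac.in A` from a LAN host (expect 172.16.1.10) with the same query from outside (expect 210.212.X.Y). The cost of this approach is two copies of the zone to keep in sync, and any internal host pointed at an outside resolver still gets the public address and still needs the firewall-side hairpin.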
Manoj S Gaur wrote:
> [...]
> 'unable to see' means that the proxied and authenticated users are able to
> browse all the sites except our own webserver(s).
> As the authoritative nameserver is running on the gateway (172.16.1.1), the
> users are trying to connect to the externally resolved IPs (210.x.y.z), on
> which a "connection refused" message comes up.
> And this message is written to the squid log:
> 1241001622.284 118 172.17.4.21 TCP_MISS/503 2655 GET http://www.mnit.ac.in/ username DIRECT/210.x.y.z text/html

You need to add this rule:

#ACTION   SOURCE   DEST          PROTO   DEST PORT   SOURCE PORT   ORIGINAL DEST
DNAT      $FW      loc:p.q.r.s   tcp     80          -             i.j.k.l

-Tom
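The reason Tom's rule is the fix: Squid runs on the gateway, so in non-transparent mode its outbound fetches originate in the $FW zone, not in loc. The original "DNAT loc loc:172.16.1.10 ..." only matches packets arriving from the LAN, so Squid's own connection to 210.212.X.Y:80 went DIRECT, hit the firewall's external address, and came back as the TCP_MISS/503 in the log. Below is the complete rules fragment this implies, as an added example that is not part of the thread or of Shorewall's own documentation. It substitutes 172.16.1.10 and 210.212.X.Y from Gaur's original rules for Tom's p.q.r.s and i.j.k.l; the net->loc DNAT and the ACCEPT for port 3128 are assumed, since the original post mentions port forwarding but does not show those rules.

```conf
# /etc/shorewall/rules -- non-transparent Squid on the gateway (172.16.1.1)
#
# Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
#
# The transparent-mode interception is gone once browsers point at 3128.
# It used to read:
#   REDIRECT  loc  3128  tcp  80  -  !210.212.X.Y

# Browsers now open TCP/3128 to the firewall itself. Only needed if the
# loc -> $FW policy is not already ACCEPT (assumed; not shown in the thread).
ACCEPT    loc    $FW               tcp    3128

# Squid runs ON the firewall, so its fetches originate in the $FW zone.
# The "DNAT loc ..." rule below never matched them, which is why Squid went
# DIRECT to 210.212.X.Y and logged a 503. This hairpins the firewall's own
# connections to the published address back to the internal redirector.
DNAT      $FW    loc:172.16.1.10   tcp    80     -            210.212.X.Y

# Outside visitors to the published address (assumed: the post says port
# forwarding exists but does not show the rule).
DNAT      net    loc:172.16.1.10   tcp    80     -            210.212.X.Y

# LAN hosts that still bypass the proxy and dial the public address directly.
# Keep this together with the existing /etc/shorewall/masq entry
#   eth1:172.16.1.10  eth1  172.16.1.1  tcp  www
# and routeback on eth1; both can go once every LAN host uses the proxy.
DNAT      loc    loc:172.16.1.10   tcp    80     -            210.212.X.Y
```

Run `shorewall check` before `shorewall restart`, then `shorewall show nat` should list the new rule in the OUTPUT chain and the next request for http://www.mnit.ac.in/ in access.log should complete instead of ending in TCP_MISS/503 DIRECT/210.x.y.z. On the Squid side the http_port 3128 line must lose its transparent keyword (intercept on Squid 3.1 and later) so Squid accepts proxy-style requests and can apply the LDAP authentication. The internal web server will now log 210.212.X.Y as the client for every proxied LAN visitor; the real address arrives in Squid's X-Forwarded-For header.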