Actually, I have a server (which is the router and firewall; it has two IPs, 192.168.1.1 and 192.168.0.1), but we have another server which we want to use as proxy (its IP is 192.168.1.10).

Problem is that when I come with:

REDIRECT loc:192.168.1.0/16 192.168.1.10:3128 tcp 3128

Shorewall always replies with:

ERROR: REDIRECT rules cannot specify a server IP; rule: "REDIRECT loc:192.168.1.0/16 192.168.1.10:3128 tcp 3128"

Anyone can give me a hint? I haven't found anything on Google, neither in the mailing list's archives nor in the official docs... though I have another solution which involves changing IPs (we don't use transparent proxy here)... I would really like to solve this...
Santiago Zarate wrote:
> Actually, I have a server (which is the router and firewall; it has two IPs, 192.168.1.1 and 192.168.0.1), but we have another server which we want to use as proxy (its IP is 192.168.1.10).
>
> Problem is that when I come with:
>
> REDIRECT loc:192.168.1.0/16 192.168.1.10:3128 tcp 3128
>
> Shorewall always replies with:
> ERROR: REDIRECT rules cannot specify a server IP; rule: "REDIRECT loc:192.168.1.0/16 192.168.1.10:3128 tcp 3128"
>
> Anyone can give me a hint?

Shorewall FAQ #1. You want to do DNAT, not REDIRECT.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Michael Weickel - iQom Business Services GmbH
2010-Apr-16 20:53 UTC
Re: Redirecting traffic to another host
I guess the way you have chosen is the way for using a squid on the same machine as the firewall. I believe that Shorewall expects only a port rather than a server IP where you specified 192.168.1.10.

I have the same scenario as you described in my local network.

What will bring you to your target is http://www.shorewall.net/Shorewall_Squid_Usage.html

Use the section where the server is in the local network.

Cheers
Mike

-----Original Message-----
From: Santiago Zarate [mailto:santiago@zarate.net.ve]
Sent: Friday, 16 April 2010 22:41
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Redirecting traffic to another host

Actually, I have a server (which is the router and firewall; it has two IPs, 192.168.1.1 and 192.168.0.1), but we have another server which we want to use as proxy (its IP is 192.168.1.10).

Problem is that when I come with:

REDIRECT loc:192.168.1.0/16 192.168.1.10:3128 tcp 3128

Shorewall always replies with:

ERROR: REDIRECT rules cannot specify a server IP; rule: "REDIRECT loc:192.168.1.0/16 192.168.1.10:3128 tcp 3128"

Anyone can give me a hint? I haven't found anything on Google, neither in the mailing list's archives nor in the official docs... though I have another solution which involves changing IPs (we don't use transparent proxy here)... I would really like to solve this...

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Michael Weickel - iQom Business Services GmbH wrote:
> I guess the way you have chosen is the way for using a squid on the same machine as the firewall. I believe that Shorewall expects only a port rather than a server IP where you specified 192.168.1.10.
>
> I have the same scenario as you described in my local network.
>
> What will bring you to your target is
>
> http://www.shorewall.net/Shorewall_Squid_Usage.html
>
> Use the section where the server is in the local network.

I'm totally confused. Santiago ended with a statement that he is not using Transparent Proxy, so I assumed that he wanted to do port forwarding.

Michael is correct if, indeed, the server at 192.168.1.10 is doing transparent proxy or if, for any other reason, Santiago wants to route traffic to that box without rewriting the original destination IP address.

-Tom
Michael Weickel - iQom Business Services GmbH
2010-Apr-16 21:02 UTC
Re: Redirecting traffic to another host
BTW. I believe using squid as non-transparent is not what you want to do. Of course non-transparent gives you some great benefits such as authentication and using squid for HTTPS as well, but the disadvantage is that you have to provide proxy information manually to each client or maybe by GPO.

You should visit squid-cache.org - there is a great comparison sheet between transparent and non-transparent.

We have two scenarios up and running in our company. One with Shorewall and transparent proxy and another one with non-transparent proxy, but this time clients mapped against squid directly, without Shorewall.

-----Original Message-----
From: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de]
Sent: Friday, 16 April 2010 22:53
To: 'Shorewall Users'
Subject: Re: [Shorewall-users] Redirecting traffic to another host

I guess the way you have chosen is the way for using a squid on the same machine as the firewall. I believe that Shorewall expects only a port rather than a server IP where you specified 192.168.1.10.

I have the same scenario as you described in my local network.

What will bring you to your target is http://www.shorewall.net/Shorewall_Squid_Usage.html

Use the section where the server is in the local network.

Cheers
Mike
Well... Sorry for not answering earlier...

Few things:

1.- We're not using squid in transparent mode (that's an order from high above... can't do anything).
2.- We have a brand new server which is going to be used for squid, which is the 192.168.1.10.
3.- The firewall is 192.168.1.1
4.- I have to redirect all incoming traffic to host 192.168.1.1:3128 to 192.168.1.10:3128

I've tried the DNAT thingie but so far, no luck, any ideas?
This is the rule I'm using (actually 192.168.20.244 is my own laptop... but it should be only loc and not loc:192.168.20.244)

DNAT loc:192.168.20.244 loc:192.168.1.10 tcp 3128 #what i have

Any hints?

2010/4/16 Michael Weickel - iQom Business Services GmbH <mw@iqom.de>:
>
> BTW. I believe using squid as non-transparent is not what you want to do. Of course non-transparent gives you some great benefits such as authentication and using squid for HTTPS as well, but the disadvantage is that you have to provide proxy information manually to each client or maybe by GPO.
>
> You should visit squid-cache.org - there is a great comparison sheet between transparent and non-transparent.
>
> We have two scenarios up and running in our company. One with Shorewall and transparent proxy and another one with non-transparent proxy, but this time clients mapped against squid directly, without Shorewall.
Santiago Zarate wrote:
> Well... Sorry for not answering earlier...
>
> Few things:
>
> 1.- We're not using squid in transparent mode (that's an order from high above... can't do anything).
> 2.- We have a brand new server which is going to be used for squid, which is the 192.168.1.10.
> 3.- The firewall is 192.168.1.1
> 4.- I have to redirect all incoming traffic to host 192.168.1.1:3128 to 192.168.1.10:3128
>
> I've tried the DNAT thingie but so far, no luck, any ideas?
> This is the rule I'm using (actually 192.168.20.244 is my own laptop... but it should be only loc and not loc:192.168.20.244)
>
> DNAT loc:192.168.20.244 loc:192.168.1.10 tcp 3128 #what i have
>
> Any hints?

Sounds like Shorewall FAQ 2.

-Tom
Well, I've read the FAQ quite a few times... tried a few... none worked.

In http://www.shorewall.net/Shorewall_Squid_Usage.html

Squid (transparent) Running in the local network

This one seems to be what I need... the only thing I'm not doing is the port redirection, since we're not using squid as transparent proxy... and it should work anyways.. but it doesn't.

2010/4/20 Tom Eastep <teastep@shorewall.net>:
> Sounds like Shorewall FAQ 2.
>
> -Tom
Santiago Zarate wrote:
> Well, I've read the FAQ quite a few times... tried a few... none worked.
>
> In http://www.shorewall.net/Shorewall_Squid_Usage.html
>
> Squid (transparent) Running in the local network
>
> This one seems to be what I need... the only thing I'm not doing is the port redirection, since we're not using squid as transparent proxy... and it should work anyways..

No it should not! That approach preserves the original destination address, so unless the server redirects these requests, it will turn them around and route them back out through the gateway.

I think we need to understand *exactly* what you are trying to do. Otherwise, we will be pointing you at inappropriate solutions.

-Tom
I just want traffic to 192.168.1.1:3128 to be forwarded/redirected to 192.168.1.10:3128

2010/4/20 Tom Eastep <teastep@shorewall.net>:
> No it should not! That approach preserves the original destination address, so unless the server redirects these requests, it will turn them around and route them back out through the gateway.
>
> I think we need to understand *exactly* what you are trying to do. Otherwise, we will be pointing you at inappropriate solutions.
>
> -Tom
Santiago Zarate wrote:
> I just want traffic to 192.168.1.1:3128 to be forwarded/redirected to 192.168.1.10:3128

And that is Shorewall FAQ 2!

In /etc/shorewall/rules:

DNAT loc loc:192.168.1.10 tcp 3128 - 192.168.1.1

In /etc/shorewall/interfaces:

loc ethX - routeback,...

In /etc/shorewall/masq:

ethX:192.168.1.10 192.168.1.0/24 192.168.1.1 tcp 3128

-Tom
Hmm, at one point I was using:

DNAT loc loc:192.168.1.10 tcp 3128 - !192.168.1.1

Gonna try tomorrow as soon as I can.. thanks...

2010/4/20 Tom Eastep <teastep@shorewall.net>:
> Santiago Zarate wrote:
>> I just want traffic to 192.168.1.1:3128 to be forwarded/redirected to 192.168.1.10:3128
>
> And that is Shorewall FAQ 2!
>
> In /etc/shorewall/rules:
>
> DNAT loc loc:192.168.1.10 tcp 3128 - 192.168.1.1
>
> In /etc/shorewall/interfaces:
>
> loc ethX - routeback,...
>
> In /etc/shorewall/masq:
>
> ethX:192.168.1.10 192.168.1.0/24 192.168.1.1 tcp 3128
>
> -Tom
Redirection works, now the problem is that all requests come from 192.168.1.1:

1271846322.812 0 192.168.1.1 TCP_DENIED/403 3059 GET http://www.facebook.com/ - NONE/- text/html

but we do have access levels, for example, sam can browse facebook freely but manuel can't. So this is unacceptable for us.

Since I have to get this done... I'll just change the IP addresses, since I can't order every user here to change the proxy settings.

But... can you help me to finish this? I'll set up a test environment...

2010/4/20 Santiago Zarate <santiago@zarate.net.ve>:
> Hmm, at one point I was using:
> DNAT loc loc:192.168.1.10 tcp 3128 - !192.168.1.1
>
> Gonna try tomorrow as soon as I can.. thanks...
Santiago Zarate wrote:
> Redirection works, now the problem is that all requests come from 192.168.1.1:
>
> 1271846322.812 0 192.168.1.1 TCP_DENIED/403 3059 GET http://www.facebook.com/ - NONE/- text/html
>
> but we do have access levels, for example, sam can browse facebook freely but manuel can't. So this is unacceptable for us.
>
> Since I have to get this done... I'll just change the IP addresses, since I can't order every user here to change the proxy settings.
>
> But... can you help me to finish this? I'll set up a test environment...

There is no way to do what you are trying to do!

-Tom
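The symptom in Santiago's log line (every request attributed to the gateway) is exactly what a masq/SNAT hairpin produces, and it silently breaks source-address ACLs and per-client audit trails on the proxy. The following check is an added example, not code from the thread or from Shorewall or Squid: it parses Squid's native access.log format and flags a log where nearly all requests carry the gateway address; the log lines, the client addresses and the DIRECT peers are constructed.

```python
"""Added example: detect a Squid access.log in which the proxy no longer sees real
client addresses because the firewall rewrites the source to its own address."""
from collections import Counter
from typing import Dict, Tuple

GATEWAY = "192.168.1.1"   # the firewall address the masq rule substitutes as source

# Native format: timestamp elapsed client result/status bytes method URL user hierarchy/peer type
# Constructed lines modelled on the one quoted in the thread.
MASQUERADED_LOG = """\
1271846322.812      0 192.168.1.1 TCP_DENIED/403 3059 GET http://www.facebook.com/ - NONE/- text/html
1271846323.101     45 192.168.1.1 TCP_MISS/200 12034 GET http://example.org/ - DIRECT/203.0.113.5 text/html
1271846324.550      0 192.168.1.1 TCP_DENIED/403 3059 GET http://www.facebook.com/ - NONE/- text/html
"""

# Constructed: what the same traffic looks like when the proxy still sees real client addresses.
HEALTHY_LOG = """\
1271846322.812      0 192.168.1.50 TCP_MISS/200 8812 GET http://www.facebook.com/ - DIRECT/203.0.113.7 text/html
1271846323.101     45 192.168.1.51 TCP_DENIED/403 3059 GET http://www.facebook.com/ - NONE/- text/html
1271846324.550     12 192.168.1.1 TCP_MISS/200 12034 GET http://example.org/ - DIRECT/203.0.113.5 text/html
"""


def parse_native(line: str) -> Dict[str, str]:
    """Split one native-format access.log line into the fields this check needs."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"not a native-format line: {line!r}")
    return {"time": fields[0], "client": fields[2], "result": fields[3],
            "method": fields[5], "url": fields[6]}


def client_share(log: str, gateway: str = GATEWAY) -> Tuple[Counter, float]:
    """Requests per client address, and the fraction attributed to the gateway."""
    counts = Counter(parse_native(ln)["client"] for ln in log.splitlines() if ln.strip())
    total = sum(counts.values())
    return counts, (counts[gateway] / total if total else 0.0)


def nat_hides_clients(log: str, gateway: str = GATEWAY, threshold: float = 0.9) -> bool:
    """True when the proxy is effectively blind: almost every request is logged as the
    gateway, so per-client rules (the sam/manuel case in the thread) cannot work."""
    _, share = client_share(log, gateway)
    return share >= threshold


if __name__ == "__main__":
    for name, log in (("masqueraded", MASQUERADED_LOG), ("healthy", HEALTHY_LOG)):
        counts, share = client_share(log)
        print(f"{name}: {dict(counts)} gateway share={share:.2f} hidden={nat_hides_clients(log)}")
```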
Yea... I guessed... well, thanks for the help anyways... I'll try to write a blog post just in case anyone else needs a solution like this.

2010/4/21 Tom Eastep <teastep@shorewall.net>:
> Santiago Zarate wrote:
>> Redirection works, now the problem is that all requests come from 192.168.1.1:
>>
>> 1271846322.812 0 192.168.1.1 TCP_DENIED/403 3059 GET http://www.facebook.com/ - NONE/- text/html
>>
>> but we do have access levels, for example, sam can browse facebook freely but manuel can't. So this is unacceptable for us.
>>
>> Since I have to get this done... I'll just change the IP addresses, since I can't order every user here to change the proxy settings.
>>
>> But... can you help me to finish this? I'll set up a test environment...
>
> There is no way to do what you are trying to do!
>
> -Tom
On 21/04/2010 13:38, Santiago Zarate wrote:
> Yea... I guessed... well, thanks for the help anyways... I'll try to write a blog post just in case anyone else needs a solution like this.

Actually, if you set the proxy with IP 192.168.2.10 and add 192.168.2.1 to the Shorewall box, you could just DNAT (without masquerade) and everything should just work.

Am I missing something here?

Pablo.
Pablo Sebastian Greco wrote:
> On 21/04/2010 13:38, Santiago Zarate wrote:
>> Yea... I guessed... well, thanks for the help anyways... I'll try to write a blog post just in case anyone else needs a solution like this.
>
> Actually, if you set the proxy with IP 192.168.2.10 and add 192.168.2.1 to the Shorewall box, you could just DNAT (without masquerade) and everything should just work.
>
> Am I missing something here?

Yes. Responses from 192.168.2.10 back to the client have the wrong source IP since they don't go through the Shorewall box.

-Tom
On 21/04/2010 15:10, Tom Eastep wrote:
> Pablo Sebastian Greco wrote:
>> Actually, if you set the proxy with IP 192.168.2.10 and add 192.168.2.1 to the Shorewall box, you could just DNAT (without masquerade) and everything should just work.
>>
>> Am I missing something here?
>
> Yes. Responses from 192.168.2.10 back to the client have the wrong source IP since they don't go through the Shorewall box.
>
> -Tom

If 192.168.1.x don't know about 192.168.2.x, they are forced to go through 192.168.1.1 (Shorewall box), and since 192.168.2.10 only knows 192.168.2.1 (Shorewall box), everything should go through the Shorewall box and still maintain its original IP.

Pablo.
Pablo Sebastian Greco wrote:
> If 192.168.1.x don't know about 192.168.2.x, they are forced to go through 192.168.1.1 (Shorewall box), and since 192.168.2.10 only knows 192.168.2.1 (Shorewall box), everything should go through the Shorewall box and still maintain its original IP.

Ah -- the '2' wasn't just a typo :-)

Given that Santiago is moaning about changing the IP address of the server *within the 192.168.1.0 network*, moving it to another separate network would undoubtedly make him really howl.

I think a better approach would be to simply move 192.168.1.1 from the Shorewall box to the server while leaving 192.168.1.10 as its primary address. Of course, that address might be used for other purposes besides the (wrong) proxy address, which would prevent that approach.

-Tom
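The four layouts argued over in the thread differ only in where the proxy's reply goes and whether conntrack gets to reverse the translation. The model below is an added example, not Shorewall or Netfilter code: it mimics PREROUTING DNAT, the masq rule's SNAT and conntrack reverse translation on a routing-table level, and reports for each layout which source address the proxy sees (what Squid would log) and whether the client receives a reply from the address it expects. The client 192.168.1.50 and the firewall's 192.168.1.2 in the last layout are constructed.

```python
"""Added example: why DNAT alone fails on one subnet, why FAQ 2's masq rule hides the
client, and why Pablo's second-subnet layout (or moving the address) keeps it visible."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PROXY_VIP = "192.168.1.1"   # the address every client has configured as its proxy


def ip_of(addr: str) -> str:
    """'192.168.1.10/24' -> '192.168.1.10'."""
    return str(ipaddress.ip_interface(addr).ip)


@dataclass
class Host:
    name: str
    addrs: List[str]                  # interface addresses with prefix length
    gateway: Optional[str] = None     # default route next hop

    def owns(self, ip: str) -> bool:
        return any(ip_of(a) == ip for a in self.addrs)

    def next_hop(self, dst: str) -> str:
        """Directly connected destinations are delivered as-is; anything else goes to the gateway."""
        d = ipaddress.ip_address(dst)
        if any(d in ipaddress.ip_interface(a).network for a in self.addrs):
            return dst
        if self.gateway is None:
            raise ValueError(f"{self.name}: no route to {dst}")
        return self.gateway


@dataclass
class Firewall(Host):
    dnat_to: Optional[str] = None     # rules: DNAT loc loc:<dnat_to> tcp 3128 - 192.168.1.1
    snat_to: Optional[str] = None     # masq: rewrite the source of the forwarded proxy traffic
    # conntrack: (reply src, reply dst) -> (original src, original dst)
    conntrack: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)


def deliver(hosts: List[Host], ip: str) -> Host:
    for h in hosts:
        if h.owns(ip):
            return h
    raise ValueError(f"no host owns {ip}")


def trace(client: Host, fw: Firewall, proxy: Host) -> Tuple[str, bool]:
    """Send one request client -> PROXY_VIP:3128. Returns (source address the proxy sees,
    True if the client gets its reply back from the address it sent to)."""
    hosts = [client, fw, proxy]
    src, dst = ip_of(client.addrs[0]), PROXY_VIP
    hop = deliver(hosts, client.next_hop(dst))
    if hop is fw and fw.dnat_to and fw.owns(dst):
        # PREROUTING DNAT, then the masq rule's SNAT if configured; conntrack records both.
        new_src = fw.snat_to or src
        fw.conntrack[(fw.dnat_to, new_src)] = (src, dst)
        src, dst = new_src, fw.dnat_to
        hop = deliver(hosts, fw.next_hop(dst))
    if hop is not proxy:
        raise RuntimeError(f"request ended at {hop.name}, not at the proxy")
    seen = src                                  # what Squid logs as the client address
    rsrc, rdst = dst, seen                      # reply from the address the request arrived on
    hop = deliver(hosts, proxy.next_hop(rdst))
    if hop is fw and (rsrc, rdst) in fw.conntrack:
        orig_src, orig_dst = fw.conntrack[(rsrc, rdst)]
        rsrc, rdst = orig_dst, orig_src         # reverse translation on the way back
        hop = deliver(hosts, fw.next_hop(rdst))
    return seen, hop is client and rsrc == PROXY_VIP


def scenarios() -> Dict[str, Tuple[str, bool]]:
    """The four layouts discussed in the thread, each with a constructed client 192.168.1.50."""
    def client() -> Host:
        return Host("client", ["192.168.1.50/24"], gateway="192.168.1.1")
    out = {}
    # 1. DNAT only, proxy on the same subnet: the proxy answers the client directly, bypassing conntrack.
    fw = Firewall("fw", ["192.168.1.1/24", "192.168.0.1/24"], dnat_to="192.168.1.10")
    out["dnat_only_same_subnet"] = trace(client(), fw, Host("proxy", ["192.168.1.10/24"], "192.168.1.1"))
    # 2. FAQ 2: DNAT plus the masq rule, so replies hairpin through the firewall.
    fw = Firewall("fw", ["192.168.1.1/24", "192.168.0.1/24"], dnat_to="192.168.1.10", snat_to="192.168.1.1")
    out["faq2_dnat_plus_masq"] = trace(client(), fw, Host("proxy", ["192.168.1.10/24"], "192.168.1.1"))
    # 3. Pablo's layout: proxy on 192.168.2.0/24 behind the firewall, DNAT without masq.
    fw = Firewall("fw", ["192.168.1.1/24", "192.168.2.1/24"], dnat_to="192.168.2.10")
    out["proxy_on_second_subnet"] = trace(client(), fw, Host("proxy", ["192.168.2.10/24"], "192.168.2.1"))
    # 4. Tom's suggestion: move 192.168.1.1 onto the proxy itself; no NAT involved at all.
    fw = Firewall("fw", ["192.168.1.2/24", "192.168.0.1/24"])
    out["vip_moved_to_proxy"] = trace(client(), fw, Host("proxy", ["192.168.1.10/24", "192.168.1.1/24"]))
    return out


if __name__ == "__main__":
    for name, (seen, ok) in scenarios().items():
        print(f"{name:24s} proxy sees client as {seen:14s} reply valid: {ok}")
```

Layouts 3 and 4 are the only ones where the proxy both sees the real client address and gets its reply back to the client, which is why source-based Squid ACLs survive there and not under FAQ 2.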
Yes, indeed... the problem is that it's kind of impossible to go to each PC and change the proxy IP from 192.168.1.1 to 192.168.2.1. Or did I understand wrong?

2010/4/21 Pablo Sebastian Greco <shorewall@fliagreco.com.ar>:
> If 192.168.1.x don't know about 192.168.2.x, they are forced to go
> through 192.168.1.1 (shorewall box), and since 192.168.2.10 only knows
> 192.168.2.1 (shorewall box), so everything should go through the
> shorewall box and still maintain its original IP
>
> Pablo.
Michael Weickel - iQom Business Services GmbH
2010-Apr-21 18:43 UTC
Re: Redirecting traffic to another host
GPO or SAMBA can help to distribute a new proxy IP in a second to all proxy clients (if you have such an environment); if not, manually is the only way.

Cheers
Mike

-----Original Message-----
From: Santiago Zarate [mailto:santiago@zarate.net.ve]
Sent: Wednesday, 21 April 2010 20:39
To: Shorewall Users
Subject: Re: [Shorewall-users] Redirecting traffic to another host

Yes, indeed... the problem is that it's kind of impossible to go to each PC and change the proxy IP from 192.168.1.1 to 192.168.2.1. Or did I understand wrong?

2010/4/21 Pablo Sebastian Greco <shorewall@fliagreco.com.ar>:
> If 192.168.1.x don't know about 192.168.2.x, they are forced to go
> through 192.168.1.1 (shorewall box), and since 192.168.2.10 only knows
> 192.168.2.1 (shorewall box), so everything should go through the
> shorewall box and still maintain its original IP
>
> Pablo.
2010/4/21 Tom Eastep <teastep@shorewall.net>:
> Pablo Sebastian Greco wrote:
>
>> If 192.168.1.x don't know about 192.168.2.x, they are forced to go
>> through 192.168.1.1 (shorewall box), and since 192.168.2.10 only knows
>> 192.168.2.1 (shorewall box), so everything should go through the
>> shorewall box and still maintain its original IP
>
> Ah -- the '2' wasn't just a typo :-)
>
> Given that Santiago is moaning about changing the IP address of the
> server *within the 192.168.1.0 network*, moving it to another separate
> network would undoubtedly make him really howl.
>
> I think a better approach would be to simply move 192.168.1.1 from the
> shorewall box to the server while leaving 192.168.1.10 as its primary
> address. Of course, that address might be used for other purposes
> besides the (wrong) proxy address, which would prevent that approach.

It's what I'm actually doing. :)

> -Tom
On 21/04/2010 15:38, Santiago Zarate wrote:
> Yes, indeed... the problem is that it's kind of impossible to go to
> each PC and change the proxy IP from 192.168.1.1 to 192.168.2.1. Or
> did I understand wrong?

If you do what I said, you don't have to change the configuration on each PC; DNAT is just enough.

Pablo.
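The two DNAT setups the thread argues about, written out as Shorewall file fragments. This is an added illustration, not configuration posted by anyone in the thread or taken from the Shorewall documentation; the interface names eth1 and eth2, the zone name dmz and the /24 masks are assumptions (the original rule wrote the LAN as 192.168.1.0/16). Variant A keeps the proxy where it is and needs the masq entry Tom's objection is about; variant B is Pablo's separate-subnet layout, which works with DNAT alone.

```text
# /etc/shorewall/interfaces
# routeback lets a packet that arrived on eth1 leave through eth1 again,
# which the same-subnet hairpin in variant A needs (eth1 is an assumed name).
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth1        detect      routeback

# /etc/shorewall/rules
# Variant A: proxy stays at 192.168.1.10 on the client subnet.
# Clients keep 192.168.1.1:3128 configured; the firewall rewrites the
# destination (DNAT) instead of REDIRECTing the connection to itself.
#ACTION   SOURCE   DEST                    PROTO   DEST     SOURCE    ORIGINAL
#                                                  PORT(S)  PORT(S)   DEST
DNAT      loc      loc:192.168.1.10:3128   tcp     3128     -         192.168.1.1

# /etc/shorewall/masq
# Variant A also needs this. Without it the proxy answers the client
# directly (same subnet, no gateway needed), the client sees a reply from
# 192.168.1.10 instead of 192.168.1.1 and discards it. Masquerading the
# forwarded connection makes the proxy reply to the firewall, which
# un-NATs it. Side effect: the proxy sees 192.168.1.1 as every client.
#INTERFACE   SOURCE
eth1         192.168.1.0/24

# Variant B (Pablo's layout): proxy moved to 192.168.2.10 on its own
# subnet behind the firewall (192.168.2.1 on eth2, zone dmz; both names
# assumed). Only the DNAT rule is needed, no masq entry: 192.168.1.0/24 is
# not directly connected to the proxy, so its replies must route via
# 192.168.2.1, the firewall un-NATs them, and the proxy logs real client
# addresses.
# /etc/shorewall/zones:      dmz   ipv4
# /etc/shorewall/interfaces: dmz   eth2   detect
# /etc/shorewall/rules:
#ACTION   SOURCE   DEST                    PROTO   DEST     SOURCE    ORIGINAL
#                                                  PORT(S)  PORT(S)   DEST
DNAT      loc      dmz:192.168.2.10:3128   tcp     3128     -         192.168.1.1
```

`shorewall check` validates the files before a restart, and `shorewall show nat` afterwards lists the generated DNAT and MASQUERADE entries so the rewritten destination can be confirmed. Two caveats for variant A: the proxy's access log and any client-IP based ACLs see 192.168.1.1 for every client, and nothing here stops a client from talking to 192.168.1.10:3128 directly, because the DNAT only rewrites connections aimed at 192.168.1.1.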