Vinicius R. Baenas
2012-May-08 14:52 UTC
Shorewall, TPROXY, Transparent Squid and Multiples ISP
Hello,

I wonder if someone could use TPROXY with Shorewall and transparent Squid together with the routing rules in Shorewall (tcrules) for hosts / networks (LAN) with multiple providers (WANs), directly from the internal network on port 80 (with TPROXY transparent Squid or REDIRECT).

On this issue, the routing rules do not work properly because the source is the firewall ($FW), not the hosts or networks (LAN).

My guess is the TPROXY interception (spoofing) is not working..

Thank you...
Tom Eastep
2012-May-08 15:04 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
On 05/08/2012 07:52 AM, Vinicius R. Baenas wrote:
>
> Hello,
>
> I wonder if someone could use TPROXY with Shorewall and transparent
> Squid together with the routing rules in Shorewall (tcrules) for hosts /
> networks (LAN) with multiple providers (WANs), directly from the
> internal network on port 80 (with TPROXY transparent Squid or REDIRECT).
>
> On this issue, the routing rules do not work properly because the
> source is the firewall ($FW), not the hosts or networks (LAN).
>
> My guess is the TPROXY interception (spoofing) is not working..

I use REDIRECT with multiple ISPs and it works fine.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Vinicius R. Baenas
2012-May-08 15:18 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
Yes, it is working, but it is balancing the providers on the Firewall Output... I need to apply routing rules depending on the source of the packets (like LAN address or IP)...

For this reason we are trying to use TPROXY, because according to the documentation of Squid and Shorewall, TPROXY keeps the original packet headers (spoofing), which in theory would allow me to use the Shorewall routing rules in tcrules according to source...

Is it possible to create this policy using Shorewall and REDIRECT without tcp_out_going in squid.conf, using only the Shorewall routing configuration (tcrules)?

Thank you...

On 08-05-2012 12:04, Tom Eastep wrote:
> On 05/08/2012 07:52 AM, Vinicius R. Baenas wrote:
>>
>> Hello,
>>
>> I wonder if someone could use TPROXY with Shorewall and transparent
>> Squid together with the routing rules in Shorewall (tcrules) for hosts /
>> networks (LAN) with multiple providers (WANs), directly from the
>> internal network on port 80 (with TPROXY transparent Squid or REDIRECT).
>>
>> On this issue, the routing rules do not work properly because the
>> source is the firewall ($FW), not the hosts or networks (LAN).
>>
>> My guess is the TPROXY interception (spoofing) is not working..
>
> I use REDIRECT with multiple ISPs and it works fine.
>
> -Tom
Vinicius R. Baenas
2012-May-08 15:19 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
Sorry for the HTML in the first message...

On 08-05-2012 12:04, Tom Eastep wrote:
> On 05/08/2012 07:52 AM, Vinicius R. Baenas wrote:
>>
>> Hello,
>>
>> I wonder if someone could use TPROXY with Shorewall and transparent
>> Squid together with the routing rules in Shorewall (tcrules) for hosts /
>> networks (LAN) with multiple providers (WANs), directly from the
>> internal network on port 80 (with TPROXY transparent Squid or REDIRECT).
>>
>> On this issue, the routing rules do not work properly because the
>> source is the firewall ($FW), not the hosts or networks (LAN).
>>
>> My guess is the TPROXY interception (spoofing) is not working..
>
> I use REDIRECT with multiple ISPs and it works fine.
>
> -Tom
Tom Eastep
2012-May-08 15:19 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
On 05/08/2012 07:52 AM, Vinicius R. Baenas wrote:
>
> Hello,
>
> I wonder if someone could use TPROXY with Shorewall and transparent
> Squid together with the routing rules in Shorewall (tcrules) for hosts /
> networks (LAN) with multiple providers (WANs), directly from the
> internal network on port 80 (with TPROXY transparent Squid or REDIRECT).
>
> On this issue, the routing rules do not work properly because the
> source is the firewall ($FW), not the hosts or networks (LAN).

I don't understand what you are trying to say there. It would probably be helpful if you would send me the output of 'shorewall dump' as an attachment and I'll take a look.

Thanks,
-Tom
Tom Eastep
2012-May-08 15:36 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
On 05/08/2012 08:18 AM, Vinicius R. Baenas wrote:
> Yes, it is working, but it is balancing the providers on the Firewall
> Output... I need to apply routing rules depending on the source of the
> packets (like LAN address or IP)...
>
> For this reason we are trying to use TPROXY, because according to the
> documentation of Squid and Shorewall, TPROXY keeps the original
> packet headers (spoofing), which in theory would allow me to use the
> Shorewall routing rules in tcrules according to source...
>
> Is it possible to create this policy using Shorewall and REDIRECT without
> tcp_out_going in squid.conf, using only the Shorewall routing
> configuration (tcrules)?

I don't see how. The original IP header is kept on the client<->Squid connection, but the outgoing connection from Squid to the net will have tcp_out_going as the source IP address.

-Tom
Pablo Sebastian Greco
2012-May-08 16:05 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
On 08/05/2012 12:36, Tom Eastep wrote:
> On 05/08/2012 08:18 AM, Vinicius R. Baenas wrote:
>> Yes, it is working, but it is balancing the providers on the Firewall
>> Output... I need to apply routing rules depending on the source of the
>> packets (like LAN address or IP)...
>>
>> For this reason we are trying to use TPROXY, because according to the
>> documentation of Squid and Shorewall, TPROXY keeps the original
>> packet headers (spoofing), which in theory would allow me to use the
>> Shorewall routing rules in tcrules according to source...
>>
>> Is it possible to create this policy using Shorewall and REDIRECT without
>> tcp_out_going in squid.conf, using only the Shorewall routing
>> configuration (tcrules)?
> I don't see how. The original IP header is kept on the client<->Squid
> connection, but the outgoing connection from Squid to the net will have
> tcp_out_going as the source IP address.
>
> -Tom

Since the idea of tproxy is keeping the original IP address, it should work without tcp_outgoing in squid.
Here's what I add to my shorewall/started to add tproxy.

    /sbin/ip rule del fwmark 0x1 lookup 100 2>/dev/null
    if [ -z "$SKIPSQUID" ];then
        /sbin/ip rule add fwmark 0x1 lookup 100 2>/dev/null
        /sbin/ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
        run_iptables -t mangle -N DIVERT
        run_iptables -t mangle -A DIVERT -j MARK --set-mark 1
        run_iptables -t mangle -A DIVERT -j ACCEPT
        run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
        run_iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
        run_iptables -t mangle -N excltproxy
        #destination addresses to skip
        run_iptables -t mangle -A excltproxy -d x.x.x.x -j RETURN
        #source addresses to skip
        run_iptables -t mangle -A excltproxy -s y.y.y.y -j RETURN
        #skip local addresses as destination
        run_iptables -t mangle -A excltproxy -d x.x.x.x/24 -j RETURN
        #tproxy
        run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
        #send port 80 to tproxy
        run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
    fi;

The SKIPSQUID shell variable is to test things with or without tproxy, but without touching the config: SKIPSQUID=1 shorewall restart will give you the standard config, without tproxy.

Hope it helps.

Pablo.
Vinicius R. Baenas
2012-May-08 18:08 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
Thank you Tom... Is it the only method? (using tcp_outgoing_address)

Regards,

On 08-05-2012 12:36, Tom Eastep wrote:
> On 05/08/2012 08:18 AM, Vinicius R. Baenas wrote:
>> Yes, it is working, but it is balancing the providers on the Firewall
>> Output... I need to apply routing rules depending on the source of the
>> packets (like LAN address or IP)...
>>
>> For this reason we are trying to use TPROXY, because according to the
>> documentation of Squid and Shorewall, TPROXY keeps the original
>> packet headers (spoofing), which in theory would allow me to use the
>> Shorewall routing rules in tcrules according to source...
>>
>> Is it possible to create this policy using Shorewall and REDIRECT without
>> tcp_out_going in squid.conf, using only the Shorewall routing
>> configuration (tcrules)?
>
> I don't see how. The original IP header is kept on the client<->Squid
> connection, but the outgoing connection from Squid to the net will have
> tcp_out_going as the source IP address.
>
> -Tom
Vinicius R. Baenas
2012-May-09 13:17 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
Hello Pablo.

I need to tell Shorewall in which mark/ISP (in /etc/shorewall/providers) the packet will go, depending on the source host or network or destination (I will make rules for them and apply them on the Shorewall).

The problem is the transparent Squid running on the firewall ($FW) host. The Squid is indispensable because the lab has access restrictions and policy.

In this way, if I make any rule on the firewall from a host and specify a destination on port 80 to make it go through a determined outgoing IP (using Shorewall's tcrules file and marks), it doesn't work since all packets on port 80 are redirected to Squid and the source is always the firewall ($FW) and not the host in the lab accessing the websites.

I tried to mark outgoing packets with the providers' marks (in /etc/shorewall/providers) on the firewall host ($FW) in the tcout chain, but that also doesn't work.

I would like to centralize all the route configuration on the Shorewall, doing it with marks and providers.

In your example, the packet mark ( -j MARK --set-mark ) is "1" and the tproxy mark ( -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1 ) is also "1".

I also tried to create a DIVERT chain to create rules and set the mark to a provider (from /etc/shorewall/providers) according to the source and destination IP of the packet and to set the tproxy-mark for TPROXY. It didn't work.

Thank you in advance...

On 08-05-2012 13:05, Pablo Sebastian Greco wrote:
> On 08/05/2012 12:36, Tom Eastep wrote:
>> On 05/08/2012 08:18 AM, Vinicius R. Baenas wrote:
>>> Yes, it is working, but it is balancing the providers on the Firewall
>>> Output... I need to apply routing rules depending on the source of the
>>> packets (like LAN address or IP)...
>>>
>>> For this reason we are trying to use TPROXY, because according to the
>>> documentation of Squid and Shorewall, TPROXY keeps the original
>>> packet headers (spoofing), which in theory would allow me to use the
>>> Shorewall routing rules in tcrules according to source...
>>>
>>> Is it possible to create this policy using Shorewall and REDIRECT without
>>> tcp_out_going in squid.conf, using only the Shorewall routing
>>> configuration (tcrules)?
>> I don't see how. The original IP header is kept on the client<->Squid
>> connection, but the outgoing connection from Squid to the net will have
>> tcp_out_going as the source IP address.
>>
>> -Tom
> Since the idea of tproxy is keeping the original IP address, it should work
> without tcp_outgoing in squid.
> Here's what I add to my shorewall/started to add tproxy.
>
> /sbin/ip rule del fwmark 0x1 lookup 100 2>/dev/null
> if [ -z "$SKIPSQUID" ];then
>     /sbin/ip rule add fwmark 0x1 lookup 100 2>/dev/null
>     /sbin/ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
>     run_iptables -t mangle -N DIVERT
>     run_iptables -t mangle -A DIVERT -j MARK --set-mark 1
>     run_iptables -t mangle -A DIVERT -j ACCEPT
>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>     run_iptables -t mangle -N excltproxy
>     #destination addresses to skip
>     run_iptables -t mangle -A excltproxy -d x.x.x.x -j RETURN
>     #source addresses to skip
>     run_iptables -t mangle -A excltproxy -s y.y.y.y -j RETURN
>     #skip local addresses as destination
>     run_iptables -t mangle -A excltproxy -d x.x.x.x/24 -j RETURN
>     #tproxy
>     run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
>     #send port 80 to tproxy
>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
> fi;
>
> The SKIPSQUID shell variable is to test things with or without tproxy,
> but without touching the config: SKIPSQUID=1 shorewall restart will give
> you the standard config, without tproxy.
>
> Hope it helps.
>
> Pablo.
Pablo Sebastian Greco
2012-May-09 13:59 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
On 09/05/2012 10:17, Vinicius R. Baenas wrote:
> Hello Pablo.
>
> I need to tell Shorewall in which mark/ISP (in /etc/shorewall/providers)
> the packet will go, depending on the source host or network or
> destination (I will make rules for them and apply them on the Shorewall).
>
> The problem is the transparent Squid running on the firewall ($FW) host.
> The Squid is indispensable because the lab has access restrictions and
> policy.
> In this way, if I make any rule on the firewall from a host and specify
> a destination on port 80 to make it go through a determined outgoing IP
> (using Shorewall's tcrules file and marks), it doesn't work since all
> packets on port 80 are redirected to Squid and the source is always the
> firewall ($FW) and not the host in the lab accessing the websites.

That is correct for redirect, but in the tproxy case, the source address coming out of squid is the client's ip, so rules should still apply.

> I tried to mark outgoing packets with the providers' marks (in
> /etc/shorewall/providers) on the firewall host ($FW) in the tcout chain,
> but that also doesn't work.
> I would like to centralize all the route configuration on the
> Shorewall, doing it with marks and providers.
>
> In your example, the packet mark ( -j MARK --set-mark ) is "1" and the
> tproxy mark ( -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1 ) is also "1".

Exactly, both should be the same mark. I guess you could use a mask mark so it doesn't interfere with shorewall's providers marks, but I've never tested it.

> I also tried to create a DIVERT chain to create rules and set the mark to
> a provider (from /etc/shorewall/providers) according to the source and
> destination IP of the packet and to set the tproxy-mark for TPROXY.
> It didn't work.

The divert chain is mandatory according to the tproxy documentation, and it doesn't need anything else than a mark matching the tproxy-mark.

> Thank you in advance...
>
> On 08-05-2012 13:05, Pablo Sebastian Greco wrote:
>> On 08/05/2012 12:36, Tom Eastep wrote:
>>> On 05/08/2012 08:18 AM, Vinicius R. Baenas wrote:
>>>> Yes, it is working, but it is balancing the providers on the Firewall
>>>> Output... I need to apply routing rules depending on the source of the
>>>> packets (like LAN address or IP)...
>>>>
>>>> For this reason we are trying to use TPROXY, because according to the
>>>> documentation of Squid and Shorewall, TPROXY keeps the original
>>>> packet headers (spoofing), which in theory would allow me to use the
>>>> Shorewall routing rules in tcrules according to source...
>>>>
>>>> Is it possible to create this policy using Shorewall and REDIRECT without
>>>> tcp_out_going in squid.conf, using only the Shorewall routing
>>>> configuration (tcrules)?
>>> I don't see how. The original IP header is kept on the client<->Squid
>>> connection, but the outgoing connection from Squid to the net will have
>>> tcp_out_going as the source IP address.
>>>
>>> -Tom
>> Since the idea of tproxy is keeping the original IP address, it should work
>> without tcp_outgoing in squid.
>> Here's what I add to my shorewall/started to add tproxy.
>>
>> /sbin/ip rule del fwmark 0x1 lookup 100 2>/dev/null
>> if [ -z "$SKIPSQUID" ];then
>>     /sbin/ip rule add fwmark 0x1 lookup 100 2>/dev/null
>>     /sbin/ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
>>     run_iptables -t mangle -N DIVERT
>>     run_iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>     run_iptables -t mangle -A DIVERT -j ACCEPT
>>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>>     run_iptables -t mangle -N excltproxy
>>     #destination addresses to skip
>>     run_iptables -t mangle -A excltproxy -d x.x.x.x -j RETURN
>>     #source addresses to skip
>>     run_iptables -t mangle -A excltproxy -s y.y.y.y -j RETURN
>>     #skip local addresses as destination
>>     run_iptables -t mangle -A excltproxy -d x.x.x.x/24 -j RETURN
>>     #tproxy
>>     run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
>>     #send port 80 to tproxy
>>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
>> fi;
>>
>> The SKIPSQUID shell variable is to test things with or without tproxy,
>> but without touching the config: SKIPSQUID=1 shorewall restart will give
>> you the standard config, without tproxy.
>>
>> Hope it helps.
>>
>> Pablo.
Tom Eastep
2012-May-09 14:02 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
On 05/09/2012 06:17 AM, Vinicius R. Baenas wrote:
> Hello Pablo.
>
> I need to tell Shorewall in which mark/ISP (in /etc/shorewall/providers)
> the packet will go, depending on the source host or network or
> destination (I will make rules for them and apply them on the Shorewall).
>
> The problem is the transparent Squid running on the firewall ($FW) host.
> The Squid is indispensable because the lab has access restrictions and
> policy.
>
> In this way, if I make any rule on the firewall from a host and specify
> a destination on port 80 to make it go through a determined outgoing IP
> (using Shorewall's tcrules file and marks), it doesn't work since all
> packets on port 80 are redirected to Squid and the source is always the
> firewall ($FW) and not the host in the lab accessing the websites.
>
> I tried to mark outgoing packets with the providers' marks (in
> /etc/shorewall/providers) on the firewall host ($FW) in the tcout chain,
> but that also doesn't work.
>
> I would like to centralize all the route configuration on the
> Shorewall, doing it with marks and providers.
>
> In your example, the packet mark ( -j MARK --set-mark ) is "1" and the
> tproxy mark ( -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1 ) is also "1".
>
> I also tried to create a DIVERT chain to create rules and set the mark to
> a provider (from /etc/shorewall/providers) according to the source and
> destination IP of the packet and to set the tproxy-mark for TPROXY.
> It didn't work.

If you are running Squid 3.2 or later, you can:

- set clientside_mark=Yes in squid.conf
- Use REDIRECT rather than TPROXY
- Mark TCP port 80 packets in the PREROUTING chain
- The outgoing packets from Squid->net will have the same mark value as the incoming loc->fw packets.

I haven't personally tried that as I am running Squid 2.y so YMMV.

-Tom
Stephane Chazelas
2012-May-09 15:07 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
2012-05-08 13:05:14 -0300, Pablo Sebastian Greco:
[...]
> Since the idea of tproxy is keeping the original IP address, it should work
> without tcp_outgoing in squid.
> Here's what I add to my shorewall/started to add tproxy.
>
> /sbin/ip rule del fwmark 0x1 lookup 100 2>/dev/null
> if [ -z "$SKIPSQUID" ];then
>     /sbin/ip rule add fwmark 0x1 lookup 100 2>/dev/null
>     /sbin/ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
>     run_iptables -t mangle -N DIVERT
>     run_iptables -t mangle -A DIVERT -j MARK --set-mark 1
>     run_iptables -t mangle -A DIVERT -j ACCEPT
>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>     run_iptables -t mangle -N excltproxy
>     #destination addresses to skip
>     run_iptables -t mangle -A excltproxy -d x.x.x.x -j RETURN
>     #source addresses to skip
>     run_iptables -t mangle -A excltproxy -s y.y.y.y -j RETURN
>     #skip local addresses as destination
>     run_iptables -t mangle -A excltproxy -d x.x.x.x/24 -j RETURN
>     #tproxy
>     run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
>     #send port 80 to tproxy
>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
> fi;
[...]

Hi Pablo,

this seems to answer a few of the questions I asked in the other thread I just started (confusions over TPROXY).

A few questions though:
- why the !SYN check above? If "socket" matches on a SYN packet (retransmission?), where's the harm in marking it for local delivery?
- as in the other thread, what about packets with an 80 dport where 80 is the /client/ port (OK, client ports are generally not <1024, but let's say we want a transparent proxy for port 8080 now)?
- wouldn't the "-j ACCEPT" above potentially bypass some other shorewall rules?

Thanks for helping lift some of my confusion here,
Stephane
Pablo Sebastian Greco
2012-May-09 20:56 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
On 09/05/2012 12:07, Stephane Chazelas wrote:
> 2012-05-08 13:05:14 -0300, Pablo Sebastian Greco:
> [...]
>> Since the idea of tproxy is keeping the original IP address, it should work
>> without tcp_outgoing in squid.
>> Here's what I add to my shorewall/started to add tproxy.
>>
>> /sbin/ip rule del fwmark 0x1 lookup 100 2>/dev/null
>> if [ -z "$SKIPSQUID" ];then
>>     /sbin/ip rule add fwmark 0x1 lookup 100 2>/dev/null
>>     /sbin/ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
>>     run_iptables -t mangle -N DIVERT
>>     run_iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>     run_iptables -t mangle -A DIVERT -j ACCEPT
>>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>>     run_iptables -t mangle -N excltproxy
>>     #destination addresses to skip
>>     run_iptables -t mangle -A excltproxy -d x.x.x.x -j RETURN
>>     #source addresses to skip
>>     run_iptables -t mangle -A excltproxy -s y.y.y.y -j RETURN
>>     #skip local addresses as destination
>>     run_iptables -t mangle -A excltproxy -d x.x.x.x/24 -j RETURN
>>     #tproxy
>>     run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
>>     #send port 80 to tproxy
>>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
>> fi;
> [...]
>
> Hi Pablo,
>
> this seems to answer a few of the questions I asked in the other
> thread I just started (confusions over TPROXY).
>
> A few questions though:
> - why the !SYN check above? If "socket" matches on a SYN
> packet (retransmission?), where's the harm in marking it for
> local delivery?

I'm trying to find where I got that "optimization" from, and I can't, so I don't really have an explanation. Just that I got it from an example from someone on either the tproxy or squid lists.

> - as in the other thread, what about packets with an 80 dport
> where 80 is the /client/ port (OK, client ports are generally
> not <1024, but let's say we want a transparent proxy for port
> 8080 now)?
> - wouldn't the "-j ACCEPT" above potentially bypass some other
> shorewall rules?

I don't think so, since only tproxy packets should match the socket check. The original rule was iptables -A PREROUTING -m socket -j DIVERT; I just added the port check to lower the amount of socket checks, in order to improve performance.

> Thanks for helping lift some of my confusion here,
> Stephane
Stephane Chazelas
2012-May-10 12:59 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
2012-05-09 16:07:44 +0100, Stephane Chazelas:
[...]
> > /sbin/ip rule add fwmark 0x1 lookup 100 2>/dev/null

Here, you're checking the mark value to be 1, not only the first bit to be one.

> > /sbin/ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
> > run_iptables -t mangle -N DIVERT
> > run_iptables -t mangle -A DIVERT -j MARK --set-mark 1

Here you're clearing all the mark bits and setting the first one.

> > run_iptables -t mangle -A DIVERT -j ACCEPT
> > run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 !
> > --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
> > run_iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 !
> > --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
> > run_iptables -t mangle -N excltproxy
> > #destination addresses to skip
> > run_iptables -t mangle -A excltproxy -d x.x.x.x -j RETURN
> > #source addresses to skip
> > run_iptables -t mangle -A excltproxy -s y.y.y.y -j RETURN
> > #skip local addresses as destination
> > run_iptables -t mangle -A excltproxy -d x.x.x.x/24 -j RETURN
> > #tproxy
> > run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port
> > 3128 --tproxy-mark 0x1/0x1

Here, you're only setting the first mark bit.

> > #send port 80 to tproxy
> > run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80
> > -j excltproxy
> > fi;
> [...]
[...]
> - as in the other thread, what about packets with a 80 dport
> where 80 is the /client/ port (OK, client ports are generally
> not <1024, but let's say we want a transparent proxy for port
> 8080 now)?
[...]

Hi,

I did some tests this morning and indeed it can be a problem, though probably not in most cases where you don't expect connections through the firewall to clients behind the proxy.

Here is what I've come up with here. Please let me know what you think.

We're switching from REDIRECT to TPROXY, in order to have more useful ULOG output where the client IP headers are preserved to forward to an IDS.

In my setup here, I've got a few zones where transparent proxying (with antivirus) is enabled for HTTP requests to the internet on ports 80 and 8080.

Here is the "started" file based on Pablo's one and with my modifications to address some of the issues I was referring to.

################################################################
/sbin/ip rule del fwmark 1/1 lookup 100 2>/dev/null
/sbin/ip route flush table 100 2>/dev/null
if [ -z "$SKIPSQUID" ];then
  /sbin/ip rule add fwmark 1/1 lookup 100
  /sbin/ip route add local 0.0.0.0/0 dev lo table 100
  run_iptables -t mangle -A PREROUTING -i "$IF_WAN" -m socket --transparent -j MARK --set-mark 1/1
  run_iptables -t mangle -N excltproxy
  #skip local addresses as destination
  run_iptables -t mangle -A excltproxy -d x.x.x.x/y -j RETURN
  #tproxy
  run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3129 --tproxy-mark 1/1
  #send port 80,8080 to tproxy
  for zone in "$IF_ZONE1" "$IF_ZONE2"; do
    run_iptables -t mangle -A PREROUTING -i "$zone" -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,8080 -j CONNMARK --set-mark 1/1
    run_iptables -t mangle -A PREROUTING -i "$zone" -m connmark --mark 1/1 -j excltproxy
  done
fi
################################################################

And in the rules file, I have:

################################################################
${ACCEPT_IF_PROXYING}   ZONE1   $FW   tcp   80   -   -   -   -   1/1
${ACCEPT_IF_PROXYING}   ZONE2   $FW   tcp   80   -   -   -   -   1/1
COMMENT
################################################################

And in the params file:

################################################################
if [ -z "$SKIPSQUID" ]; then
  ACCEPT_IF_PROXYING=ACCEPT
else
  ACCEPT_IF_PROXYING=COMMENT
fi
################################################################

Important notes:

- I'm only modifying and checking bit 1 of the fwmark and connmark
- Only TCP connections initiated as an HTTP request are tproxied (using conntrack)
- only packets from the client zones are potentially tproxied
- only packets from the WAN zone are checked against a local *transparent* socket
- in "rules", only accept connections if marked (as otherwise, you would end up accepting non-tproxied ones).

There's still one bit I'm not clear on:

Shorewall clears the marks in mangle/FORWARD (FORWARD_CLEAR_MARK setting), and according to http://www.faqs.org/docs/iptables/traversingoftables.html#TABLE.FORWARDEDPACKETS this happens *before* filter/FORWARD, so my rule in "rules" shouldn't match. But still it does, otherwise it wouldn't work at all. Anybody has any insight on that? (I'm on Linux 2.6.32).

--
Stephane
Tom Eastep
2012-May-10 13:43 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
On 05/10/2012 05:59 AM, Stephane Chazelas wrote:
>
> There's still one bit I'm not clear on:
>
> Shorewall clears the marks in mangle/FORWARD (FORWARD_CLEAR_MARK
> setting), and according to
> http://www.faqs.org/docs/iptables/traversingoftables.html#TABLE.FORWARDEDPACKETS
> this happens *before* filter/FORWARD, so my rule in "rules"
> shouldn't match. But still it does, otherwise it wouldn't work
> at all. Anybody has any insight on that? (I'm on Linux 2.6.32).
>

FORWARD_CLEAR_MARK only clears the routing part of the mark. So if you have HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET > 0 in later Shorewall versions), then the low-order bit will not be cleared.

-Tom
Stephane Chazelas
2012-May-10 15:22 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
2012-05-10 06:43:18 -0700, Tom Eastep:
> On 05/10/2012 05:59 AM, Stephane Chazelas wrote:
> >
> > There's still one bit I'm not clear on:
> >
> > Shorewall clears the marks in mangle/FORWARD (FORWARD_CLEAR_MARK
> > setting), and according to
> > http://www.faqs.org/docs/iptables/traversingoftables.html#TABLE.FORWARDEDPACKETS
> > this happens *before* filter/FORWARD, so my rule in "rules"
> > shouldn't match. But still it does, otherwise it wouldn't work
> > at all. Anybody has any insight on that? (I'm on Linux 2.6.32).
> >
>
> FORWARD_CLEAR_MARK only clears the routing part of the mark. So if you
> have HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET > 0 in later Shorewall
> versions), then the low-order bit will not be cleared.
[...]

Thanks,

but I do see:

*mangle
[...]
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
[...]

in iptables-save output, so that would mean clearing lower marks.

# grep HIGH shorewall.conf
HIGH_ROUTE_MARKS=No

And yet, it still works.

--
Stephane (confused)
Tom Eastep
2012-May-10 17:16 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
On 05/10/2012 08:22 AM, Stephane Chazelas wrote:
> 2012-05-10 06:43:18 -0700, Tom Eastep:
>> On 05/10/2012 05:59 AM, Stephane Chazelas wrote:
>>
>>>
>>> There's still one bit I'm not clear on:
>>>
>>> Shorewall clears the marks in mangle/FORWARD (FORWARD_CLEAR_MARK
>>> setting), and according to
>>> http://www.faqs.org/docs/iptables/traversingoftables.html#TABLE.FORWARDEDPACKETS
>>> this happens *before* filter/FORWARD, so my rule in "rules"
>>> shouldn't match. But still it does, otherwise it wouldn't work
>>> at all. Anybody has any insight on that? (I'm on Linux 2.6.32).
>>>
>>
>> FORWARD_CLEAR_MARK only clears the routing part of the mark. So if you
>> have HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET > 0 in later Shorewall
>> versions), then the low-order bit will not be cleared.
> [...]
>
> Thanks,
>
> but I do see:
>
> *mangle
> [...]
> -A FORWARD -j MARK --set-xmark 0x0/0xff
> -A FORWARD -j tcfor
> [...]
>
> in iptables-save output, so that would mean clearing lower marks.
>
> # grep HIGH shorewall.conf
> HIGH_ROUTE_MARKS=No
>
> And yet, it still works.

I can't comment further without seeing the output of 'shorewall dump'.

-Tom
Tom Eastep
2012-May-10 18:22 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
On 05/10/2012 10:16 AM, Tom Eastep wrote:
> On 05/10/2012 08:22 AM, Stephane Chazelas wrote:
>> 2012-05-10 06:43:18 -0700, Tom Eastep:
>>> On 05/10/2012 05:59 AM, Stephane Chazelas wrote:
>>>
>>>>
>>>> There's still one bit I'm not clear on:
>>>>
>>>> Shorewall clears the marks in mangle/FORWARD (FORWARD_CLEAR_MARK
>>>> setting), and according to
>>>> http://www.faqs.org/docs/iptables/traversingoftables.html#TABLE.FORWARDEDPACKETS
>>>> this happens *before* filter/FORWARD, so my rule in "rules"
>>>> shouldn't match. But still it does, otherwise it wouldn't work
>>>> at all. Anybody has any insight on that? (I'm on Linux 2.6.32).
>>>>
>>>
>>> FORWARD_CLEAR_MARK only clears the routing part of the mark. So if you
>>> have HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET > 0 in later Shorewall
>>> versions), then the low-order bit will not be cleared.
>> [...]
>>
>> Thanks,
>>
>> but I do see:
>>
>> *mangle
>> [...]
>> -A FORWARD -j MARK --set-xmark 0x0/0xff
>> -A FORWARD -j tcfor
>> [...]
>>
>> in iptables-save output, so that would mean clearing lower marks.
>>
>> # grep HIGH shorewall.conf
>> HIGH_ROUTE_MARKS=No
>>
>> And yet, it still works.
>
> I can't comment further without seeing the output of 'shorewall dump'.

Ah -- your rules are in INPUT and OUTPUT, not in FORWARD.

-Tom
Stephane Chazelas
2012-May-10 18:31 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
2012-05-10 16:22:33 +0100, Stephane Chazelas:
[...]
> > > Shorewall clears the marks in mangle/FORWARD (FORWARD_CLEAR_MARK
> > > setting), and according to
> > > http://www.faqs.org/docs/iptables/traversingoftables.html#TABLE.FORWARDEDPACKETS
> > > this happens *before* filter/FORWARD, so my rule in "rules"
> > > shouldn't match. But still it does, otherwise it wouldn't work
> > > at all. Anybody has any insight on that? (I'm on Linux 2.6.32).
[...]

OK, I see what's going on. The packets that are TPROXYd never enter the mangle/FORWARD chain, so the mark is never cleared, which explains why it works.

I just added a -t mangle -I FORWARD -m mark --mark 1/1 rule and it doesn't get any hit.

--
Stephane
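The mark/mask points raised across this thread (Stephane's remarks on "fwmark 0x1" versus "fwmark 1/1" and "--set-mark 1" versus "--tproxy-mark 0x1/0x1", Tom's note on FORWARD_CLEAR_MARK, and the "--set-xmark 0x0/0xff" rule seen in iptables-save) all come down to the same bit arithmetic. The script below is an added illustration, not code from any post in this thread: it models that arithmetic in plain shell so the behaviour can be checked without touching iptables. The provider mark 0x100 with mask 0xff00 used in the walk-through is a constructed example value, not something taken from the thread.

```shell
# Added illustration (not from the thread): shell arithmetic modelling how
# netfilter value/mask marks behave.
#   --set-mark V                         new = V           (mask defaults to 0xffffffff)
#   --set-mark V/M, --set-xmark V/M,
#   --tproxy-mark V/M, CONNMARK --set-mark V/M
#                                        new = (old & ~M) | (V & M)
#   ip rule fwmark V/M, -m mark --mark V/M, -m connmark --mark V/M
#                                        match when (mark & M) == (V & M)
# Marks are printed in hex; any integer syntax the shell accepts is fine as input.

# apply_xmark OLD VALUE [MASK]: the mark left on a packet by a MARK-style target.
# With no mask the whole 32-bit mark is replaced, which is why "--set-mark 1"
# wipes a provider (routing) mark that tcrules already put on the packet.
apply_xmark() {
    _old=$1; _val=$2; _mask=${3:-0xffffffff}
    printf '0x%x\n' $(( (_old & ~_mask) | (_val & _mask) ))
}

# fwmark_matches MARK VALUE [MASK]: true when "ip rule ... fwmark VALUE/MASK"
# (or "-m mark --mark VALUE/MASK") selects a packet carrying MARK.
# Without a mask the comparison is exact: "fwmark 0x1" does not match a packet
# whose mark also carries routing bits, whereas "fwmark 1/1" does.
fwmark_matches() {
    _mark=$1; _val=$2; _mask=${3:-0xffffffff}
    [ $(( _mark & _mask )) -eq $(( _val & _mask )) ]
}

# forward_clear_mark MARK: the FORWARD_CLEAR_MARK rule as it appeared in
# Stephane's iptables-save output, "-A FORWARD -j MARK --set-xmark 0x0/0xff".
# It zeroes the low byte, so a tproxy flag kept in bit 1 would be lost by any
# packet that actually traverses mangle/FORWARD.
forward_clear_mark() {
    apply_xmark "$1" 0x0 0xff
}

# Walk-through for one client packet. The provider mark 0x100/0xff00 is a
# constructed value for the illustration (an assumption, not from the thread).
demo() {
    m=$(apply_xmark 0x0 0x100 0xff00)          # routing mark set by tcrules
    m=$(apply_xmark "$m" 1 1)                  # --tproxy-mark 1/1 keeps the routing bits
    echo "after --tproxy-mark 1/1:        $m"
    echo "after --set-mark 1 instead:     $(apply_xmark 0x100 1)   (routing mark wiped)"
    if fwmark_matches "$m" 0x1; then
        echo "ip rule fwmark 0x1 matches"
    else
        echo "ip rule fwmark 0x1 does not match (exact compare)"
    fi
    fwmark_matches "$m" 1 1 && echo "ip rule fwmark 1/1 matches"
    echo "if it hit FORWARD_CLEAR_MARK:   $(forward_clear_mark "$m")   (bit 1 gone)"
    echo "TPROXYd packets are delivered locally and never enter FORWARD, so the clear never applies to them."
}

demo
```

The last line of the walk-through is the point the thread arrives at: with HIGH_ROUTE_MARKS=No the 0x0/0xff clear would indeed erase bit 1, but only for packets that are forwarded; TPROXYd packets take the INPUT path, so the mark survives to the filter rule.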
Stephane Chazelas
2012-May-11 10:09 UTC
Re: Shorewall, TPROXY, Transparent Squid and Multiples ISP
2012-05-10 11:22:56 -0700, Tom Eastep:
[...]
> >>>> There's still one bit I'm not clear on:
> >>>>
> >>>> Shorewall clears the marks in mangle/FORWARD (FORWARD_CLEAR_MARK
> >>>> setting), and according to
> >>>> http://www.faqs.org/docs/iptables/traversingoftables.html#TABLE.FORWARDEDPACKETS
> >>>> this happens *before* filter/FORWARD, so my rule in "rules"
> >>>> shouldn't match. But still it does, otherwise it wouldn't work
> >>>> at all. Anybody has any insight on that? (I'm on Linux 2.6.32).
[...]
> Ah -- your rules are in INPUT and OUTPUT, not in FORWARD.
[...]

Thanks. Of course, what was I thinking. Those packets are not forwarded and the filter rule I was looking at wasn't in FORWARD at all (dest zone $FW). Not sure what got into my head.

Sorry about that.

Stephane