I have been setting up a router for ipv6 using Hurricane as my provider.
Ultimately I want to use dansguardian on this but my first step has been to
set up squid3 as a transparent tproxy.

This is working for ipv4 using shorewall and redirect.

Of course, shorewall6 doesn't use redirect and I've followed the
documentation to set up the transparent proxy using tproxy in shorewall6.

This test network does have a lot of interfaces on it; it's a development
system. Virtually everything is working smoothly with respect to ipv6; all
the networks route to the internet and to each other fine. The only problem
I have now is that the tproxy settings in shorewall6 seem to be completely
ignored.

I am seeing some things in the squid logs which make me think that something
is happening, e.g. when the test VM goes to www.google.com:

1356083809.137 670 10.0.0.100 TCP_MISS/204 301 GET http://clients1.google.com/generate_204 - DIRECT/2607:f8b0:4007:801::1001 text/html

Where 10.0.0.100 is the ipv4 address of the test VM. But there aren't
nearly enough hits to reflect real proxying, and when I observe with tcpdump
there's a lot more. Also a ping to google.com does go to the ipv6 address.

When I go to http://test-ipv6.com I get 10/10 but I only see ipv4 traffic in
the squid logs.

Tcpdump on port 80 shows all the ipv6 traffic shooting straight through to
the internet from the test VM.

Here are the relevant file contents:
interfaces:
- lo - -
dmz eth3 detect tcpflags,forward=1,nosmurfs
lan eth0 detect tcpflags,forward=1,nosmurfs
out he-ipv6 detect tcpflags,forward=1,nosmurfs
virt eth1 detect tcpflags,forward=1,nosmurfs
virt2 eth4 detect tcpflags,forward=1,nosmurfs
zones:
fw firewall
dmz ipv6
lan ipv6
out ipv6
virt ipv6
virt2 ipv6
tcrules:
FORMAT 2
DIVERT he-ipv6 :: tcp - 80
TPROXY(3128,::1) eth1 :: tcp 80
#TPROXY(3128) eth1 :: tcp 80
# Neither of the above lines work
rules:
ACCEPT any out
ACCEPT virt $FW tcp 80
ACCEPT virt2 $FW tcp 80
ACCEPT lan $FW tcp 80
ACCEPT $FW out tcp 80
ACCEPT any $FW 41
ACCEPT any any ipv6-icmp
Ping(ACCEPT) any any
ACCEPT dmz any
ACCEPT lan any
ACCEPT virt any
ACCEPT virt2 any
ACCEPT lan any
ACCEPT virt:<2001:470:f06b:1::1> out
ACCEPT virt2:<2001:470:f06b:4::4> out
ACCEPT lan:<2001:470:f06b:F::F> out
policy:
dmz fw ACCEPT
dmz lan REJECT info
dmz out ACCEPT
dmz virt REJECT info
dmz virt2 REJECT info
lan dmz REJECT info
lan fw ACCEPT
lan out ACCEPT
lan virt ACCEPT
lan virt2 ACCEPT
virt dmz REJECT info
virt fw ACCEPT
virt lan ACCEPT
virt out ACCEPT
virt virt2 ACCEPT
virt2 dmz REJECT info
virt2 fw ACCEPT
virt2 lan ACCEPT
virt2 out ACCEPT
virt2 virt ACCEPT
fw all ACCEPT
out all REJECT info
tunnels:
generic:41 out 2001:470:c:1fd::2
Here is info requested on the shorewall help page:
# /sbin/shorewall version
4.5.10
# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:f06b:f::f/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe19:428e/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:f06b:1::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe19:4298/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 fe80::20c:29ff:fe19:42a2/64 scope link
valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:f06b:3::3/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb7:4057/64 scope link
valid_lft forever preferred_lft forever
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:f06b:4::4/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb7:3925/64 scope link
valid_lft forever preferred_lft forever
8: he-ipv6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480
inet6 2001:470:c:1fd::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a04:1/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::ac10:63/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::7965:b226/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::a00:1/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::c0a8:163/64 scope link
valid_lft forever preferred_lft forever
# ip -6 route show
2001:470:c:1fd::/64 via :: dev he-ipv6 proto kernel metric 256
2001:470:f06b:1::/64 dev eth1 proto kernel metric 256
2001:470:f06b:3::/64 dev eth3 proto kernel metric 256
2001:470:f06b:4::/64 dev eth4 proto kernel metric 256
2001:470:f06b:f::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev eth4 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth3 proto kernel metric 256
fe80::/64 via :: dev he-ipv6 proto kernel metric 256
default dev he-ipv6 metric 1024
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
On 12/21/2012 02:04 AM, Steve Wray wrote:
> tcrules:
>
> FORMAT 2
> DIVERT he-ipv6 :: tcp - 80
> TPROXY(3128,::1) eth1 :: tcp 80
> #TPROXY(3128) eth1 :: tcp 80
>
> # Neither of the above lines work

Is Squid really listening on port 3128 for IPv6 TPROXY? That's normally the
intercept port (for REDIRECT) and 3129 is used for TPROXY.

If that isn't the issue, please forward the output of 'shorewall6 dump' as a
compressed attachment.

Thanks,
-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
Thanks for getting back to me.

The squid config has:

http_port 3128 tproxy
http_port 3129 transparent

netstat shows:

tcp        0      0 0.0.0.0:3129            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::3128                 :::*                    LISTEN      -

I didn't realise there was a convention regarding which ports squid listens
on for what.

Also, if squid wasn't listening on the port I'd set in the Shorewall config,
wouldn't the web pages just completely fail to load instead of passing
through to the sites?

I also notice some other odd things:

When I go to test-ipv6.com it says I'm going through a proxy:
"Your IPv6 address on the public internet appears to be 2001:xxx:x:xxx::x
Proxied via: 1.1 router1.xxxx (squid/3.1.19)"
Where the IP address is correct for our ipv6 tunnel.

When I go to v6.testmyipv6.com it gives my IP address as the address of the
test VM (windows 7, chrome).
When I go to ds.testmyipv6.com it gives my IP address as the address of my
router.

In the case of the pure ipv6 test there is nothing in the squid log. In the
case of the dual stack test there are entries in the squid log.

I'm guessing that test-ipv6.com is doing a dual stack test.

Shorewall6 dump output attached.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, 21 December 2012 11:36 p.m.
To: Shorewall Users
Subject: Re: [Shorewall-users] shorewall6 seems to be ignoring tproxy

> Is Squid really listening on port 3128 for IPv6 TPROXY? That's normally the
> intercept port (for REDIRECT) and 3129 is used for TPROXY.
>
> If that isn't the issue, please forward the output of 'shorewall6 dump'
> as a compressed attachment.
>
> Thanks,
> -Tom
On 12/23/2012 06:02 PM, Steve Wray wrote:
> Shorewall6 dump output attached.

Do you see the obvious problem with this rule from your dump output?

Chain PREROUTING (policy ACCEPT 1361 packets, 464K bytes)
 pkts bytes target   prot opt in      out  source  destination
 1361  464K tcpre    all      *       *    ::/0    ::/0
    0     0 divert   tcp      he-ipv6 *    ::/0    ::/128   tcp spt:80 flags:!0x17/0x02 socket --transparent
    0     0 TPROXY   tcp      eth1    *    ::/0    ::/128   tcp dpt:80 TPROXY redirect :::3128 mark 0x200/0x200

Look at the destination column. That is the all-zero address.

That goes back to your tcrules:

TPROXY(3128,::1) eth1 :: tcp 80

-Tom
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Monday, 24 December 2012 11:59 a.m.
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] shorewall6 seems to be ignoring tproxy
>
> On 12/23/2012 06:02 PM, Steve Wray wrote:
> > Thanks for getting back to me.
[snip]
> Do you see the obvious problem with this rule from your dump output?
>
> Chain PREROUTING (policy ACCEPT 1361 packets, 464K bytes)
>  pkts bytes target   prot opt in      out  source  destination
>  1361  464K tcpre    all      *       *    ::/0    ::/0
>     0     0 divert   tcp      he-ipv6 *    ::/0    ::/128   tcp spt:80 flags:!0x17/0x02 socket --transparent
>     0     0 TPROXY   tcp      eth1    *    ::/0    ::/128   tcp dpt:80 TPROXY redirect :::3128 mark 0x200/0x200
>
> Look at the destination column. That is the all-zero address.
>
> That goes back to your tcrules:
>
> TPROXY(3128,::1) eth1 :: tcp 80

Yes I see this.

But I don't know how this tcpre rule gets there. I don't think that I
explicitly request it in my shorewall6 configuration.

My tcrules file contains only

FORMAT 2
DIVERT he-ipv6 :: tcp - 80
TPROXY(3128) eth1 :: tcp 80

Which is exactly as suggested in the documentation.

http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY

and so far as I can tell I'm following this very closely.

So Shorewall6 must be inferring that I want this rule.

I wondered if it might be settings in shorewall6.conf and checked:

I did have TC_ENABLED=Internal
But I've set that to No, and get the same tcpre rule created.

I had CLEAR_TC=YES
and I've set that to no, restarted Shorewall, and I get the same tcpre rule.

Do I need to explicitly tell Shorewall6 to not create this rule?

> -Tom
On 12/23/2012 08:42 PM, Steve Wray wrote:
> > Look at the destination column. That is the all-zero address.
> >
> > That goes back to your tcrules:
> >
> > TPROXY(3128,::1) eth1 :: tcp 80
>
> Yes I see this.
>
> But I don't know how this tcpre rule gets there. I don't think that I
> explicitly request it in my shorewall6 configuration.
>
> My tcrules file contains only
>
> FORMAT 2
> DIVERT he-ipv6 :: tcp - 80
> TPROXY(3128) eth1 :: tcp 80

And that is WRONG!

> Which is exactly as suggested in the documentation.
>
> http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
>
> and so far as I can tell I'm following this very closely.

No! That documentation uses 0.0.0.0/0 in the DEST column. The IPv6
equivalent is ::/0 -- you have coded :: which is ::/128.

> So Shorewall6 must be inferring that I want this rule.

No -- Shorewall6 is doing exactly what you are asking it to do.

-Tom
Keeping this on the list

-------- Original Message --------
Subject: Re: [Shorewall-users] shorewall6 seems to be ignoring tproxy
Date: Sun, 23 Dec 2012 20:54:33 -0800
From: Tom Eastep <teastep@shorewall.net>
To: shorewall-users@lists.sourceforge.net

On 12/23/2012 08:42 PM, Steve Wray wrote:
> My tcrules file contains only
>
> FORMAT 2
> DIVERT he-ipv6 :: tcp - 80
> TPROXY(3128) eth1 :: tcp 80

And that is WRONG!

> Which is exactly as suggested in the documentation.
> http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
> and so far as I can tell I'm following this very closely.

No! That documentation uses 0.0.0.0/0 in the DEST column. The IPv6
equivalent is ::/0 -- you have coded :: which is ::/128.

> So Shorewall6 must be inferring that I want this rule.

No -- Shorewall6 is doing exactly what you are asking it to do.

-Tom
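An added example, not from the thread or from Shorewall, that models the DEST-column semantics Tom points out: a bare `::` is a single-host match (`::/128`, exactly what `shorewall6 dump` printed), while `::/0` is the IPv6 counterpart of `0.0.0.0/0`. The packet, rule dictionaries and `rule_matches` function are constructed here; they stand in for ip6tables matching, not Shorewall's own code.

```python
"""Why the posted TPROXY rule never matched: '::' is ::/128, not ::/0."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed stand-in for a TCP packet entering the PREROUTING chain."""
    iface: str   # interface the packet arrived on
    proto: str
    dst: str     # destination address
    dport: int


def parse_dest(column: str) -> ipaddress.IPv6Network:
    """Parse a tcrules DEST column the way ip6tables interprets it.

    A bare address gets an implicit /128 (single host); only an explicit
    prefix length widens the match. Shorewall's '-' placeholder means any.
    """
    if column in ("-", ""):
        return ipaddress.IPv6Network("::/0")
    return ipaddress.IPv6Network(column, strict=False)


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Match interface, protocol, destination port and destination network."""
    return (pkt.iface == rule["iface"]
            and pkt.proto == rule["proto"]
            and pkt.dport == rule["dport"]
            and ipaddress.IPv6Address(pkt.dst) in parse_dest(rule["dest"]))


# Constructed packet: the test VM on eth1 fetching clients1.google.com
# over IPv6 (the address from the squid log in the first message).
PKT = Packet(iface="eth1", proto="tcp", dst="2607:f8b0:4007:801::1001", dport=80)

# The rule as posted:            TPROXY(3128) eth1 ::   tcp 80
BROKEN = {"iface": "eth1", "dest": "::",   "proto": "tcp", "dport": 80}
# The IPv6 equivalent of the documented 0.0.0.0/0 DEST column:
FIXED = {"iface": "eth1", "dest": "::/0", "proto": "tcp", "dport": 80}


def which_rules_match(pkt: Packet = PKT) -> dict:
    """Evaluate both rules against one packet; only the ::/0 rule fires."""
    return {"broken": rule_matches(BROKEN, pkt), "fixed": rule_matches(FIXED, pkt)}


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN), ("fixed", FIXED)):
        # The rendered network is what the dump's destination column shows.
        print(f"{name}: DEST {rule['dest']!r} -> {parse_dest(rule['dest'])}, "
              f"matches test packet: {rule_matches(rule, PKT)}")
```

The only destination the posted rule can ever match is the unspecified address `::` itself, which no real flow carries, so every port-80 connection falls through to the routing table exactly as the tcpdump in the first message showed.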
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Monday, 24 December 2012 12:55 p.m.
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] shorewall6 seems to be ignoring tproxy
>
> On 12/23/2012 08:42 PM, Steve Wray wrote:
> > My tcrules file contains only
> >
> > FORMAT 2
> > DIVERT he-ipv6 :: tcp - 80
> > TPROXY(3128) eth1 :: tcp 80
>
> And that is WRONG!
>
> > Which is exactly as suggested in the documentation.
> > http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
> > and so far as I can tell I'm following this very closely.
>
> No! That documentation uses 0.0.0.0/0 in the DEST column. The IPv6
> equivalent is ::/0 -- you have coded :: which is ::/128.

aahhhhh

You have helped me better understand Shorewall AND ipv6 :)

I'd assumed that :: was the equivalent of 0.0.0.0/0

Awesome, thank you so much!

> > So Shorewall6 must be inferring that I want this rule.
>
> No -- Shorewall6 is doing exactly what you are asking it to do.
>
> -Tom