I really appreciate the clear directions on how to use TPROXY with Squid3.

I've previously used a REDIRECT/intercept proxy, and switching to using
TPROXY took only a couple of minutes. (even with IPv6!)

I do have a question, though:

I run an Apache server on my router as well. It's only visible
internally, and is useful as it lets me use some of the squid log
tools, like SARG, to view proxy usage. Similarly, I use the apache
server to serve an "access denied" page from squidGuard.

This presents a problem, though: Computers inside the firewall can't
see the $FW machine's apache server.

Is there something that's part of the TPROXY setup that doesn't really
allow for this?

When I look at the rule:

ACCEPT loc $FW tcp 80

I think it's straightforward enough; however when I want to access the
Apache server, I really do need to use port 80.

So is there a way to get around this in shorewall, or would I be forced
to use port 8080 (or similar) for the apache server?

Thanks!
-- 
Troy Telford
On 4/25/13 11:31 PM, "Troy Telford" <ttelford.groups@gmail.com> wrote:

> I really appreciate the clear directions on how to use TPROXY with Squid3.
>
> I've previously used a REDIRECT/intercept proxy, and switching to using
> TPROXY took only a couple of minutes. (even with IPv6!)
>
> I do have a question, though:
>
> I run an Apache server on my router as well. It's only visible
> internally, and is useful as it lets me use some of the squid log
> tools, like SARG, to view proxy usage. Similarly, I use the apache
> server to serve an "access denied" page from squidGuard.
>
> This presents a problem, though: Computers inside the firewall can't
> see the $FW machine's apache server.
>
> Is there something that's part of the TPROXY setup that doesn't really
> allow for this?
>
> When I look at the rule:
> ACCEPT loc $FW tcp 80
>
> I think it's straightforward enough; however when I want to access the
> Apache server, I really do need to use port 80.
>
> So is there a way to get around this in shorewall, or would I be forced
> to use port 8080 (or similar) for the apache server?

You need to exclude connections to your gateway's local IP address from
TPROXY:

TPROXY(3129) ethX:!<ethX ip addr> 0.0.0.0/0 tcp 80

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
On 2013-04-26 13:57:00 +0000, Tom Eastep said:

> On 4/25/13 11:31 PM, "Troy Telford" <ttelford.groups@gmail.com> wrote:
>
>> I really appreciate the clear directions on how to use TPROXY with Squid3.
>>
>> I've previously used a REDIRECT/intercept proxy, and switching to using
>> TPROXY took only a couple of minutes. (even with IPv6!)
>>
>> I do have a question, though:
>>
>> I run an Apache server on my router as well. It's only visible
>> internally, and is useful as it lets me use some of the squid log
>> tools, like SARG, to view proxy usage. Similarly, I use the apache
>> server to serve an "access denied" page from squidGuard.
>>
>> So is there a way to get around this in shorewall, or would I be forced
>> to use port 8080 (or similar) for the apache server?
>
> You need to exclude connections to your gateway's local IP address from
> TPROXY:
>
> TPROXY(3129) ethX:!<ethX ip addr> 0.0.0.0/0 tcp 80

<facepalm>Yup, that'll do it.</facepalm>

I did notice something on my network, and I think I'm missing an option:

I have several zones, and all but one are working wonderfully. The
configuration for the different zones is identical...

The zone that's not working well is the zone I've created for my LXC
containers. They're all bridged across a br0 interface, and my config
is pretty simple:

TPROXY(3129) br0:!192.168.2.1 0.0.0.0/0 tcp 80

and the rule:

ACCEPT lxc $FW tcp www

The LXC containers are running on the router

Thanks!
-- 
Troy Telford
On 04/26/2013 09:32 AM, Troy Telford wrote:

> I did notice something on my network, and I think I'm missing an option:
>
> I have several zones, and all but one are working wonderfully. The
> configuration for the different zones is identical...
>
> The zone that's not working well is the zone I've created for my LXC
> containers. They're all bridged across a br0 interface, and my config
> is pretty simple:
> TPROXY(3129) br0:!192.168.2.1 0.0.0.0/0 tcp 80
>
> and the rule:
> ACCEPT lxc $FW tcp www
>
> The LXC containers are running on the router

We're going to need something more than two entries from your
configuration and a lament that 'it doesn't work'. See
http://www.shorewall.net/support.htm#Guidelines

-Tom
-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \  died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 2013-04-26 16:39:18 +0000, Tom Eastep said:

> On 04/26/2013 09:32 AM, Troy Telford wrote:
>
>> I did notice something on my network, and I think I'm missing an option:
>>
>> I have several zones, and all but one are working wonderfully. The
>> configuration for the different zones is identical...
>>
>> The zone that's not working well is the zone I've created for my LXC
>> containers. They're all bridged across a br0 interface, and my config
>> is pretty simple:
>> TPROXY(3129) br0:!192.168.2.1 0.0.0.0/0 tcp 80
>>
>> and the rule:
>> ACCEPT lxc $FW tcp www
>>
>> The LXC containers are running on the router
>
> We're going to need something more than two entries from your
> configuration and a lament that 'it doesn't work'.

I apologize. I deserve the reprimand.

Hopefully I've attached the bzip2 shorewall dumps. I typically use gmane
for my mailing lists, so it may not pass through the attachments. If they
aren't, I'll re-send via a normal mail client.

While you're looking: I applied the suggested change:

TPROXY(3129) ethX:!<ethX ip addr> 0.0.0.0/0 tcp 80

However, I am still unable to connect to the apache server on the
shorewall box...
-- 
Troy Telford
On 2013-04-26 16:39:18 +0000, Tom Eastep said:

>> I did notice something on my network, and I think I'm missing an option:
>>
>> I have several zones, and all but one are working wonderfully. The
>> configuration for the different zones is identical...
>>
>> The zone that's not working well is the zone I've created for my LXC
>> containers. They're all bridged across a br0 interface, and my config
>> is pretty simple:
>> TPROXY(3129) br0:!192.168.2.1 0.0.0.0/0 tcp 80
>>
>> and the rule:
>> ACCEPT lxc $FW tcp www
>>
>> The LXC containers are running on the router
>
> We're going to need something more than two entries from your
> configuration and a lament that 'it doesn't work'.

I apologize. I deserve the reprimand.

I'm re-sending, hopefully with the attachments this time.

While you're looking: I applied the suggested change:

TPROXY(3129) ethX:!<ethX ip addr> 0.0.0.0/0 tcp 80

However, I am still unable to connect to the apache server on the
shorewall box...
-- 
Troy Telford
ttelford.groups@gmail.com
On 04/26/2013 02:51 PM, Troy Telford wrote:

> On 2013-04-26 17:36:22 +0000, Troy Telford said:
>
>> While you're looking: I applied the suggested change:
>> TPROXY(3129) ethX:!<ethX ip addr> 0.0.0.0/0 tcp 80
>> However, I am still unable to connect to the apache server on the
>> shorewall box...
>
> I found the problem I was having with:
> TPROXY(3129) ethX:!<ethX ip addr> 0.0.0.0/0 tcp 80
>
> As I have a dual-stack system, I didn't have it set up correctly for
> shorewall6.
>
> After adding the following in shorewall6/tcrules, it's working:
> TPROXY(3129) eth0:[!(local_ipv6_addr)/64] ::/0 tcp 80
>
> And now it appears to work correctly for IPv6 as well as IPv4-only systems

That's fascinating, given that I gave you a bad rule. What I wanted you
to do was:

TPROXY(3129) eth0 !<address of eth0> tcp 80

Same with br0:

TPROXY(3129) br0 !<address of br0> tcp 80

-Tom
On 2013-04-26 23:18:11 +0000, Tom Eastep said:

> That's fascinating, given that I gave you a bad rule. What I wanted you
> to do was:
>
> TPROXY(3129) eth0 !<address of eth0> tcp 80
>
> Same with br0:
>
> TPROXY(3129) br0 !<address of br0> tcp 80

After a bit of playing, it seems that IPv4 wasn't forwarding with the
broken rule; however IPv6 did work with:

TPROXY(3129) eth2:[!2001:1931:313::1/64] ::/0 tcp 80

I switched to use:

TPROXY(3129) eth0 !192.168.1.1 tcp 80

IPv4 works just fine now, and I imagine the rule being correct can't
hurt for IPv6. Still, I have no idea why it was working the way it did.
If you're interested, I can collect a shorewall dump for you, but
otherwise, I'm fine with just leaving it...

That said: I'm still not able to get TPROXY to work with my LXC
containers. I'm seeing this in the log, when I try to connect from
inside an LXC container:

Apr 26 21:09:43 lxc2fw:ACCEPT:IN=br0 OUT= PHYSIN=vethWKjPPy SRC=192.168.2.8 DST=216.34.181.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5993 DF PROTO=TCP SPT=37139 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x200

Obviously, nothing else is getting through... I set up some 'info'
logging in the shorewall policy, to show anything (or attempts to make)
connections between $FW and the lxc zone. The only thing showing up in
the log is the http requests being made by the container.

I'll make another shorewall dump set, and post them shortly...
-- 
Troy Telford
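Added illustration, not code from the thread or from Shorewall: a small Python audit that parses log lines in the netfilter format quoted in the message above and checks each packet's MARK against what the corrected rule form (TPROXY(3129) eth0 !<address of eth0> tcp 80) should do, so a packet diverted to Squid even though its destination is the gateway's own address (the symptom of a missing exclusion) stands out. It assumes Shorewall's default TPROXY_MARK of 0x200; the two extra sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample in Shorewall/netfilter log format. The first line is the
# one quoted in the thread; the other two are made up for illustration.
SAMPLE_LOG = """\
Apr 26 21:09:43 lxc2fw:ACCEPT:IN=br0 OUT= PHYSIN=vethWKjPPy SRC=192.168.2.8 DST=216.34.181.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5993 DF PROTO=TCP SPT=37139 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x200
Apr 26 21:10:02 lxc2fw:ACCEPT:IN=br0 OUT= PHYSIN=vethWKjPPy SRC=192.168.2.8 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6001 DF PROTO=TCP SPT=37140 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x200
Apr 26 21:10:15 lxc2fw:ACCEPT:IN=br0 OUT= PHYSIN=vethWKjPPy SRC=192.168.2.8 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6002 DF PROTO=TCP SPT=37141 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x0
"""

# Assumed: Shorewall's default TPROXY_MARK (shorewall.conf); adjust if yours differs.
TPROXY_MARK = 0x200

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Split one netfilter log line into (chain, action, {field: value}).

    The part before 'IN=' ends with Shorewall's 'chain:ACTION:' prefix;
    everything after it is KEY=VALUE pairs (flags like DF/SYN carry no '=').
    """
    prefix, _, rest = line.partition("IN=")
    chain, _, action = prefix.split()[-1].rstrip(":").partition(":")
    return chain, action, dict(FIELD_RE.findall("IN=" + rest))


def rule_matches(fields, iface, gw_addr, dport=80):
    """Semantics of the corrected tcrules entry
       TPROXY(3129) <iface> !<gw_addr> tcp <dport>
    True when a packet should be diverted to Squid: it arrived on iface,
    is TCP to dport, and is NOT addressed to the gateway itself."""
    return (fields.get("IN") == iface
            and fields.get("PROTO") == "TCP"
            and fields.get("DPT") == str(dport)
            and ipaddress.ip_address(fields["DST"]) != ipaddress.ip_address(gw_addr))


def audit(log_text, iface, gw_addr):
    """Compare the kernel's MARK on each logged packet with what the corrected
    rule would do. Returns (dst, marked, expected) per mismatch; a marked
    packet whose DST is the gateway means the exclusion is missing, which is
    the 'can't reach Apache on $FW' symptom discussed in the thread."""
    mismatches = []
    for line in log_text.splitlines():
        if "IN=" not in line:
            continue
        _, _, fields = parse_log_line(line)
        marked = (int(fields.get("MARK", "0"), 16) & TPROXY_MARK) == TPROXY_MARK
        expected = rule_matches(fields, iface, gw_addr)
        if marked != expected:
            mismatches.append((fields["DST"], marked, expected))
    return mismatches


if __name__ == "__main__":
    for dst, marked, expected in audit(SAMPLE_LOG, "br0", "192.168.2.1"):
        print(f"DST={dst}: marked for TPROXY={marked}, rule says {expected}")
```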
Here's my current shorewall/shorewall6 dump set. The only thing that
isn't working is the LXC containers.

LXC is set up to use br0 as the primary bridge, and each container gets
its own vethxxxxx interface.
-- 
Troy Telford
ttelford.groups@gmail.com
On 2013-04-26 23:18:11 +0000, Tom Eastep said:

> That's fascinating, given that I gave you a bad rule. What I wanted you
> to do was:
>
> TPROXY(3129) eth0 !<address of eth0> tcp 80
>
> Same with br0:
>
> TPROXY(3129) br0 !<address of br0> tcp 80
>
> -Tom

I realize this is a couple of weeks old, but...

I noticed that the current documentation
(http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY)
has the following syntax in a note:

TPROXY(3129) eth1:!192.0.2.144 0.0.0.0/0 tcp 80

On the mailing list, you've told me to use:

> TPROXY(3129) eth0 !<address of eth0> tcp 80

Does the documentation at www.shorewall.net need to be updated?

Which one is the correct syntax?

(For the record, the one Tom gave above is the one that works for me;
the one documented at www.shorewall.net does not work if I connect via
IPv4 to the web server on $FW.)
-- 
Troy Telford
On 05/15/2013 03:37 PM, Troy Telford wrote:

> On 2013-04-26 23:18:11 +0000, Tom Eastep said:
>> That's fascinating, given that I gave you a bad rule. What I wanted you
>> to do was:
>>
>> TPROXY(3129) eth0 !<address of eth0> tcp 80
>>
>> Same with br0:
>>
>> TPROXY(3129) br0 !<address of br0> tcp 80
>>
>> -Tom
>
> I realize this is a couple of weeks old, but...
>
> I noticed that the current documentation
> (http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY)
> has the following syntax in a note:
>
> TPROXY(3129) eth1:!192.0.2.144 0.0.0.0/0 tcp 80
>
> On the mailing list, you've told me to use:
>> TPROXY(3129) eth0 !<address of eth0> tcp 80
>
> Does the documentation at www.shorewall.net need to be updated?
>
> Which one is the correct syntax?
>
> (For the record, the one Tom gave above is the one that works for me;
> the one documented at www.shorewall.net does not work if I connect via
> IPv4 to the web server on $FW.)

The doc at www.shorewall.net was wrong and has been corrected.

Thanks,
-Tom
On 2013-05-17 15:19:02 +0000, Tom Eastep said:

>> I realize this is a couple of weeks old, but...
>>
>> I noticed that the current documentation
>> (http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY)
>> has the following syntax in a note:
>>
>> TPROXY(3129) eth1:!192.0.2.144 0.0.0.0/0 tcp 80
>>
>> On the mailing list, you've told me to use:
>>> TPROXY(3129) eth0 !<address of eth0> tcp 80
>>
>> Does the documentation at www.shorewall.net need to be updated?
>>
>> Which one is the correct syntax?
>>
>> (For the record, the one Tom gave above is the one that works for me;
>> the one documented at www.shorewall.net does not work if I connect via
>> IPv4 to the web server on $FW.)
>
> The doc at www.shorewall.net was wrong and has been corrected.

I hate to bring this up again, but I still can't get the documented
version to work:

I'm running Shorewall 4.5.16.1 (debian "sid")

The documented version is:

TPROXY(3129) eth1 0.0.0.0/0 tcp 80 - !192.0.2.144

When I try that syntax, I receive the following error from 'shorewall check':

ERROR: USER/GROUP only allowed in the OUTPUT chain /etc/shorewall/tcrules (line 20)

It appears to me that shorewall/tcrules doesn't have an "ORIGINAL DEST"
column.

I am able to find the 'ORIGINAL DEST' column in shorewall/rules, however.
-- 
Troy Telford
On 05/17/2013 01:13 PM, Troy Telford wrote:

> I hate to bring this up again, but I still can't get the documented
> version to work:
>
> I'm running Shorewall 4.5.16.1 (debian "sid")
>
> The documented version is:
>
> TPROXY(3129) eth1 0.0.0.0/0 tcp 80 - !192.0.2.144
>
> When I try that syntax, I receive the following error from 'shorewall check':
>
> ERROR: USER/GROUP only allowed in the OUTPUT chain
> /etc/shorewall/tcrules (line 20)
>
> It appears to me that shorewall/tcrules doesn't have an "ORIGINAL DEST" column.
>
> I am able to find the 'ORIGINAL DEST' column in shorewall/rules, however.

Yep.

-Tom