Hi list,

I'm using shorewall 4.5.5 on debian stable.

I'm having some issues setting up a transparent proxy. The setup is quite complex.

   Provider A    Provider B
         \          /
          \        /
           \      /
            \    /
              FW
          / ---------| \
         /              \
      Bridge           Net B
      /    \
   NetC    NetD

Nodes on NetD should access the net through a proxy located on NetB. I've set up a config as described in http://www.shorewall.net/Shorewall_Squid_Usage.html#idp114696

I've two different providers. I've added a marking rule and set up PRIORITY in order to get the fwmark used first (before the rules defined in rtrules).

Here is the issue:
Packets sent to the net by nodes on NetD get correctly marked, so they get routed to the proxy on NetB, which handles the request. Packets come back to the firewall interface through NetB and stop there (src IP is the requested IP (e.g. www.google.com), dest IP is the NetD node which made the http request, according to tcpdump). Although tcpdump shows the packet, there is no Shorewall log about this last incoming packet.

Traffic from NetB is authorized to access NetD (no ip source or dest check)....

Any clue on what may be wrong?

Thanks
Christophe
Another (important) detail: the setup is working when a client node tries to reach a web server located in netB, but not for an internet web server.... routefilter=0 and logmartians=0 options are set for the FW interface on netB

Thanks
Christophe
I have a similar problem using one-to-one NAT with this version of shorewall.

Stephen

Sent from my iPhone

On 26 Jul, 2013, at 4:39 PM, Christophe Ségui <christophe.segui@math.univ-toulouse.fr> wrote:

> Another (important) detail: the setup is working when a client node tries to reach a web server located in netB, but not for an internet web server.... routefilter=0 and logmartians=0 options are set for the FW interface on netB
> [...]
On 07/26/2013 01:39 AM, Christophe Ségui wrote:
> Another (important) detail: the setup is working when a client node tries to
> reach a web server located in netB but not for an internet web
> server.... routefilter=0 and logmartians=0 options are set for the FW
> interface on netB
>
> Thanks
> Christophe
>
> On 26 Jul 2013, at 09:52, Christophe Ségui
> <christophe.segui@math.univ-toulouse.fr> wrote:
>
>> Hi list,
>>
>> I'm using shorewall 4.5.5 on debian stable.
>>
>> I'm having some issues setting up a transparent proxy. The setup is quite
>> complex.
>>
>>    Provider A    Provider B
>>          \          /
>>           \        /
>>            \      /
>>             \    /
>>               FW
>>           / ---------| \
>>          /              \
>>       Bridge           Net B
>>       /    \
>>    NetC    NetD
>>

It looks as though you used a variable pitch font to draw the above diagram -- it is unfathomable.

As always with this sort of problem, we need to see the output of 'shorewall dump' to understand what the problem is.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 07/26/2013 01:39 AM, Christophe Ségui wrote:
> Another (important) detail: the setup is working when a client node tries to
> reach a web server located in netB but not for an internet web
> server.... routefilter=0 and logmartians=0 options are set for the FW
> interface on netB

If you want selective route filtering, then you want ROUTE_FILTER=No in shorewall.conf. The effective setting for each interface is the *maximum* of the setting for that interface (/proc/sys/net/ipv4/<interface>/rp_filter) and the all setting (/proc/sys/net/ipv4/all/rp_filter). From the Documentation/networking/ip-sysctl file:

rp_filter - INTEGER
	0 - No source validation.
	1 - Strict mode as defined in RFC3704 Strict Reverse Path
	    Each incoming packet is tested against the FIB and if the interface
	    is not the best reverse path the packet check will fail.
	    By default failed packets are discarded.
	2 - Loose mode as defined in RFC3704 Loose Reverse Path
	    Each incoming packet's source address is also tested against the FIB
	    and if the source address is not reachable via any interface
	    the packet check will fail.

	Current recommended practice in RFC3704 is to enable strict mode
	to prevent IP spoofing from DDos attacks. If using asymmetric routing
	or other complicated routing, then loose mode is recommended.

	The max value from conf/{all,interface}/rp_filter is used
	when doing source validation on the {interface}.

	Default value is 0. Note that some distributions enable it
	in startup scripts.

Note that Debian is one of those distributions.

I'll try to make this clearer in the Shorewall documentation.

-Tom
On 07/27/2013 05:02 AM, Stephen Fu wrote:
> I have a similar problem using one-to-one NAT with this version of
> shorewall.

We will need details to help you.

-Tom
On 07/27/2013 07:54 AM, Tom Eastep wrote:
> On 07/26/2013 01:39 AM, Christophe Ségui wrote:
>> Another (important) detail: the setup is working when a client node tries to
>> reach a web server located in netB but not for an internet web
>> server.... routefilter=0 and logmartians=0 options are set for the FW
>> interface on netB
>
> If you want selective route filtering, then you want ROUTE_FILTER=No
> in shorewall.conf. The effective setting for each interface is the
> *maximum* of the setting for that interface
> (/proc/sys/net/ipv4/<interface>/rp_filter) and the all setting
> (/proc/sys/net/ipv4/all/rp_filter).
> [...]
> Note that Debian is one of those distributions

Please verify the contents of /proc/sys/net/ipv4/conf/all/rp_filter. All of my Debian systems have old /etc/sysctl.conf files which I retained, so I can't tell if there was a change in that file for Wheezy or not.

-Tom
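The effective-value rule Tom describes (the kernel takes the larger of conf/all/rp_filter and the per-interface value) and the check he asks for, as an added example that is not from the thread or from Shorewall: a POSIX shell script that reads a sysctl tree and flags interfaces whose routefilter=0 is being silently raised by the all setting. SYSCTL_BASE, the function names and the sample tree are my own constructions; point SYSCTL_BASE at /proc/sys/net/ipv4/conf to run it against a live host.

```shell
#!/bin/sh
# Added example, not from the thread. Effective rp_filter per interface is
# computed the way the kernel does it: max(conf/all, conf/<iface>).
# SYSCTL_BASE is an assumed variable; set it to /proc/sys/net/ipv4/conf on a live host.
SYSCTL_BASE="${SYSCTL_BASE:-/proc/sys/net/ipv4/conf}"

# effective_rp_filter ALL IFACE -> prints the larger of the two values
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# describe_mode N -> short mode name from Documentation/networking/ip-sysctl
describe_mode() {
    case "$1" in
        0) echo "off" ;;      # no source validation
        1) echo "strict" ;;   # RFC3704 strict reverse path
        2) echo "loose" ;;    # RFC3704 loose reverse path
        *) echo "unknown" ;;
    esac
}

# report_iface IFACE -> "IFACE all=A iface=I effective=E MODE"
report_iface() {
    all=$(cat "$SYSCTL_BASE/all/rp_filter")
    own=$(cat "$SYSCTL_BASE/$1/rp_filter")
    eff=$(effective_rp_filter "$all" "$own")
    echo "$1 all=$all iface=$own effective=$eff $(describe_mode "$eff")"
}

# overridden IFACE -> succeeds when conf/all raises the interface above its
# own value, i.e. a per-interface routefilter=0 is not taking effect
overridden() {
    all=$(cat "$SYSCTL_BASE/all/rp_filter")
    own=$(cat "$SYSCTL_BASE/$1/rp_filter")
    [ "$all" -gt "$own" ]
}

# make_sample_tree -> prints the path of a constructed sysctl tree mirroring the
# thread: all=1 (set by distro startup scripts), eth0=0 (routefilter=0 from Shorewall)
make_sample_tree() {
    dir=$(mktemp -d)
    for i in all eth0 eth1; do mkdir -p "$dir/$i"; done
    echo 1 > "$dir/all/rp_filter"
    echo 0 > "$dir/eth0/rp_filter"
    echo 2 > "$dir/eth1/rp_filter"
    echo "$dir"
}

# Run against the constructed tree; eth0's 0 is silently raised to strict.
SYSCTL_BASE=$(make_sample_tree)
for iface in eth0 eth1; do
    report_iface "$iface"
    if overridden "$iface"; then echo "  -> $iface: per-interface setting overridden by conf/all"; fi
done
```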
Hi,

Many thanks, that was the issue, my setup is now working fine!

Cheers
Christophe

On 27 Jul 2013, at 16:54, Tom Eastep <teastep@shorewall.net> wrote:

> If you want selective route filtering, then you want ROUTE_FILTER=No in shorewall.conf. The effective setting for each interface is the *maximum* of the setting for that interface (/proc/sys/net/ipv4/<interface>/rp_filter) and the all setting (/proc/sys/net/ipv4/all/rp_filter).
> [...]
> Note that Debian is one of those distributions.
>
> I'll try to make this clearer in the Shorewall documentation.
>
> -Tom