Shorewall and squid transparent proxy problem

Николай Федосов nikolay.fedosov at gmail.com
Tue Apr 5 23:33:28 UTC 2011


On 06.04.2011 01:43, Diego Xirinachs wrote:
> DNS is already accepted in my shorewall rules file, here is the 
> complete file, I don't know why I didn't post it complete earlier.
>
>
>
> REDIRECT    loc        3128        tcp        www        -
> ACCEPT        $FW        net        tcp        www
> ACCEPT        $FW        loc        icmp
> ACCEPT        $FW        net        icmp
> #################################################
Here is your mistake! The first rule is evaluated first.
You try to REDIRECT www packets from the firewall to port 3128, but you have 
no www packets in your firewall if (as I understand it) your policy is DROP.

Try in this order:

first rule: ACCEPT        $FW        net        tcp        www
second rule: REDIRECT    loc        3128        tcp        www        -

This example is from the documentation at www.shorewall.net.



>
> As you can see, DNS is already there also. Any other tips?
>
> @nikolay: Really? More complicated than iptables? I find it easy to 
> configure access rules here, the only problem I have had is this one. With 
> iptables I tried to get the transparent proxy working but couldn't (I 
> got the full command and ran it, it didn't do anything). I tried with the 
> following commands:
I can explain it, but not now.
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
Are you sure that SQUID requires NAT?

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j DROP


And you should remember that THE ORDER of the rules is SIGNIFICANT!
Sorry for my English... now it's time to sleep....
>
> eth0 is my LAN and eth1 is connected to the internet. IP address is 
> just for the example, my internal network uses a different range than 
> that one.
>
> I would really like to get this working but I have no idea what's 
> wrong; I'm sure this kind of issue is one of those WTF problems that 
> can be solved with a simple solution.
>
> Hope it helps and thanks again.
>
>
>
> 2011/4/5 Николай Федосов <nikolay.fedosov at gmail.com 
> <mailto:nikolay.fedosov at gmail.com>>
>
>     My proposal is to change the order of your rules...
>
>     But the true way is to: apt-get purge shorewall (it is very
>     complicated, more complicated than iptables)
>
>     On 05.04.2011 13:29, Diego Xirinachs wrote:
>
>     >> My /etc/shorewall/rules are set up with these ACCEPT and REDIRECT
>     rules:
>     >>
>     >> #ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE PORT(S)    ORIGINAL DEST
>     >> REDIRECT  loc        3128     tcp      www              -
>     >>
>     >> ACCEPT    $FW        net      tcp      www
>
>
>     -- 
>     ubuntu-server mailing list
>     ubuntu-server at lists.ubuntu.com <mailto:ubuntu-server at lists.ubuntu.com>
>     https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
>     More info: https://wiki.ubuntu.com/ServerTeam
>
>
>
>
> -- 
> X1R1
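
The transparent-proxy setup the thread is working toward has three parts that are easy to get out of step: a nat REDIRECT on the LAN-facing interface (the quoted attempt also put one on eth1, the Internet side, which would intercept inbound connections rather than the LAN's), a FORWARD drop so that port-80 traffic which escapes the REDIRECT cannot bypass Squid, and an OUTPUT allowance so that Squid itself, running on the firewall, can reach the web (the role of Shorewall's "ACCEPT $FW net tcp www" line). The script below is an added example, not code from the thread or from the Shorewall project; it assumes eth0 is the LAN, eth1 the Internet and 3128 the Squid intercept port, and it only prints an iptables-restore ruleset so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): emit an
# iptables-restore ruleset for a transparent Squid proxy on the firewall.
# Assumed parameters, matching the thread: $1 = LAN interface (eth0),
# $2 = Internet interface (eth1), $3 = Squid intercept port (3128).
gen_transparent_proxy_rules() {
    lan_if="$1"; wan_if="$2"; proxy_port="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only LAN-side port-80 traffic is intercepted. REDIRECT in PREROUTING
# rewrites the destination to the firewall's own address before routing,
# so these packets become local INPUT, not FORWARD traffic.
-A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port
# Everything leaving towards the Internet (Squid's requests included) is masqueraded.
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Redirected client connections now terminate locally on the Squid port.
-A INPUT -i $lan_if -p tcp --dport $proxy_port -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Any LAN port-80 packet still seen here escaped the REDIRECT (nat rule
# missing or mis-scoped). Drop it so the proxy cannot be bypassed; within a
# chain the first match wins, so this must precede any broader LAN ACCEPT.
-A FORWARD -i $lan_if -p tcp --dport 80 -j DROP
-A FORWARD -i $lan_if -o $wan_if -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Squid runs on the firewall and needs its own way out to port 80; this is
# the counterpart of Shorewall's "ACCEPT \$FW net tcp www".
-A OUTPUT -o $wan_if -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o $wan_if -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Text-level sanity check, usable without root: exactly one REDIRECT on the
# LAN interface, no REDIRECT on the Internet interface, and the
# bypass-blocking DROP present in FORWARD. Returns 0 when all hold.
check_transparent_proxy_rules() {
    rules="$(gen_transparent_proxy_rules "$1" "$2" "$3")"
    redirects=$(printf '%s\n' "$rules" | grep -c -- "-A PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-ports $3" || true)
    [ "$redirects" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -- "-i $2 .*-j REDIRECT" && return 1
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD -i $1 -p tcp --dport 80 -j DROP" || return 1
    return 0
}

# Usage: review the output, then apply it as root.
#   gen_transparent_proxy_rules eth0 eth1 3128
#   gen_transparent_proxy_rules eth0 eth1 3128 | sudo iptables-restore
```

After applying, `iptables -t nat -L PREROUTING -v -n` should show the REDIRECT rule's packet counter climbing while a LAN client browses; if the FORWARD DROP counter climbs instead, the nat rule is not matching the client's traffic.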


