Shorewall and squid transparent proxy problem

Diego Xirinachs dxiri343 at gmail.com
Wed Apr 6 01:40:51 UTC 2011


Thanks a lot for your input, to answer your questions and clarify further,

- I had the ACCEPT rule before the REDIRECT one before asking for help, and
it didn't work either; I will change it back and leave it like that, so the rule
order would be:



ACCEPT        $FW        net        tcp        www
REDIRECT    loc        3128        tcp        www        -
ACCEPT        $FW        loc        icmp
ACCEPT        $FW        net        icmp
###############################################

- Explain when you can/want, I am curious :D

- Regarding the iptables commands, no, I'm not sure. I just took those 2
commands from a tutorial and ran them to see if they would work.

- Those 2 iptables commands you gave me, can I run them with shorewall
installed, or would the server act weird?

Today I noticed I don't have a masq file, and that IF the EXTERNAL network
isn't connected on eth0 (mine is on eth1) you have to edit this masq file to
reverse the order, at least that's what the Shorewall documentation says (I don't
have the URL handy). If that works I will post results here.

Thanks a lot again :D

2011/4/5 Николай Федосов <nikolay.fedosov at gmail.com>

> 06.04.2011 01:43, Diego Xirinachs writes:
>
> DNS is already accepted in my shorewall rules file, here is the complete
> file, I don't know why I didn't post it complete earlier.
>
>
>
> REDIRECT    loc        3128        tcp        www        -
> ACCEPT        $FW        net        tcp        www
> ACCEPT        $FW        loc        icmp
> ACCEPT        $FW        net        icmp
> #################################################
>
> Here is your mistake! The first rule is evaluated first.
> You try to REDIRECT www packets from the firewall to port 3128, but you have no
> www packets in your firewall if (as I understand) your policy is DROP.
>
> Try in this order:
>
> first rule: ACCEPT        $FW        net        tcp        www
> second rule: REDIRECT    loc        3128        tcp        www        -
>
> This example is from the documentation at www.shorewall.net
>
>
>
>
>
> As you can see, DNS is already there also. Any other tips?
>
> @nikolay: Really? More complicated than iptables? I find it easy to
> configure access rules here, the only problem I have had is this one. With
> iptables I tried to get the transparent proxy working but couldn't (I got the
> full command and ran it, it didn't do anything). I tried with the following
> commands:
>
> I can explain it but not now
>
>
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 192.168.0.1:3128
> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT
> --to-ports 3128
>
> Are you sure that SQUID requires nat?
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-ports 3128
> iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j DROP
>
>
> And you should remember that THE ORDER of the rules has SIGNIFICANT
> meaning!
> Sorry for my English... now it's time to sleep....
>
>
> eth0 is my LAN and eth1 is connected to the internet. The IP address is just
> for the example, my internal network uses a different range than that one.
>
> I would really like to get this working but I have no idea what's wrong,
> this kind of issue I'm sure is one of those wtf problems that can be solved
> with a simple solution.
>
> Hope it helps and thanks again.
>
>
>
> 2011/4/5 Николай Федосов <nikolay.fedosov at gmail.com>
>
>> My proposal is to change the order of your rules...
>>
>> But the true way is to: apt-get purge shorewall (it is very complicated,
>> more complicated than iptables)
>>
>> 05.04.2011 13:29, Diego Xirinachs writes:
>>
>> >> My /etc/shorewall/rules are set up with these ACCEPT and REDIRECT rules:
>> >>
>> >> #ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE      ORIGINAL
>> >> #                                                       PORT(S)     DEST
>> >> REDIRECT  loc        3128     tcp      www              -
>> >>
>> >> ACCEPT    $FW        net      tcp      www
>>
>>
>
>>  --
>>  ubuntu-server mailing list
>> ubuntu-server at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
>> More info: https://wiki.ubuntu.com/ServerTeam
>>
>
>
>
> --
> X1R1
>
>
>


-- 
X1R1