Shorewall and squid transparent proxy problem
Diego Xirinachs
dxiri343 at gmail.com
Wed Apr 6 01:40:51 UTC 2011
Thanks a lot for your input. To answer your questions and clarify further:
- I had the ACCEPT rule before the REDIRECT one before asking for help, and
it didn't work either; I will change it back and leave it like that, so the rule
order would be:
ACCEPT $FW net tcp www
REDIRECT loc 3128 tcp www -
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#################################################
- Explain when you can/want, I am curious :D
- Regarding the iptables commands, no, I'm not sure. I just took those 2
commands from a tutorial and ran them to see if they would work.
- Those 2 iptables commands you gave me, can I run them with shorewall
installed or would the server act weird?
Today I noticed I don't have a masq file, and that IF the EXTERNAL network
isn't connected on eth0 (mine is on eth1) you have to edit this masq file to
reverse the order, at least that's what the Shorewall documentation says (I don't
have the URL handy). If that works I will post results here.
Thanks a lot again :D
2011/4/5 Николай Федосов <nikolay.fedosov at gmail.com>
> 06.04.2011 01:43, Diego Xirinachs wrote:
>
> DNS is already accepted in my shorewall rules file; here is the complete
> file, I don't know why I didn't post it complete earlier.
>
>
>
> REDIRECT loc 3128 tcp www -
> ACCEPT $FW net tcp www
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
> #################################################
>
> Here is your mistake! The first rule is evaluated first.
> You try to REDIRECT www packets from the firewall to port 3128, but you have no
> www packets in your firewall if (as I understand) your policy is DROP.
>
> Try in this order:
>
> first rule: ACCEPT $FW net tcp www
> second rule: REDIRECT loc 3128 tcp www -
>
> This example is from the documentation at www.shorewall.net
>
>
>
>
>
> As you can see, DNS is already there also. Any other tips?
>
> @nikolay: Really? More complicated than iptables? I find it easy to
> configure access rules here; the only problem I have had is this one. With
> iptables I tried to get the transparent proxy working but couldn't (I got the
> full command and ran it, it didn't do anything). I tried with the following
> commands:
>
> I can explain it but not now
>
>
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 192.168.0.1:3128
> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT
> --to-ports 3128
>
> Are you sure that SQUID requires nat?
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-ports 3128
> iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j DROP
>
>
> And you should remember that THE ORDER of rules is SIGNIFICANT!
> Sorry for my English... now it's time to sleep....
>
>
> eth0 is my LAN and eth1 is connected to the internet. IP address is just
> for the example, my internal network uses a different range than that one.
>
> I would really like to get this working but I have no idea what's wrong;
> this kind of issue, I'm sure, is one of those wtf problems that can be solved
> with a simple solution.
>
> Hope it helps and thanks again.
>
>
>
> 2011/4/5 Николай Федосов <nikolay.fedosov at gmail.com>
>
>> My proposal is to change the order of your rules...
>>
>> But the true way is to: apt-get purge shorewall (it is very complicated,
>> more complicated than iptables)
>>
>> 05.04.2011 13:29, Diego Xirinachs wrote:
>>
>> >> My /etc/shorewall/rules are set up with these ACCEPT and REDIRECT rules:
>> >>
>> >> #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST
>> >> REDIRECT loc 3128 tcp www -
>> >>
>> >> ACCEPT $FW net tcp www
>>
>>
>
>>
>
>
>
>
>
>
--
X1R1
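As an added check that is not from the thread or from Shorewall, a small POSIX shell function that reads the output of `iptables -t nat -S PREROUTING` and reports whether port-80 interception into Squid on 3128 is configured on the LAN interface only. The sample rules are constructed after the tutorial commands quoted above (eth0 = LAN, eth1 = internet); those intercept on both interfaces, so the check flags the internet-facing side, where interception would make the proxy reachable from outside.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses the rule list printed by
# `iptables -t nat -S PREROUTING` and checks where port 80 is sent to Squid.

# Constructed sample modelled on the tutorial commands quoted in the thread
# (DNAT on eth0, REDIRECT on eth1). Not captured from a real server.
TUTORIAL_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# Constructed sample of the intended setup: intercept on the LAN side only.
LAN_ONLY_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# count_intercepts RULES IFACE
# Number of PREROUTING rules on IFACE that send TCP port 80 to port 3128,
# whether via REDIRECT or via DNAT to some address on port 3128.
count_intercepts() {
    printf '%s\n' "$1" | grep -cE -- \
        "^-A PREROUTING -i $2 .*--dport 80 .*-j (REDIRECT --to-ports 3128|DNAT --to-destination [0-9.]+:3128)" \
        || true   # grep -c exits 1 on zero matches but still prints 0
}

# check_transparent_proxy RULES LAN_IF WAN_IF
# Returns 0 when the LAN interface intercepts port 80 and the internet-facing
# interface does not; prints one finding per problem and returns 1 otherwise.
check_transparent_proxy() {
    rules=$1; lan=$2; wan=$3; status=0
    if [ "$(count_intercepts "$rules" "$lan")" -eq 0 ]; then
        echo "MISSING: no port-80 interception to 3128 on LAN interface $lan"
        status=1
    fi
    if [ "$(count_intercepts "$rules" "$wan")" -gt 0 ]; then
        echo "EXPOSED: port-80 interception to 3128 on internet-facing interface $wan"
        status=1
    fi
    return $status
}

# On the real box: check_transparent_proxy "$(iptables -t nat -S PREROUTING)" eth0 eth1
check_transparent_proxy "$TUTORIAL_RULES" eth0 eth1 || echo "-> tutorial rules rejected (expected)"
check_transparent_proxy "$LAN_ONLY_RULES" eth0 eth1 && echo "-> LAN-only rules accepted"
```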