Shorewall and squid transparent proxy problem
Николай Федосов
nikolay.fedosov at gmail.com
Wed Apr 6 15:41:20 UTC 2011
The simplest way is:
Put the output of these commands here:
iptables -t filter -L
iptables -t nat -L
iptables -t mangle -L
And this will be the starting point!
If you also write about your goals (I remember about squid), it will be
great.
06.04.2011 05:40, Diego Xirinachs writes:
> Thanks a lot for your input, to answer your questions and clarify further,
>
> - I had the ACCEPT rule before the REDIRECT one before asking for
> help, and it didn't work either; I will change it back and leave it like that,
> so the rule order would be:
>
> ACCEPT $FW net tcp www
> REDIRECT loc 3128 tcp www -
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
> ##############################
>
> - Explain when you can/want, I am curious :D
>
> - Regarding the iptables commands, no, I'm not sure. I just took those
> 2 commands from a tutorial and ran them to see if they would work.
>
> - Those 2 iptables commands you gave me, can I run them with shorewall
> installed, or would the server act weird?
>
> Today I noticed I don't have a masq file, and that IF the EXTERNAL
> network isn't connected on eth0 (mine is on eth1) you have to edit this
> masq file to reverse the order, at least that's what the Shorewall
> documentation says (I don't have the URL handy). If that works I will
> post results here.
>
> thanks a lot again :D
>
> 2011/4/5 Николай Федосов <nikolay.fedosov at gmail.com>
>
> 06.04.2011 01:43, Diego Xirinachs writes:
>> DNS is already accepted in my shorewall rules file; here is the
>> complete file, I don't know why I didn't post it complete earlier.
>>
>>
>>
>> REDIRECT loc 3128 tcp www -
>> ACCEPT $FW net tcp www
>> ACCEPT $FW loc icmp
>> ACCEPT $FW net icmp
>> #################################################
> Here is your mistake! The first rule is evaluated first.
> You try to REDIRECT www packets from the firewall to port 3128, but
> you have no www packets in your firewall if (as I understand)
> your policy is DROP.
>
> Try in this order:
>
> first rule: ACCEPT $FW net tcp www
> second rule: REDIRECT loc 3128 tcp www -
>
> This example is from the documentation at www.shorewall.net
>
>>
>> As you can see, DNS is already there also. Any other tips?
>>
>> @nikolay: Really? More complicated than iptables? I find it easy
>> to configure access rules here; the only problem I have had is this
>> one. With iptables I tried to get the transparent proxy working
>> but couldn't (I got the full command and ran it, it didn't do
>> anything). I tried with the following commands
> I can explain it but not now
>
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
>> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> Are you sure that SQUID requires nat ?????????????
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
> iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j DROP
>
>
> And you should remember that THE ORDER of the rules is
> SIGNIFICANT!
> Sorry for my English... now it's time to sleep....
>
>>
>> eth0 is my LAN and eth1 is connected to the internet. The IP address
>> is just for the example; my internal network uses a different
>> range than that one.
>>
>> I would really like to get this working but I have no idea what's
>> wrong; I'm sure this kind of issue is one of those wtf problems
>> that can be solved with a simple solution.
>>
>> Hope it helps and thanks again.
>>
>>
>>
>> 2011/4/5 Николай Федосов <nikolay.fedosov at gmail.com>
>>
>> My proposal is to change the order of your rules...
>>
>> But the true way is: apt-get purge shorewall (it is very
>> complicated, more complicated than iptables)
>>
>> 05.04.2011 13:29, Diego Xirinachs writes:
>>
>> >> My /etc/shorewall/rules are set up with these ACCEPT and
>> >> REDIRECT rules:
>> >>
>> >> #ACTION   SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
>> >> REDIRECT  loc     3128  tcp    www           -
>> >> ACCEPT    $FW     net   tcp    www
>>
>>
>> --
>> ubuntu-server mailing list
>> ubuntu-server at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
>> More info: https://wiki.ubuntu.com/ServerTeam
>>
>>
>>
>>
>> --
>> X1R1
>
>
>
>
> --
> X1R1
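The iptables output asked for at the top of this message is easier to reason about when taken with `iptables-save` (one `*table` block per table, chains listed with their policies) or with `iptables -t nat -L -n -v`, which, unlike plain `-L`, prints the interface each rule is bound to. What follows is an added example written for this archive page; it is not code from the thread, from Shorewall or from Squid. It parses `iptables-save` output and traces a LAN host's port-80 connection through the three chains a REDIRECT setup relies on: nat PREROUTING (is it redirected to the squid port?), filter INPUT (after REDIRECT the packet is delivered locally, so INPUT rather than FORWARD must admit it on the squid port) and filter FORWARD (port-80 traffic that is not redirected must not be forwarded straight out, which is what the `FORWARD ... -j DROP` rule suggested above achieves). Jumps into user-defined chains are followed, since a Shorewall-generated ruleset puts almost everything in such chains. The two embedded rule sets are constructed samples, with eth0 as the LAN and eth1 as the internet side as in Diego's setup; the chain name `lan_in`, the function names and the three finding names are my own.

```python
# Added example for this thread, not Shorewall or Squid code. Interface names, chain
# names, sample rule sets and function names are assumptions chosen to match the
# setup in the thread (eth0 = LAN, eth1 = internet, squid on port 3128).

# Constructed sample of a working REDIRECT setup; lan_in is a user-defined chain.
GOOD_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:lan_in - [0:0]
-A INPUT -i eth0 -j lan_in
-A lan_in -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
"""
# Constructed sample of a broken one: REDIRECT bound to the internet-side interface,
# nothing admits LAN traffic to 3128, and FORWARD lets port 80 straight out.
BAD_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
COMMIT
"""

# Options copied straight into the rule; every other option is assumed to take one
# argument and is ignored (so e.g. a -s match is treated as matching any source).
KEYS = {"-i": "in", "-o": "out", "-p": "proto", "-j": "target"}


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: POLICY or None}, "rules": {chain: [rule, ...]}}}.
    User-defined chains have policy "-" in iptables-save; that is stored as None."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": {}}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = None if policy == "-" else policy
            tables[table]["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            tok = line.split()
            rule = {"chain": tok[1], "target": "", "dport": None, "to_port": None}
            for opt, arg in zip(tok[2::2], tok[3::2]):
                if opt in KEYS:
                    rule[KEYS[opt]] = arg
                elif opt == "--dport":
                    rule["dport"] = int(arg)
                elif opt == "--to-ports":
                    rule["to_port"] = int(arg.split("-")[0])
                elif opt == "--to-destination" and ":" in arg:
                    rule["to_port"] = int(arg.rsplit(":", 1)[1])
            tables[table]["rules"].setdefault(rule["chain"], []).append(rule)
    return tables


def first_match(table, chain, in_iface, proto, dport, out_iface=None):
    """Walk one chain in order, as netfilter does, following -j into user-defined chains.
    Returns (verdict, deciding rule), or (chain policy, None) when nothing matched;
    for a user chain that policy is None, meaning "carry on in the calling chain"."""
    pkt = {"in": in_iface, "out": out_iface, "proto": proto, "dport": dport}
    for rule in table["rules"].get(chain, []):
        if not all(rule.get(k) in (None, pkt[k]) for k in pkt):
            continue
        target = rule["target"]
        if target == "RETURN":
            break
        if target in table["rules"]:  # jump into a user-defined chain
            target, rule = first_match(table, target, in_iface, proto, dport, out_iface)
            if target is None:  # fell off the end of it (or hit RETURN)
                continue
        if target:
            return target, rule
    return table["policy"].get(chain), None


def check_transparent_proxy(save_text, lan, wan, squid_port):
    """Trace a LAN host's port-80 SYN through the chains it touches; return 3 findings."""
    t = parse_iptables_save(save_text)
    # 1. nat PREROUTING: is the packet redirected to squid on this box? (DNAT to a
    #    different host is not modelled; REDIRECT is what this thread is about.)
    target, rule = first_match(t["nat"], "PREROUTING", lan, "tcp", 80, wan)
    redirected = target in ("REDIRECT", "DNAT") and rule["to_port"] == squid_port
    # 2. filter INPUT: a redirected packet is delivered locally with dport == squid_port,
    #    so INPUT (not FORWARD) must accept it from the LAN interface.
    in_target, _ = first_match(t["filter"], "INPUT", lan, "tcp", squid_port)
    # 3. filter FORWARD: port-80 traffic that was not redirected must not be forwarded
    #    straight out, or clients can quietly bypass the proxy.
    fwd_target, _ = first_match(t["filter"], "FORWARD", lan, "tcp", 80, wan)
    return {
        "redirected_to_squid": redirected,
        "squid_port_accepted": in_target == "ACCEPT",
        "direct_web_forward_blocked": fwd_target != "ACCEPT",
    }
```

To run it against a live box, save `iptables-save` output (run as root) to a file and call `check_transparent_proxy(open("rules.txt").read(), "eth0", "eth1", 3128)` with your own interface names; on a Shorewall host do this after `shorewall start`, since that is when the compiled rules are actually loaded. The parser deliberately understands only interface, protocol, destination-port and jump matches, so a finding of "redirected" on a ruleset that also restricts by source address is an approximation, not a proof.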