Hi all,

I have a strange problem trying to install a transparent proxy (in my
internal net, not on the shorewall server) according to the instructions
outlined in http://www.shorewall.net/Shorewall_Squid_Usage.html#Local

My network looks like the following:

        Internal Net: 10.0.0.0/24     Squid Server listening on port 3128
                                      (ip 10.0.0.152, DNS name server01)
                    |                   |
                    +-------------------+
                    |
        Shorewall int:  eth0 (ip 10.0.0.156)
                    :
        Shorewall ext:  eth1 (ip 10.0.1.2)
                    |
        DMZ Net:        10.0.1.0/24
                    |
        Thomson Router to Internet (ip 10.0.1.138)  (TG585 v7 from Telekom Austria)

The shorewall server is a Linksys NSLU2 Slug (named FireSlug) running
Debian Lenny, with its internal interface eth0 and a USB network interface
on Port2 as external interface eth1.
The shorewall server runs DNS and DHCP servers in secondary and slave mode
respectively; the primary ones are running on the internal network.
The Thomson Router is configured in the standard firewall mode, which is a
bit tricky to describe because it's a template setup. However, I do not think
that this causes my problem, because if I run the Thomson Router in
transparent mode the problem persists, so I assume I have to focus on the
shorewall configuration on the FireSlug.

Now, with the documentation mentioned above, I have full functionality on the
web when just sticking to either http:// or https:// pages (the browsers are
usually configured without a proxy, otherwise I would not need a transparent
proxy :-) ).

My problem arises when I get to pages with mixed content (either images from
https:// URLs on http:// pages, or script-based redirection from http:// to
https://). A good example is the page www.xing.com. If I enter
http://www.xing.com the site tries to redirect to https://www.xing.com and
then my browser times out. By just hitting reload with the already
redirected link it works as expected.
When I set the proxy in my browser settings to 10.0.0.152:3128 everything
works (I assume that squid is correctly tunneling the SSL requests).
Therefore I guess it is due to the redirection mechanism on the shorewall,
which is just forwarding port 80 to the squid server and forwarding 443
through the firewall directly. Maybe by switching from 80 to 443 this
mechanism somehow breaks?

I attach my configuration files of shorewall for reference.
iptables -t nat -L on the squid server gives:
=====
Chain PREROUTING (policy ACCEPT)
target         proc    opt     source           destination
REDIRECT       tcp     --      anywhere        !server01       tcp dpt:http redir ports 3128
=====

All other chains are empty on the squid server

The relevant configuration files on the shorewall client read:

Interfaces:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1            detect          dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc     eth0            detect          dhcp,tcpflags,nosmurfs,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Masq:

#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth1                    eth0            10.0.1.2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Params:

###############################################################################
SYSLOG_SVR=10.0.0.152
NTP_SVR=10.0.0.152
DNS_SVR=10.0.0.152
DHCP_SVR=10.0.0.152
AMULE_SVR=10.0.0.152
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Policy:

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             $FW             REJECT          info
loc             all             REJECT          info
$FW             net             ACCEPT
$FW             loc             REJECT          info
$FW             all             REJECT          info
net             $FW             DROP            info
net             loc             DROP            info
net             all             DROP            info
all             all             REJECT          info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Providers:

#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
Squid   1       202     -               eth0            10.0.0.152      loose
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Routestopped:

#INTERFACE      HOST(S)                  OPTIONS
eth1            10.0.1.0/24
eth0            10.0.0.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Rules:

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
DNS/ACCEPT      $FW             net
DNS/ACCEPT      loc             $FW
DNS/ACCEPT      $FW             loc:$DNS_SVR
SSH/ACCEPT      loc             $FW
Ping/ACCEPT     loc             $FW
Ping/DROP       net             $FW
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp
Syslog/ACCEPT   $FW             loc:$SYSLOG_SVR
NTP/ACCEPT      $FW             loc:$NTP_SVR
HTTP/ACCEPT     $FW             net
HTTP/ACCEPT     loc             $FW
HTTPS/ACCEPT    $FW             net
HTTPS/ACCEPT    loc             $FW
Webmin/ACCEPT   loc             $FW
DHCP/ACCEPT     loc:$DHCP_SVR   $FW
DHCP/ACCEPT     $FW             loc:$DHCP_SVR
aMule/DNAT      net             loc:$AMULE_SVR  
aMule/ACCEPT    net             $FW
ACCEPT          loc             $FW             tcp     5351
ACCEPT          loc             $FW             udp     5351

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Tcrules:

#MARK   SOURCE                  DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS
#                                               PORT(S) PORT(S)
202:P   eth0:!10.0.0.152        0.0.0.0/0       tcp     80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

zone:

#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


And finally shorewall.conf:

STARTUP_ENABLED=Yes
VERBOSITY=1
SHOREWALL_COMPILER=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
RSH_COMMAND='ssh ${ro...@${system} ${command}'
RCP_COMMAND='scp ${files} ${ro...@${system}:${destination}'
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

Now, I know that I could set up a wpad mechanism and make automatic
configuration of my browsers. However, I like the concept of transparent
proxying and I'm interested in where this problem in switching between port 80
on squid and port 443 forwarding through the firewall comes from.

Kind regards,

Rainer Minixhofer
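As an added worked example (not part of Rainer's post and not Shorewall's own code), the Python model below replays the posted tcrules, providers and masq entries, plus the REDIRECT rule shown from server01, against a few constructed flows. It makes the asymmetry behind the question visible: an http:// request from a client is marked 202, policy-routed to 10.0.0.152 and redirected into port 3128 with the client's address intact, while the https:// request the page redirects to is never marked and leaves eth1 masqueraded as 10.0.1.2. The model assumes the main routing table defaults to the Thomson router at 10.0.1.138; the `Flow` class, the function names and the TEST-NET address used for the remote web server are the example's own.

```python
"""Constructed model of the two web paths produced by the posted Shorewall
configuration (tcrules + providers + masq) and the REDIRECT rule on server01.
Added example only: this is not Shorewall code and handles no real packets."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Addresses taken from the network diagram in the post.
SQUID_SERVER = ipaddress.ip_address("10.0.0.152")   # server01, Squid on 3128
SQUID_PORT = 3128
EXT_ADDR = ipaddress.ip_address("10.0.1.2")          # eth1 address in the masq entry
THOMSON = ipaddress.ip_address("10.0.1.138")         # assumed main-table default gateway
LOC_NET = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Flow:
    """A new connection as first seen by the Shorewall box (model type)."""
    in_if: str    # interface the first packet arrives on
    src: str
    dst: str
    proto: str
    dport: int


def tcrules_mark(flow: Flow) -> int:
    """tcrules line: 202:P  eth0:!10.0.0.152  0.0.0.0/0  tcp  80"""
    if (flow.in_if == "eth0"
            and ipaddress.ip_address(flow.src) != SQUID_SERVER
            and flow.proto == "tcp" and flow.dport == 80):
        return 202
    return 0


def select_route(mark: int) -> Tuple[str, str]:
    """providers line: Squid 1 202 - eth0 10.0.0.152 loose.
    Packets marked 202 use table Squid (next hop 10.0.0.152 on eth0);
    everything else uses the main table, assumed to default to the Thomson."""
    if mark == 202:
        return "eth0", str(SQUID_SERVER)
    return "eth1", str(THOMSON)


def masq_source(out_if: str, src: str) -> str:
    """masq line: eth1 eth0 10.0.1.2 -> loc sources leaving eth1 become 10.0.1.2."""
    if out_if == "eth1" and ipaddress.ip_address(src) in LOC_NET:
        return str(EXT_ADDR)
    return src


def squid_redirect(flow: Flow) -> int:
    """nat PREROUTING on server01: REDIRECT tcp dpt:http to !server01 -> 3128."""
    if (flow.proto == "tcp" and flow.dport == 80
            and ipaddress.ip_address(flow.dst) != SQUID_SERVER):
        return SQUID_PORT
    return flow.dport


def trace(flow: Flow) -> Dict[str, object]:
    """Walk one flow through mark -> route -> masq (-> REDIRECT on server01)."""
    steps: List[str] = []
    mark = tcrules_mark(flow)
    steps.append(f"mangle PREROUTING on eth0: fwmark {mark}")
    out_if, gateway = select_route(mark)
    steps.append(f"policy routing: out {out_if} via {gateway}")
    src_seen = masq_source(out_if, flow.src)
    steps.append(f"source address at next hop: {src_seen}")
    if gateway == str(SQUID_SERVER):
        final_port = squid_redirect(flow)
        steps.append(f"server01 nat PREROUTING: dport {flow.dport} -> {final_port}")
        path = "squid"
    else:
        final_port = flow.dport
        path = "direct"
    return {"path": path, "mark": mark, "out_if": out_if, "gateway": gateway,
            "src_seen": src_seen, "final_port": final_port, "steps": steps}


if __name__ == "__main__":
    client, web = "10.0.0.10", "192.0.2.80"   # constructed: a loc PC and a TEST-NET web server
    for label, flow in [
        ("http://  from a client", Flow("eth0", client, web, "tcp", 80)),
        ("https:// from a client", Flow("eth0", client, web, "tcp", 443)),
        ("http://  from server01", Flow("eth0", str(SQUID_SERVER), web, "tcp", 80)),
    ]:
        result = trace(flow)
        print(f"{label}: path={result['path']}")
        for step in result["steps"]:
            print("   ", step)
```

The third flow shows what the `!10.0.0.152` exclusion in the tcrules buys: Squid's own upstream fetches on port 80 stay unmarked and go out eth1 like any other traffic, instead of being routed back to the box that sent them. When debugging a case like the redirect in the post, the model's two paths are the two places to look, since the client's address is preserved on the Squid path but rewritten to 10.0.1.2 on the direct path, and connection-tracking state for a given client therefore lives on different hosts for port 80 and port 443.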


------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users