A bit more detail on this one, as I'm not sure my description is clear.
Manually setting the client (10.3.5.23) to use proxy on (72.2.0.4:80) does
work, so iptables is redirecting packets destined for the FW:80 to FW:3128. I
need to intercept *all* packets destined for port 80 (except those with
dest=local networks) and redirect to port 3128 on the firewall.
I've also tried this with no luck:
DNAT net:10.0.0.0/8 net:72.2.0.4:3128 tcp 80
Shawn Wright
I.T. Manager, Shawnigan Lake School
http://www.shawnigan.ca
----- "Shawn Wright" <[email protected]> wrote:
Hello,
I am having trouble finding rules to redirect traffic to a squid transparent
proxy running using shorewall. Here are the details:
Shorewall 4.0.6 on Ubuntu 8.04
single interface
squid 2.6 running in transparent mode on port 3128 on FW
I have a Cisco Cat 6500 MSFC which redirects all port 80 traffic from a subnet
(10.3.5.0/24) to the squid box using WCCP2. Here is a tcpdump of the traffic:
17:06:01.519659 IP 10.3.5.23.4011 > 74.125.155.104.80: S 3903948433:3903948433(0) win 65535 <mss 1460,nop,nop,sackOK>
17:06:01.519905 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack 3903948434 win 0
17:06:04.536350 IP 10.3.5.23.4011 > 74.125.155.104.80: S 3903948433:3903948433(0) win 65535 <mss 1460,nop,nop,sackOK>
17:06:04.536408 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack 1 win 0
I have tried using the rules shown in the Shorewall docs for squid trans proxy,
but it does not work - squid does not see the traffic. Squid does work fine
when used as manual proxy from same test client.
I have tried:
ACCEPT $FW net tcp www
REDIRECT net 3128 tcp 80 -
The squid/shorewall box has a single NIC only; it is NOT the gateway. The
gateway to the net is on the same subnet as the squid/shorewall box.
The client box is 10.3.5.23, and the squid/shorewall box is 72.2.0.4. Attached
is a shorewall dump.
Thanks.
Shawn Wright
I.T. Manager, Shawnigan Lake School
http://www.shawnigan.ca
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
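Added diagnostic example for the capture quoted in the original message (not code from the thread or from the Shorewall project): the script pairs each SYN in tcpdump text output with the RST that answers it and reports the round trip. A reset that comes back a few hundred microseconds after the SYN, carrying the remote host's address, cannot have travelled to that host and back; it was generated on the local segment, which is consistent with the proxy box's own stack refusing the redirected connection rather than squid or the real server answering. The 1 ms threshold is an assumption, and the sample lines are the four packets from the message re-joined onto single lines.

```python
"""Pair SYNs with the RSTs that answer them in tcpdump text output and
report how quickly each RST came back.  Added example, not from the thread.
The 1 ms threshold below is an assumption, not a measured value."""
import re
from collections import Counter

# tcpdump -n line shape as quoted in the message, e.g.
# 17:06:01.519659 IP 10.3.5.23.4011 > 74.125.155.104.80: S 3903948433:3903948433(0) win 65535 <...>
# 17:06:01.519905 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack 3903948434 win 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)(?: (?P<seq>\d+):)?"
)

LOCAL_RST_THRESHOLD_S = 0.001  # assumed: no Internet host answers within 1 ms

# Constructed sample: the four packets quoted in the thread, one per line.
SAMPLE = """\
17:06:01.519659 IP 10.3.5.23.4011 > 74.125.155.104.80: S 3903948433:3903948433(0) win 65535 <mss 1460,nop,nop,sackOK>
17:06:01.519905 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack 3903948434 win 0
17:06:04.536350 IP 10.3.5.23.4011 > 74.125.155.104.80: S 3903948433:3903948433(0) win 65535 <mss 1460,nop,nop,sackOK>
17:06:04.536408 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack 1 win 0
""".splitlines()


def parse_ts(ts):
    """'17:06:01.519659' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a packet dict for a tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "t": parse_ts(d["ts"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
        "seq": int(d["seq"]) if d["seq"] is not None else None,
    }


def analyse(lines, threshold=LOCAL_RST_THRESHOLD_S):
    """Match each RST to the outstanding SYN on the reversed 4-tuple.

    Returns one record per SYN/RST pair with the reply delay in microseconds,
    whether the delay is too short for a remote host (local_reset), and
    whether the SYN was a retransmission (same 4-tuple and sequence number
    seen before, i.e. the client did not act on an earlier reset).
    """
    pending = {}          # (src, sport, dst, dport) -> most recent SYN
    syn_seen = Counter()  # ((src, sport, dst, dport), seq) -> occurrences
    results = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if "S" in p["flags"]:
            pending[key] = p
            syn_seen[(key, p["seq"])] += 1
        elif "R" in p["flags"]:
            back = (p["dst"], p["dport"], p["src"], p["sport"])
            syn = pending.pop(back, None)
            if syn is None:
                continue  # RST with no SYN in this capture; ignore
            delta = p["t"] - syn["t"]
            results.append({
                "client": syn["src"], "server": syn["dst"], "dport": syn["dport"],
                "delta_us": round(delta * 1e6),
                "local_reset": delta < threshold,
                "syn_retransmit": syn_seen[(back, syn["seq"])] > 1,
            })
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE):
        origin = "locally generated" if r["local_reset"] else "from remote host"
        retry = " (SYN retransmit)" if r["syn_retransmit"] else ""
        print("%s -> %s:%d  RST after %d us: %s%s"
              % (r["client"], r["server"], r["dport"], r["delta_us"], origin, retry))
```

Run it against `tcpdump -n -i eth0 'tcp port 80'` output captured on the proxy box. If every SYN to port 80 is answered within a millisecond by a RST bearing the destination's address, the packets are reaching the box but nothing is accepting the connection at the port they end up on, which is what to check in the nat table counters before changing the Shorewall rules again.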