On 8/24/10 3:26 PM, Shawn Wright wrote:
> Hello,
> 
> I am having trouble finding rules to redirect traffic to a squid
> transparent proxy running using shorewall. Here are the details:
> 
> Shorewall 4.0.6 on Ubuntu 8.04
> single interface
> squid 2.6 running in transparent mode on port 3128 on FW
> 
> I have a Cisco Cat 6500 MSFC which redirects all port 80 traffic from a
> subnet (10.3.5.0/24) to the squid box using WCCP2. Here is a tcpdump of
> the traffic:

Sorry -- don't know what WCCPv2 is and really don't have the time or
interest to read the Cisco docs and/or RFCs. What does it do (at the IP
and link layers)?

Also, I see that http://wiki.squid-cache.org/Features/Wccp2 seems to
have quite a bit of information about configuring Squid to support this
feature.


> 
> 17:06:01.519659 IP 10.3.5.23.4011 > 74.125.155.104.80: S
> 3903948433:3903948433(0) win 65535 <mss 1460,nop,nop,sackOK>
> 17:06:01.519905 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack
> 3903948434 win 0
> 17:06:04.536350 IP 10.3.5.23.4011 > 74.125.155.104.80: S
> 3903948433:3903948433(0) win 65535 <mss 1460,nop,nop,sackOK>
> 17:06:04.536408 IP 74.125.155.104.80 > 10.3.5.23.4011: R 0:0(0) ack 1 win 0

Sigh -- tcpdump output and no clue about which system the output was
captured on. Client? Shorewall box? ??? Note that the connection
requests are being rejected, wherever this was captured...

> 
> I have tried using the rules shown in the Shorewall docs for squid trans
> proxy, but it does not work - squid does not see the traffic. Squid does
> work fine when used as manual proxy from same test client.
> 
> I have tried:
> 
> ACCEPT        $FW        net    tcp    www
> REDIRECT    net        3128    tcp    80    -

The dump that you supplied shows that traffic is matching this rule.

> 
> The squid/shorewall box has a single NIC only; it is NOT the gateway.
> The gateway to the net is on the same subnet as the squid/shorewall box.
> 
> The client box is 10.3.5.23, and the squid/shorewall box is 72.2.0.4.
> Attached is a shorewall dump.

Also, I see this in the conntrack table:

tcp      6 56 SYN_RECV src=10.3.5.23 dst=74.125.155.105 sport=4039
dport=80 packets=1 bytes=48 src=72.2.0.4 dst=10.3.5.23 sport=3128
dport=4039 packets=5 bytes=240 mark=0 secmark=0 use=1

So the SYN from the client seems to be redirected to port 3128 as you
expect.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
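Added example, not from the thread: a small Python parser that reads the conntrack entry Tom quoted and reports whether the original destination was rewritten, which is the check that confirms a REDIRECT rule is actually being applied. It assumes the two-tuple `/proc/net/ip_conntrack` text format shown in the message (original tuple first, reply tuple second); the sample line is the one from the thread, embedded here as constructed input.

```python
import re

# Constructed sample: the conntrack line quoted in the thread, unwrapped.
SAMPLE_CONNTRACK = (
    "tcp      6 56 SYN_RECV src=10.3.5.23 dst=74.125.155.105 sport=4039 "
    "dport=80 packets=1 bytes=48 src=72.2.0.4 dst=10.3.5.23 sport=3128 "
    "dport=4039 packets=5 bytes=240 mark=0 secmark=0 use=1"
)

# One src/dst/sport/dport tuple; a TCP entry carries two of them.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack_line(line):
    """Return (proto, state, original, reply) for one TCP conntrack line.

    Assumption: the classic /proc/net/ip_conntrack layout, where the
    fourth field is the TCP state and the original tuple precedes the
    reply tuple.
    """
    fields = line.split()
    proto, state = fields[0], fields[3]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple")
    to_dict = lambda t: {"src": t[0], "dst": t[1],
                         "sport": int(t[2]), "dport": int(t[3])}
    return proto, state, to_dict(tuples[0]), to_dict(tuples[1])


def nat_translation(original, reply):
    """Report where the original destination was translated to.

    Without NAT the reply tuple is simply the original tuple mirrored, so
    the reply source equals the original destination.  With REDIRECT or
    DNAT the reply source is the address:port the packet was sent to
    instead; return that pair, or None when no translation took place.
    """
    if (reply["src"], reply["sport"]) == (original["dst"], original["dport"]):
        return None
    return reply["src"], reply["sport"]


def check_redirect(line):
    """Convenience wrapper: (state, translated-destination-or-None)."""
    _, state, original, reply = parse_conntrack_line(line)
    return state, nat_translation(original, reply)
```

On the sample line this reports the client's SYN to 74.125.155.105:80 being answered from 72.2.0.4:3128, i.e. the REDIRECT to the local squid port is in effect, while the entry is still in SYN_RECV.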


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users