> -----Original Message-----

> From: Tom Eastep [mailto:[email protected]]

> Sent: Monday, 24 December 2012 11:59 a.m.

> To: [email protected]

> Subject: Re: [Shorewall-users] shorewall6 seems to be ignoring tproxy

> 

> On 12/23/2012 06:02 PM, Steve Wray wrote:

> > Thanks for getting back to me.

[snip]

> Do you see the obvious problem with this rule from your dump output?

> 

> Chain PREROUTING (policy ACCEPT 1361 packets, 464K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  1361  464K tcpre      all      *      *       ::/0                 ::/0
>     0     0 divert     tcp      he-ipv6 *       ::/0                 ::/128               tcp spt:80flags:! 0x17/0x02 socket --transparent
>     0     0 TPROXY     tcp      eth1   *       ::/0                 ::/128               tcp dpt:80 TPROXY redirect :::3128 mark 0x200/0x200

> 

> Look at the destination column. That is the all-zero address.

> 

> That goes back to your tcrules:

> 

> TPROXY(3128,::1) eth1        ::          tcp        80

 

Yes I see this.

 

But I don't know how this tcpre rule gets there. I don't think that I
explicitly request it in my shorewall6 configuration.

 

My tcrules file contains only

 

FORMAT 2
DIVERT       he-ipv6 :: tcp -  80
TPROXY(3128) eth1    :: tcp 80

 

Which is exactly as suggested in the documentation.

http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY

and so far as I can tell I'm following this very closely.

 

So Shorewall6 must be inferring that I want this rule.

 

I wondered if it might be settings in shorewall6.conf and checked:

I did have

TC_ENABLED=Internal

But I've set that to No, and get the same tcpre rule created.

 

I had CLEAR_TC=YES and I've set that to no, restarted Shorewall, and I get
the same tcpre rule.

 

Do I need to explicitly tell Shorewall6 to not create this rule?

 

 

 

>                              --

> 

> -Tom

> --

> Tom Eastep        \ When I die, I want to go like my Grandfather who

> Shoreline,         \ died peacefully in his sleep. Not screaming like

> Washington, USA     \ all of the passengers in his car

> http://shorewall.net

> \________________________________________________
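
Added example, not part of the original message or of Shorewall: the quoted reply points at the `::/128` destination, which is only the all-zero (unspecified) address, while `::/0` means any address. The sketch below scans `ip6tables -L -n -v` style output for rules whose destination is `::/128`; the function names are this example's own, and the embedded sample is the dump from this thread with its wrapped lines rejoined.

```shell
#!/bin/sh
# Flag ip6tables rules whose destination is ::/128 (the unspecified address).
# Such a rule cannot match ordinary traffic; "any destination" is ::/0.

# Sample input: the PREROUTING dump quoted in this thread, wrapped lines rejoined.
sample_dump() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 1361 packets, 464K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1361  464K tcpre      all      *      *       ::/0                 ::/0
    0     0 divert     tcp      he-ipv6 *       ::/0                 ::/128               tcp spt:80flags:! 0x17/0x02 socket --transparent
    0     0 TPROXY     tcp      eth1   *       ::/0                 ::/128               tcp dpt:80 TPROXY redirect :::3128 mark 0x200/0x200
EOF
}

# Reads a verbose, numeric rule listing on stdin and prints
# "chain target in-interface" for every rule with destination ::/128.
find_unspecified_dst() {
    awk '
        $1 == "Chain" { chain = $2; next }
        $1 == "pkts"  { next }                 # column header line
        NF >= 8 && $1 ~ /^[0-9]/ {
            # The opt column may be empty, so field positions shift.
            # Locate the source as the first field shaped like an IPv6
            # prefix; in-interface is two fields before it and the
            # destination is the field right after it.
            for (i = 4; i < NF; i++) {
                if ($i ~ /^[0-9a-fA-F:]+\/[0-9]+$/) {
                    if ($(i + 1) == "::/128")
                        print chain, $3, $(i - 2)
                    break
                }
            }
        }
    '
}

# Run against the embedded sample. On a live system the input would be:
#   ip6tables -t mangle -L -n -v | find_unspecified_dst
sample_dump | find_unspecified_dst
```

On the sample it reports the `divert` and `TPROXY` rules and leaves the `tcpre` jump, whose destination is `::/0`, alone.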

 
