Hi all, I can make it work shorewall following the transparent proxy documentation.
My configuration is a virtual machine running Squid with shorewall, connected with a virtual bridge to the host that also runs shorewall. The Squid part (on the virtual machine) works perfectly with shorewall. But the routing part on the host doesn't.

My interfaces configuration is:

    net  eth0    detect  logmartians,nosmurfs,routefilter,tcpflags
    loc  eth1    detect  logmartians,nosmurfs,routefilter,tcpflags
    kvm  ovsbr0  detect  routeback,logmartians,nosmurfs,routefilter,tcpflags

ovsbr0 is the virtual switch where the Squid is connected; the switch has IP 192.168.200.1 and the Squid VM 192.168.200.2.

My masq configuration is:

    eth0  10.0.0.0/8,\
          192.168.200.2  157.X.X.X

policy:

    $FW  net  ACCEPT
    $FW  kvm  ACCEPT
    loc  net  ACCEPT
    loc  kvm  ACCEPT
    kvm  net  ACCEPT
    kvm  loc  ACCEPT
    all  all  REJECT  info

providers:

    Squid  1  202  -  ovsbr0  192.168.200.2  loose,notrack

tcrules:

    202:P  eth1:!192.168.200.2  0.0.0.0/0  tcp  80

zones:

    fw   firewall
    net  ipv4
    loc  ipv4
    kvm  ipv4

And if I do a tcpdump on the Squid VM I can see the packets entering the VM and going out again to the machine that made the request, like:

    14:08:01.456450 IP 10.99.32.124.36480 > 173.194.42.1.80: Flags [S], seq 2797245282, win 14600, options [mss 1460,sackOK,TS val 1975561 ecr 0,nop,wscale 4], length 0
    14:08:01.456477 IP 173.194.42.1.80 > 10.99.32.124.36480: Flags [S.], seq 1740205425, ack 2797245283, win 5792, options [mss 1460,sackOK,TS val 455790 ecr 1975561,nop,wscale 6], length 0

when I try to access Google. But nothing appears in the Squid logs or on the requesting machine.

Last thing is that I know that the Squid part is working, because using the redirect rule in shorewall there and configuring the host by hand and not with shorewall, it works as expected.

Let me know any other information that you may need to try to solve my problem.

Thanks for all.

Ernesto