On 4/18/13 10:23 AM, "Ernesto Domato" <[email protected]> wrote:
> Hi all, I can make it work shorewall following the transparent proxy
> documentation.
>
> My configuration is a virtual machine running Squid with shorewall,
> connected with a virtual bridge to the host that also runs shorewall.
>
> The Squid part (on the virtual machine) works perfectly with
> shorewall. But the routing part on the host doesn't.
>
> My interfaces configuration is:
>
> net     eth0    detect  logmartians,nosmurfs,routefilter,tcpflags
> loc     eth1    detect  logmartians,nosmurfs,routefilter,tcpflags
> kvm     ovsbr0  detect  routeback,logmartians,nosmurfs,routefilter,tcpflags
>
> ovsbr0 is the virtual switch where the Squid is connected, the switch
> has IP 192.168.200.1 and the Squid VM 192.168.200.2
>
> My masq configuration is:
>
> eth0    10.0.0.0/8,\
>         192.168.200.2   157.X.X.X
>
> policy:
>
> $FW     net     ACCEPT
> $FW     kvm     ACCEPT
>
> loc     net     ACCEPT
> loc     kvm     ACCEPT
> kvm     net     ACCEPT
> kvm     loc     ACCEPT
>
> all     all     REJECT  info
>
> providers:
>
> Squid   1   202   -   ovsbr0   192.168.200.2   loose,notrack
>
> tcrules:
>
> 202:P   eth1:!192.168.200.2   0.0.0.0/0   tcp   80
>
> zones:
>
> fw      firewall
> net     ipv4
> loc     ipv4
> kvm     ipv4
>
> And if I do a tcpdump on the Squid VM I can see the packages entering
> the VM and going out again to the machine that made the request like:
>
> 14:08:01.456450 IP 10.99.32.124.36480 > 173.194.42.1.80: Flags [S],
> seq 2797245282, win 14600, options [mss 1460,sackOK,TS val 1975561 ecr
> 0,nop,wscale 4], length 0
>
> 14:08:01.456477 IP 173.194.42.1.80 > 10.99.32.124.36480: Flags [S.],
> seq 1740205425, ack 2797245283, win 5792, options [mss 1460,sackOK,TS
> val 455790 ecr 1975561,nop,wscale 6], length 0
>
> try to access Google. But nothing appears on Squid logs and on the
> request machine.
>
> Last thing is that I know that the Squid part is working because using
> the redirect rule in shorewall there and configuring the host by hand
> and not shorewall it works as expected.
>
> Let me know any other information that you may need to try to solve my
> problem.
You have a REDIRECT rule on the system running Squid?

-Tom
You do not need a parachute to skydive.
You only need a parachute to skydive twice.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
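As an added diagnostic that is not part of the thread: the providers and tcrules entries quoted above are meant to leave the host with an fwmark rule (mark 202, shown by iproute2 as 0xca) that selects routing table 202, and a default route in that table pointing at the Squid VM on ovsbr0. The POSIX shell functions below check that both pieces are present in `ip rule` / `ip route` output; the sample outputs are constructed, and the assumption that Shorewall may show the provider name "Squid" instead of the table number is mine.

```shell
# Constructed sample outputs (not captured from the poster's host) of
# `ip -4 rule show` and `ip -4 route show table 202` as they should look
# once the "Squid" provider (mark 202 = 0xca) has been set up.
SAMPLE_RULES='0:      from all lookup local
1000:   from all fwmark 0xca lookup 202
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE='default via 192.168.200.2 dev ovsbr0'

# check_mark_rule RULES MARK_HEX TABLE_RE
# Returns 0 if some rule matches packets carrying MARK_HEX (optionally
# with a /mask suffix) and sends them to a table matching TABLE_RE.
check_mark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark $2(/[0-9a-fx]+)? lookup $3"
}

# check_table_route ROUTES GATEWAY DEV
# Returns 0 if the table contains a default route via GATEWAY on DEV.
check_table_route() {
    printf '%s\n' "$1" | grep -Fq "default via $2 dev $3"
}

# verify_proxy_path RULES ROUTES
# Returns 0 only when the mark->table->next-hop chain for the Squid VM is
# complete; otherwise says which piece is missing on stderr and returns 1.
# The table may be listed by number (202) or, if Shorewall registered the
# provider name in rt_tables, by name (Squid) -- an assumption, not verified.
verify_proxy_path() {
    check_mark_rule "$1" 0xca '(202|Squid)' \
        || { echo "no fwmark 0xca rule selecting table 202" >&2; return 1; }
    check_table_route "$2" 192.168.200.2 ovsbr0 \
        || { echo "table 202 has no default route via 192.168.200.2 dev ovsbr0" >&2; return 1; }
    return 0
}

# Against a live host, run:
#   verify_proxy_path "$(ip -4 rule show)" "$(ip -4 route show table 202)"
verify_proxy_path "$SAMPLE_RULES" "$SAMPLE_TABLE" \
    && echo "host policy routing toward the Squid VM looks complete"
```

If this check passes but requests still do not reach Squid, the host side of the chain is not the missing piece, which is why the question about the REDIRECT rule on the Squid system is the next thing to look at.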
