Hi,
I have some clients in a LAN that require access to WAN through a
transparent Squid web proxy on FW.
I have this in mangle:
# METHOD 1:
DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 80
TPROXY(3129) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
TPROXY(3129) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
TPROXY(3129) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
TPROXY(3129) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
TPROXY(3129) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
TPROXY(3129) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
TPROXY(3129) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
TPROXY(3129) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 443
TPROXY(3130) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
TPROXY(3130) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
TPROXY(3130) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
TPROXY(3130) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
TPROXY(3130) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
TPROXY(3130) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
TPROXY(3130) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
TPROXY(3130) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
## non-standard port
DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 8886
TPROXY(3130) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
TPROXY(3130) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
TPROXY(3130) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
TPROXY(3130) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
TPROXY(3130) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
TPROXY(3130) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
TPROXY(3130) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
TPROXY(3130) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
I am also required to add an ACCEPT rule from LAN* to FW for ports tcp
80,443,8886.
Finally, I also need to set SSL_ports and Safe_ports in squid conf to
include 8886 which is non-standard.
So, METHOD 1 seems to work.
However, using a list of port numbers, ranges or ipsets does not seem to work.
For instance, the following in mangle does not work as expected.
# METHOD 2
DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 80,443,8886
TPROXY(3129) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
TPROXY(3129) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
TPROXY(3129) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
TPROXY(3129) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
TPROXY(3129) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
TPROXY(3129) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
TPROXY(3129) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
TPROXY(3129) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
Is there a reason why METHOD 2 is apparently wrong?
Would a shorewall dump be useful?
Vieri
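The two methods above differ in which Squid port each destination port ends up on (METHOD 1 steers 80 to 3129 and 443/8886 to 3130; METHOD 2 steers all three to 3129). The shell script below is an added example, not from the original post or from Shorewall: it reads `iptables -t mangle -S` output captured on the firewall and reports which TPROXY `--on-port` each TCP destination port is steered to, so the compiled ruleset can be checked after a reload. The sample rules and the interface names eth0/eth1 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: report which TPROXY --on-port
# each TCP destination port is steered to, from `iptables -t mangle -S`
# output captured on the firewall after a Shorewall reload.

# Constructed sample ruleset (not a dump from the poster's firewall); eth0/eth1
# are placeholder interface names. The first rule resembles a port-list rule
# compiled to a multiport match, the second a single-port rule.
SAMPLE_RULES='-A tcpre -i eth1 -p tcp -m multiport --dports 80,443,8886 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A tcpre -i eth1.12 -p tcp -m tcp --dport 443 -j TPROXY --on-port 3130 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A tcpre -i eth0 -p tcp -m multiport --sports 80,443,8886 -j DIVERT'

# Read rules on stdin; print "dport on-port" pairs, one per line, expanding
# comma-separated multiport lists so every port appears on its own line.
tproxy_port_map() {
    grep -- '-j TPROXY' | awk '
    {
        ports = ""; onport = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--dports" || $i == "--dport") ports = $(i + 1)
            if ($i == "--on-port") onport = $(i + 1)
        }
        if (ports == "" || onport == "") next
        n = split(ports, p, ",")
        for (k = 1; k <= n; k++) print p[k], onport
    }' | sort -u
}

# Read rules on stdin; print the on-ports a given dport is steered to,
# comma-separated (empty when no TPROXY rule matches that port).
on_ports_for() {
    tproxy_port_map | awk -v want="$1" \
        '$1 == want { out = (out == "") ? $2 : out "," $2 } END { print out }'
}

# Read rules on stdin; list dports that land on more than one on-port, which
# matters when some ports are meant for a plain HTTP tproxy port and others
# for a TLS one.
conflicting_ports() {
    tproxy_port_map | awk '{ c[$1]++ } END { for (p in c) if (c[p] > 1) print p }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | tproxy_port_map
printf '%s\n' "$SAMPLE_RULES" | conflicting_ports
```

On a live firewall, replace the constructed sample with `iptables -t mangle -S | tproxy_port_map`.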
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users