On 10/2/20 4:19 AM, Vieri Di Paola wrote:
> Hi,
>
> I have some clients in a LAN that require access to WAN through a
> transparent Squid web proxy on FW.
>
> I have this in mangle:
>
> # METHOD 1:
> DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 80
> TPROXY(3129) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 443
> TPROXY(3130) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> ## non-standard port
> DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 8886
> TPROXY(3130) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
>
> I am also required to add an ACCEPT rule from LAN* to FW for ports tcp
> 80,443,8886.
> Finally, I also need to set SSL_ports and Safe_ports in squid conf to
> include 8886 which is non-standard.
>
> So, METHOD 1 seems to work.
I seriously doubt that the TLS handshake works when you try using HTTPS.
The proxy is a 'man in the middle' in that case.
>
> However, using a list of port numbers, ranges or ipsets does not seem to work.
>
> For instance, the following in mangle does not work as expected.
>
> # METHOD 2
> DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 80,443,8886
> TPROXY(3129) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
>
> Is there a reason why METHOD 2 is apparently wrong?
>
What would be more helpful would be an explanation of 'does not work as
expected'.
=Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster
Shoreline, \ with an international standard?
Washington, USA \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
\________________________________________
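An added example, not from the thread or from Shorewall: a small Python helper that expands a compact port-list rule set into the per-port form and normalises both into (action, interface, port) flows so they can be diffed. It assumes the mangle column layout ACTION SOURCE DEST PROTO DPORT SPORT and keeps the thread's shell variables as literal text. Run on the two listings above, it shows that the list form can only name one Squid listener per rule, whereas METHOD 1 sends 443 and 8886 to 3130.

```python
# Interfaces and listener mapping as they appear in the thread (variables not resolved).
LAN_IFACES = ["${IF_LAN}"] + [f"${{IF_LAN}}.{n}" for n in (1, 12, 13, 14, 15, 16, 17)]
# Port -> Squid TPROXY listener used by METHOD 1: 3129 for HTTP, 3130 for TLS ports.
LISTENER_FOR_PORT = {80: 3129, 443: 3130, 8886: 3130}


def per_port_rules(ports, lan_ifaces=LAN_IFACES, listeners=LISTENER_FOR_PORT):
    """Emit METHOD 1 style rules: one DIVERT per port plus one TPROXY per (port, iface).

    Columns follow the mangle layout ACTION SOURCE DEST PROTO DPORT SPORT.
    DIVERT matches WAN replies (SPORT == service port); TPROXY matches LAN requests.
    """
    rules = []
    for port in ports:
        rules.append(f"DIVERT\t$IF_WAN\t$PROXY_SOURCE_WAN\ttcp\t-\t{port}")
        for iface in lan_ifaces:
            rules.append(f"TPROXY({listeners[port]})\t{iface}:$PROXY_SOURCE_WAN"
                         f"\t$PROXY_DESTINATION_WAN\ttcp\t{port}")
    return rules


def flows(rules):
    """Normalise rules into a set of (action, iface, port), expanding comma port lists.

    DIVERT rules carry the port in SPORT (column 6), TPROXY rules in DPORT
    (column 5); the interface is the text before ':' in the SOURCE column.
    """
    out = set()
    for line in rules:
        cols = line.split()
        action, iface = cols[0], cols[1].split(":")[0]
        port_list = cols[5] if action == "DIVERT" else cols[4]
        for p in port_list.split(","):
            out.add((action, iface, int(p)))
    return out


# Constructed copy of METHOD 2 from the thread, port list in a single column.
METHOD_2 = ["DIVERT\t$IF_WAN\t$PROXY_SOURCE_WAN\ttcp\t-\t80,443,8886"] + [
    f"TPROXY(3129)\t{i}:$PROXY_SOURCE_WAN\t$PROXY_DESTINATION_WAN\ttcp\t80,443,8886"
    for i in LAN_IFACES]


def listener_mismatch(list_rules, ports=(80, 443, 8886)):
    """Flows present in only one of the two forms, i.e. where the listener differs."""
    return flows(per_port_rules(ports)) ^ flows(list_rules)
```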
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
