On Sun, Oct 4, 2020 at 7:58 PM Tom Eastep <teas...@shorewall.net> wrote:
>
> On 10/2/20 4:19 AM, Vieri Di Paola wrote:
> > Hi,
> >
> > I have some clients in a LAN that require access to WAN through a
> > transparent Squid web proxy on FW.
> >
> > I have this in mangle:
> >
> > # METHOD 1:
> > DIVERT          $IF_WAN                         $PROXY_SOURCE_WAN       tcp     -       80
> > TPROXY(3129)    ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN  tcp     80
> > TPROXY(3129)    ${IF_LAN}.1:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN  tcp     80
> > TPROXY(3129)    ${IF_LAN}.12:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
> > TPROXY(3129)    ${IF_LAN}.13:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
> > TPROXY(3129)    ${IF_LAN}.14:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
> > TPROXY(3129)    ${IF_LAN}.15:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
> > TPROXY(3129)    ${IF_LAN}.16:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
> > TPROXY(3129)    ${IF_LAN}.17:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
> > DIVERT          $IF_WAN                         $PROXY_SOURCE_WAN       tcp     -       443
> > TPROXY(3130)    ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN  tcp     443
> > TPROXY(3130)    ${IF_LAN}.1:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN  tcp     443
> > TPROXY(3130)    ${IF_LAN}.12:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     443
> > TPROXY(3130)    ${IF_LAN}.13:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     443
> > TPROXY(3130)    ${IF_LAN}.14:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     443
> > TPROXY(3130)    ${IF_LAN}.15:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     443
> > TPROXY(3130)    ${IF_LAN}.16:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     443
> > TPROXY(3130)    ${IF_LAN}.17:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     443
> > ## non-standard port
> > DIVERT          $IF_WAN                         $PROXY_SOURCE_WAN       tcp     -       8886
> > TPROXY(3130)    ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN  tcp     8886
> > TPROXY(3130)    ${IF_LAN}.1:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN  tcp     8886
> > TPROXY(3130)    ${IF_LAN}.12:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     8886
> > TPROXY(3130)    ${IF_LAN}.13:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     8886
> > TPROXY(3130)    ${IF_LAN}.14:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     8886
> > TPROXY(3130)    ${IF_LAN}.15:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     8886
> > TPROXY(3130)    ${IF_LAN}.16:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     8886
> > TPROXY(3130)    ${IF_LAN}.17:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     8886
> >
> > I am also required to add an ACCEPT rule from LAN* to FW for ports tcp
> > 80,443,8886.
> > Finally, I also need to set SSL_ports and Safe_ports in squid conf to
> > include 8886 which is non-standard.
> >
> > So, METHOD 1 seems to work.
>
> I seriously doubt that the TLS handshake works when you try using HTTPS.
> The proxy is a 'man in the middle' in that case.
>
> >
> > However, using a list of port numbers, ranges or ipsets does not seem to work.
> >
> > For instance, the following in mangle does not work as expected.
> >
> > # METHOD 2
> > DIVERT         $IF_WAN                         $PROXY_SOURCE_WAN       tcp     -       80,443,8886
> > TPROXY(3129)   ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN  tcp     80,443,8886
> > TPROXY(3129)   ${IF_LAN}.1:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN  tcp     80,443,8886
> > TPROXY(3129)   ${IF_LAN}.12:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80,443,8886
> > TPROXY(3129)   ${IF_LAN}.13:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80,443,8886
> > TPROXY(3129)   ${IF_LAN}.14:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80,443,8886
> > TPROXY(3129)   ${IF_LAN}.15:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80,443,8886
> > TPROXY(3129)   ${IF_LAN}.16:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80,443,8886
> > TPROXY(3129)   ${IF_LAN}.17:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80,443,8886
> >
> > Is there a reason why METHOD 2 is apparently wrong?
> >
>
> What would be more helpful would be an explanation of 'does not work as
> expected'.

With METHOD 1 in Squid I get messages such as these in the log:

NONE/200 0 CONNECT w.x.y.z:443
TCP_MISS/200 5786 GET https://domain.org

With METHOD 2 in Squid I get this instead:

NONE/000 0 NONE error:invalid-request - HIER_NONE/- -
TCP_TUNNEL/200 8740 NONE w.x.y.z:443

This might be a question for the Squid mailing list, but I'm asking it
here because I am getting two different behaviors when changing only
SW's configuration.

Vieri
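
An added check that is not part of the thread: reading the two quoted rule sets side by side, METHOD 1 sends ports 443 and 8886 to TPROXY(3130) while METHOD 2 sends every port in the list to TPROXY(3129), so the two methods do not hand HTTPS traffic to the same Squid listener. The script below (my own, using constructed single-interface excerpts of the quoted mangle rules and the page's variable names) expands Shorewall port lists and reports which destination ports land on a different local port between the two methods; it is a quick way to rule that difference out before taking the question to the Squid list.

```python
import re

# Constructed one-interface excerpts of the two mangle rule sets quoted in the thread;
# the ${IF_LAN}.1 ... ${IF_LAN}.17 VLAN rules only differ in SOURCE and are omitted.
# Columns: ACTION SOURCE DEST PROTO DPORT [SPORT]; DIVERT matches return traffic by SPORT.
METHOD_1 = """
DIVERT          $IF_WAN                         $PROXY_SOURCE_WAN       tcp     -       80
TPROXY(3129)    ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN  tcp     80
DIVERT          $IF_WAN                         $PROXY_SOURCE_WAN       tcp     -       443
TPROXY(3130)    ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN  tcp     443
DIVERT          $IF_WAN                         $PROXY_SOURCE_WAN       tcp     -       8886
TPROXY(3130)    ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN  tcp     8886
"""
METHOD_2 = """
DIVERT          $IF_WAN                         $PROXY_SOURCE_WAN       tcp     -       80,443,8886
TPROXY(3129)    ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN  tcp     80,443,8886
"""
TPROXY_RE = re.compile(r"^TPROXY\((\d+)\)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def expand_ports(spec):
    """Expand a Shorewall port list ('80,443,8886', '8880:8890') into a set of ints."""
    ports = set()
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports

def tproxy_map(rules):
    """Map each destination port to the local TPROXY port it lands on; first match
    wins, as in the generated mangle PREROUTING chain (TPROXY is terminating)."""
    mapping = {}
    for line in rules.splitlines():
        m = TPROXY_RE.match(line.strip())
        if m:
            for port in expand_ports(m.group(5)):
                mapping.setdefault(port, int(m.group(1)))
    return mapping

def diff_methods(rules_a, rules_b):
    """Return {port: (local port in a, local port in b)} for every port that differs."""
    a, b = tproxy_map(rules_a), tproxy_map(rules_b)
    return {p: (a.get(p), b.get(p)) for p in sorted(a.keys() | b.keys()) if a.get(p) != b.get(p)}

if __name__ == "__main__":
    for port, (m1, m2) in diff_methods(METHOD_1, METHOD_2).items():
        print(f"dport {port}: METHOD 1 -> TPROXY({m1}), METHOD 2 -> TPROXY({m2})")
```

Run against the full rule sets, the script reports 443 and 8886 as the only ports whose local TPROXY port changes between the two methods.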


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
