On Sun, Oct 4, 2020 at 7:58 PM Tom Eastep <[email protected]> wrote:
>
> On 10/2/20 4:19 AM, Vieri Di Paola wrote:
> > Hi,
> >
> > I have some clients in a LAN that require access to WAN through a
> > transparent Squid web proxy on FW.
> >
> > I have this in mangle:
> >
> > # METHOD 1:
> > DIVERT        $IF_WAN                         $PROXY_SOURCE_WAN        tcp  -    80
> > TPROXY(3129)  ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN   tcp  80
> > TPROXY(3129)  ${IF_LAN}.1:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN   tcp  80
> > TPROXY(3129)  ${IF_LAN}.12:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80
> > TPROXY(3129)  ${IF_LAN}.13:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80
> > TPROXY(3129)  ${IF_LAN}.14:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80
> > TPROXY(3129)  ${IF_LAN}.15:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80
> > TPROXY(3129)  ${IF_LAN}.16:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80
> > TPROXY(3129)  ${IF_LAN}.17:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80
> > DIVERT        $IF_WAN                         $PROXY_SOURCE_WAN        tcp  -    443
> > TPROXY(3130)  ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN   tcp  443
> > TPROXY(3130)  ${IF_LAN}.1:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN   tcp  443
> > TPROXY(3130)  ${IF_LAN}.12:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  443
> > TPROXY(3130)  ${IF_LAN}.13:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  443
> > TPROXY(3130)  ${IF_LAN}.14:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  443
> > TPROXY(3130)  ${IF_LAN}.15:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  443
> > TPROXY(3130)  ${IF_LAN}.16:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  443
> > TPROXY(3130)  ${IF_LAN}.17:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  443
> > ## non-standard port
> > DIVERT        $IF_WAN                         $PROXY_SOURCE_WAN        tcp  -    8886
> > TPROXY(3130)  ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN   tcp  8886
> > TPROXY(3130)  ${IF_LAN}.1:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN   tcp  8886
> > TPROXY(3130)  ${IF_LAN}.12:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  8886
> > TPROXY(3130)  ${IF_LAN}.13:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  8886
> > TPROXY(3130)  ${IF_LAN}.14:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  8886
> > TPROXY(3130)  ${IF_LAN}.15:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  8886
> > TPROXY(3130)  ${IF_LAN}.16:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  8886
> > TPROXY(3130)  ${IF_LAN}.17:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  8886
> >
> > I am also required to add an ACCEPT rule from LAN* to FW for ports tcp
> > 80,443,8886.
> > Finally, I also need to set SSL_ports and Safe_ports in squid conf to
> > include 8886 which is non-standard.
> >
> > So, METHOD 1 seems to work.
>
> I seriously doubt that the TLS handshake works when you try using HTTPS.
> The proxy is a 'man in the middle' in that case.
>
> >
> > However, using a list of port numbers, ranges or ipsets does not seem to
> > work.
> >
> > For instance, the following in mangle does not work as expected.
> >
> > # METHOD 2
> > DIVERT        $IF_WAN                         $PROXY_SOURCE_WAN        tcp  -            80,443,8886
> > TPROXY(3129)  ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN   tcp  80,443,8886
> > TPROXY(3129)  ${IF_LAN}.1:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN   tcp  80,443,8886
> > TPROXY(3129)  ${IF_LAN}.12:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80,443,8886
> > TPROXY(3129)  ${IF_LAN}.13:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80,443,8886
> > TPROXY(3129)  ${IF_LAN}.14:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80,443,8886
> > TPROXY(3129)  ${IF_LAN}.15:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80,443,8886
> > TPROXY(3129)  ${IF_LAN}.16:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80,443,8886
> > TPROXY(3129)  ${IF_LAN}.17:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN   tcp  80,443,8886
> >
> > Is there a reason why METHOD 2 is apparently wrong?
> >
>
> What would be more helpful would be an explanation of 'does not work as
> expected'.
With METHOD 1 in Squid I get messages such as these in the log:

NONE/200 0 CONNECT w.x.y.z:443
TCP_MISS/200 5786 GET https://domain.org

With METHOD 2 in Squid I get this instead:

NONE/000 0 NONE error:invalid-request - HIER_NONE/- -
TCP_TUNNEL/200 8740 NONE w.x.y.z:443

This might be a question for the Squid mailing list, but I'm asking it here
because I am getting two different behaviors when changing only SW's
configuration.

Vieri

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
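
Added example, not from the thread and not Shorewall's or Squid's own code: a small Python checker that parses mangle fragments in the column order shorewall-mangle(5) uses (ACTION SOURCE DEST PROTO DPORT SPORT), expands the comma-separated port lists and ranges the DPORT/SPORT columns accept, and reports which Squid port each intercepted destination port is TPROXY'd to. The two fragments embedded in it are constructed from METHOD 1 and METHOD 2 above, reduced to a single LAN interface because the VLAN sub-interfaces repeat the same ports and do not change the mapping. Run side by side, they expose the one difference between the two rule sets that the thread's text itself contains: METHOD 1 sends destination ports 443 and 8886 to 3130, while METHOD 2 sends every port, 443 and 8886 included, to 3129. The lint pass also flags TPROXY'd ports with no DIVERT rule claiming their replies, ports sent to more than one Squid port, and port lists longer than the 15 entries an iptables multiport match accepts (a range counts as two).

```python
"""Map each port a Shorewall mangle fragment intercepts to the Squid port
TPROXY hands it to. Added example; not Shorewall, Squid or the thread's code.
Column order per shorewall-mangle(5): ACTION SOURCE DEST PROTO DPORT SPORT."""
import re
from collections import defaultdict

# Constructed from METHOD 1 in the thread, reduced to one LAN interface
# (the VLAN sub-interfaces repeat the same ports and do not change the map).
METHOD_1 = """\
DIVERT        $IF_WAN                      $PROXY_SOURCE_WAN       tcp  -   80
TPROXY(3129)  ${IF_LAN}:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp  80
DIVERT        $IF_WAN                      $PROXY_SOURCE_WAN       tcp  -   443
TPROXY(3130)  ${IF_LAN}:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp  443
DIVERT        $IF_WAN                      $PROXY_SOURCE_WAN       tcp  -   8886
TPROXY(3130)  ${IF_LAN}:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp  8886
"""
# Constructed from METHOD 2 in the thread: one port list, one TPROXY target.
METHOD_2 = """\
DIVERT        $IF_WAN                      $PROXY_SOURCE_WAN       tcp  -            80,443,8886
TPROXY(3129)  ${IF_LAN}:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp  80,443,8886
"""

COLUMNS = ("action", "source", "dest", "proto", "dport", "sport")
TPROXY_RE = re.compile(r"^TPROXY\((\d+)[,)]")  # TPROXY(port[,mark[,ip]])
MULTIPORT_MAX = 15  # iptables multiport limit; a range costs two entries


def expand_ports(spec):
    """'80,443,8886' / '8880-8882' -> sorted list of ints; '-' -> []."""
    ports = set()
    for item in ([] if spec in ("", "-") else spec.split(",")):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def multiport_count(spec):
    """Entries a port list costs in an iptables multiport match."""
    return 0 if spec in ("", "-") else sum(2 if "-" in i else 1 for i in spec.split(","))


def parse_mangle(text):
    """Parse a mangle fragment into dicts keyed by COLUMNS (missing -> '-')."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            fields += ["-"] * (len(COLUMNS) - len(fields))
            rules.append(dict(zip(COLUMNS, fields)))
    return rules


def proxy_port_map(text):
    """Destination port -> set of Squid ports its TPROXY rules point at."""
    mapping = defaultdict(set)
    for rule in parse_mangle(text):
        m = TPROXY_RE.match(rule["action"])
        if m:
            for port in expand_ports(rule["dport"]):
                mapping[port].add(int(m.group(1)))
    return dict(mapping)


def divert_ports(text):
    """Source ports claimed by DIVERT rules (the replies coming back from WAN)."""
    return {p for r in parse_mangle(text) if r["action"] == "DIVERT"
            for p in expand_ports(r["sport"])}


def diff_targets(text_a, text_b):
    """Ports whose Squid target differs between two rule sets: port -> (a, b)."""
    a, b = proxy_port_map(text_a), proxy_port_map(text_b)
    return {p: (a.get(p, set()), b.get(p, set()))
            for p in sorted(set(a) | set(b)) if a.get(p, set()) != b.get(p, set())}


def lint(text):
    """Findings for one fragment: unclaimed replies, split targets, long lists."""
    findings = []
    tp, dv = proxy_port_map(text), divert_ports(text)
    for port in sorted(set(tp) - dv):
        findings.append(f"port {port}: TPROXY'd but no DIVERT rule claims its replies")
    for port, targets in sorted(tp.items()):
        if len(targets) > 1:
            findings.append(f"port {port}: sent to several Squid ports {sorted(targets)}")
    for rule in parse_mangle(text):
        for col in ("dport", "sport"):
            if multiport_count(rule[col]) > MULTIPORT_MAX:
                findings.append(f"{rule['action']}: {col} {rule[col]!r} exceeds "
                                f"{MULTIPORT_MAX} multiport entries")
    return findings


if __name__ == "__main__":
    for name, text in (("METHOD 1", METHOD_1), ("METHOD 2", METHOD_2)):
        print(name, "->", proxy_port_map(text), "lint:", lint(text) or "clean")
    for port, (m1, m2) in diff_targets(METHOD_1, METHOD_2).items():
        print(f"port {port}: METHOD 1 -> {sorted(m1)}, METHOD 2 -> {sorted(m2)}")
```

Both fragments lint clean, which is the point: a port list is valid mangle syntax, and the checker is not what tells the two apart. What differs is the target, and `diff_targets` prints exactly that for 443 and 8886. Whether sending those ports to the listener METHOD 1 reserves for port 80 accounts for the `error:invalid-request` lines in Squid's log is, as the poster says, a question for the Squid list; the checker only makes the difference visible before the rules are compiled.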
