I have deleted the "lo" zone and interface and rebuilt the whole firewall. From Local I can ping www.google.fr with DNS resolution (dnsmasq is installed on the firewall). Postfix and Squid+SquidGuard are installed on the firewall. All client machines use the firewall's IP for DNS resolution. New dump attached.
Without Squid: I surf and everything works perfectly.
With Squid and the REDIRECT rule: surfing is FAR too slow and there are no images on the web pages
... (12 minutes for one page!!!! without images), or I get this response:
Connection Failed
The system returned:
(110) Connection timed out
PLEASE HELP! I don't understand!!!
Configuration:
**********************
Zones
#ZONE   TYPE
Local   ipv4
DMZ     ipv4
Net     ipv4
Maint   ipv4
**********************
Interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
DMZ     eth2        detect      dhcp
Local   eth1        detect      dhcp,routeback
Net     eth0        detect
Net     ppp0        -           dhcp
Maint   tun0        detect
**********************
Policy
#SOURCE   DEST    POLICY   LOG LEVEL
Local     $FW     ACCEPT
Local     Net     ACCEPT   info
DMZ       $FW     ACCEPT
Maint     $FW     ACCEPT
Maint     DMZ     ACCEPT
Maint     Local   ACCEPT
$FW       Net     ACCEPT
$FW       Maint   ACCEPT
$FW       DMZ     ACCEPT
Local     DMZ     ACCEPT
Net       Net     DROP     info
Net       all     DROP     info
all       all     REJECT   info
**********************
Rules
#ACTION        SOURCE   DEST                                 PROTO   DEST PORT(S)                                  SOURCE PORT(S)   ORIGINAL DEST
Rsync/ACCEPT   Local    Net
Rsync/ACCEPT   DMZ      Net
DNS/ACCEPT     Local    Net
DNS/ACCEPT     DMZ      Net
DNS/ACCEPT     $FW      Net
DNS/ACCEPT     DMZ      $FW
DNS/ACCEPT     Local    $FW
Ping/ACCEPT    Local    Net
Ping/ACCEPT    DMZ      Net
Trcrt/ACCEPT   DMZ      Net
Trcrt/ACCEPT   Local    Net
Trcrt/ACCEPT   $FW      Net
ACCEPT         Net      DMZ:192.168.100.1,192.168.100.2      tcp     20,21,80,81,8080,443,21,554,5902,5901
DNAT           Net      DMZ:192.168.100.1                    tcp     20,21                                         -
ACCEPT         $FW      DMZ:192.168.100.1                    tcp     25,22,389
ACCEPT         $FW      DMZ:192.168.100.2                    tcp     25,22,389
ACCEPT         $FW      Local:192.168.1.1                    tcp     22
ACCEPT         $FW      Local:192.168.1.2                    tcp     3389
ACCEPT         $FW      Local:192.168.1.49                   tcp     137,139
ACCEPT         $FW      Net                                  tcp     80,53
ACCEPT         $FW      Net                                  udp     53
REDIRECT       Local    3128                                 tcp     80                                            -                !192.168.1.254,192.168.100.0/24
REDIRECT       DMZ      3128                                 tcp     80                                            -                !192.168.1.254,192.168.100.0/24
REDIRECT       Local    8110                                 tcp     110                                           -                !192.168.1.254,192.168.100.0/24
ACCEPT         Net      $FW                                  udp     1194
ACCEPT         Net      $FW                                  tcp     20,21,22,25,3000,10000,5902,5901
ACCEPT         DMZ      Net                                  tcp     20,21,80,443
ACCEPT         Local    Net                                  tcp     8,20,21,22,25,80,110,443,3389,5900,5901,8081
ACCEPT         Local    Net:213.xxx.xx.40,195.xxx.xxx.13     tcp     5432
ACCEPT         Local    Net:213.xxx.xx.40,195.xxx.xxx.12     udp     5432
************************
Providers:
#NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY          OPTIONS         COPY
sdsl    200      200    main        eth0        80.xxx.xxx.161   track,balance   eth1,eth2
adsl    201      201    main        ppp0        detect           track,balance   eth1,eth2
************************
TcRules:
#MARK   SOURCE   DEST        PROTO   PORT(S)
200     eth2     0.0.0.0/0   all
200     eth2     0.0.0.0/0   tcp     25
200     $FW      0.0.0.0/0   tcp     25
# All packets going out to the web go via the ADSL link
201     eth1     0.0.0.0/0   tcp     80
201     eth1     0.0.0.0/0   tcp     443
201     eth1     0.0.0.0/0   tcp     3128
*************************
Masq:
#INTERFACE   SOURCE           ADDRESS
ppp0         eth2
ppp0         eth1
eth0         eth2
eth0         eth1
eth0         $PPP0_IP         80.xxx.xxx.161
ppp0         80.xxx.xxx.161   $PPP0_IP
*************************
Nat:
#EXTERNAL         INTERFACE   INTERNAL        ALL INTERFACES   LOCAL
80.xxx.xxx.163    eth0        192.168.100.1   yes              yes
80.xxx.xxx.164    eth0        192.168.100.2   yes              yes
*************************
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Tom Eastep
Sent: Friday, 13 October 2006 23:15
To: Shorewall Users
Subject: Re: [Shorewall-users] Tc rules Help with multiISP + squid & squidguard...
> Joffrey FLEURICE wrote:
>>
>> DMZ eth2 detect dhcp
>> Local eth1 detect dhcp,routeback
>> Net eth0 detect
>> Net ppp0 - dhcp
>> Maint tun0 detect
>> Lo lo
>>
>
> Defining a zone for the 'lo' device is silly and unnecessary; it shouldn't
> hurt anything but it won't do anything positive either.

OK, I deleted the lo device.

> If you actually want to control loopback traffic for some reason, simply
> create fw->fw rules and policies. The only case of this that I can think of
> is where you want to redirect locally-generated HTTP traffic from users
> other than 'squid' to a local Squid server.
>
> REDIRECT fw 3128 tcp 80 - - - !squid
>
> -Tom
> --
> Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,          \ http://shorewall.net
> Washington USA      \ [EMAIL PROTECTED]
> PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Attachment: DumpFinal5.rar
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
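Added example (my own code, not from this thread or from Shorewall): a small model of how one Local client's HTTP request traverses the posted tcrules and REDIRECT rules, and which provider mark Squid's own upstream fetch ends up with. It relies on netfilter's hook order, which is a kernel fact and not an assumption: a forwarded packet hits mangle PREROUTING (tcrules whose SOURCE is an interface) before nat PREROUTING (Shorewall REDIRECT/DNAT), while a connection the firewall itself originates (Squid talking to the origin server) only hits mangle OUTPUT (tcrules whose SOURCE is $FW). The client's packet therefore gets mark 201 and is diverted to port 3128, but the connection Squid then opens is a different connection, and the posted $FW tcrules only mark tcp 25, so with `balance` on both providers the proxied fetch follows the balanced default route rather than the ADSL link the tcrules comment intends. The sample addresses are constructed, the marks 200/201 and rule columns are taken from the posted configuration, and the model deliberately ignores routing tables, MSS/MTU and Squid's own behaviour.

```python
"""Model of netfilter traversal for the posted Shorewall tcrules and REDIRECT
rules. Added example; not code from the thread or from Shorewall.

Hook order (kernel fact):
  forwarded/redirected packet : mangle PREROUTING -> nat PREROUTING
  firewall-originated packet  : mangle OUTPUT     -> nat POSTROUTING
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

PROVIDERS = {200: "sdsl", 201: "adsl"}   # MARK -> NAME from the posted providers

# Posted tcrules as (MARK, SOURCE, DEST, PROTO, DEST PORT); None = any port.
TCRULES = [
    (200, "eth2", "0.0.0.0/0", "all", None),
    (200, "eth2", "0.0.0.0/0", "tcp", 25),
    (200, "$FW",  "0.0.0.0/0", "tcp", 25),
    (201, "eth1", "0.0.0.0/0", "tcp", 80),
    (201, "eth1", "0.0.0.0/0", "tcp", 443),
    (201, "eth1", "0.0.0.0/0", "tcp", 3128),
]

# Posted REDIRECT rules with the zone resolved to its interface:
# (ingress iface, proxy port, PROTO, DEST PORT, excluded ORIGINAL DESTs).
REDIRECTS = [
    ("eth1", 3128, "tcp", 80,  ["192.168.1.254", "192.168.100.0/24"]),
    ("eth2", 3128, "tcp", 80,  ["192.168.1.254", "192.168.100.0/24"]),
    ("eth1", 8110, "tcp", 110, ["192.168.1.254", "192.168.100.0/24"]),
]


@dataclass(frozen=True)
class Packet:
    in_iface: str                    # ingress interface, or "$FW" if locally generated
    src: str
    dst: str
    proto: str
    dport: int
    mark: int = 0
    redirected_to: Optional[int] = None   # proxy port set by nat PREROUTING


def _in_net(net: str, addr: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def mangle(pkt: Packet) -> Packet:
    """tcrules: apply the first matching rule's mark. Simplification: the posted
    rules do not overlap for the packets traced here, so first-match and
    last-match semantics give the same result."""
    for mark, src, dst, proto, dport in TCRULES:
        if src != pkt.in_iface:
            continue
        if proto != "all" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if not _in_net(dst, pkt.dst):
            continue
        return replace(pkt, mark=mark)
    return pkt


def nat_prerouting(pkt: Packet) -> Packet:
    """REDIRECT: divert to the local proxy port unless the ORIGINAL DEST matches
    the '!' exclusion list. Firewall-originated packets never traverse
    PREROUTING, so they are returned untouched."""
    if pkt.in_iface == "$FW":
        return pkt
    for iface, to_port, proto, dport, excluded in REDIRECTS:
        if iface != pkt.in_iface or proto != pkt.proto or dport != pkt.dport:
            continue
        if any(_in_net(n, pkt.dst) for n in excluded):
            continue
        return replace(pkt, redirected_to=to_port)
    return pkt


def provider_for(mark: int) -> str:
    """With 'balance' on both providers an unmarked connection follows the
    balanced default route instead of one specific link."""
    return PROVIDERS.get(mark, "balanced")


def trace_client_http(client_ip: str, server_ip: str) -> dict:
    """Trace a Local (eth1) client's TCP/80 connection. If Squid intercepts it,
    also trace the new connection Squid opens from $FW to the origin server;
    the client's mark does not carry over because it is a separate connection."""
    client = nat_prerouting(mangle(Packet("eth1", client_ip, server_ip, "tcp", 80)))
    out = {"client_mark": client.mark,
           "client_link": provider_for(client.mark),
           "redirected_to": client.redirected_to}
    if client.redirected_to is not None:
        # "fw" stands in for the firewall's own address (placeholder, assumption).
        upstream = mangle(Packet("$FW", "fw", server_ip, "tcp", 80))
        out["squid_mark"] = upstream.mark
        out["squid_link"] = provider_for(upstream.mark)
    return out


if __name__ == "__main__":
    # Constructed sample addresses; 198.51.100.7 is documentation address space.
    for dst in ("198.51.100.7", "192.168.100.1"):
        print(dst, trace_client_http("192.168.1.10", dst))
```

Running it shows the two paths side by side: a request to an Internet host gets `client_mark` 201 and `redirected_to` 3128, but `squid_mark` 0 ("balanced"); a request to the DMZ server 192.168.100.1 keeps mark 201 and is not redirected because it matches the exclusion list. The same reasoning applies to Tom's `REDIRECT fw 3128 tcp 80 - - - !squid` suggestion: it lives in nat OUTPUT, and the `!squid` user match is what keeps Squid's own upstream connections from being fed back into Squid.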
