> This line looks to me a redirection to a 3128 (squid transparent proxy?), is it ?
> Then incoming traffic wouldn't have the proper mark using IP because source address has been changed by the local one, would also fail using iface name... I guess.

****************

I think you're absolutely correct.. One thing I thought would do the trick was to limit the traffic coming from port 3128 to everywhere; tried that also. The other thing I did was to limit all traffic to dport 80, coming from anywhere (the dump attached on the previous post). Now, why didn't that work?

Thanks Jorge!

Ismael

----- Original Message -----
From: "Jorge Daza García-Blanes" <[EMAIL PROTECTED]>
To: "Shorewall Users" <[email protected]>
Sent: Saturday, December 30, 2006 6:54 AM
Subject: Re: [Shorewall-users] TC - not marking correctly

Thanks for your non-flaming post Tom, I apologize.

Now I've read the dump and will try to make a humble second guess, which I think is somehow related to my first post. This has been taken from the dump:

    tcp 6 431999 ESTABLISHED src=192.168.200.1 dst=201.3.160.245 sport=33955 dport=80 src=192.168.200.254 dst=192.168.200.1 sport=3128 dport=33955 [ASSURED] mark=0 use=1

This line looks to me a redirection to a 3128 (squid transparent proxy?), is it ?

Then incoming traffic wouldn't have the proper mark using IP because source address has been changed by the local one, would also fail using iface name... I guess. So my guess is that this would be what I mentioned in the previous email as "natting".

If that were correct, my guess is you could either use connection marks on mangle's prerouting and check for it. Or look for every packet... this might be a bit more complex because incoming traffic generated that way wouldn't have a known destination port (comes from 80 but squid [or whoever] wouldn't be forced to use 3128 as destination port). As we wouldn't know at that point the destination local address, it could also be harder to create exclusions or any other more refined marking rule...
I have some theories on why that could also fail even if the masquerade theory is right (basically because you could have two tcp connections). But am I closer now at why it is marking right given the rules ?

Now, show no mercy, I decided to live one more day. :)

Jorge Daza García-Blanes
[EMAIL PROTECTED] - GPG id: 5D7ACDEF

On 30/12/2006, at 0:42, Tom Eastep wrote:

> Jorge Daza García-Blanes wrote:
>
>> I just saw that the rule is in "tcfor" and the IP is local so,
>> shouldn't it be in "tcout" ?
>
> Jorge,
>
> You often have to read between the lines when dealing with Shorewall
> problem reports. The ifconfig output that made you think the IP is local
> was apparently obtained on a system other than where Shorewall is
> running. I came to that conclusion by comparing that ifconfig output
> with the dump attached to the same post.
>
> The dump showed the following:
>
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 1000
>     link/ether 00:40:f4:cb:33:75 brd ff:ff:ff:ff:ff:ff
>     inet 201.89.170.10/29 brd 201.89.170.15 scope global eth0
>     inet6 fe80::240:f4ff:fecb:3375/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:02:55:5e:fa:ff brd ff:ff:ff:ff:ff:ff
>     inet 192.168.200.254/24 brd 192.168.200.255 scope global eth1
>     inet6 fe80::202:55ff:fe5e:faff/64 scope link
>        valid_lft forever preferred_lft forever
>
> So it seems that the traffic in question is arriving on the firewall's
> eth0 and being sent through eth1; hence, it will traverse the
> 'tcfor' chain.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA     \ [EMAIL PROTECTED]
> PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
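The diagnostic step the thread turns on, as an added example that is not part of the original thread and not Shorewall's own code: reading a /proc/net/ip_conntrack line and comparing the reply tuple with the inverse of the original tuple tells you whether a flow was DNATed (REDIRECT to squid on 3128 is a DNAT to a local address) or SNATed (MASQUERADE), and, given the firewall's own addresses, which netfilter hook each direction of the flow traverses, so you know whether a marking rule belongs in the FORWARD chain (Shorewall's tcfor) or the OUTPUT chain (tcout). The first conntrack line is the one quoted in the thread; the two comparison lines are constructed for the example and are not from the dump. The firewall address set is taken from the ip addr output Tom quoted, and the script assumes, as Tom does, that the dump was taken on the firewall itself. Only port-based protocols (tcp/udp) are parsed; ICMP entries carry type/code/id fields instead and are not handled here.

```python
"""Classify /proc/net/ip_conntrack entries: which ones were NATed, and which
netfilter hook (and hence which Shorewall tc chain) each direction of the
flow traverses on the firewall. Added example, not Shorewall code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Conntrack line quoted in the thread (from the poster's shorewall dump).
DUMP_LINE = (
    "tcp 6 431999 ESTABLISHED src=192.168.200.1 dst=201.3.160.245 "
    "sport=33955 dport=80 src=192.168.200.254 dst=192.168.200.1 "
    "sport=3128 dport=33955 [ASSURED] mark=0 use=1"
)

# Constructed lines (not from the thread) for comparison: a masqueraded
# forwarded flow, and an unreplied DNS query to the firewall itself.
CONSTRUCTED_LINES = [
    "tcp 6 300 ESTABLISHED src=192.168.200.1 dst=201.3.160.245 sport=40000 "
    "dport=443 src=201.3.160.245 dst=201.89.170.10 sport=443 dport=40000 "
    "[ASSURED] mark=0 use=1",
    "udp 17 29 src=192.168.200.1 dst=192.168.200.254 sport=5353 dport=53 "
    "[UNREPLIED] src=192.168.200.254 dst=192.168.200.1 sport=53 dport=5353 "
    "mark=0 use=1",
]

# Addresses configured on the firewall (from the ip addr output Tom quoted).
FIREWALL_ADDRS: Set[str] = {"201.89.170.10", "192.168.200.254"}

# Netfilter hook -> Shorewall mangle chain, as named in the thread.
SHOREWALL_CHAIN = {"FORWARD": "tcfor", "OUTPUT": "tcout"}


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Conn:
    proto: str
    state: Optional[str]
    orig: Tuple4    # tuple as the first packet was seen (pre-NAT)
    reply: Tuple4   # tuple a reply packet carries (post-NAT view)
    flags: List[str]
    mark: int


KV = re.compile(r"^(\w+)=(\S+)$")


def parse_conntrack_line(line: str) -> Conn:
    """Parse one ip_conntrack line for a port-based protocol (tcp/udp).
    The original and reply tuples are the first and second
    src/dst/sport/dport groups; [FLAGS] may appear between them."""
    toks = line.split()
    proto = toks[0]
    state = toks[3] if proto == "tcp" else None  # tcp lines carry a state word
    tuples: List[Tuple4] = []
    cur: Dict[str, str] = {}
    flags: List[str] = []
    mark = 0
    for tok in toks:
        m = KV.match(tok)
        if m:
            key, val = m.groups()
            if key in ("src", "dst", "sport", "dport"):
                cur[key] = val
                if len(cur) == 4:
                    tuples.append(Tuple4(cur["src"], cur["dst"],
                                         int(cur["sport"]), int(cur["dport"])))
                    cur = {}
            elif key == "mark":
                mark = int(val)
        elif tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: " + line)
    return Conn(proto, state, tuples[0], tuples[1], flags, mark)


def nat_kinds(c: Conn) -> List[str]:
    """Without NAT the reply tuple is the exact inverse of the original one."""
    kinds = []
    if (c.reply.src, c.reply.sport) != (c.orig.dst, c.orig.dport):
        kinds.append("DNAT")  # destination rewritten; REDIRECT is DNAT to a local address
    if (c.reply.dst, c.reply.dport) != (c.orig.src, c.orig.sport):
        kinds.append("SNAT")  # source rewritten; MASQUERADE is SNAT
    return kinds


def hook_for(src: str, final_dst: str, local: Set[str]) -> str:
    if src in local:
        return "OUTPUT"   # generated by a local process (squid, for instance)
    if final_dst in local:
        return "INPUT"    # delivered to a local process, never forwarded
    return "FORWARD"


def packet_paths(c: Conn, local: Set[str] = FIREWALL_ADDRS) -> Tuple[str, str]:
    """Hooks traversed by client->server packets and by the replies, once NAT
    is applied: the reply tuple tells us the real endpoints."""
    return (hook_for(c.orig.src, c.reply.src, local),
            hook_for(c.reply.src, c.orig.src, local))


def analyse(lines: List[str], local: Set[str] = FIREWALL_ADDRS) -> List[dict]:
    out = []
    for line in lines:
        c = parse_conntrack_line(line)
        fwd, rev = packet_paths(c, local)
        out.append({"proto": c.proto,
                    "client": f"{c.orig.src}:{c.orig.sport}",
                    "asked_for": f"{c.orig.dst}:{c.orig.dport}",
                    "talks_to": f"{c.reply.src}:{c.reply.sport}",
                    "nat": nat_kinds(c), "mark": c.mark,
                    "forward_hook": fwd, "reply_hook": rev,
                    "forward_chain": SHOREWALL_CHAIN.get(fwd, "-"),
                    "reply_chain": SHOREWALL_CHAIN.get(rev, "-")})
    return out


if __name__ == "__main__":
    for row in analyse([DUMP_LINE] + CONSTRUCTED_LINES):
        print(row)
```

For the line from the dump the script reports DNAT, client packets terminating in INPUT (squid on 192.168.200.254:3128) and replies leaving via OUTPUT, so neither direction of that flow passes through tcfor; the constructed masqueraded flow is the only one of the three that is forwarded in both directions. The web-server side of a proxied request is a second, separate conntrack entry originated by the firewall itself and would show up the same way: OUTPUT on the way out, INPUT on the way back.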
