Hello,
I am using Shorewall on a Linksys NSLU2 and am having a hard time
getting Squid Transparent proxy to redirect to a local host on my home
network. I followed the instructions on
http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall.
I've gone over the configuration multiple times, but shorewall refuses
to start as long as the providers file has the Squid line in it. Any
thoughts on what I am doing wrong? I've included various relevant bits of
info below.
When I run shorewall -vv restart after making the configuration edits
(actual file snippets are below), I get this error on the provider section:
Setting up Proxy ARP...
Adding Providers...
RTNETLINK answers: File exists
ERROR: Command "ip route add default via 90.0.0.14 dev eth0 table 1" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 783: 23909 Terminated              $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
My setup is as follows:
Cable-Modem --> Vonage Device --> (ext_eth1) Shorewall Firewall (eth0, 90.0.0.1) --> Home Network (90.0.0.0/24)
                                                                                                   |
                                                                                                   |
                                                                                        Squid Server (90.0.0.14)
The Linksys device is running Debian Etch with the 2.6.18-6 kernel.
Other appropriate bits:
shorewall 3.2.6-2
iptables 1.3.6.0debian1-5
iproute 20061002-3
My Providers file:
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Squid 1 202 - eth0 90.0.0.14 loose
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
My Start file:
#
iptables -t mangle -A PREROUTING -i eth0 -s ! 90.0.0.14 -p tcp --dport 80 -j MARK --set-mark 202
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
My Interfaces file (I commented out my original loc line just to rule
out the options as the cause of the problem):
#ZONE INTERFACE BROADCAST OPTIONS
net ext_eth1 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians,blacklist
#loc eth0 detect tcpflags,detectnets,nosmurfs
loc eth0 detect routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Lastly, if this is helpful, here is the full output of shorewall -vv restart
Wed Apr 23 09:30:03 2008
[EMAIL PROTECTED] /etc/shorewall
# shorewall -vv restart
Compiling...
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Determining Zones...
IPv4 Zones: net loc
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Policy for loc to net is ACCEPT using chain loc2all
Policy for loc to fw is ACCEPT using chain loc2all
Policy for net to loc is DROP using chain net2all
Policy for net to fw is DROP using chain net2all
Policy for fw to net is ACCEPT using chain fw2net
Policy for fw to loc is ACCEPT using chain fw2loc
Determining Hosts in Zones...
net Zone: ext_eth1:0.0.0.0/0
loc Zone: eth0:0.0.0.0/0
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Compiling Accounting...
Creating Interface Chains...
Compiling Proxy ARP
Compiling /etc/shorewall/providers...
Provider Squid 1 202 - eth0 90.0.0.14 loose compiled
Compiling NAT...
Compiling NETMAP...
Compiling Common Rules
Compiling Blacklisting...
Blacklisting enabled on ext_eth1:0.0.0.0/0
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling IPSEC...
Compiling /etc/shorewall/rules...
Rule "DNAT net loc:90.0.0.3 tcp smtp,imaps - " compiled.
Rule "DNAT net loc:90.0.0.2 tcp http,https,ssh - " compiled.
Compiling /etc/shorewall/tunnels...
Compiling Actions...
Generating Transitive Closure of Used-action List...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" compiled.
..End Macro
Rule "dropBcast " compiled.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" compiled.
Rule "ACCEPT - - icmp time-exceeded - -" compiled.
..End Macro
Rule "dropInvalid " compiled.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "DROP - - udp 135,445 - -" compiled.
Rule "DROP - - udp 137:139 - -" compiled.
Rule "DROP - - udp 1024: 137 -" compiled.
Rule "DROP - - tcp 135,139,445 - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" compiled.
..End Macro
Rule "dropNotSyn - - tcp " compiled.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" compiled.
..End Macro
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" compiled.
..End Macro
Rule "dropBcast " compiled.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" compiled.
Rule "ACCEPT - - icmp time-exceeded - -" compiled.
..End Macro
Rule "dropInvalid " compiled.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "REJECT - - udp 135,445 - -" compiled.
Rule "REJECT - - udp 137:139 - -" compiled.
Rule "REJECT - - udp 1024: 137 -" compiled.
Rule "REJECT - - tcp 135,139,445 - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" compiled.
..End Macro
Rule "dropNotSyn - - tcp " compiled.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" compiled.
..End Macro
Compiling /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy ACCEPT for fw to loc using chain fw2loc
Policy DROP for net to loc using chain net2all
Compiling Masquerading/SNAT
Compiling /etc/shorewall/tos...
Compiling /etc/shorewall/ecn...
Compiling Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Compiling Rule Activation...
Compiling Black List...
24.1.63.172 added to Black List
71.192.145.218 added to Black List
71.195.90.124 added to Black List
71.195.92.84 added to Black List
71.196.26.40 added to Black List
71.197.231.36 added to Black List
71.224.121.223 added to Black List
71.235.146.220 added to Black List
71.61.144.116 added to Black List
76.123.73.60 added to Black List
76.31.64.247 added to Black List
Compiling Refresh of Black List...
24.1.63.172 added to Black List
71.192.145.218 added to Black List
71.195.90.124 added to Black List
71.195.92.84 added to Black List
71.196.26.40 added to Black List
71.197.231.36 added to Black List
71.224.121.223 added to Black List
71.235.146.220 added to Black List
71.61.144.116 added to Black List
76.123.73.60 added to Black List
76.31.64.247 added to Black List
Compiling Refresh of /etc/shorewall/ecn...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Processing /etc/shorewall/params ...
Shorewall is not running
Starting Shorewall....
Loading Modules...
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
Processing /etc/shorewall/continue ...
Enabling Loopback and DNS Lookups
Setting up Accounting...
Creating Interface Chains...
Setting up Proxy ARP...
Adding Providers...
RTNETLINK answers: File exists
ERROR: Command "ip route add default via 90.0.0.14 dev eth0 table 1" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 783: 23909 Terminated              $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
Here is the snippet of code in the .restart file that relates to my
Squid box (90.0.0.14):
progress_message2 "Setting up Proxy ARP..."
if [ -z "$NOROUTES" ]; then
    progress_message2 "Adding Providers..."
    DEFAULT_ROUTE=
    #
    # Add Provider Squid (1)
    #
    if interface_is_up eth0 && [ "$(find_first_interface_address_if_any eth0)" != 0.0.0.0 ]; then
        eth0_up=Yes
        qt ip route flush table 1
        run_ip route replace 90.0.0.14 src $(find_first_interface_address eth0) dev eth0 table 1
        run_ip route add default via 90.0.0.14 dev eth0 table 1
        qt ip rule del fwmark 202
        run_ip rule add fwmark 202 pref 10202 table 1
        find_interface_addresses eth0 | while read address; do
            qt ip rule del from $address
        done
        progress_message " Provider Squid (1) Added"
    else
        fatal_error "ERROR: Interface eth0 is not configured -- Provider Squid (1) Cannot be Added"
    fi
    cat > /etc/iproute2/rt_tables <<EOF
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
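An added example, written for this thread and not code from Shorewall or from the poster, that mechanically checks the kind of fwmark-based provider setup shown above. It parses a providers file and a start file in the exact form posted and flags the three mismatches that most often break or loop a transparent-proxy redirect: a MARK in the providers file that no iptables rule ever sets, a GATEWAY that is not on the provider interface's subnet, and a marking rule that does not exclude the proxy host's own address (without that exclusion, the proxy's own outbound port-80 traffic would be marked and routed back to itself). It also parses a constructed `ip route show table 1` dump to show the condition under which `ip route add default via ... table 1` fails with "RTNETLINK answers: File exists", namely that an identical default route is already present in that table. The `pref = 10000 + MARK` relation is an assumption generalised from the single `pref 10202` line in the posted .restart snippet; the file contents and the route-table dump are constructed samples.

```python
"""Consistency checks for a Shorewall 3.x fwmark provider used for a
transparent Squid redirect.  Illustrative code added to this thread; it
is not Shorewall's own code and does not talk to the kernel."""
import ipaddress
import re

# Constructed copies of the two files from the post.
PROVIDERS_FILE = """\
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Squid 1 202 - eth0 90.0.0.14 loose
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

START_FILE = """\
#
iptables -t mangle -A PREROUTING -i eth0 -s ! 90.0.0.14 -p tcp --dport 80 -j MARK --set-mark 202
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""

# Constructed `ip route show table 1` output on a box where a default route
# is already present in the provider table before Shorewall tries to add it.
STALE_TABLE_DUMP = """\
90.0.0.14 dev eth0  scope link  src 90.0.0.1
default via 90.0.0.14 dev eth0
"""

LAN_CIDR = "90.0.0.0/24"  # the home network from the post

MARK_RE = re.compile(r"--set-mark\s+(\d+)")
# accept both the old `-s ! addr` and the newer `! -s addr` spelling
SRC_EXCL_RE = re.compile(r"(?:!\s+-s|-s\s+!)\s+(\S+)")


def parse_providers(text):
    """One dict per non-comment line: NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY [OPTIONS]."""
    providers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            raise ValueError("providers line too short: %r" % line)
        options = set(f[6].split(",")) if len(f) > 6 and f[6] != "-" else set()
        providers.append({"name": f[0], "number": int(f[1]), "mark": int(f[2]),
                          "interface": f[4], "gateway": f[5], "options": options})
    return providers


def parse_mark_rules(text):
    """Return [(mark, excluded_source_or_None)] for each iptables MARK rule in a start file."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("iptables"):
            continue
        m = MARK_RE.search(line)
        if m:
            excl = SRC_EXCL_RE.search(line)
            rules.append((int(m.group(1)), excl.group(1) if excl else None))
    return rules


def check_provider(provider, mark_rules, lan_cidr):
    """Human-readable findings for one provider; an empty list means it looks consistent."""
    findings = []
    gw = ipaddress.ip_address(provider["gateway"])
    if gw not in ipaddress.ip_network(lan_cidr):
        findings.append("gateway %s is not inside %s on %s" % (gw, lan_cidr, provider["interface"]))
    matching = [r for r in mark_rules if r[0] == provider["mark"]]
    if not matching:
        findings.append("no iptables rule sets mark %d, so table %d is never consulted"
                        % (provider["mark"], provider["number"]))
    for _, excluded in matching:
        if excluded is None or ipaddress.ip_address(excluded.split("/")[0]) != gw:
            findings.append("mark %d rule does not exclude the proxy %s; its own web traffic "
                            "would be marked and routed back to it" % (provider["mark"], gw))
    return findings


def expected_ip_rule(provider):
    """The `ip rule` line the generated script adds for this provider.
    Assumption: pref is 10000 + MARK, generalised from `pref 10202` in the post."""
    return "ip rule add fwmark %d pref %d table %d" % (
        provider["mark"], 10000 + provider["mark"], provider["number"])


def default_route_present(table_dump, via, dev):
    """True when `ip route add default via VIA dev DEV table N` would fail with
    EEXIST ("RTNETLINK answers: File exists") because that route already exists."""
    for line in table_dump.splitlines():
        if line.split()[:5] == ["default", "via", via, "dev", dev]:
            return True
    return False


def run_checks():
    """Apply the checks to the constructed files; returns {provider name: findings}."""
    rules = parse_mark_rules(START_FILE)
    return {p["name"]: check_provider(p, rules, LAN_CIDR) for p in parse_providers(PROVIDERS_FILE)}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "OK" if not findings else findings)
    for p in parse_providers(PROVIDERS_FILE):
        print(expected_ip_rule(p))
        print("default route already in table:", default_route_present(STALE_TABLE_DUMP, p["gateway"], p["interface"]))
```

Run against the posted files the three provider checks all pass, which is consistent with the compile stage succeeding; the failing step is the runtime `ip route add default`, and `default_route_present` isolates the one condition under which that exact command returns EEXIST, so the dump to compare is the output of `ip route show table 1` taken on the box right after the failed restart.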