Manoj S Gaur wrote:
>     1. We have shorewall running at gateway (172.16.1.1) with NAT.
>     2. We have a number of web servers (172.16.1.x/24). These web
>     servers are accessed through port forwarding at the gateway
>     (172.16.1.1) and websites are visible through virtual hosting
>     through a web re-director.
>     3. Presently the proxy server runs in a transparent mode, i.e., all
>     web requests go to the gateway at port 80, they get redirected to
>     3128, content filtering is done there via ufdbguard and acceptable
>     requests are forwarded.
>     Now we wish to switch to non-transparent mode as follows:
>     1. Users of our LAN are authenticated on an LDAP server and they are
>     supposed to manually set up proxy settings for their browsers for
>     internet access at port 3128 looking at our gateway (172.16.1.1).
> 
>     Now the problem we are facing is that with non-transparent proxy
>     settings from within our Intranet (172.x.y.z/8) we are unable to see
>     our internal websites which are running on 172.16.1.x/24 !!
> 
>     The rules we are using in transparent mode are:
> 
>     For the gateway:
>     (The external interface is at 210.212.X.Y (eth0)
>     The internal interface is at 172.16.1.1 (eth1))
> 
>     In /etc/shorewall/rules:
> 
>     # Squid for web access
>     REDIRECT        loc     3128    tcp     80      -       !210.212.X.Y
> 
>     DNAT            loc             loc:172.16.1.10         tcp     www     -       210.212.X.Y
> 
>     In /etc/shorewall/masq:
> 
>     eth1:172.16.1.10        eth1           172.16.1.1      tcp     www
> 
>     The routeback option has been set for eth1 as well.
> 
> 
>     Can someone suggest the revised rules so that we may run this in
>     non-transparent mode as mentioned above and still be able to view
>     the internal webservers through port forwarding?
>     Thanks in advance.
>     Gaur
> 
> 
> 
> What does 'unable to see' mean?
> What IP address do your internal users attempt to connect to access
> these internal servers?
> What does the user see when the connection attempt fails?
> What 'Shorewall' messages appear when the user attempts a connection?
> What messages are written to the Squid logs when the user attempts a
> connection?
> 
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> 
> 'unable to see' means that the proxied and authenticated users are able to
> browse all the sites except our own webserver(s).
> As the authoritative nameserver is running on the gateway (172.16.1.1),
> the users are trying to connect to the externally resolved IPs (210.x.y.z),
> on which a "connection refused" message comes up.
> And this message is written onto squid log:
> 1241001622.284    118 172.17.4.21 TCP_MISS/503 2655 GET http://www.mnit.ac.in/ username DIRECT/210.x.y.z text/html

You need to add this rule:

# p.q.r.s = the web server's LAN address, i.j.k.l = the public address it
# resolves to. The '-' keeps i.j.k.l in the ORIGINAL DEST column rather
# than SOURCE PORT(S).
DNAT     $FW       loc:p.q.r.s       tcp      80      -       i.j.k.l

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
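Putting Tom's one-line fix into context, as an added example that is not part of the thread: the fragment below is a complete non-transparent layout for the gateway described above, written in the /etc/shorewall/rules format the thread already uses and with the addresses from Gaur's post (the elided octets in 210.212.X.Y are left as he wrote them). The zone names `loc`, `net` and `$FW`, the loc->net policy, and the exact form of the existing port-forward from the Internet are assumptions; the thread does not show them.

```text
#
# /etc/shorewall/rules -- non-transparent Squid on the gateway (added example)
#
#ACTION   SOURCE   DEST                 PROTO   DEST      SOURCE   ORIGINAL
#                                               PORT(S)   PORT(S)  DEST
#
# Browsers are configured for 172.16.1.1:3128, so the port-80 REDIRECT
# goes away and the proxy port is opened instead.
ACCEPT    loc      $FW                  tcp     3128
#
# Without the REDIRECT, a LAN host that simply does not set a proxy would
# reach the Internet unfiltered if loc->net is ACCEPTed in policy.  Close
# that bypass explicitly (assumes Squid is meant to be the only path out).
REJECT    loc      net                  tcp     80,443
#
# Port forwarding for outside visitors (assumed form; the original post
# only says the servers are reached through port forwarding).
DNAT      net      loc:172.16.1.10      tcp     www
#
# LAN hosts that talk to the public address directly (unchanged from the
# transparent setup; still needs the eth1:172.16.1.10 entry in masq so the
# server's reply goes back through the gateway instead of straight to the
# client).
DNAT      loc      loc:172.16.1.10      tcp     www       -        210.212.X.Y
#
# The rule from Tom's reply.  Squid runs on the gateway, so its upstream
# connection to 210.212.X.Y originates in the $FW zone and is matched in
# the nat OUTPUT chain, which the loc rule above never touches.  No masq
# entry is needed here: the gateway already sources the connection from
# its own eth1 address.
DNAT      $FW      loc:172.16.1.10      tcp     www       -        210.212.X.Y
```

`shorewall check` validates the file, and after `shorewall restart` the output of `shorewall show nat` should include a DNAT entry for 210.212.X.Y in the OUTPUT chain; the `TCP_MISS/503 ... DIRECT/210.x.y.z` lines in Squid's access.log should then turn into successful fetches. The same result without NAT is an /etc/hosts entry on the gateway mapping the site name to 172.16.1.10, since Squid consults /etc/hosts (the `hosts_file` directive) before DNS; the NAT rule has the advantage of also covering requests made by raw IP address.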


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
