On 08/05/2012 12:36, Tom Eastep wrote:
> On 05/08/2012 08:18 AM, Vinicius R. Baenas wrote:
>> Yes, it is working, but it is balancing the providers on the firewall
>> output... I need to apply routing rules depending on the source packets
>> (like LAN address or IP)...
>>
>> For this reason we are trying to use TPROXY, because according to the
>> documentation of Squid and Shorewall, TPROXY keeps the original
>> packet headers (spoofing), which in theory would allow me to use the
>> Shorewall routing rules in tcrules according to source...
>>
>> Is it possible to create this policy using Shorewall and redirect without
>> tcp_out_going in squid.conf, using only the Shorewall routing
>> configuration (tcrules)?
> I don't see how. The original IP header is kept on the client<->Squid
> connection, but the outgoing connection from Squid to the net will have
> tcp_out_going as the source IP address.
>
> -Tom
Since the idea of tproxy is keeping the original IP address, it should work
without tcp_outgoing in squid.
Here's what I add to my shorewall/started to add tproxy:
/sbin/ip rule del fwmark 0x1 lookup 100 2>/dev/null
if [ -z "$SKIPSQUID" ]; then
    /sbin/ip rule add fwmark 0x1 lookup 100 2>/dev/null
    /sbin/ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
    run_iptables -t mangle -N DIVERT
    run_iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run_iptables -t mangle -A DIVERT -j ACCEPT
    run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
    run_iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
    run_iptables -t mangle -N excltproxy
    # destination addresses to skip
    run_iptables -t mangle -A excltproxy -d x.x.x.x -j RETURN
    # source addresses to skip
    run_iptables -t mangle -A excltproxy -s y.y.y.y -j RETURN
    # skip local addresses as destination
    run_iptables -t mangle -A excltproxy -d x.x.x.x/24 -j RETURN
    # tproxy
    run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
    # send port 80 to tproxy
    run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
fi

The SKIPSQUID shell variable is to test things with or without tproxy,
but without touching the config: SKIPSQUID=1 shorewall restart will give
you the standard config, without tproxy.

Hope it helps.

Pablo.
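Rule order decides whether the exclusions in a set like the one above ever fire: the "-m socket -j DIVERT" rules must sit before the jump to excltproxy, and every "-j RETURN" must sit before the "-j TPROXY" rule, otherwise an appended exclusion is dead and the host it was meant to exempt is proxied anyway. The following checker is an added example, not part of the list post or of Shorewall; it reads a constructed "iptables-save -t mangle" dump (RFC 5737 placeholder addresses) and reports ordering mistakes.

```shell
#!/bin/sh
# Added example (not from the list post): check rule ORDER in an
# "iptables-save -t mangle" dump. For the started script above to behave,
# the "-m socket -j DIVERT" rules must come before the jump to excltproxy,
# and every "-j RETURN" exclusion must come before the "-j TPROXY" rule.
# Exit status 0 = order is safe, 1 = at least one finding (printed).
check_tproxy_order() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING / && / -m socket / && / -j DIVERT$/ { if (!divert) divert = NR }
        /^-A PREROUTING / && / -j excltproxy$/ { jump = NR }
        /^-A excltproxy / && / -j TPROXY /     { tproxy = NR }
        /^-A excltproxy / && / -j RETURN$/ && tproxy {
            print "exclusion after TPROXY rule, never reached: " $0; bad = 1
        }
        END {
            if (!divert) { print "no -m socket -j DIVERT rule in PREROUTING"; bad = 1 }
            if (!jump)   { print "no jump from PREROUTING to excltproxy"; bad = 1 }
            if (!tproxy) { print "no TPROXY rule in excltproxy"; bad = 1 }
            if (divert && jump && divert > jump) { print "DIVERT rule after the excltproxy jump"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed dump with the same order as the started script above
# (RFC 5737 placeholder addresses; iptables-save prints MARK as --set-xmark).
GOOD_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
:excltproxy - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A excltproxy -d 192.0.2.10/32 -j RETURN
-A excltproxy -s 192.0.2.20/32 -j RETURN
-A excltproxy -d 192.0.2.0/24 -j RETURN
-A excltproxy -p tcp -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
COMMIT'

# Constructed mistake: the TPROXY rule was appended before the exclusions.
BAD_DUMP=$(printf '%s\n' "$GOOD_DUMP" | awk '/-j RETURN$/ { held = held $0 "\n"; next } { print } /-j TPROXY/ { printf "%s", held }')

check_tproxy_order "$GOOD_DUMP" && echo "good dump: order OK"
check_tproxy_order "$BAD_DUMP"  || echo "bad dump: order broken (see findings above)"
```

On a live box, feed it the real table with check_tproxy_order "$(iptables-save -t mangle)" after shorewall restart.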
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users