On 09/05/2012 10:17, Vinicius R. Baenas wrote:
> Hello Pablo.
>
> I need to tell shorewall which mark/ISP (in /etc/shorewall/providers)
> the packet will go through, depending on the source host or network or
> destination (I will make rules for them and apply them in shorewall).
>
> The problem is the transparent squid running on the firewall ($FW) host.
> The squid is indispensable because the lab has access restrictions and
> policy.
> In this way, if I make any rule on the firewall from a host and specify
> a destination on port 80 to make it go through a determined outgoing IP
> (using shorewall's tcrules file and marks), it doesn't work since all
> packets on port 80 are redirected to SQUID and the source is always the
> firewall ($FW) and not the host in the lab accessing the websites.
That is correct for redirect, but in the tproxy case, the source address
coming out of squid is the client's IP, so rules should still apply.
>
> I tried to mark outgoing packets with the provider marks (from
> /etc/shorewall/providers) on the firewall host ($FW) in the tcout chain, but
> that also doesn't work.
> I would like to centralize all the route configuration in
> shorewall, using marks and providers.
>
> In your example, the packet mark ( -j MARK --set-mark 1 ) is "1" and the
> tproxy mark ( -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1 ) is also "1".
Exactly, both should be the same mark. I guess you could use a mask mark so
it doesn't interfere with shorewall's provider marks, but I've never tested it.
>
> I also tried to create a DIVERT chain to create rules and set the mark to a
> provider (from /etc/shorewall/providers) according to the source and
> destination IP of the packet, and to set the tproxy-mark for TPROXY.
> It didn't work.
The DIVERT chain is mandatory according to the tproxy documentation, and it
doesn't need anything other than a mark matching the tproxy-mark.
>
> Thank you in advance...
>
>
> On 08-05-2012 13:05, Pablo Sebastian Greco wrote:
>> On 08/05/2012 12:36, Tom Eastep wrote:
>>> On 05/08/2012 08:18 AM, Vinicius R. Baenas wrote:
>>>> Yes, it is working, but it is balancing the providers on the firewall
>>>> output... I need to apply routing rules depending on the source of the
>>>> packets (like LAN address or IP)...
>>>>
>>>> For this reason we are trying to use TPROXY, because according to the
>>>> documentation of SQUID and Shorewall, TPROXY keeps the original
>>>> packet headers (spoofing), which in theory would allow me to use the
>>>> shorewall routing rules in tcrules according to source...
>>>>
>>>> Is it possible to create this policy using shorewall and redirect without
>>>> tcp_outgoing in squid.conf, using only the shorewall routing
>>>> configuration (tcrules)?
>>> I don't see how. The original IP header is kept on the client<->Squid
>>> connection, but the outgoing connection from Squid to the net will have
>>> tcp_outgoing as the source IP address.
>>>
>>> -Tom
>> Since the idea of tproxy is keeping the original IP address, it should work
>> without tcp_outgoing in squid.
>> Here's what I add to my shorewall/started to add tproxy.
>>
>> /sbin/ip rule del fwmark 0x1 lookup 100 2>/dev/null
>> if [ -z "$SKIPSQUID" ];then
>>     /sbin/ip rule add fwmark 0x1 lookup 100 2>/dev/null
>>     /sbin/ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
>>     run_iptables -t mangle -N DIVERT
>>     run_iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>     run_iptables -t mangle -A DIVERT -j ACCEPT
>>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>>     run_iptables -t mangle -N excltproxy
>>     #destination addresses to skip
>>     run_iptables -t mangle -A excltproxy -d x.x.x.x -j RETURN
>>     #source addresses to skip
>>     run_iptables -t mangle -A excltproxy -s y.y.y.y -j RETURN
>>     #skip local addresses as destination
>>     run_iptables -t mangle -A excltproxy -d x.x.x.x/24 -j RETURN
>>     #tproxy
>>     run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
>>     #send port 80 to tproxy
>>     run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
>> fi;
>>
>> The SKIPSQUID shell variable is to test things with or without tproxy,
>> but without touching the config.
>> SKIPSQUID=1 shorewall restart will give you the standard config, without
>> tproxy.
>>
>> Hope it helps.
>>
>> Pablo.
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
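Pablo's untested suggestion above (a masked mark so the TPROXY mark does not interfere with Shorewall's provider marks), worked through as an added example. This is not code from the thread, from Shorewall or from Squid. It rebuilds his shorewall/started snippet as a dry-run generator: IPT and IPR default to "echo", so it prints the iptables/ip commands instead of applying them (set IPT=run_iptables IPR=/sbin/ip inside shorewall/started to apply). It assumes that the provider marks occupy only the low byte of the fwmark, so bit 0x100 is free for TPROXY; check that against the mark layout in your shorewall.conf before relying on it. The exclusion addresses are constructed samples. Like Pablo's mask idea, the combined mark has not been exercised against a live kernel and Squid here; only the generated commands are checked.

```shell
#!/bin/sh
# Added example (not code from the thread, Shorewall or Squid).
# Generates the TPROXY + DIVERT ruleset from the shorewall/started snippet
# above, but with the TPROXY mark moved to its own bit so it can coexist
# with Shorewall provider marks.  ASSUMPTION: provider marks occupy only the
# low byte (0x00-0xff) of the fwmark, so bit 0x100 is free for TPROXY.
# By default nothing is applied: IPT and IPR default to "echo", so the
# functions print the commands they would run (dry run).
set -u

TPROXY_MARK=0x100           # fwmark bit reserved for intercepted flows
TPROXY_MASK=0x100           # only that bit is ever touched
TPROXY_PORT=3128            # squid http_port with the tproxy option
TPROXY_TABLE=100            # table that delivers marked packets locally
EXCLUDE_DST="${EXCLUDE_DST:-192.0.2.10 192.0.2.0/24}"   # constructed samples
EXCLUDE_SRC="${EXCLUDE_SRC:-198.51.100.7}"              # constructed sample

: "${IPT:=echo iptables}"   # set IPT=iptables (or run_iptables) to apply
: "${IPR:=echo ip}"         # set IPR=ip to apply

# A provider mark can share the fwmark with TPROXY only if it has no bit
# in common with TPROXY_MASK.  Returns 0 (true) when the mark is free.
mark_is_free() {
  [ $(( $1 & TPROXY_MASK )) -eq 0 ]
}

# Mark a packet carries when provider mark $1 is set and the flow is
# intercepted: the provider bits OR the TPROXY bit (printed as hex).
combined_mark() {
  printf '0x%x\n' $(( $1 | TPROXY_MARK ))
}

# Policy routing: packets carrying the TPROXY bit (provider bits ignored
# by the mask) are looked up in a table whose only route says "local",
# so the kernel delivers them to the socket squid bound with IP_TRANSPARENT.
tproxy_routing() {
  $IPR rule del fwmark "$TPROXY_MARK/$TPROXY_MASK" lookup "$TPROXY_TABLE" 2>/dev/null || true
  $IPR rule add fwmark "$TPROXY_MARK/$TPROXY_MASK" lookup "$TPROXY_TABLE"
  $IPR route add local 0.0.0.0/0 dev lo table "$TPROXY_TABLE" 2>/dev/null || true
}

# Mangle rules.  DIVERT handles packets that already belong to a local
# socket (both legs of an established intercepted connection); excltproxy
# skips the listed destinations/sources and hands the rest to TPROXY.
tproxy_rules() {
  $IPT -t mangle -N DIVERT
  # value/mask form: clear only the TPROXY bit, then set it; provider bits survive
  $IPT -t mangle -A DIVERT -j MARK --set-mark "$TPROXY_MARK/$TPROXY_MASK"
  $IPT -t mangle -A DIVERT -j ACCEPT
  $IPT -t mangle -A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
  $IPT -t mangle -A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT

  $IPT -t mangle -N excltproxy
  for d in $EXCLUDE_DST; do
    $IPT -t mangle -A excltproxy -d "$d" -j RETURN
  done
  for s in $EXCLUDE_SRC; do
    $IPT -t mangle -A excltproxy -s "$s" -j RETURN
  done
  # --tproxy-mark uses the same value/mask, so the ip rule above matches it
  $IPT -t mangle -A excltproxy -p tcp -j TPROXY --on-port "$TPROXY_PORT" --tproxy-mark "$TPROXY_MARK/$TPROXY_MASK"
  $IPT -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
}

# Refuse to install the ruleset if any provider mark in use would collide
# with the TPROXY bit.  $@ = the marks from /etc/shorewall/providers.
check_provider_marks() {
  for m in "$@"; do
    mark_is_free "$m" || { echo "provider mark $m overlaps TPROXY bit $TPROXY_MARK" >&2; return 1; }
  done
  return 0
}
```

Run it as "sh tproxy.sh" after appending "check_provider_marks 1 2 && tproxy_routing && tproxy_rules" to see the commands; in shorewall/started, export IPT=run_iptables and IPR=/sbin/ip first. After applying, "ip rule show" should list the fwmark 0x100/0x100 rule and "iptables -t mangle -L DIVERT -v -n" should show the MARK target with the 0x100/0x100 mask; counters on the DIVERT and excltproxy chains tell you whether intercepted traffic is actually taking the path.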
