On 05/09/2012 06:17 AM, Vinicius R. Baenas wrote:
> Hello Pablo.
>
> I need to tell shorewall in which mark/ISP (in /etc/shorewall/providers)
> the package will go, depending on the source host or network or
> destination (I will make rules for them and apply on the shorewall).
>
> The problem is the transparent squid running on the firewall ($FW) host.
> The squid is indispensable because the lab has access restrictions and
> policy.
>
> In this way, if I make any rule on the firewall from a host and specify
> a destination on port 80 to make it go through a determined outgoing IP
> (using shorewall's tcrules file and marks), it doesn't work since all
> packages on port 80 are redirected to SQUID and the source is always the
> firewall ($FW) and not the host in the lab accessing the websites.
>
> I tried to mark outgoing packages to providers marks (in
> /etc/shorewall/providers) on firewall host ($FW) in the tcout chain, but
> that also doesn't work.
>
> I would like to centralize all the routes configuration on the
> shorewall, doing it with marks and providers.
>
> In your example, the package mark ( -j MARK --set-mark ) is "1" and the
> tproxy mark ( -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1 ) is also "1".
>
> I also tried to create a DIVERT chain to create rules and set the mark to a
> provider (from /etc/shorewall/providers) according to source and
> destination IP on the package and to set the tproxy-mark to TPROXY.
> It didn't work.
If you are running Squid 3.2 or later, you can:

- set clientside_mark=Yes in squid.conf
- Use REDIRECT rather than TPROXY
- Mark TCP port 80 packets in the PREROUTING chain
- The outgoing packets from Squid->net will have the same mark value as the incoming loc->fw packets.

I haven't personally tried that as I am running Squid 2.y so YMMV.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
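As an added illustration (not configuration from the thread or from the Shorewall project), here is the Shorewall side of the recipe Tom outlines, for a Shorewall 4.x box with two uplinks. The interface names, gateway addresses and client subnets are constructed placeholders, and the squid.conf change is left exactly as he states it.

```conf
# /etc/shorewall/providers  (constructed example: two uplinks, marks 1 and 2)
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
ISP1   1       1     main       eth1       203.0.113.1    track,balance  eth0
ISP2   2       2     main       eth2       198.51.100.1   track,balance  eth0

# /etc/shorewall/tcrules
# Mark TCP/80 traffic by client source in PREROUTING (the ":P" suffix), i.e.
# before the nat-table REDIRECT below rewrites the destination to Squid. The
# mark is therefore chosen while the original client address is still visible,
# which is the step the TPROXY/tcout attempts in the question could not do.
#MARK  SOURCE            DEST        PROTO  DPORT  SPORT  USER  TEST
1:P    192.168.1.0/25    0.0.0.0/0   tcp    80
2:P    192.168.1.128/25  0.0.0.0/0   tcp    80

# /etc/shorewall/rules
# REDIRECT (not TPROXY): hand loc->net web traffic to the local Squid on 3128.
#ACTION    SOURCE  DEST  PROTO  DPORT
REDIRECT   loc     3128  tcp    80

# squid.conf (Squid 3.2 or later): enable clientside_mark as described in the
# reply above, so that Squid's own outbound connections carry the client's
# mark and the fwmark routing rules generated from providers pick ISP1 or ISP2.
```

After `shorewall restart`, `shorewall show routing` lists the fwmark rules generated from providers and `shorewall show mangle` shows the PREROUTING marking rules, which is the quickest way to confirm that marks are applied before the REDIRECT.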
