On 09/05/2012 12:07, Stephane Chazelas wrote:
> 2012-05-08 13:05:14 -0300, Pablo Sebastian Greco:
> [...]
>> Since the idea of tproxy is keeping original ip address, it should work
>> without tcp_outgoing in squid.
>> Here's what I add to my shorewall/started to add tproxy.
>> /sbin/ip rule del fwmark 0x1 lookup 100 2>/dev/null
>> if [ -z "$SKIPSQUID" ];then
>> /sbin/ip rule add fwmark 0x1 lookup 100 2>/dev/null
>> /sbin/ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
>> run_iptables -t mangle -N DIVERT
>> run_iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> run_iptables -t mangle -A DIVERT -j ACCEPT
>> run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>> run_iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
>> run_iptables -t mangle -N excltproxy
>> #destination addresses to skip
>> run_iptables -t mangle -A excltproxy -d x.x.x.x -j RETURN
>> #source addresses to skip
>> run_iptables -t mangle -A excltproxy -s y.y.y.y -j RETURN
>> #skip local addresses as destination
>> run_iptables -t mangle -A excltproxy -d x.x.x.x/24 -j RETURN
>> #tproxy
>> run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
>> #send port 80 to tproxy
>> run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
>> fi;
> [...]
>
> Hi Pablo,
>
> this seems to answer a few of the questions I asked in the other
> thread I just started (confustions over TPROXY).
>
> A few questions though:
> - why the !SYN check above? if "socket" matches on a SYN
> packet (retransmission?), where's the harm in marking it for
> local delivery?

I'm trying to find where I got that "optimization" from, and I can't, so I don't really have an explanation. Just that I got it from an example from someone on either tproxy or squid lists.
> - as in the other thread, what about packets with a 80 dport
> where 80 is the /client/ port (OK, client ports are generally
> not <1024, but let's say we want a transparent proxy for port
> 8080 now)?
> - wouldn't the "-j ACCEPT" above potentially bypass some other
> shorewall rules?

I don't think so, since only tproxy packets should match the socket check. The original rule was iptables -A PREROUTING -m socket -j DIVERT, I just added the port check to lower the amount of socket checks, in order to improve performance.

> Thanks for helping lift some of my confusion here,
> Stephane
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
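The rule set Pablo posted, as an added example that is not his script or part of the thread: a POSIX sh generator that takes the intercepted service port as a parameter (so the 8080 case Stephane asks about is the same call with a different argument), keeps the mark 0x1 / table 100 values from the thread, and emits the commands in dry-run mode by default so they can be reviewed before being applied. The function names tproxy_rules, tproxy_rule_count and tproxy_check and the RUN variable are this example's own; the !SYN clause from the original is not reproduced, so the socket lookup runs on every packet for the service port.

```shell
#!/bin/sh
# Added example, not the script from the thread: build the TPROXY rule set for
# one intercepted service port. tproxy_rules, tproxy_rule_count, tproxy_check
# and RUN are this example's own names; mark 0x1 and table 100 are the values
# used in the thread. RUN=echo (the default) prints the commands as a dry run;
# run with RUN= as root to apply them for real.

RUN="${RUN-echo}"

# $1 = service port to intercept (80, or 8080 for the case raised in the thread)
# $2 = local port the TPROXY listener (e.g. squid) is bound to
# $3 = optional space-separated destinations to exempt from interception
tproxy_rules() {
    svc="$1"; proxy="$2"; excl_dst="${3:-}"
    mark=0x1; table=100

    # Policy routing: anything carrying the mark is delivered to a local socket.
    $RUN ip rule del fwmark "$mark" lookup "$table" 2>/dev/null
    $RUN ip rule add fwmark "$mark" lookup "$table"
    $RUN ip route add local 0.0.0.0/0 dev lo table "$table"

    # DIVERT: packets that already belong to a local socket (-m socket) get the
    # mark and stop mangle processing so they reach that socket.
    $RUN iptables -t mangle -N DIVERT
    $RUN iptables -t mangle -A DIVERT -j MARK --set-mark "$mark"
    $RUN iptables -t mangle -A DIVERT -j ACCEPT

    # Restrict the socket lookup to the service port in both directions, as in
    # the thread, rather than running it on every packet.
    $RUN iptables -t mangle -A PREROUTING -p tcp --dport "$svc" -m socket -j DIVERT
    $RUN iptables -t mangle -A PREROUTING -p tcp --sport "$svc" -m socket -j DIVERT

    # Exemptions first, then hand the remainder to TPROXY.
    $RUN iptables -t mangle -N excltproxy
    for d in $excl_dst; do
        $RUN iptables -t mangle -A excltproxy -d "$d" -j RETURN
    done
    $RUN iptables -t mangle -A excltproxy -p tcp -j TPROXY \
        --on-port "$proxy" --tproxy-mark "$mark/$mark"
    $RUN iptables -t mangle -A PREROUTING -p tcp --dport "$svc" -j excltproxy
}

# Number of commands the generator emits in dry-run mode, for sanity checks.
tproxy_rule_count() {
    ( RUN=echo; tproxy_rules "$@" ) | wc -l | tr -d ' '
}

# After applying for real: confirm the policy-routing half is actually in place.
tproxy_check() {
    ip rule show | grep -q 'fwmark 0x1 lookup 100' &&
    ip route show table 100 | grep -q '^local default dev lo'
}
```

Usage: `tproxy_rules 8080 3128 "192.0.2.1 192.0.2.0/24"` prints the thirteen commands for intercepting port 8080 into a listener on 3128 with two exempt destinations (the 192.0.2.x addresses are constructed placeholders); `RUN= tproxy_rules 80 3128` applies the port-80 set, after which `tproxy_check` returns success only if both the fwmark rule and the local route exist.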
