2012-05-09 16:07:44 +0100, Stephane Chazelas:
[...]
> > /sbin/ip rule add fwmark 0x1 lookup 100 2>/dev/null
Here, you're checking the mark value to be 1, not only the first
bit to be one.
> > /sbin/ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null
> > run_iptables -t mangle -N DIVERT
> > run_iptables -t mangle -A DIVERT -j MARK --set-mark 1
Here you're clearing all the mark bits and setting the first
one.
> > run_iptables -t mangle -A DIVERT -j ACCEPT
> > run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
> > run_iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 ! --tcp-flags FIN,SYN,RST,ACK SYN -m socket -j DIVERT
> > run_iptables -t mangle -N excltproxy
> > #destination addresses to skip
> > run_iptables -t mangle -A excltproxy -d x.x.x.x -j RETURN
> > #source addresses to skip
> > run_iptables -t mangle -A excltproxy -s y.y.y.y -j RETURN
> > #skip local addresses as destination
> > run_iptables -t mangle -A excltproxy -d x.x.x.x/24 -j RETURN
> > #tproxy
> > run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
Here, you're only setting the first mark bit.
> > #send port 80 to tproxy
> > run_iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j excltproxy
> > fi;
> [...]
[...]
> - as in the other thread, what about packets with a 80 dport
> where 80 is the /client/ port (OK, client ports are generally
> not <1024, but let's say we want a transparent proxy for port
> 8080 now)?
[...]
Hi,
I did some tests this morning and indeed it can be a problem,
though probably not in most cases where you don't expect
connections through the firewall to clients behind the proxy.
Here is what I've come up with here. Please let me know what you
think.
We're switching from REDIRECT to TPROXY, in order to have more
useful ULOG output where the client IP headers are preserved to
forward to an IDS.
In my setup here, I've got a few zones where transparent
proxying (with antivirus) is enabled for HTTP requests to the
internet on ports 80 and 8080.
Here is the "started" file based on Pablo's one and with my
modifications to address some of the issues I was referring to.
################################################################
/sbin/ip rule del fwmark 1/1 lookup 100 2>/dev/null
/sbin/ip route flush table 100 2>/dev/null
if [ -z "$SKIPSQUID" ]; then
  # packets carrying bit 1 of the fwmark are delivered locally via table 100
  /sbin/ip rule add fwmark 1/1 lookup 100
  /sbin/ip route add local 0.0.0.0/0 dev lo table 100
  # replies from the WAN that belong to a local *transparent* socket: set bit 1 only
  run_iptables -t mangle -A PREROUTING -i "$IF_WAN" -m socket --transparent -j MARK --set-mark 1/1
  run_iptables -t mangle -N excltproxy
  #skip local addresses as destination
  run_iptables -t mangle -A excltproxy -d x.x.x.x/y -j RETURN
  #tproxy
  run_iptables -t mangle -A excltproxy -p tcp -j TPROXY --on-port 3129 --tproxy-mark 1/1
  #send port 80,8080 to tproxy
  for zone in "$IF_ZONE1" "$IF_ZONE2"; do
    # mark the connection (bit 1 of the connmark) only when it starts as an HTTP request
    run_iptables -t mangle -A PREROUTING -i "$zone" -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,8080 -j CONNMARK --set-mark 1/1
    run_iptables -t mangle -A PREROUTING -i "$zone" -m connmark --mark 1/1 -j excltproxy
  done
fi
################################################################
And in the rules file, I have:
################################################################
${ACCEPT_IF_PROXYING} ZONE1 $FW tcp 80 - - - - 1/1
${ACCEPT_IF_PROXYING} ZONE2 $FW tcp 80 - - - - 1/1
COMMENT
################################################################
And in the params files:
################################################################
if [ -z "$SKIPSQUID" ]; then
ACCEPT_IF_PROXYING=ACCEPT
else
ACCEPT_IF_PROXYING=COMMENT
fi
################################################################
Important notes:
- I'm only modifying and checking the bit 1 of the fwmark and connmark
- Only TCP connections initiated as an HTTP request are tproxied (using
conntrack)
- only packets from the client zones are potentially tproxied
- only packets from the WAN zone are checked against a local *transparent*
socket
- in "rules", only accept connections if marked (as otherwise,
you would end up accepting non-tproxied ones).
There's still one bit I'm not clear on:
Shorewall clears the marks in mangle/FORWARD (FORWARD_CLEAR_MARK
setting), and according to
http://www.faqs.org/docs/iptables/traversingoftables.html#TABLE.FORWARDEDPACKETS
this happens *before* filter/FORWARD, so my rule in "rules"
shouldn't match. But still it does, otherwise it wouldn't work
at all. Does anybody have any insight on that? (I'm on Linux 2.6.32).
--
Stephane
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
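The three interleaved remarks above ("checking the mark value to be 1, not only the first bit", "clearing all the mark bits and setting the first one", "only setting the first mark bit") all come down to how iptables and iproute2 read a "value[/mask]" mark specification. The script below is an added example, not code from the post, from Shorewall or from iptables: it simulates those two rules (match: hit when `(mark & mask) == value`; set: `new = (old & ~mask) | value`; a missing mask defaults to 0xffffffff in both cases, as documented in the iptables-extensions and ip-rule man pages) and runs them against a packet that already carries a constructed, hypothetical mark bit 0x80 belonging to some other rule set, to show what the switch from `--set-mark 1` / `fwmark 0x1` to `--set-mark 1/1` / `fwmark 1/1` changes.

```shell
#!/bin/sh
# Added example (not from the post, Shorewall or iptables): simulate how a
# "value[/mask]" mark specification is interpreted, for both matching
# (-m mark / -m connmark --mark V/M, ip rule fwmark V/M) and setting
# (MARK / CONNMARK --set-mark V/M, TPROXY --tproxy-mark V/M).
#
#   match: hit when (mark & M) == V; without "/M", M is 0xffffffff,
#          so the *whole* mark has to equal V
#   set:   new = (old & ~M) | V; without "/M", M is 0xffffffff,
#          so every bit outside V is cleared

ALLBITS=0xffffffff

# spec_value SPEC / spec_mask SPEC: split "V[/M]" into its two parts
spec_value() { printf '%s\n' "${1%%/*}"; }
spec_mask() {
    case $1 in
        */*) printf '%s\n' "${1#*/}" ;;
        *)   printf '%s\n' "$ALLBITS" ;;   # no mask given: compare all bits
    esac
}

# mark_matches MARK SPEC: exit 0 if MARK would match "--mark SPEC" / "fwmark SPEC"
mark_matches() {
    _v=$(spec_value "$2"); _m=$(spec_mask "$2")
    [ $(( $1 & _m )) -eq $(( _v )) ]
}

# set_mark MARK SPEC: print (hex) the mark left by "--set-mark SPEC" / "--tproxy-mark SPEC"
set_mark() {
    _v=$(spec_value "$2"); _m=$(spec_mask "$2")
    printf '0x%x\n' $(( (($1 & ~_m) | _v) & ALLBITS ))
}

# yesno MARK SPEC: "yes"/"no" for the table below
yesno() { if mark_matches "$1" "$2"; then echo yes; else echo no; fi; }

# Demo input (constructed): a packet some other rule set has already marked 0x80.
OTHER=0x80
printf 'set-mark 1   on %s -> %s  (other bit lost)\n' "$OTHER" "$(set_mark "$OTHER" 1)"
printf 'set-mark 1/1 on %s -> %s  (other bit kept)\n' "$OTHER" "$(set_mark "$OTHER" 1/1)"
NEW=$(set_mark "$OTHER" 1/1)
printf 'fwmark 0x1   matches %s: %s  (exact compare, misses)\n' "$NEW" "$(yesno "$NEW" 0x1)"
printf 'fwmark 1/1   matches %s: %s  (bit test, hits)\n' "$NEW" "$(yesno "$NEW" 1/1)"
```

With the whole-mark forms, the TPROXY rule would wipe whatever else had been written into the fwmark, and the `ip rule` would silently stop matching as soon as any other bit was set; the `1/1` forms touch and test one bit only, which is what the "Important notes" section relies on.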