On 7/4/12 7:23 AM, "Tom Eastep" <[email protected]> wrote:
>On 07/04/2012 03:33 AM, Anshuman Aggarwal wrote: >> Hi, >> I have the following rules to transparently redirect all port 80 >> traffic (including that originating on the firewall itself) to my >> firewall+proxy server while not going into a redirect loop for the >> processes running on the server itself (by excluding using !:group). >> However, a local process running on the server is also seeing its >> traffic redirected to the proxy resulting in a forwarding loop? >> >> Any ideas, or what are the requirements for the exclusion by group? >> REDIRECT loc 33128 tcp www - >>!10.0.0.0/28 >> REDIRECT $FW 33128 tcp www - >> !10.0.0.0/24 - !:proxy > >When I try that, I don't get a forwarding loop; but it doesn't work and >I'm seeing this: > >Jul 4 07:09:19 gateway fw-net REJECT IN= OUT=eth1 SRC=70.90.191.121 >DST=127.0.0.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=61499 CE DF PROTO=TCP >SPT=37282 DPT=3128 SEQ=2835240680 ACK=0 WINDOW=5840 SYN URGP=0 > >Note that it is trying to route packets to the local system >(DST=127.0.0.1) out of eth1. The ip stack doesn't seem to be re-routing >the packet after NAT is applied. This is on Debian Squeeze. However, if I allow tcp port 80 *for all users* fw->net, then it works and still goes through the proxy (without loops). -Tom You do not need a parachute to skydive. You only need a parachute to skydive twice. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
