I have been setting up a router for ipv6 using Hurricane as my provider.
Ultimately I want to use dansguardian on this but my first step has been to
set up squid3 as a transparent tproxy.
This is working for ipv4 using shorewall and redirect.
Of course, shorewall6 doesn't use redirect, and I've followed the
documentation to set up the transparent proxy using tproxy in shorewall6.
This test network does have a lot of interfaces on it; it's a development
system. Virtually everything is working smoothly with respect to ipv6; all
the networks route to the internet and to each other fine. The only problem
I have now is that the tproxy settings in shorewall6 seem to be completely
ignored.
I am seeing some things in the squid logs which make me think that something
is happening, e.g. when the test VM goes to www.google.com:
1356083809.137 670 10.0.0.100 TCP_MISS/204 301 GET
http://clients1.google.com/generate_204 - DIRECT/2607:f8b0:4007:801::1001
text/html
Where 10.0.0.100 is the ipv4 address of the test VM. But there aren't nearly
enough hits to reflect real proxying, and when I observe with tcpdump there's
a lot more. Also a ping to google.com does go to the ipv6 address.
When I go to http://test-ipv6.com I get 10/10 but I only see ipv4 traffic in
the squid logs.
Tcpdump on port 80 shows all the ipv6 traffic shooting straight through to
the internet from the test VM.
Here are the relevant file contents:
interfaces:
- lo - -
dmz eth3 detect tcpflags,forward=1,nosmurfs
lan eth0 detect tcpflags,forward=1,nosmurfs
out he-ipv6 detect tcpflags,forward=1,nosmurfs
virt eth1 detect tcpflags,forward=1,nosmurfs
virt2 eth4 detect tcpflags,forward=1,nosmurfs
zones:
fw firewall
dmz ipv6
lan ipv6
out ipv6
virt ipv6
virt2 ipv6
tcrules:
FORMAT 2
DIVERT he-ipv6 :: tcp - 80
TPROXY(3128,::1) eth1 :: tcp 80
#TPROXY(3128) eth1 :: tcp 80
# Neither of the above lines work
rules:
ACCEPT any out
ACCEPT virt $FW tcp 80
ACCEPT virt2 $FW tcp 80
ACCEPT lan $FW tcp 80
ACCEPT $FW out tcp 80
ACCEPT any $FW 41
ACCEPT any any ipv6-icmp
Ping(ACCEPT) any any
ACCEPT dmz any
ACCEPT lan any
ACCEPT virt any
ACCEPT virt2 any
ACCEPT lan any
ACCEPT virt:<2001:470:f06b:1::1> out
ACCEPT virt2:<2001:470:f06b:4::4> out
ACCEPT lan:<2001:470:f06b:F::F> out
policy:
dmz fw ACCEPT
dmz lan REJECT info
dmz out ACCEPT
dmz virt REJECT info
dmz virt2 REJECT info
lan dmz REJECT info
lan fw ACCEPT
lan out ACCEPT
lan virt ACCEPT
lan virt2 ACCEPT
virt dmz REJECT info
virt fw ACCEPT
virt lan ACCEPT
virt out ACCEPT
virt virt2 ACCEPT
virt2 dmz REJECT info
virt2 fw ACCEPT
virt2 lan ACCEPT
virt2 out ACCEPT
virt2 virt ACCEPT
fw all ACCEPT
out all REJECT info
tunnels:
generic:41 out 2001:470:c:1fd::2
Here is info requested on the shorewall help page:
# /sbin/shorewall version
4.5.10
# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:f06b:f::f/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe19:428e/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:f06b:1::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe19:4298/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 fe80::20c:29ff:fe19:42a2/64 scope link
valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:f06b:3::3/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb7:4057/64 scope link
valid_lft forever preferred_lft forever
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:f06b:4::4/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb7:3925/64 scope link
valid_lft forever preferred_lft forever
8: he-ipv6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480
inet6 2001:470:c:1fd::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a04:1/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::ac10:63/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::7965:b226/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::a00:1/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::c0a8:163/64 scope link
valid_lft forever preferred_lft forever
# ip -6 route show
2001:470:c:1fd::/64 via :: dev he-ipv6 proto kernel metric 256
2001:470:f06b:1::/64 dev eth1 proto kernel metric 256
2001:470:f06b:3::/64 dev eth3 proto kernel metric 256
2001:470:f06b:4::/64 dev eth4 proto kernel metric 256
2001:470:f06b:f::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev eth4 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth3 proto kernel metric 256
fe80::/64 via :: dev he-ipv6 proto kernel metric 256
default dev he-ipv6 metric 1024
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
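Added example (not part of the post above and not Shorewall or Squid code): a small Python checker for the four kernel-side pieces an IPv6 TPROXY transparent proxy depends on, whichever tool installs them. A TPROXY target in the ip6tables mangle PREROUTING chain, a policy rule sending packets carrying the TPROXY mark to a dedicated routing table, a "local ::/0 dev lo" route in that table, and a listener on the --on-port. The embedded command outputs are constructed to look like those of a correctly configured host; the interface name eth1, port 3128, mark 0x1 and table number 100 are assumptions. The second sample (a mangle table with no TPROXY rule at all) corresponds to the symptom described in the post, port-80 traffic passing straight through, and is what this check reports when a tcrules entry never reached the kernel. On a real host you would feed it the actual output of the four commands named in the docstring.

```python
"""Check the kernel-side prerequisites of an IPv6 TPROXY transparent proxy.

Parses (here: constructed) output of four commands and reports what is missing:
  ip6tables -t mangle -S PREROUTING   -> the TPROXY diversion rule
  ip -6 rule show                     -> policy rule sending fwmark'ed packets to a table
  ip -6 route show table <N>          -> 'local ::/0 dev lo' in that table
  ss -6 -ltn                          -> the proxy actually listening on --on-port
"""
import re

HEX = r"(0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?"

# Constructed samples (assumptions: interface eth1, port 3128, mark 0x1, table 100).
MANGLE_OK = (
    "-P PREROUTING ACCEPT\n"
    "-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY "
    "--on-port 3128 --on-ip ::1 --tproxy-mark 0x1/0x1\n"
)
# Constructed: what a host prints when the tcrules entry never reached the kernel.
MANGLE_MISSING = "-P PREROUTING ACCEPT\n"
RULES_OK = "0:\tfrom all lookup local\n100:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
ROUTES_OK = {"100": "local ::/0 dev lo metric 1024 pref medium\n"}
SS_OK = (
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
    "LISTEN 0      128    *:3128             *:*\n"
)


def parse_tproxy_rule(mangle_output):
    """Return {'iface','port','mark','mask'} for the first TPROXY rule, or None."""
    for line in mangle_output.splitlines():
        if "-j TPROXY" not in line:
            continue
        iface = re.search(r"-i (\S+)", line)
        port = re.search(r"--on-port (\d+)", line)
        mark = re.search(r"--tproxy-mark " + HEX, line)
        if not (port and mark):
            continue
        mask = int(mark.group(2), 16) if mark.group(2) else 0xFFFFFFFF
        return {
            "iface": iface.group(1) if iface else None,
            "port": int(port.group(1)),
            "mark": int(mark.group(1), 16),
            "mask": mask,
        }
    return None


def find_fwmark_table(rule_output, mark, mask):
    """Return the table named by the first policy rule matching a TPROXY-marked packet."""
    # TPROXY writes (mark & mask) into an otherwise zero packet mark; a policy rule
    # 'fwmark M/K' matches when (packet_mark & K) == M.
    packet_mark = mark & mask
    for line in rule_output.splitlines():
        m = re.search(r"fwmark " + HEX + r" lookup (\S+)", line)
        if not m:
            continue
        rule_mark = int(m.group(1), 16)
        rule_mask = int(m.group(2), 16) if m.group(2) else 0xFFFFFFFF
        if (packet_mark & rule_mask) == rule_mark:
            return m.group(3)
    return None


def table_has_local_default(route_output):
    """True if the table delivers every destination to the local stack."""
    return any(re.match(r"local ::/0 dev lo\b", l.strip()) for l in route_output.splitlines())


def listener_on_port(ss_output, port):
    """True if ss shows a LISTEN socket on the given port (any IPv6 address)."""
    pat = re.compile(r":%d\s" % port)
    return any(l.startswith("LISTEN") and pat.search(l) for l in ss_output.splitlines())


def check_tproxy(mangle, rules, tables, ss):
    """Return a list of problems; an empty list means all four prerequisites are present."""
    problems = []
    rule = parse_tproxy_rule(mangle)
    if rule is None:
        # Nothing diverts port 80, so the traffic is simply forwarded to the internet.
        return ["no TPROXY rule in mangle PREROUTING: port 80 traffic is never diverted"]
    table = find_fwmark_table(rules, rule["mark"], rule["mask"])
    if table is None:
        problems.append("no 'ip -6 rule' matches fwmark 0x%x: marked packets use the main table"
                        % rule["mark"])
    elif not table_has_local_default(tables.get(table, "")):
        problems.append("table %s lacks 'local ::/0 dev lo': marked packets are forwarded, not delivered"
                        % table)
    if not listener_on_port(ss, rule["port"]):
        problems.append("nothing listening on port %d (squid http_port ... tproxy?)" % rule["port"])
    return problems


if __name__ == "__main__":
    for label, mangle in (("configured host", MANGLE_OK), ("rules not loaded", MANGLE_MISSING)):
        print(label, "->", check_tproxy(mangle, RULES_OK, ROUTES_OK, SS_OK) or "all prerequisites present")
```

The order of the checks mirrors the path of a diverted packet: no mangle rule means nothing is ever marked, a missing policy rule or a missing local route means the marked packet is routed onward instead of being handed to the local socket, and the listener check catches a proxy that is not bound on the port the rule points at.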