Hi Tom, I'm running shorewall 4.6.11.1 on Fedora 22 as a master for a router running shorewall-lite. I'm doing transparent proxying per http://shorewall.net/Shorewall_Squid_Usage.html#Local.
I have a providers entry of:
Squid 3 0x400 - br-lan 10.75.22.247 loose,notrack
And a mangle entry of:
MARK(0x400):P br-lan:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 80
MARK(0x400):P br-guest:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 80
But I end up with a tcpre (and ~excl0 and ~excl1) looking like:
Chain tcpre (1 references)
 pkts bytes target   prot opt in       out  source        destination
    0     0 MARK     tcp  --  br-lan   *    !10.75.22.3   0.0.0.0/0    tcp dpt:80 MARK set 0x400
    0     0 RETURN   all  --  *        *    0.0.0.0/0     0.0.0.0/0    mark match ! 0x0/0x300
    0     0 MARK     tcp  --  br-lan   *    0.0.0.0/0     0.0.0.0/0    tcp dpt:25 MARK set 0x200
    0     0 ~excl0   tcp  --  br-lan   *    0.0.0.0/0     0.0.0.0/0    tcp dpt:80
    0     0 ~excl1   tcp  --  br-guest *    0.0.0.0/0     0.0.0.0/0    tcp dpt:80

Chain ~excl0 (1 references)
 pkts bytes target   prot opt in       out  source        destination
    0     0 RETURN   all  --  *        *    10.75.22.3    0.0.0.0/0
    0     0 RETURN   all  --  *        *    10.75.22.247  0.0.0.0/0
    0     0 MARK     all  --  *        *    0.0.0.0/0     0.0.0.0/0    MARK set 0x400

Chain ~excl1 (1 references)
 pkts bytes target   prot opt in       out  source        destination
    0     0 RETURN   all  --  *        *    10.75.22.3    0.0.0.0/0
    0     0 RETURN   all  --  *        *    10.75.22.247  0.0.0.0/0
    0     0 MARK     all  --  *        *    0.0.0.0/0     0.0.0.0/0    MARK set 0x400
Surely that first rule:
    0     0 MARK     tcp  --  br-lan   *    !10.75.22.3   0.0.0.0/0    tcp dpt:80 MARK set 0x400
in the tcpre table should not be there, right?
Also, I notice that transparent proxying adds a route to the main
routing table such as:
10.75.22.247 dev br-lan scope link src 10.75.22.253
I'm curious why that is needed.
But also, I notice that if you change the providers entry to a
different IP address and then do a "shorewall reload" the above routing
table entry for the old IP address is not removed from the main routing
table.
Cheers,
b.
------------------------------------------------------------------------------
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
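The two things the post observes (a direct MARK rule in tcpre that exempts only one of the two addresses listed in the mangle entry, and a host route that survives a provider address change) can both be checked mechanically from `iptables -t mangle -nvL` and `ip route show` output. The following is an added example, not part of the post and not Shorewall's code. It parses a listing in the format quoted above, reports any rule that ends up setting a given mark without exempting every address it should (directly by a negated source, by RETURN rules earlier in the same chain, or by a jumped-to exclusion chain such as ~excl0), and lists host routes on an interface that no longer match a current provider gateway. The sample listing and routes are constructed from the post; the extra `10.75.22.240` route stands in for an assumed earlier provider address.

```python
"""Lint an `iptables -t mangle -nvL` listing for MARK rules with incomplete
source exclusions, and flag host routes left over from an old provider
gateway. Added example; not Shorewall's own code."""
import re

# Constructed sample modelled on the chains quoted in the post (wrapped lines
# rejoined). ~excl1 is omitted because it is identical to ~excl0.
SAMPLE_LISTING = """\
Chain tcpre (1 references)
 pkts bytes target   prot opt in       out  source        destination
    0     0 MARK     tcp  --  br-lan   *    !10.75.22.3   0.0.0.0/0    tcp dpt:80 MARK set 0x400
    0     0 RETURN   all  --  *        *    0.0.0.0/0     0.0.0.0/0    mark match ! 0x0/0x300
    0     0 MARK     tcp  --  br-lan   *    0.0.0.0/0     0.0.0.0/0    tcp dpt:25 MARK set 0x200
    0     0 ~excl0   tcp  --  br-lan   *    0.0.0.0/0     0.0.0.0/0    tcp dpt:80
    0     0 ~excl1   tcp  --  br-guest *    0.0.0.0/0     0.0.0.0/0    tcp dpt:80

Chain ~excl0 (1 references)
 pkts bytes target   prot opt in       out  source        destination
    0     0 RETURN   all  --  *        *    10.75.22.3    0.0.0.0/0
    0     0 RETURN   all  --  *        *    10.75.22.247  0.0.0.0/0
    0     0 MARK     all  --  *        *    0.0.0.0/0     0.0.0.0/0    MARK set 0x400
"""

# Constructed `ip route show` excerpt: the host route from the post plus an
# assumed leftover for an earlier provider address (10.75.22.240 is invented).
SAMPLE_ROUTES = """\
default via 10.75.22.1 dev br-lan
10.75.22.0/24 dev br-lan proto kernel scope link src 10.75.22.253
10.75.22.247 dev br-lan scope link src 10.75.22.253
10.75.22.240 dev br-lan scope link src 10.75.22.253
"""

MARK_SET = re.compile(r"MARK set (0x[0-9a-fA-F]+)")
ANY = "0.0.0.0/0"


def parse_listing(text):
    """Return {chain: [rule dict, ...]}; columns are
    pkts bytes target prot opt in out source destination [extras]."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("pkts"):
            continue
        head = re.match(r"Chain (\S+)", line)
        if head:
            current = head.group(1)
            chains[current] = []
            continue
        f = line.split(None, 9)
        if current is None or len(f) < 9:
            continue
        chains[current].append({"target": f[2], "prot": f[3], "in": f[5],
                                "out": f[6], "src": f[7], "dst": f[8],
                                "extras": f[9] if len(f) > 9 else ""})
    return chains


def chain_returns_before_mark(rules):
    """Sources exempted by RETURN rules that precede the first MARK rule."""
    excluded = set()
    for r in rules:
        if MARK_SET.search(r["extras"]):
            break
        if r["target"] == "RETURN" and r["src"] != ANY:
            excluded.add(r["src"])
    return excluded


def mark_value(rule, chains):
    """Mark set by the rule itself or by the chain it jumps to (None if neither)."""
    for extras in [rule["extras"]] + [r["extras"] for r in chains.get(rule["target"], [])]:
        m = MARK_SET.search(extras)
        if m:
            return int(m.group(1), 16)
    return None


def incomplete_mark_rules(chains, chain, mark, required):
    """[(rule index, missing addresses)] for rules in `chain` that set `mark`
    without exempting every address in `required`."""
    findings, seen_returns = [], set()
    for idx, rule in enumerate(chains.get(chain, [])):
        if rule["target"] == "RETURN" and rule["src"] != ANY:
            seen_returns.add(rule["src"])
        if mark_value(rule, chains) != mark:
            continue
        excluded = set(seen_returns) | chain_returns_before_mark(chains.get(rule["target"], []))
        if rule["src"].startswith("!"):
            excluded.add(rule["src"][1:])
        missing = sorted(set(required) - excluded)
        if missing:
            findings.append((idx, missing))
    return findings


def stale_host_routes(route_text, dev, current_gateways):
    """Host routes on `dev` with `scope link` whose destination is not a current
    provider gateway: candidates for cleanup after a provider address change."""
    stale = []
    for line in route_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] == "default" or "/" in f[0]:
            continue
        on_dev = "dev" in f and f[f.index("dev") + 1] == dev
        link_scope = "scope" in f and f[f.index("scope") + 1] == "link"
        if on_dev and link_scope and f[0] not in current_gateways:
            stale.append(f[0])
    return stale


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    print(incomplete_mark_rules(chains, "tcpre", 0x400, ["10.75.22.3", "10.75.22.247"]))
    print(stale_host_routes(SAMPLE_ROUTES, "br-lan", {"10.75.22.247"}))
```

Fed the quoted chains, the lint reports only tcpre rule 0 (it exempts 10.75.22.3 but not 10.75.22.247), while the jumps to ~excl0 pass because the exclusion chain RETURNs both addresses before marking. The route check is a heuristic: it treats every bare host route with `scope link` on the interface as Shorewall-managed, so review its output against the current providers file before removing anything.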
