Hi, I would like to intercept http traffic ONLY to one destination and send it to Squid (test system).
I'm not sure I'm writing the shorewall mangle rules correctly. I have this:

DIVERT        $IF_WAN  89.16.167.134/32  tcp  -   80
TPROXY(3129)  $IF_LAN  89.16.167.134/32  tcp  80

When a LAN host at 10.215.144.48 tries to connect to 89.16.167.134 it fails with a timeout (Squid timeout message).

The Squid log shows this:

1458547553.425  59804 10.215.144.48 TCP_MISS/503 4170 GET http://89.16.167.134/ - ORIGINAL_DST/89.16.167.134 text/html

and a trace also shows that there's a reply from the remote server to the local client:

# tcpdump -n -i enp0s8 host 89.16.167.134
14:25:43.498728 IP 10.215.144.48.26749 > 89.16.167.134.80: Flags [F.], seq 3518647191, ack 1563867428, win 251, length 0
14:25:43.499032 IP 89.16.167.134.80 > 10.215.144.48.26749: Flags [F.], seq 1, ack 1, win 245, length 0
14:25:43.499300 IP 10.215.144.48.26749 > 89.16.167.134.80: Flags [.], ack 2, win 251, length 0
14:25:43.506180 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [S], seq 3536059045, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:25:43.506224 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [S.], seq 3476582901, ack 3536059046, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:25:43.506467 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], ack 1, win 256, length 0
14:25:43.506517 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [P.], seq 1:281, ack 1, win 256, length 280: HTTP: GET / HTTP/1.1
14:25:43.506546 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [.], ack 281, win 237, length 0
14:25:53.520460 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], seq 280:281, ack 1, win 256, length 1: HTTP
14:25:53.520497 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [.], ack 281, win 237, options [nop,nop,sack 1 {280:281}], length 0
14:26:03.535602 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], seq 280:281, ack 1, win 256, length 1: HTTP
14:26:03.535634 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [.], ack 281, win 237, options [nop,nop,sack 1 {280:281}], length 0
14:26:13.535119 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], seq 280:281, ack 1, win 256, length 1: HTTP
14:26:13.535165 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [.], ack 281, win 237, options [nop,nop,sack 1 {280:281}], length 0
14:26:23.550258 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], seq 280:281, ack 1, win 256, length 1: HTTP
14:26:23.550296 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [.], ack 281, win 237, options [nop,nop,sack 1 {280:281}], length 0
14:26:33.565400 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], seq 280:281, ack 1, win 256, length 1: HTTP
14:26:33.565438 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [.], ack 281, win 237, options [nop,nop,sack 1 {280:281}], length 0
14:26:43.339074 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [P.], seq 1:4167, ack 281, win 237, length 4166: HTTP: HTTP/1.1 503 Service Unavailable
14:26:43.339421 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], ack 2921, win 256, length 0
14:26:43.546032 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [P.], seq 2921:4167, ack 281, win 237, length 1246: HTTP
14:26:43.546280 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], ack 4167, win 251, options [nop,nop,sack 1 {2921:4167}], length 0

However, Squid debug messages show that it never receives the server's reply:

2016/03/21 09:32:55.857 kid1| Intercept.cc(362) Lookup: address BEGIN: me/client= 89.16.167.134:80, destination/me= 10.215.144.48:9271
2016/03/21 09:32:55.857 kid1| Intercept.cc(169) TproxyTransparent: address TPROXY: local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17
2016/03/21 09:32:55.857 kid1| TcpAcceptor.cc(289) acceptOne: Listener: local=[::]:3129 remote=[::] FD 36 flags=25 accepted new connection local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17 handler Subscription: 0x81310d70*1
2016/03/21 09:32:55.857 kid1| AsyncCall.cc(93) ScheduleCall: TcpAcceptor.cc(319) will call httpAccept(local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17, MXID_11362) [call14981437]
2016/03/21 09:32:55.857 kid1| AsyncCallQueue.cc(55) fireNext: entering httpAccept(local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17, MXID_11362)
2016/03/21 09:32:55.857 kid1| client_side.cc(3664) httpAccept: local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17: accepted
2016/03/21 09:32:55.858 kid1| AsyncCallQueue.cc(57) fireNext: leaving httpAccept(local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17, MXID_11362)
2016/03/21 09:32:55.858 kid1| comm.cc(553) commSetConnTimeout: local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17 timeout 300
2016/03/21 09:32:55.858 kid1| client_side.cc(231) readSomeData: local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17: reading request...
2016/03/21 09:32:55.858 kid1| Read.cc(58) comm_read_base: comm_read, queueing read for local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17; asynCall 0x80c2c3a0*1
2016/03/21 09:32:55.858 kid1| IoCallback.cc(116) finish: called for local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17 (0, 0)
2016/03/21 09:32:55.858 kid1| AsyncCall.cc(93) ScheduleCall: IoCallback.cc(135) will call ConnStateData::clientReadRequest(local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17, data=0x873af8b8) [call14981441]
2016/03/21 09:32:55.858 kid1| AsyncCallQueue.cc(55) fireNext: entering ConnStateData::clientReadRequest(local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17, data=0x873af8b8)
2016/03/21 09:32:55.858 kid1| client_side.cc(3243) clientReadRequest: local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17
2016/03/21 09:32:55.858 kid1| Read.cc(91) ReadNow: local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17, size 16382, retval 280, errno 0
2016/03/21 09:32:55.858 kid1| client_side.cc(3192) clientParseRequests: local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17: attempting to parse Host: 89.16.167.134 Host: 89.16.167.134
2016/03/21 09:32:55.858 kid1| client_side.cc(2250) parseHttpRequest: parseHttpRequest: req_hdr = {Host: 89.16.167.134 Host: 89.16.167.134
2016/03/21 09:32:55.858 kid1| mime_header.cc(59) mime_get_header_field: mime_get_header: checking 'Host: 89.16.167.134'
2016/03/21 09:32:55.859 kid1| mime_header.cc(82) mime_get_header_field: mime_get_header: returning '89.16.167.134'
2016/03/21 09:32:55.859 kid1| client_side.cc(2117) prepareTransparentURL: TRANSPARENT HOST REWRITE: 'http://89.16.167.134/'
2016/03/21 09:32:55.859 kid1| client_side.cc(2337) parseHttpRequest: HTTP Client local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17 Host: 89.16.167.134
2016/03/21 09:32:55.859 kid1| client_side.cc(3213) clientParseRequests: local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17: done parsing a request
2016/03/21 09:32:55.859 kid1| comm.cc(553) commSetConnTimeout: local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17 timeout 86400
2016/03/21 09:32:55.859 kid1| url.cc(357) urlParse: urlParse: Split URL 'http://89.16.167.134/' into proto='http', host='89.16.167.134', port='80', path='/'
2016/03/21 09:32:55.859 kid1| HttpRequest.h(82) SetHost: HttpRequest::SetHost() given IP: 89.16.167.134 Host: 89.16.167.134
2016/03/21 09:32:55.859 kid1| client_side_request.cc(631) hostHeaderVerify: validate host=89.16.167.134, port=0, portStr=NULL
2016/03/21 09:32:55.859 kid1| ipcache.cc(501) ipcache_nbgethostbyname: ipcache_nbgethostbyname: Name '89.16.167.134'.
2016/03/21 09:32:55.859 kid1| ipcache.cc(810) ipcacheCheckNumeric: ipcacheCheckNumeric: HIT_BYPASS for '89.16.167.134' == 89.16.167.134
2016/03/21 09:32:55.859 kid1| ipcache.cc(514) ipcache_nbgethostbyname: ipcache_nbgethostbyname: BYPASS for '89.16.167.134' (already numeric)
2016/03/21 09:32:55.859 kid1| client_side_request.cc(524) hostHeaderIpVerify: validate IP 89.16.167.134:80 possible from Host:
2016/03/21 09:32:55.860 kid1| RegexData.cc(51) match: aclRegexData::match: checking 'http://89.16.167.134/'
2016/03/21 09:32:55.860 kid1| DomainData.cc(108) match: aclMatchDomainList: checking '89.16.167.134'
2016/03/21 09:32:55.860 kid1| DomainData.cc(113) match: aclMatchDomainList: '89.16.167.134' NOT found
2016/03/21 09:32:55.860 kid1| ipcache.cc(810) ipcacheCheckNumeric: ipcacheCheckNumeric: HIT_BYPASS for '89.16.167.134' == 89.16.167.134
2016/03/21 09:32:55.860 kid1| RegexData.cc(51) match: aclRegexData::match: checking 'http://89.16.167.134/'
2016/03/21 09:32:55.861 kid1| client_side_request.cc(741) clientAccessCheckDone: The request GET http://89.16.167.134/ is ALLOWED; last ACL checked: localnet
2016/03/21 09:32:55.861 kid1| client_side.cc(231) readSomeData: local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17: reading request...
2016/03/21 09:32:55.861 kid1| Read.cc(58) comm_read_base: comm_read, queueing read for local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17; asynCall 0x83a67ee0*1
2016/03/21 09:32:55.861 kid1| AsyncCallQueue.cc(57) fireNext: leaving ConnStateData::clientReadRequest(local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17, data=0x873af8b8)
2016/03/21 09:32:55.862 kid1| client_side_request.cc(741) clientAccessCheckDone: The request GET http://89.16.167.134/ is ALLOWED; last ACL checked: localnet
2016/03/21 09:32:55.862 kid1| client_side_request.cc(1491) processRequest: GET http://89.16.167.134/
2016/03/21 09:32:55.862 kid1| client_side_request.cc(1513) httpStart: TAG_NONE for 'http://89.16.167.134/'
2016/03/21 09:32:55.862 kid1| HttpRequest.cc(689) storeId: sent back canonicalUrl:http://89.16.167.134/
2016/03/21 09:32:55.862 kid1| client_side_reply.cc(631) processMiss: GET http://89.16.167.134/
2016/03/21 09:32:55.862 kid1| store.cc(780) storeCreatePureEntry: storeCreateEntry: 'http://89.16.167.134/'
2016/03/21 09:32:55.863 kid1| store_key_md5.cc(89) storeKeyPrivate: storeKeyPrivate: GET http://89.16.167.134/
2016/03/21 09:32:55.889 kid1| FwdState.cc(328) Start: 'http://89.16.167.134/'
2016/03/21 09:32:55.889 kid1| FwdState.cc(132) FwdState: Forwarding client request local=89.16.167.134:80 remote=10.215.144.48 FD 8 flags=17, url=http://89.16.167.134/
2016/03/21 09:32:55.889 kid1| peer_select.cc(137) peerSelect: e:=IWV/0x82538218*2 http://89.16.167.134/
2016/03/21 09:32:55.889 kid1| peer_select.cc(441) peerSelectFoo: GET 89.16.167.134
2016/03/21 09:32:55.890 kid1| peer_select.cc(441) peerSelectFoo: GET 89.16.167.134
2016/03/21 09:32:55.890 kid1| peer_select.cc(280) peerSelectDnsPaths: Found sources for 'http://89.16.167.134/'
2016/03/21 09:32:55.890 kid1| peer_select.cc(288) peerSelectDnsPaths: ORIGINAL_DST = local=10.215.144.48 remote=89.16.167.134:80 flags=25
2016/03/21 09:32:55.890 kid1| FwdState.cc(383) startConnectionOrFail: http://89.16.167.134/
2016/03/21 09:32:55.890 kid1| FwdState.cc(785) connectStart: fwdConnectStart: http://89.16.167.134/
2016/03/21 09:32:55.890 kid1| pconn.cc(329) key: PconnPool::key(local=10.215.144.48 remote=89.16.167.134:80 flags=25, 89.16.167.134) is {89.16.167.134:80/89.16.167.134}
2016/03/21 09:32:55.890 kid1| pconn.cc(439) pop: lookup for key {89.16.167.134:80/89.16.167.134} failed.
2016/03/21 09:32:55.890 kid1| peer_select.cc(79) ~ps_state: http://89.16.167.134/
2016/03/21 09:32:55.890 kid1| fd.cc(198) fd_open: fd_open() FD 13 89.16.167.134
2016/03/21 09:32:55.891 kid1| ConnOpener.cc(289) createFd: local=10.215.144.48 remote=89.16.167.134:80 flags=25 will timeout in 60
2016/03/21 09:32:55.891 kid1| ConnOpener.cc(343) doConnect: local=10.215.144.48 remote=89.16.167.134:80 flags=25: Comm::INPROGRESS

Did I misconfigure the mangle file?

Thanks,

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
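The timing in the trace above can be read out mechanically and cross-checked against the access.log line, which is a useful first step before touching the mangle rules. The following is an added example, not part of Vieri's post and not Squid or Shorewall code: a small Python parser for tcpdump's default TCP line format that measures the delay from the client's GET to the first HTTP response on the same flow, compares it with the access.log elapsed field, and flags data segments the client re-sends after the peer has already acknowledged them. The sample trace is a constructed subset of the lines quoted in the post (one connection, three of the five re-sent one-byte segments); the function names and the `SAMPLE_*` constants are mine.

```python
import re
from datetime import datetime

# Constructed sample: the tcpdump lines for client port 26911 from the post,
# trimmed to one connection and three of its re-sent 1-byte segments.
SAMPLE_TRACE = """\
14:25:43.506180 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [S], seq 3536059045, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:25:43.506224 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [S.], seq 3476582901, ack 3536059046, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:25:43.506467 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], ack 1, win 256, length 0
14:25:43.506517 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [P.], seq 1:281, ack 1, win 256, length 280: HTTP: GET / HTTP/1.1
14:25:43.506546 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [.], ack 281, win 237, length 0
14:25:53.520460 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], seq 280:281, ack 1, win 256, length 1: HTTP
14:25:53.520497 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [.], ack 281, win 237, options [nop,nop,sack 1 {280:281}], length 0
14:26:03.535602 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], seq 280:281, ack 1, win 256, length 1: HTTP
14:26:03.535634 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [.], ack 281, win 237, options [nop,nop,sack 1 {280:281}], length 0
14:26:13.535119 IP 10.215.144.48.26911 > 89.16.167.134.80: Flags [.], seq 280:281, ack 1, win 256, length 1: HTTP
14:26:13.535165 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [.], ack 281, win 237, options [nop,nop,sack 1 {280:281}], length 0
14:26:43.339074 IP 89.16.167.134.80 > 10.215.144.48.26911: Flags [P.], seq 1:4167, ack 281, win 237, length 4166: HTTP: HTTP/1.1 503 Service Unavailable
"""

# Constructed sample: the squid access.log line from the post (native format:
# timestamp, elapsed ms, client, result/status, bytes, method, URL, ...).
SAMPLE_ACCESS_LOG = ("1458547553.425  59804 10.215.144.48 TCP_MISS/503 4170 "
                     "GET http://89.16.167.134/ - ORIGINAL_DST/89.16.167.134 text/html")

# tcpdump -n TCP line: "<ts> IP <src>.<port> > <dst>.<port>: Flags [..], seq a[:b], ack n, ..., length L[: payload]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_lo>\d+)(?::(?P<seq_hi>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)"
    r"(?:: (?P<payload>.*))?$"
)


def parse_trace(text):
    """Turn tcpdump text lines into dicts; lines that are not TCP are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
            "src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "seq_lo": int(d["seq_lo"]) if d["seq_lo"] else None,
            "seq_hi": int(d["seq_hi"]) if d["seq_hi"] else None,
            "ack": int(d["ack"]) if d["ack"] else None,
            "length": int(d["length"]),
            "payload": d["payload"] or "",
        })
    return packets


def request_to_response_delay(packets, client, server):
    """Seconds between the client's first HTTP request segment and the first
    HTTP response segment flowing back on the same client/server pair."""
    req = next(p for p in packets if p["src"] == client and p["dst"] == server
               and p["payload"].startswith("HTTP: ") and not p["payload"].startswith("HTTP: HTTP/"))
    resp = next(p for p in packets if p["src"] == server and p["dst"] == client
                and p["payload"].startswith("HTTP: HTTP/"))
    return (resp["ts"] - req["ts"]).total_seconds()


def squid_access_elapsed_ms(line):
    """Second field of a native-format access.log line is the elapsed time in ms."""
    return int(line.split()[1])


def resent_segments(packets):
    """Map (src, dst, seq_lo, seq_hi) of every data segment seen more than once to
    how many times it was sent and whether the peer had already acknowledged
    the whole range before the first repeat (ack >= seq_hi)."""
    seen, result = set(), {}
    for i, p in enumerate(packets):
        if p["length"] == 0 or p["seq_hi"] is None:
            continue
        key = (p["src"], p["dst"], p["seq_lo"], p["seq_hi"])
        if key not in seen:
            seen.add(key)
            continue
        if key not in result:
            acked = any(q["src"] == p["dst"] and q["dst"] == p["src"]
                        and q["ack"] is not None and q["ack"] >= p["seq_hi"]
                        for q in packets[:i])
            result[key] = {"count": 1, "already_acked": acked}
        result[key]["count"] += 1
    return result


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    client, server = "10.215.144.48.26911", "89.16.167.134.80"
    delay = request_to_response_delay(pkts, client, server)
    print(f"request -> first response: {delay:.3f} s")
    print(f"access.log elapsed field:  {squid_access_elapsed_ms(SAMPLE_ACCESS_LOG)} ms")
    for (src, dst, lo, hi), info in resent_segments(pkts).items():
        print(f"{src} -> {dst} seq {lo}:{hi} sent {info['count']}x, "
              f"already acked before first repeat: {info['already_acked']}")
```

On the quoted trace the GET leaves at 14:25:43.5 and the 503 arrives at 14:26:43.3, about 59.8 s later, which agrees with the 59804 ms elapsed field of the access.log line and sits just under the "will timeout in 60" printed by ConnOpener for the outbound connection, so the three sources are describing the same request. The parser also shows that the one-byte segment at seq 280:281 had already been acknowledged (ack 281) before the client started repeating it every ten seconds. Because the capture was taken on a single interface it only shows the client-facing leg; the same script run over a capture of the WAN-side interface would show whether the origin server's SYN/ACK ever comes back and is acknowledged.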