>>> On 3/21/2016 6:39 AM, Vieri Di Paola wrote:
>>>> Hi,
>>>>
>>>> I would like to intercept http traffic ONLY to one destination and send it
>>>> to Squid (test system).
>>>>
>>>> I'm not sure I'm writing the shorewall mangle rules correctly.
>>>>
>>>> I have this:
>>>>
>>>> DIVERT        $IF_WAN   89.16.167.134/32   tcp   -    80
>>>> TPROXY(3129)  $IF_LAN   89.16.167.134/32   tcp   80
>>>>
>>>> When a LAN host at 10.215.144.48 tries to connect to 89.16.167.134 it
>>>> fails with a timeout (Squid timeout message).
>>>
>>> Snip
>>>
>>>> Did I misconfigure the mangle file?
>>>>
>>>
>>> What is the output of 'shorewall show mangle' after you have attempted
>>> to connect?
>>
>> I'm attaching the output of 'shorewall show mangle' right after the LAN host
>> at 10.215.144.48 attempts connecting to 89.16.167.134 and receives a timeout
>> message from squid.
>
> Is 10.215.144.48 accessed via interface enp1s8? Remember that you must
> configure a DIVERT rule for each interface that routes to servers that
> the client might connect to.

The connection is as follows:

10.215.144.48 (HTTP client) - enp0s8 :: $FW + Squid :: enp1s8 - 89.16.167.134 (HTTP server)

My setup is similar to the one described here:
http://shorewall.net/Shorewall_Squid_Usage.html#TPROXY

There's only one DIVERT rule there because the destination server is reachable
through just one interface.

I think I had it all wrong so I reconfigured Shorewall mangle this way:

DIVERT        $IF_WAN:89.16.167.134   10.215.144.48   tcp   -    80
TPROXY(3129)  $IF_LAN                 89.16.167.134   tcp   80

where

IF_LAN=enp0s8
IF_WAN=enp1s8

It seems to be working fine now.

BTW please correct me if I'm wrong but there may be a few mistakes in the man
page (v. 5.0.6.2).

# man shorewall-mangle

    DIVERT
        Two DIVERT rule should precede the TPROXY rule and should select
        DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively (assuming that
        tcp port 80 is being proxied). DIVERT avoids sending packets to the
        TPROXY target once a socket connection to Squid3 has been
        established by TPROXY.
        DIVERT marks the packet with a unique mark and exempts it from any
        rules that follow.

    TPROXY([port][,address])
        Transparently redirects a packet without altering the IP header.
        Requires a tproxy provider to be defined in shorewall-providers[10](5).

        There are three parameters to TPROXY - neither is required:

        o port - the port on which the proxy server is listening. If
          omitted, the original destination port.

        o address - a local (to the firewall) IP address on which the proxy
          server is listening. If omitted, the IP address of the interface
          on which the request arrives.

1) I suppose "Two DIVERT rule" should read "The DIVERT rule".

2) I also suppose "select DEST PORT tcp 80 and SOURCE PORT tcp 80
respectively" should read "select SOURCE PORT tcp 80 and DEST PORT tcp 80
respectively".

3) Finally, "There are three parameters to TPROXY" should read "There are two
parameters to TPROXY".

Thanks,

Vieri
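Added configuration example (not part of Vieri's message and not the Shorewall project's own text) showing the arrangement the thread converges on: a DIVERT rule for every interface through which the proxied server is reachable, placed before the single TPROXY rule, plus the tproxy provider entry the man page says is required and the matching Squid listener. The file paths, the second upstream interface enp2s0 and the Squid listener line are assumptions; the addresses, enp0s8/enp1s8 and port 3129 are taken from the thread. The example goes one step beyond the thread by adding a second server-facing interface to illustrate the "one DIVERT per interface that routes to servers" point made in the reply.

```conf
# /etc/shorewall/providers  (assumed path)
# The "tproxy" option creates the routing entry that delivers packets
# carrying the DIVERT/TPROXY mark to the local stack instead of forwarding.
#NAME    NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS  COPY
TProxy   1       -     -          lo         -        tproxy

# /etc/shorewall/mangle  (assumed path)
# Constructed topology: client 10.215.144.48 behind enp0s8; server
# 89.16.167.134 reachable through enp1s8 (as in the thread) and, assumed
# here, also through a second upstream enp2s0.
#
# DIVERT matches traffic that already belongs to one of Squid's sockets
# (replies from the server, SOURCE PORT 80), marks it and exempts it from
# the rules that follow, so it is handed to Squid rather than forwarded to
# the client. It must exist for each interface on which such replies can
# arrive; a missing one shows up as the Squid timeout seen in the thread.
#ACTION        SOURCE                  DEST            PROTO  DPORT  SPORT
DIVERT         enp1s8:89.16.167.134    10.215.144.48   tcp    -      80
DIVERT         enp2s0:89.16.167.134    10.215.144.48   tcp    -      80
# TPROXY comes last: new client requests to port 80 are redirected to the
# proxy listening on 3129 without rewriting the IP header.
TPROXY(3129)   enp0s8                  89.16.167.134   tcp    80

# /etc/squid/squid.conf  (assumed path; Squid must listen in tproxy mode
# on the port named in the TPROXY rule)
http_port 3129 tproxy
```

To confirm the rules are being hit after a client request, run `shorewall show mangle` as the reply in the thread suggests: with a working setup the DIVERT line for the interface the server answers on and the TPROXY line both show non-zero packet counters, and a DIVERT counter that stays at zero while TPROXY climbs points at the interface whose DIVERT rule is missing.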