After several years of working well (and an OS update), TPROXY has stopped
working over IPv6. (IPv4 works fine.)

I'm not sure if the problem is in Squid, Shorewall, or maybe even the Linux
Kernel I'm using.

When the http proxy is specified manually (non-transparent):
    * The proxy works correctly with IPv6.
    * Wireshark shows IPv6 HTTP traffic as usual over both internal & external
      interfaces.
    * The squid log shows IPv6 HTTP traffic over port 80.

When a system is not configured for a proxy (i.e. using TPROXY):
    * Wireshark doesn't show anything going out over the external interface
    * Wireshark shows mostly TCP retransmissions & TCP spurious retransmissions
      on the internal interface (to the destination server).  I figure these
      are mostly the traffic to/from the laptop on the inside of the firewall.
    * And the system using transparent proxy can't connect over IPv6.
    * The squid log shows no http (port 80) traffic.

It doesn't appear that the Squid proxy is seeing the packets.

Squid appears to be listening over IPv6:

# netstat -lpnut | grep squid
    tcp6       0      0 :::3128                 :::*                    LISTEN      8792/(squid-1)
    tcp6       0      0 :::3129                 :::*                    LISTEN      8792/(squid-1)
    tcp6       0      0 :::3130                 :::*                    LISTEN      8792/(squid-1)
    udp        0      0 0.0.0.0:55240           0.0.0.0:*                           8792/(squid-1)
    udp6       0      0 :::34061                :::*                                8792/(squid-1)

/etc/squid/squid.conf (I think this is the only tproxy configuration)
    http_port 3128
    http_port 3129  tproxy
    http_port 3130  intercept

/etc/shorewall6/interfaces
    ?FORMAT 2
    #ZONE       INTERFACE       OPTIONS
    gige6       eth0                dhcp,tcpflags
    net6        eth1                dhcp
    dmz6        eth2                dhcp,tcpflags
    # TPROXY
    -           lo                  -

/etc/shorewall6/mangle:

    DIVERT          eth1    ::/0                                    tcp -   www
    TPROXY(3129)    eth0    [!2601:681:4602:e4e0:ec4:7aff:fe31:3f62/64] tcp www
    TPROXY(3129)    eth2    [!2601:681:4602:e4e2:204:75ff:feac:c16f/64] tcp www

/etc/shorewall6/rules
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW
    Ping(ACCEPT)    net6    $FW
    ACCEPT gige6    $FW tcp www
    ACCEPT  dmz6    $FW tcp www

/etc/shorewall6/policy:
    $FW         gige6       ACCEPT
    $FW         net6        ACCEPT
    gige6       $FW         ACCEPT
    gige6       net6        ACCEPT
    dmz6        net6        ACCEPT
    all         all         DROP        info

Kernel & software information:

    Linux <host> 4.4.0-1-amd64 #1 SMP Debian 4.4.6-1 (2016-03-17) x86_64 GNU/Linux
    shorewall6: 5.0.7-1 (Debian)
    Squid:      3.5.15-1 (Debian)

Any ideas?
--
Troy Telford
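An added diagnostic (not part of the original post) for the parts of IPv6 TPROXY that sit outside the Squid and Shorewall files shown above: the ip6tables TPROXY rule, a policy-routing rule for its mark, a local route in that table, and the xt_TPROXY module. The sample command outputs below are constructed, and mark 1 with table 100 is assumed to be what Shorewall's DIVERT/TPROXY actions set up; on a real host, feed it the actual output of `ip -6 rule show`, `ip -6 route show table 100`, `ip6tables -t mangle -S PREROUTING` and `lsmod`.

```python
import re

# Constructed sample outputs (not captured from the poster's host).
# They model the case where the mangle rule and policy rule exist
# but the "local" route in table 100 is missing, so marked packets
# are never delivered to the local socket Squid listens on.
SAMPLE_RULES = """0:\tfrom all lookup local
32765:\tfrom all fwmark 0x1 lookup 100
32766:\tfrom all lookup main
"""
SAMPLE_TABLE_100 = ""  # `ip -6 route show table 100` printed nothing
SAMPLE_MANGLE = """-P PREROUTING ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --sport 80 -m socket -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip :: --tproxy-mark 0x1/0xffffffff
"""
SAMPLE_LSMOD = """Module                  Size  Used by
xt_TPROXY              16384  2
xt_socket              16384  1
nf_defrag_ipv6         20480  2 xt_socket,xt_TPROXY
"""

def tproxy_mark(mangle):
    """Mark value set by the first -j TPROXY rule, or None if there is none."""
    m = re.search(r"-j TPROXY .*--tproxy-mark (0x[0-9a-f]+)", mangle)
    return int(m.group(1), 16) if m else None

def check_tproxy6(rules, table100, mangle, lsmod):
    """Return a list of missing IPv6 TPROXY prerequisites (empty = all present)."""
    missing = []
    mark = tproxy_mark(mangle)
    if mark is None:
        missing.append("no -j TPROXY rule in ip6tables mangle PREROUTING")
    # The policy rule must select table 100 for the same mark TPROXY sets;
    # compare numerically so 0x1 and 1 are treated as equal.
    rule_marks = [int(x, 16) for x in re.findall(r"fwmark (0x[0-9a-f]+) lookup 100", rules)]
    if mark is not None and mark not in rule_marks:
        missing.append(f"no 'ip -6 rule ... fwmark {mark:#x} lookup 100'")
    # iproute2 prints ::/0 as "default"; accept either spelling.
    if not re.search(r"^local (default|::/0) dev lo", table100, re.M):
        missing.append("no 'local ::/0 dev lo' route in table 100")
    if not re.search(r"^xt_TPROXY\b", lsmod, re.M):
        missing.append("xt_TPROXY module not loaded")
    return missing

if __name__ == "__main__":
    for problem in check_tproxy6(SAMPLE_RULES, SAMPLE_TABLE_100, SAMPLE_MANGLE, SAMPLE_LSMOD):
        print("MISSING:", problem)
```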



_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users