On 04/02/2016 05:30 PM, Troy Telford wrote:
> After several years of working well (and an OS update), TPROXY has stopped
> working over IPv6. (IPv4 works fine.)
>
> I'm not sure if the problem is in Squid, Shorewall, or maybe even the Linux
> kernel I'm using.
>
> When the http proxy is specified manually (non-transparent):
> * The proxy works correctly with IPv6.
> * Wireshark shows IPv6 HTTP traffic as usual over both internal & external
>   interfaces.
> * The squid log shows IPv6 HTTP traffic over port 80.
>
> When a system is not configured for a proxy (i.e. using TPROXY):
> * Wireshark doesn't show anything going out over the external interface.
> * Wireshark shows mostly TCP retransmissions & TCP spurious retransmissions
>   on the internal interface (to the destination server). I figure these
>   are mostly the traffic to/from the laptop on the inside of the firewall.
> * And the system using the transparent proxy can't connect over IPv6.
> * The squid log shows no http (port 80) traffic.
>
> It doesn't appear that the Squid proxy is seeing the packets.
>
> Squid appears to be listening over IPv6:
>
> # netstat -lpnut | grep squid
> tcp6       0      0 :::3128                 :::*                    LISTEN      8792/(squid-1)
> tcp6       0      0 :::3129                 :::*                    LISTEN      8792/(squid-1)
> tcp6       0      0 :::3130                 :::*                    LISTEN      8792/(squid-1)
> udp        0      0 0.0.0.0:55240           0.0.0.0:*                           8792/(squid-1)
> udp6       0      0 :::34061                :::*                                8792/(squid-1)
>
> /etc/squid/squid.conf (I think this is the only tproxy configuration):
> http_port 3128
> http_port 3129 tproxy
> http_port 3130 intercept
>
> /etc/shorewall6/interfaces:
> ?FORMAT 2
> #ZONE   INTERFACE   OPTIONS
> gige6   eth0        dhcp,tcpflags
> net6    eth1        dhcp
> dmz6    eth2        dhcp,tcpflags
> # TPROXY
> -       lo          -
>
> /etc/shorewall6/mangle:
>
> DIVERT          eth1   ::/0                                            tcp   -   www
> TPROXY(3129)    eth0   [!2601:681:4602:e4e0:ec4:7aff:fe31:3f62/64]     tcp   www
> TPROXY(3129)    eth2   [!2601:681:4602:e4e2:204:75ff:feac:c16f/64]     tcp   www
>
> /etc/shorewall6/rules:
> #SECTION ALL
> #SECTION ESTABLISHED
> #SECTION RELATED
> ?SECTION NEW
> Ping(ACCEPT)    net6    $FW
> ACCEPT          gige6   $FW     tcp     www
> ACCEPT          dmz6    $FW     tcp     www
>
> /etc/shorewall6/policy:
> $FW     gige6   ACCEPT
> $FW     net6    ACCEPT
> gige6   $FW     ACCEPT
> gige6   net6    ACCEPT
> dmz6    net6    ACCEPT
> all     all     DROP    info
>
> Kernel & software information:
>
> Linux <host> 4.4.0-1-amd64 #1 SMP Debian 4.4.6-1 (2016-03-17) x86_64 GNU/Linux
> shorewall6: 5.0.7-1 (Debian)
> Squid: 3.5.15-1 (Debian)
>
> Any ideas?
I don't. I'm seeing the same thing here. I can tell you that the rules generated by Shorewall6 for DIVERT and TPROXY haven't changed since at least 4.5.21.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
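The thread never gets past "Squid isn't seeing the packets", so the useful next step for anyone hitting this is to verify the four pieces an IPv6 TPROXY path needs on the firewall: a `-j TPROXY` target with a mark, a `-m socket` divert rule that sets the same mark and ACCEPTs, an `ip -6 rule` sending that mark to a dedicated table, and a `local ::/0 dev lo` route in that table. The checker below is an added example, not code from this thread, from Shorewall or from Squid; the sample command outputs it runs against are constructed, and their rule layout follows the generic Squid-wiki TPROXY recipe rather than the exact text Shorewall6 generates, which is an assumption. On a real host, feed it the output of `ip6tables-save -t mangle`, `ip -6 rule show` and `ip -6 route show table <N>`.

```python
"""Offline sanity check of an IPv6 TPROXY setup (added example, not Shorewall/Squid code)."""
import re

# Constructed sample outputs (not captured from the poster's host).  The rule
# layout follows the generic Squid TPROXY recipe: a socket match that diverts
# packets of already-proxied connections, a TPROXY target for new port-80
# flows, a policy-routing rule for the mark, and a local route on lo.
SAMPLE_MANGLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:divert - [0:0]
-A PREROUTING -p tcp -m socket -j divert
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip :: --tproxy-mark 0x1/0x1
-A divert -j MARK --set-xmark 0x1/0xffffffff
-A divert -j ACCEPT
COMMIT
"""
SAMPLE_RULES = """\
0:\tfrom all lookup local
100:\tfrom all fwmark 0x1 lookup 100
32766:\tfrom all lookup main
"""
SAMPLE_TABLE_100 = "local ::/0 dev lo metric 1024 pref medium\n"


def check_ipv6_tproxy(mangle_save, ip6_rules, ip6_table_routes, squid_port=3129):
    """Return a list of problems found; an empty list means every piece is present.

    mangle_save      : text of `ip6tables-save -t mangle`
    ip6_rules        : text of `ip -6 rule show`
    ip6_table_routes : text of `ip -6 route show table <N>` for the fwmark table
    """
    problems = []

    # 1. A TPROXY target must exist, point at squid's tproxy port and set a mark.
    tp = re.search(r"-j TPROXY\b([^\n]*)", mangle_save)
    mark = None
    if not tp:
        problems.append("no -j TPROXY rule in the mangle table")
    else:
        on_port = re.search(r"--on-port (\d+)", tp.group(1))
        tmark = re.search(r"--tproxy-mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)", tp.group(1))
        if not on_port or int(on_port.group(1)) != squid_port:
            problems.append(f"TPROXY rule does not target port {squid_port}")
        if not tmark:
            problems.append("TPROXY rule sets no --tproxy-mark")
        else:
            mark = int(tmark.group(1), 16) & int(tmark.group(2), 16)

    # 2. Packets of established proxied flows must be diverted (socket match)
    #    into a chain that sets the same mark and ACCEPTs, or squid's replies
    #    and later client segments are forwarded instead of delivered locally.
    sock = re.search(r"-m socket -j (\S+)", mangle_save)
    if not sock:
        problems.append("no '-m socket' divert rule in the mangle table")
    else:
        chain = re.escape(sock.group(1))
        setmark = re.search(rf"-A {chain} -j MARK --set-x?mark (0x[0-9a-fA-F]+)/", mangle_save)
        if not setmark:
            problems.append(f"chain {sock.group(1)} does not set a mark")
        elif mark is not None and int(setmark.group(1), 16) != mark:
            problems.append(f"divert mark {setmark.group(1)} differs from TPROXY mark {mark:#x}")
        if not re.search(rf"-A {chain} -j ACCEPT", mangle_save):
            problems.append(f"chain {sock.group(1)} does not ACCEPT")

    # 3. A policy-routing rule must send the marked packets to a dedicated table.
    rule = re.search(r"fwmark (0x[0-9a-fA-F]+)(?:/\S+)? lookup (\S+)", ip6_rules)
    if not rule:
        problems.append("no IPv6 'ip rule' matching the fwmark")
    elif mark is not None and int(rule.group(1), 16) != mark:
        problems.append(f"ip rule fwmark {rule.group(1)} differs from TPROXY mark {mark:#x}")

    # 4. That table must route everything locally via lo so the kernel hands the
    #    packets to the listening socket instead of forwarding them.
    if not re.search(r"^local ::/0 dev lo\b", ip6_table_routes, re.M):
        problems.append("fwmark table lacks 'local ::/0 dev lo'")

    return problems


if __name__ == "__main__":
    for line in check_ipv6_tproxy(SAMPLE_MANGLE, SAMPLE_RULES, SAMPLE_TABLE_100) or ["ok"]:
        print(line)
```

The IPv4 and IPv6 pieces are entirely separate (`iptables` vs `ip6tables`, `ip -4 rule` vs `ip -6 rule`, and a separate `local ::/0` route), which is why an upgrade can leave IPv4 interception working while IPv6 packets silently bypass the proxy; running the check against the IPv6 outputs alone shows which piece is absent.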
