On 04/04/2016 10:47 AM, Tom Eastep wrote:
> On 04/02/2016 05:30 PM, Troy Telford wrote:
>> After several years of working well (and an OS update), TPROXY has stopped
>> working over IPv6. (IPv4 works fine.)
>>
>> I'm not sure if the problem is in Squid, Shorewall, or maybe even the Linux
>> kernel I'm using.
>>
>> When the http proxy is specified manually (non-transparent):
>> * The proxy works correctly with IPv6.
>> * Wireshark shows IPv6 HTTP traffic as usual over both internal & external
>>   interfaces.
>> * The squid log shows IPv6 HTTP traffic over port 80.
>>
>> When a system is not configured for a proxy (i.e. using TPROXY):
>> * Wireshark doesn't show anything going out over the external interface.
>> * Wireshark shows mostly TCP retransmissions & TCP spurious retransmissions
>>   on the internal interface (to the destination server). I figure these
>>   are mostly the traffic to/from the laptop on the inside of the firewall.
>> * And the system using the transparent proxy can't connect over IPv6.
>> * The squid log shows no http (port 80) traffic.
>>
>> It doesn't appear that the Squid proxy is seeing the packets.
>>
>> Squid appears to be listening over IPv6:
>>
>> # netstat -lpnut | grep squid
>> tcp6    0   0 :::3128        :::*        LISTEN   8792/(squid-1)
>> tcp6    0   0 :::3129        :::*        LISTEN   8792/(squid-1)
>> tcp6    0   0 :::3130        :::*        LISTEN   8792/(squid-1)
>> udp     0   0 0.0.0.0:55240  0.0.0.0:*            8792/(squid-1)
>> udp6    0   0 :::34061       :::*                 8792/(squid-1)
>>
>> /etc/squid/squid.conf (I think this is the only tproxy configuration):
>> http_port 3128
>> http_port 3129 tproxy
>> http_port 3130 intercept
>>
>> /etc/shorewall6/interfaces:
>> ?FORMAT 2
>> #ZONE   INTERFACE   OPTIONS
>> gige6   eth0        dhcp,tcpflags
>> net6    eth1        dhcp
>> dmz6    eth2        dhcp,tcpflags
>> # TPROXY
>> -       lo          -
>>
>> /etc/shorewall6/mangle:
>>
>> DIVERT        eth1   ::/0                                         tcp   -   www
>> TPROXY(3129)  eth0   [!2601:681:4602:e4e0:ec4:7aff:fe31:3f62/64]  tcp   www
>> TPROXY(3129)  eth2   [!2601:681:4602:e4e2:204:75ff:feac:c16f/64]  tcp   www
>>
>> /etc/shorewall6/rules:
>> #SECTION ALL
>> #SECTION ESTABLISHED
>> #SECTION RELATED
>> ?SECTION NEW
>> Ping(ACCEPT)   net6    $FW
>> ACCEPT         gige6   $FW   tcp   www
>> ACCEPT         dmz6    $FW   tcp   www
>>
>> /etc/shorewall6/policy:
>> $FW     gige6   ACCEPT
>> $FW     net6    ACCEPT
>> gige6   $FW     ACCEPT
>> gige6   net6    ACCEPT
>> dmz6    net6    ACCEPT
>> all     all     DROP    info
>>
>> Kernel & software information:
>>
>> Linux <host> 4.4.0-1-amd64 #1 SMP Debian 4.4.6-1 (2016-03-17) x86_64 GNU/Linux
>> shorewall6: 5.0.7-1 (Debian)
>> Squid: 3.5.15-1 (Debian)
>>
>> Any ideas?
>
> I don't. I'm seeing the same thing here. I can tell you that the rules
> generated by Shorewall6 for DIVERT and TPROXY haven't changed since at
> least 4.5.21.
>
I take that back. When testing TPROXY, I neglected to remove the REDIRECT
rule to port 3128. Once I deleted that, it worked correctly.

If you'll forward the output of 'shorewall6 dump', I'll take a look...

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
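Added example, not code from the thread or from the Shorewall project: a small Python lint that parses shorewall6 rules and mangle files and flags a REDIRECT rule aimed at the same tcp/www traffic that a TPROXY mangle entry already claims, which is the leftover-rule mistake Tom describes above. The sample files are constructed from the thread's configuration (documentation prefixes substituted, a REDIRECT to 3128 added to reproduce the mistake), and the column handling is a simplification of Shorewall's own parser that only reads the first five columns.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "action source dest proto dport")

# Constructed sample files modeled on the thread's shorewall6 config, with a
# leftover REDIRECT to port 3128 added so the check has something to find.
RULES = """\
?SECTION NEW
Ping(ACCEPT)  net6   $FW
ACCEPT        gige6  $FW   tcp  www
ACCEPT        dmz6   $FW   tcp  www
REDIRECT      gige6  3128  tcp  www   # leftover intercept rule
"""
MANGLE = """\
DIVERT        eth1  ::/0               tcp  -    www
TPROXY(3129)  eth0  [!2001:db8::/64]   tcp  www
TPROXY(3129)  eth2  [!2001:db8:1::/64] tcp  www
"""

def parse_shorewall(text):
    """Read ACTION SOURCE DEST PROTO DPORT from a rules/mangle file.
    '#' comments and '?' directives (?SECTION, ?FORMAT) are skipped;
    missing columns are filled with '-' like Shorewall's wildcard."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue
        cols = (line.split() + ["-"] * 5)[:5]
        entries.append(Entry(*cols))
    return entries

def tproxy_ports(mangle):
    """Map (proto, dport) -> port named in a TPROXY(port) mangle action."""
    ports = {}
    for e in parse_shorewall(mangle):
        m = re.match(r"TPROXY\((\d+)\)", e.action)
        if m:
            ports[(e.proto, e.dport)] = int(m.group(1))
    return ports

def find_redirect_conflicts(rules, mangle):
    """Return (source, proto, dport, redirect_port, tproxy_port) for every
    REDIRECT rule whose proto/dport is also claimed by a TPROXY entry; the
    thread's fix for TPROXY over IPv6 was deleting exactly such a rule."""
    tp = tproxy_ports(mangle)
    hits = []
    for e in parse_shorewall(rules):
        if e.action.startswith("REDIRECT") and (e.proto, e.dport) in tp:
            port = e.dest.rsplit(":", 1)[-1]   # DEST may be 'zone:port'
            hits.append((e.source, e.proto, e.dport, port, tp[(e.proto, e.dport)]))
    return hits
```

Run it against the real files with `find_redirect_conflicts(open("/etc/shorewall6/rules").read(), open("/etc/shorewall6/mangle").read())`; an empty list means no REDIRECT overlaps a TPROXY entry.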
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
