On 10/2/20 4:19 AM, Vieri Di Paola wrote:
> Hi,
>
> I have some clients in a LAN that require access to WAN through a
> transparent Squid web proxy on FW.
>
> I have this in mangle:
>
> # METHOD 1:
> DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 80
> TPROXY(3129) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> TPROXY(3129) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
> DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 443
> TPROXY(3130) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> TPROXY(3130) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443
> ## non-standard port
> DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 8886
> TPROXY(3130) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
> TPROXY(3130) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 8886
>
> I am also required to add an ACCEPT rule from LAN* to FW for ports tcp
> 80,443,8886.
> Finally, I also need to set SSL_ports and Safe_ports in squid conf to
> include 8886 which is non-standard.
>
> So, METHOD 1 seems to work.

I seriously doubt that the TLS handshake works when you try using HTTPS.
The proxy is a 'man in the middle' in that case.

>
> However, using a list of port numbers, ranges or ipsets does not seem to work.
>
> For instance, the following in mangle does not work as expected.
>
> # METHOD 2
> DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 80,443,8886
> TPROXY(3129) ${IF_LAN}:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.1:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.12:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.13:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.14:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.15:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.16:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
> TPROXY(3129) ${IF_LAN}.17:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80,443,8886
>
> Is there a reason why METHOD 2 is apparently wrong?
>

What would be more helpful would be an explanation of 'does not work as expected'.

=Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \ with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
\________________________________________
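As an added example, not code from the thread or from Shorewall, the following Python script takes mangle lines written in the METHOD 2 style, with a comma-separated list in the DPORT or SPORT column, and expands them into the one-port-per-rule form of METHOD 1, which the poster reports as working. It also applies a hypothetical destination-port to intercept-port mapping, because the two methods quoted above differ in more than list syntax: METHOD 1 sends 443 and 8886 to TPROXY(3130) and only port 80 to TPROXY(3129), whereas METHOD 2 sends all three ports to 3129. Anyone comparing the two configurations would want that difference kept in view while diagnosing "does not work as expected". The sample rules, the port mapping and the assumed column order (ACTION SOURCE DEST PROTO DPORT SPORT) are constructed from the thread, not taken from the poster's actual configuration.

```python
"""Expand Shorewall mangle rules that carry comma-separated port lists
(METHOD 2 style in the thread) into one rule per port (METHOD 1 style).

Added example, not code from the thread or from Shorewall. Column layout
assumed: ACTION SOURCE DEST PROTO DPORT SPORT (Shorewall's mangle file).
"""
import itertools

# Constructed sample modelled on the thread's METHOD 2 rules, not the
# poster's actual file: a DIVERT rule matching return traffic by source
# port and a TPROXY rule matching client traffic by destination port.
SAMPLE_MANGLE = """\
# METHOD 2 (constructed sample)
DIVERT        $IF_WAN                       $PROXY_SOURCE_WAN       tcp  -            80,443,8886
TPROXY(3129)  ${IF_LAN}:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN  tcp  80,443,8886
"""

# Hypothetical mapping of client destination port -> Squid intercept port,
# read off the thread's METHOD 1 (80 -> 3129, 443 and 8886 -> 3130).
TPROXY_PORT_BY_DPORT = {"80": 3129, "443": 3130, "8886": 3130}

DPORT, SPORT = 4, 5  # column indexes that may hold a port list


def split_ports(field):
    """Split '80,443,8886' into its members; a '8880:8890' range stays whole."""
    return [p for p in field.split(",") if p]


def expand_rule(line, tproxy_map=None):
    """Return the list of single-port rules equivalent to one mangle line.

    Comments, blank lines and rules without a port list come back unchanged
    as a one-element list. If tproxy_map is given, each expanded TPROXY rule
    is re-targeted to the intercept port for its destination port.
    """
    text = line.rstrip("\n")
    stripped = text.strip()
    if not stripped or stripped.startswith("#"):
        return [text]
    cols = stripped.split()
    list_cols = [i for i in (DPORT, SPORT) if i < len(cols) and "," in cols[i]]
    if not list_cols:
        return [text]
    choices = [split_ports(cols[i]) for i in list_cols]
    expanded = []
    # itertools.product covers the rare case of lists in both DPORT and SPORT.
    for combo in itertools.product(*choices):
        new = list(cols)
        for i, value in zip(list_cols, combo):
            new[i] = value
        if tproxy_map and new[0].startswith("TPROXY(") and new[DPORT] in tproxy_map:
            new[0] = "TPROXY(%d)" % tproxy_map[new[DPORT]]
        expanded.append("\t".join(new))
    return expanded


def expand_mangle(text, tproxy_map=None):
    """Expand every line of a mangle file body, preserving comments."""
    out = []
    for line in text.splitlines():
        out.extend(expand_rule(line, tproxy_map))
    return out


if __name__ == "__main__":
    for rule in expand_mangle(SAMPLE_MANGLE, TPROXY_PORT_BY_DPORT):
        print(rule)
```

Run on the constructed sample it prints the comment, three DIVERT rules (source port 80, 443, 8886) and three TPROXY rules, the last two re-targeted to TPROXY(3130) as in METHOD 1. Diffing that output against a known-good per-port file separates a list-syntax problem from a wrong-intercept-port problem before touching the live mangle file.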
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users