Tom Eastep | 8 Oct 16:39 2008

Re: shorewall + ipsec + ipvs : route back problem

Sebastien COUPPEY wrote:

> I am facing difficulties with my chain :
> 
> 	client - ipsec - shorewall - openswan - ipvs - Real servers.
> 
> It seems that the return packets never arrive to the clients.
> 
> Architecture :

<folded and mutilated ASCII art omitted>

Your mailer folded your ASCII art to the point where it was unreadable.
> 
> /etc/shorewall/hosts :
> swan    eth0:10.44.0.254

We really need to see the output of 'shorewall dump' collected as 
described at http://www.shorewall.net/support.htm#Guidelines. Snippets 
of your configuration are not really useful.
-Tom
--

-- 
Tom Eastep    \ The ultimate result of shielding men from the effects of
Shoreline,     \ folly is to fill the world with fools.
Washington, USA \                                     -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net

Stacker Hush | 8 Oct 18:30 2008

RES: transparent proxy

Hello. Thanks for your answer.

The default gateway of the network is eth0 of the firewall, which is connected to
an ADSL router.

I have attached the status information according to the site you told me about.

Thanks again,

Stacker

-----Original Message-----
From: Tom Eastep [mailto:teastep <at> shorewall.net] 
Sent: Wednesday, 8 October 2008 11:36
To: Shorewall Users
Subject: Re: [Shorewall-users] transparent proxy

Stacker Hush wrote:

> I am having problems with transparent proxy with Squid.
> 
> I have this rule in my rules file:
> REDIRECT        loc:!172.16.1.177             8080            tcp     www
> 
> The problem is the traffic isn't redirected to port 8080 and the 
> clients try to go directly to port 80 using the default gateway.

Which default gateway? The Firewall's default gateway or their own default
gateway (if it isn't through the firewall)?


Sebastien COUPPEY | 8 Oct 19:07 2008

Re: shorewall + ipsec + ipvs : route back problem

Sorry for the previous e-mail.
Here is the missing info and the dump with the IPs used.

Hello,

I am facing difficulties with my chain :

	client - ipsec - shorewall - openswan - ipvs - Real servers.

It seems that the return packets never arrive to the clients.

Architecture :

client :10.44.0.254 
     |
     |
     |
+----+----+
| node A  |
|         |
+---+-----+
    |
    |
    |
    |
    |
+------+--------+
|    node B     |
|  shorewall    | 4.0.11
|   openswan    | 2.4.9

Tom Eastep | 8 Oct 19:40 2008

Re: RES: transparent proxy

Stacker Hush wrote:

> I have attached the status information according to the site you told me about.

There are no REDIRECT rules in this configuration.

-Tom
--

-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________

Stacker Hush | 8 Oct 19:53 2008

RES: RES: transparent proxy

Hello.

The rule is commented now to avoid problems. 
But the rule is: 
REDIRECT        loc:!172.16.1.177             8080            tcp     www

Thanks,
Wilson

-----Original Message-----
From: Tom Eastep [mailto:teastep <at> shorewall.net] 
Sent: Wednesday, 8 October 2008 14:41
To: Shorewall Users
Subject: Re: [Shorewall-users] RES: transparent proxy

Stacker Hush wrote:

> I have attached the status information according to the site you told me about.

There are no REDIRECT rules in this configuration.

-Tom
--

-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________


Tom Eastep | 8 Oct 20:02 2008

Re: RES: RES: transparent proxy

Stacker Hush wrote:
> Hello.
> 
> The rule is commented now to avoid problems. 

Unbelievable....

-Tom
--

-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________

Tom Eastep | 8 Oct 20:15 2008

Re: shorewall + ipsec + ipvs : route back problem

Sebastien COUPPEY wrote:
> Sorry for the previous email,
> Here are the missing info and the dump with the used IPs

The nat table in this dump makes no sense at all -- please forward a
tarball of /etc/shorewall/. You can send it to support <at> shorewall.net if
you like.

Thanks,
-Tom
--

-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________

Andy McGuire | 8 Oct 20:43 2008

Re: RES: RES: transparent proxy

Try this from the documentation:

REDIRECT   loc   8080   tcp    www    -
ACCEPT      fw    net      tcp    80

On Wed, Oct 8, 2008 at 2:02 PM, Tom Eastep <teastep <at> shorewall.net> wrote:
Stacker Hush wrote:
> Hello.
>
> The rule is commented now to avoid problems.

Unbelievable....

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Fabio Correa | 8 Oct 22:31 2008

Re: RES: RES: transparent proxy

This works if Squid and Shorewall are on the same machine; I am not sure if that is the case.

Fabio

2008/10/8 Andy McGuire <mickwire <at> gmail.com>
try this from the documentation....

REDIRECT   loc   8080   tcp    www    -
ACCEPT      fw    net      tcp    80

On Wed, Oct 8, 2008 at 2:02 PM, Tom Eastep <teastep <at> shorewall.net> wrote:
Stacker Hush wrote:
> Hello.
>
> The rule is commented now to avoid problems.

Unbelievable....

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________


Tom Eastep | 8 Oct 22:43 2008

Re: RES: RES: transparent proxy

Fabio Correa wrote:
> This works if Squid and Shorewall are on the same machine; I am not sure if
> that is the case.

We basically don't have enough information here --

a) If Stacker's users are accessing the internet directly now, how does
adding the rule disrupt them if, as claimed, the rule does nothing?

b) As Fabio says, we're assuming that Squid is running on the Shorewall
box. But even if it isn't, that wouldn't cause the users to "try to go
directly to the por (SIC) 80 using  the default gateway". So I suspect
that the rule is working and Squid is not.

Because:

- In 90% of cases where transparent proxy doesn't work, it is the Squid
configuration that is wrong, not Shorewall.
- In 9% of the cases, the user forgot to enable port 80 from fw->net
even though that is carefully documented at
http://www.shorewall.net/Shorewall_Squid_Usage.html
- In the other 1%, the user is astonished to learn that HTTPS cannot be
transparently proxied.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________
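The three failure modes Tom lists (a missing or inactive REDIRECT, fw->net tcp/80 not accepted, Squid not listening in transparent mode) can be checked mechanically against an iptables-save dump and a squid.conf. The script below is an added example written for this page; it is not code from the thread, from Shorewall or from Squid. The iptables-save dumps and squid.conf fragments are constructed samples; the chain names loc_dnat and fw2net, the interfaces eth1 (loc) and eth0 (net), and the simplifications in the chain walk (interface matches are ignored, only -p/--dport/-j are interpreted) are assumptions.

```python
"""Triage a Shorewall/Squid transparent-proxy setup along the lines of the
thread: is tcp/80 REDIRECTed to the proxy port in the nat table, can the
firewall itself reach port 80 (fw->net), and is Squid's http_port in
transparent/intercept mode.  All sample inputs below are constructed."""
import re
from typing import Dict, List, Optional

# Constructed iptables-save output for a working setup.  Chain names
# (loc_dnat, fw2net) and interfaces (eth1 = loc, eth0 = net) are assumptions.
IPTABLES_OK = """\
*nat
:PREROUTING ACCEPT [0:0]
:loc_dnat - [0:0]
-A PREROUTING -i eth1 -j loc_dnat
-A loc_dnat ! -s 172.16.1.177/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:OUTPUT DROP [0:0]
:fw2net - [0:0]
-A OUTPUT -o eth0 -j fw2net
-A fw2net -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed dump with the REDIRECT rule commented out and no fw->net tcp/80.
IPTABLES_BROKEN = """\
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:OUTPUT DROP [0:0]
:fw2net - [0:0]
-A OUTPUT -o eth0 -j fw2net
-A fw2net -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

SQUID_PLAIN = "http_port 8080\n"                  # ordinary proxy port only
SQUID_INTERCEPT = "http_port 8080 transparent\n"  # Squid 2.x keyword; 3.1+ uses 'intercept'


def parse_iptables_save(text: str) -> Dict[str, List[str]]:
    """Return {table: [rule, ...]} holding the '-A' lines of an iptables-save dump."""
    tables: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def rule_field(rule: str, flag: str) -> Optional[str]:
    """Value following a flag such as '--dport' or '-j'; None if the flag is absent."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", rule)
    return m.group(1) if m else None


def find_redirect(nat_rules: List[str], dport: int = 80, to_port: int = 8080):
    """First nat rule that REDIRECTs tcp/dport to to_port, with any '! -s' exclusion."""
    for rule in nat_rules:
        if (rule_field(rule, "-p") == "tcp"
                and rule_field(rule, "--dport") == str(dport)
                and rule_field(rule, "-j") == "REDIRECT"
                and rule_field(rule, "--to-ports") == str(to_port)):
            excl = re.search(r"!\s+-s\s+(\S+)", rule)
            return {"rule": rule, "excluded_src": excl.group(1) if excl else None}
    return None


def fw_reaches_port(filter_rules: List[str], chain: str = "OUTPUT",
                    proto: str = "tcp", dport: int = 80, depth: int = 0) -> bool:
    """Walk the filter chains from `chain` and report whether proto/dport can hit
    ACCEPT.  Simplified: a rule without -p/--dport matches everything, interface
    matches are ignored, user chains are followed to a bounded depth."""
    if depth > 8:
        return False
    for rule in filter_rules:
        if rule_field(rule, "-A") != chain:
            continue
        if rule_field(rule, "-p") not in (None, proto):
            continue
        if rule_field(rule, "--dport") not in (None, str(dport)):
            continue
        target = rule_field(rule, "-j")
        if target == "ACCEPT":
            return True
        if target in ("DROP", "REJECT"):
            return False
        if target and target not in ("RETURN", "LOG"):
            if fw_reaches_port(filter_rules, target, proto, dport, depth + 1):
                return True
    return False


def squid_intercepts(conf: str, port: int) -> bool:
    """True if squid.conf has an http_port for `port` flagged transparent or intercept."""
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "http_port":
            # the port may be written as 8080, 0.0.0.0:8080 or [::]:8080
            if words[1].rsplit(":", 1)[-1] == str(port):
                return bool({"transparent", "intercept"} & set(words[2:]))
    return False


def diagnose(iptables_text: str, squid_conf: str, proxy_port: int = 8080) -> List[str]:
    """Return the list of findings; an empty list means all three checks passed."""
    tables = parse_iptables_save(iptables_text)
    findings: List[str] = []
    if find_redirect(tables.get("nat", []), 80, proxy_port) is None:
        findings.append("no nat REDIRECT of tcp/80 to %d: clients go straight out" % proxy_port)
    if not fw_reaches_port(tables.get("filter", []), "OUTPUT", "tcp", 80):
        findings.append("fw->net tcp/80 not accepted: Squid cannot fetch pages")
    if not squid_intercepts(squid_conf, proxy_port):
        findings.append("Squid http_port %d is not in transparent/intercept mode" % proxy_port)
    return findings


if __name__ == "__main__":
    for label, dump, conf in (("working", IPTABLES_OK, SQUID_INTERCEPT),
                              ("broken", IPTABLES_BROKEN, SQUID_PLAIN)):
        print(label, diagnose(dump, conf) or ["ok"])
```

On a real firewall the inputs would be `iptables-save` and the live squid.conf. The check deliberately looks only at tcp/80: port 443 is not covered because, as Tom notes, HTTPS cannot be transparently proxied this way. It also assumes Squid runs on the Shorewall box (Fabio's point); with Squid on another host the Shorewall rule would be a DNAT to that host rather than a REDIRECT, which this script does not look for.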
