Re: [Shorewall-users] RES: RES: RES: transparent proxy

[Tom E. <te...@sh...>]

Stacker Hush wrote:
> Here my firewall configuration:
> 
> Now the REDIRECT rule is activacted in status.txt
> 
> eth0: 192.168.0.254 (wan - connected to ADSL)
> eth1: 172.16.1.254 (lan)
> tap0: 192.168.99.1 openvpn
> 
> zones:
> fw      firewall
> net     ipv4
> loc     ipv4
> vpn     ipv4
> 
> interfaces:
> net     eth0            detect
> loc     eth1            detect
> vpn     tap0
> 
> masq: 
> eth0                    eth1
> eth1                    eth0
> 
> squid is running in 8080 port.
> 
> In messages i see:
> Oct  8 19:48:25 farroupilha kernel: Shorewall:FORWARD:REJECT:IN=eth0
> OUT=eth0 SRC=172.16.1.1 DST=65.77.157.50 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=20577 DF PROTO=TCP SPT=1232 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

That is a sign of a very sick configuration.

Note that "IN=eth0 OUT=eth0". That means that the packets are arriving
on eth0 and being routed back out of eth0. More troubling from the dump are:

Table main:

192.168.99.0/24 dev tap0  proto kernel  scope link  src 192.168.99.1
172.16.1.0/24 dev eth1  proto kernel  scope link  src 172.16.1.254
-------------     ----

ARP

? (172.16.1.200) at 00:1E:0B:79:56:C1 [ether] on eth1
? (192.168.99.3) at 00:FF:E4:C4:C3:DF [ether] on tap0
? (172.16.1.2) at 00:0E:2E:EC:64:17 [ether] on eth1
? (172.16.1.1) at 00:0F:EA:D2:10:DB [ether] on eth1
   ----------                                  ----

So 172.16.1.1 should be connected to eth1 yet traffic from that system
is arriving on eth0!!!

You need to understand why that is happening -- my best guess is that
eth0 and eth1 are connected to the same Ethernet segment.

-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________