From: Tom E. <te...@sh...> - 2009-09-30 18:29:15
Justin T Pryzby wrote:
> Shorewall 4.4 is running on a gateway machine with 2 providers, and
> also running squid and pppd. I have two related problems. One is
> that I've never been able to get "balance,track" working for both
> interfaces, thus can't use "routefilter" for both. 2nd problem is web
> access from the shorewall machine itself.
>
> Two external interfaces are eth0 T1 and ppp0. PPP0 is a DSL modem in
> bridging mode. It needs "TCPMSS clamp to PMTU". I wasn't able to get
> it working with the "balance" option on both interfaces. So we have
> providers:"balance" only on the dsl and interfaces:"routefilter" only
> on eth0. Apparently this causes PPP0 to be the default route, which
> seems to also cause all packets to get their MSS set.

That is all very unclear.

> If I add balance and routefilter where they're missing, I get lots of
> these:
>
> Sep 29 11:02:45 charcoal kernel: [319681.436182] martian source 206.80.216.107 from 69.63.184.142, on dev ppp0

Then you are doing something wrong.

> masq looks like:
> lo 0.0.0.0/0 127.0.0.1 tcp 3128

What in the world is that for?

> ppp0 0.0.0.0/0
> eth0 0.0.0.0/0 detect
>
> 2nd problem is squid. I *was* able to get locally-generated HTTP
> requests working, but only using a kludge:
>
> rules:
> ACCEPT loc:lo all
> REDIRECT fw 3128 tcp www - !192.168.1.254 - !proxy
>
> interfaces:
> loc lo detect routefilter,logmartians,tcpflags,nosmurfs
>
> As far as I know, lo shouldn't need to be listed in any file.
>
> If I don't add interfaces:"lo", then I can't add it to "masq", and
> packets redirected to 3128 have the (dynamic) source address of the
> ppp0 interface (due to default route?). That's of course not found in
> squid.conf, so it rejects the request.
>
> Does anyone have any suggestions for either problem?
No -- but if you configure Shorewall the way that you think should work (without all of the workarounds) then submit the output of "shorewall dump" collected as described at http://www.shorewall.net/support.htm#Guidelines, we will try to help.

-Tom

--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________