I have been setting up a router for IPv6 using Hurricane as my provider.

Ultimately I want to use dansguardian on this, but my first step has been to set up squid3 as a transparent tproxy.

This is working for IPv4 using shorewall and redirect.

Of course, shorewall6 doesn't use redirect, and I've followed the documentation to set up the transparent proxy using tproxy in shorewall6.

This test network does have a lot of interfaces on it; it's a development system. Virtually everything is working smoothly with respect to IPv6; all the networks route to the internet and to each other fine. The only problem I have now is that the tproxy settings in shorewall6 seem to be completely ignored.

I am seeing some things in the squid logs which make me think that something is happening, e.g. when the test VM goes to www.google.com:

1356083809.137    670 10.0.0.100 TCP_MISS/204 301 GET http://clients1.google.com/generate_204 - DIRECT/2607:f8b0:4007:801::1001 text/html

Where 10.0.0.100 is the IPv4 address of the test VM. But there aren't nearly enough hits to reflect real proxying, and when I observe with tcpdump there's a lot more. Also, a ping to google.com does go to the IPv6 address.

When I go to http://test-ipv6.com I get 10/10, but I only see IPv4 traffic in the squid logs.

Tcpdump on port 80 shows all the IPv6 traffic shooting straight through to the internet from the test VM.

Here are the relevant file contents:

interfaces:

-       lo           -            -
dmz     eth3         detect       tcpflags,forward=1,nosmurfs
lan     eth0         detect       tcpflags,forward=1,nosmurfs
out     he-ipv6      detect       tcpflags,forward=1,nosmurfs
virt    eth1         detect       tcpflags,forward=1,nosmurfs
virt2   eth4         detect       tcpflags,forward=1,nosmurfs

zones:

fw              firewall
dmz             ipv6
lan             ipv6
out             ipv6
virt            ipv6
virt2           ipv6

tcrules:

FORMAT 2
DIVERT          he-ipv6     ::          tcp        -           80
TPROXY(3128,::1) eth1        ::          tcp        80
#TPROXY(3128) eth1        ::          tcp        80
# Neither of the above lines work

rules:

ACCEPT        any      out
ACCEPT        virt     $FW    tcp      80
ACCEPT        virt2    $FW    tcp      80
ACCEPT        lan      $FW    tcp      80
ACCEPT        $FW      out    tcp      80
ACCEPT        any      $FW    41
ACCEPT        any      any    ipv6-icmp
Ping(ACCEPT)  any      any
ACCEPT        dmz          any
ACCEPT        lan          any
ACCEPT        virt         any
ACCEPT        virt2        any
ACCEPT        lan          any
ACCEPT        virt:<2001:470:f06b:1::1>       out
ACCEPT        virt2:<2001:470:f06b:4::4>       out
ACCEPT        lan:<2001:470:f06b:F::F>        out

policy:

dmz           fw                  ACCEPT
dmz           lan                 REJECT         info
dmz           out                 ACCEPT
dmz           virt                REJECT         info
dmz           virt2               REJECT         info
lan           dmz                 REJECT         info
lan           fw                  ACCEPT
lan           out                 ACCEPT
lan           virt                ACCEPT
lan           virt2               ACCEPT
virt          dmz                 REJECT        info
virt          fw                  ACCEPT
virt          lan                 ACCEPT
virt          out                 ACCEPT
virt          virt2               ACCEPT
virt2         dmz                 REJECT        info
virt2         fw                  ACCEPT
virt2         lan                 ACCEPT
virt2         out                 ACCEPT
virt2         virt                ACCEPT
fw            all                 ACCEPT
out           all                 REJECT        info

tunnels:

generic:41        out     2001:470:c:1fd::2

Here is the info requested on the shorewall help page:

# /sbin/shorewall version
4.5.10

# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:f06b:f::f/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe19:428e/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:f06b:1::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe19:4298/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::20c:29ff:fe19:42a2/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:f06b:3::3/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb7:4057/64 scope link
       valid_lft forever preferred_lft forever
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:f06b:4::4/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb7:3925/64 scope link
       valid_lft forever preferred_lft forever
8: he-ipv6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480
    inet6 2001:470:c:1fd::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a04:1/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::ac10:63/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::7965:b226/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:1/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::c0a8:163/64 scope link
       valid_lft forever preferred_lft forever

# ip -6 route show
2001:470:c:1fd::/64 via :: dev he-ipv6  proto kernel  metric 256
2001:470:f06b:1::/64 dev eth1  proto kernel  metric 256
2001:470:f06b:3::/64 dev eth3  proto kernel  metric 256
2001:470:f06b:4::/64 dev eth4  proto kernel  metric 256
2001:470:f06b:f::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth1  proto kernel  metric 256
fe80::/64 dev eth4  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth2  proto kernel  metric 256
fe80::/64 dev eth3  proto kernel  metric 256
fe80::/64 via :: dev he-ipv6  proto kernel  metric 256
default dev he-ipv6  metric 1024
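A transparent TPROXY setup like the one above only works when four pieces are all present at runtime: a TPROXY rule on the inside interface, a socket-match (DIVERT) rule for replies arriving on the tunnel, an `ip -6 rule` that sends the fwmark to a policy table, and a `local ::/0 dev lo` route in that table. The script below is an added diagnostic, not part of the original post or of Shorewall: it checks those four pieces in the output of `ip6tables -t mangle -S`, `ip -6 rule show` and `ip -6 route show table N`, so it tells you whether the tcrules were applied at all. The sample outputs, the chain names, the mark value 0x1 and table 100 are constructed assumptions, not values captured from the poster's router.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Feed it the live output of
# `ip6tables -t mangle -S`, `ip -6 rule show` and `ip -6 route show table N`
# and it reports which prerequisite of a shorewall6 TPROXY setup is absent.
# Chain names, the fwmark (0x1) and the table number (100) used in the samples
# are assumptions, not values taken from the post.

check_tproxy_rule() {   # $1 mangle dump, $2 inside iface, $3 proxy port, $4 on-ip
    printf '%s\n' "$1" | grep -q -e "-i $2 .*--dport 80 .*-j TPROXY --on-port $3 --on-ip $4"
}

check_divert_rule() {   # $1 mangle dump, $2 tunnel iface: replies from :80 owned by a local socket
    printf '%s\n' "$1" | grep -q -e "-i $2 .*--sport 80 .*-m socket"
}

check_fwmark_rule() {   # $1 `ip -6 rule show` output, $2 policy table number
    printf '%s\n' "$1" | grep -q -e "fwmark .*lookup $2"
}

check_local_route() {   # $1 `ip -6 route show table N` output
    printf '%s\n' "$1" | grep -q -e "^local ::/0 dev lo"
}

# Returns 0 when all four pieces are present, 1 otherwise (printing what is missing).
tproxy_status() {       # $1 mangle $2 in-iface $3 port $4 on-ip $5 out-iface $6 rules $7 table $8 routes
    missing=0
    check_tproxy_rule "$1" "$2" "$3" "$4" || { echo "no TPROXY rule for $2 -> [$4]:$3"; missing=1; }
    check_divert_rule "$1" "$5"          || { echo "no DIVERT (socket match) rule on $5"; missing=1; }
    check_fwmark_rule "$6" "$7"          || { echo "no 'ip -6 rule' sending the fwmark to table $7"; missing=1; }
    check_local_route "$8"               || { echo "no 'local ::/0 dev lo' route in table $7"; missing=1; }
    return $missing
}

# Constructed samples (not captured from the poster's router).
MANGLE_OK='-A tcpre -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip ::1 --tproxy-mark 0x1/0x1
-A tcpre -i he-ipv6 -p tcp -m tcp --sport 80 -m socket -j divert'
MANGLE_EMPTY='-N tcpre
-A PREROUTING -j tcpre'
RULES_OK='0:      from all lookup local
100:    from all fwmark 0x1 lookup 100
32766:  from all lookup main'
ROUTE_OK='local ::/0 dev lo  metric 1024'

if tproxy_status "$MANGLE_OK" eth1 3128 ::1 he-ipv6 "$RULES_OK" 100 "$ROUTE_OK"; then
    echo "TPROXY plumbing present"
fi
tproxy_status "$MANGLE_EMPTY" eth1 3128 ::1 he-ipv6 "$RULES_OK" 100 "$ROUTE_OK" || echo "tcrules not applied"
```

On the real router replace the sample strings with `"$(ip6tables -t mangle -S)"`, `"$(ip -6 rule show)"` and `"$(ip -6 route show table 100)"`; if the TPROXY line is reported missing, the tcrules never reached the mangle table, which matches the symptom of IPv6 port 80 traffic passing straight through.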