From: Tom E. <te...@sh...> - 2012-12-24 03:58:56

On 12/23/2012 06:02 PM, Steve Wray wrote:
> Thanks for getting back to me.
>
> The squid config has:
>
> http_port 3128 tproxy
> http_port 3129 transparent
>
> netstat shows:
> tcp        0      0 0.0.0.0:3129            0.0.0.0:*               LISTEN      -
> tcp6       0      0 :::3128                 :::*                    LISTEN      -
>
> I didn't realise there was a convention regarding which ports squid listens
> on for what.
>
> Also, if squid wasn't listening on the port I'd set in the Shorewall config,
> wouldn't the web pages just completely fail to load instead of passing
> through to the sites?
>
> I also notice some other odd things:
>
> When I go to test-ipv6.com it says I'm going through a proxy
> "Your IPv6 address on the public internet appears to be 2001:xxx:x:xxx::x
> Proxied via: 1.1 router1.xxxx (squid/3.1.19)"
> where the IP address is correct for our ipv6 tunnel.
>
> When I go to v6.testmyipv6.com it gives my IP address as the address of the
> test VM (windows 7, chrome).
> When I go to ds.testmyipv6.com it gives my IP address as the address of my
> router.
>
> In the case of the pure ipv6 test there is nothing in the squid log. In the
> case of the dual stack test there are entries in the squid log.
>
> I'm guessing that test-ipv6.com is doing a dual stack test.
>
> Shorewall6 dump output attached.
>
>
> -----Original Message-----
> From: Tom Eastep [mailto:te...@sh...]
> Sent: Friday, 21 December 2012 11:36 p.m.
> To: Shorewall Users
> Subject: Re: [Shorewall-users] shorewall6 seems to be ignoring tproxy
>
> On 12/21/2012 02:04 AM, Steve Wray wrote:
>>
>> interfaces:
>>
>> -       lo      -       -
>>
>> dmz     eth3    detect  tcpflags,forward=1,nosmurfs
>> lan     eth0    detect  tcpflags,forward=1,nosmurfs
>> out     he-ipv6 detect  tcpflags,forward=1,nosmurfs
>> virt    eth1    detect  tcpflags,forward=1,nosmurfs
>> virt2   eth4    detect  tcpflags,forward=1,nosmurfs
>>
>> zones:
>>
>> fw      firewall
>> dmz     ipv6
>> lan     ipv6
>> out     ipv6
>> virt    ipv6
>> virt2   ipv6
>>
>> tcrules:
>>
>> FORMAT 2
>> DIVERT            he-ipv6  ::  tcp  -   80
>> TPROXY(3128,::1)  eth1     ::  tcp  80
>> #TPROXY(3128)     eth1     ::  tcp  80
>>
>> # Neither of the above lines work
>
> Is Squid really listening on port 3128 for IPv6 TPROXY? That's normally the
> intercept port (for REDIRECT) and 3129 is used for TPROXY.
>
> If that isn't the issue, please forward the output of 'shorewall6 dump'
> as a compressed attachment.

Do you see the obvious problem with this rule from your dump output?

Chain PREROUTING (policy ACCEPT 1361 packets, 464K bytes)
 pkts bytes target  prot opt in       out  source   destination
 1361  464K tcpre   all  --  *        *    ::/0     ::/0
    0     0 divert  tcp  --  he-ipv6  *    ::/0     ::/128       tcp spt:80 flags:! 0x17/0x02 socket --transparent
    0     0 TPROXY  tcp  --  eth1     *    ::/0     ::/128       tcp dpt:80 TPROXY redirect :::3128 mark 0x200/0x200

Look at the destination column. That is the all-zero address. That goes back
to your tcrules:

TPROXY(3128,::1)  eth1  ::  tcp  80

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
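The pitfall Tom points at is that `::` in the DEST column of a FORMAT 2 tcrules line is a literal address (the dump compiles it to `::/128`, a single host that never appears as a destination), not a wildcard; Shorewall's placeholder for "any" in a column is `-`. The following is an added example, not part of this thread and not Shorewall code: a small Python lint that parses a FORMAT 2 tcrules file (column order ACTION, SOURCE, DEST, PROTO, DPORT, SPORT, matching the in/source/destination columns of the dump above), reports every SOURCE or DEST column holding a bare all-zero address, and emits a corrected copy with `-` in its place. The sample rules are the ones from the thread, embedded inline; the IPv4 forms `0.0.0.0` and `0.0.0.0/32` are checked by analogy only and are an assumption, as is the re-joining of corrected lines with tabs.

```python
"""Lint Shorewall tcrules (FORMAT 2) for a literal all-zero address used
where "any" (the '-' placeholder) was meant.  Added example; not Shorewall's
own code."""
import re

# Constructed sample: the tcrules posted in the thread.
SAMPLE_TCRULES = """\
FORMAT 2
DIVERT            he-ipv6  ::  tcp  -   80
TPROXY(3128,::1)  eth1     ::  tcp  80
#TPROXY(3128)     eth1     ::  tcp  80
"""

# Leading FORMAT 2 columns; later columns are not needed for this check.
COLUMNS = ("ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT")

# "::" is the case from the thread (compiled to ::/128 in the dump).  The
# IPv4 forms are included by analogy: an assumption, not stated on the page.
ALL_ZERO = {"::", "::/128", "0.0.0.0", "0.0.0.0/32"}
ANY = "-"  # Shorewall's placeholder for "no restriction" in a column

FORMAT_RE = re.compile(r"^\??FORMAT\s+2$", re.IGNORECASE)


def parse_tcrules(text):
    """Return one dict per rule line, keyed by column name, plus its line number.
    Comments, blank lines and the FORMAT marker are skipped; missing trailing
    columns are filled with '-' so every rule has the same keys."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body or FORMAT_RE.match(body):
            continue
        fields = body.split()
        fields += [ANY] * (len(COLUMNS) - len(fields))
        rule = dict(zip(COLUMNS, fields))
        rule["line"] = lineno
        rules.append(rule)
    return rules


def find_all_zero_addresses(text):
    """Report (line, column, action, value) for every SOURCE/DEST column that is
    a bare all-zero address.  Such a rule matches only that one host, so the
    DIVERT/TPROXY action never sees real traffic (the dump shows 0 packets)."""
    return [
        (rule["line"], col, rule["ACTION"], rule[col])
        for rule in parse_tcrules(text)
        for col in ("SOURCE", "DEST")
        if rule[col] in ALL_ZERO
    ]


def rewrite_tcrules(text):
    """Return the rules text with each flagged address replaced by '-'.
    Corrected lines are re-joined with tabs (assumed acceptable to Shorewall,
    which splits columns on whitespace); other lines are passed through."""
    flagged = {(line, col) for line, col, _, _ in find_all_zero_addresses(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, sep, comment = raw.partition("#")
        stripped = body.strip()
        if not stripped or FORMAT_RE.match(stripped):
            out.append(raw)
            continue
        fields = stripped.split()
        for idx, col in enumerate(COLUMNS):
            if (lineno, col) in flagged and idx < len(fields):
                fields[idx] = ANY
        out.append("\t".join(fields) + (" " + sep + comment if sep else ""))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line, col, action, value in find_all_zero_addresses(SAMPLE_TCRULES):
        print(f"line {line}: {action}: {col} column is literal {value!r}; "
              f"use {ANY!r} for any address")
    print("--- corrected tcrules ---")
    print(rewrite_tcrules(SAMPLE_TCRULES), end="")
```

Run against the sample, the lint flags the DEST column of both active rules (the commented-out TPROXY line is ignored) and the corrected copy reads `TPROXY(3128,::1) eth1 - tcp 80`, which compiles to a destination of `::/0` rather than `::/128`. Whether port 3128 or 3129 is the right TPROXY port is a separate question the lint does not try to answer.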