[Shorewall-users] connection issue through shorewall firewall with TPROXY
Vieri Di Paola
2017-05-23 12:36:24 UTC
Hi,

I'm trying to access http://www.shorewall.net from a subnet through shorewall with Squid as a transparent proxy.


I'm attaching a shorewall dump taken while trying to connect from 192.168.210.142 to 63.135.54.24 on port 80.
It *shouldn't* be a squid config issue (I think so, at least).

What could I try?

Vieri
Tom Eastep
2017-05-23 15:25:47 UTC
Post by Vieri Di Paola
> Hi,
> I'm trying to access http://www.shorewall.net from a subnet through
> shorewall with Squid as a transparent proxy.
> I'm attaching a shorewall dump while trying to connect from
> 192.168.210.142 to 63.135.54.24 on port 80. It *shouldn't* be a
> squid config issue (I think so, at least).
> What could I try?
Configure Squid for TPROXY on port 3129:

http_port 3129 tproxy

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
Vieri Di Paola
2017-05-23 20:17:28 UTC
Post by Tom Eastep
> http_port 3129 tproxy
I already did. My squid configuration contains the following:

http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem

In fact, in my mangle file I have:

DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 80
TPROXY(3129) $IF_LAN:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
DIVERT $IF_WAN $PROXY_SOURCE_WAN tcp - 443
TPROXY(3130) $IF_LAN:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 443

DIVERT $IF_WAN $PROXY_SOURCE_WAN_DMZ tcp - 80
TPROXY(3129) $IF_DMZ:$PROXY_SOURCE_WAN_DMZ $PROXY_DESTINATION_WAN_DMZ tcp 80
DIVERT $IF_WAN $PROXY_SOURCE_WAN_DMZ tcp - 443
TPROXY(3130) $IF_DMZ:$PROXY_SOURCE_WAN_DMZ $PROXY_DESTINATION_WAN_DMZ tcp 443


Clients behind $IF_LAN are successfully proxied. Clients behind $IF_DMZ are not.

Vieri
Vieri Di Paola
2017-05-24 07:02:31 UTC
> Before you do that, take a look at your dmz->fw rules -- you are only
> allowing ports 80 and 443 to a restricted set of hosts with private IP
> addresses
The first rule below solves my issue. The second rule (commented out) does not.

ACCEPT dmz $FW tcp 80,443
# ACCEPT dmz $FW:192.168.210.1,10.215.144.91,10.215.145.81,10.215.145.241,10.215.145.242 tcp 80,443

The private IP addresses are set on $FW's NICs.
I take it I misconfigured that, as the DIVERT&TPROXY actions require I allow all DST for ports 80,443.

Thanks!

Vieri
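The misconfiguration in this thread is easy to reintroduce later, so here is a small lint script, added as an example and not part of the thread or of Shorewall itself, that flags it: a TPROXY'd packet keeps its original destination address, so a dmz->$FW ACCEPT rule narrowed to the firewall's own IPs ($FW:a.b.c.d,...) never matches traffic on a port that the mangle file hands to TPROXY from that zone. The config fragments are constructed after the ones quoted above, and the interface-to-zone mapping is an assumption.

```python
# Constructed sample fragments modelled on the mangle and rules files in the thread.
MANGLE = """\
TPROXY(3129) $IF_LAN:$PROXY_SOURCE_WAN $PROXY_DESTINATION_WAN tcp 80
TPROXY(3129) $IF_DMZ:$PROXY_SOURCE_WAN_DMZ $PROXY_DESTINATION_WAN_DMZ tcp 80
TPROXY(3130) $IF_DMZ:$PROXY_SOURCE_WAN_DMZ $PROXY_DESTINATION_WAN_DMZ tcp 443
"""
RULES_RESTRICTED = "ACCEPT dmz $FW:192.168.210.1,10.215.144.91 tcp 80,443\n"
RULES_OPEN = "ACCEPT dmz $FW tcp 80,443\n"
# Assumption: which interface variable belongs to which zone.
ZONE_OF_IFACE = {"$IF_LAN": "loc", "$IF_DMZ": "dmz"}

def _ports(field):
    """'80,443' -> {80, 443}"""
    return {int(p) for p in field.split(",")}

def tproxy_ports_by_zone(mangle_text):
    """Map each zone whose interface carries a TPROXY rule to the TCP ports it intercepts."""
    result = {}
    for line in mangle_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("TPROXY("):
            continue
        iface = fields[1].split(":", 1)[0]  # '$IF_DMZ:$PROXY_SOURCE_WAN_DMZ' -> '$IF_DMZ'
        zone = ZONE_OF_IFACE.get(iface, iface)
        result.setdefault(zone, set()).update(_ports(fields[4]))
    return result

def restricted_fw_accepts(rules_text):
    """(source zone, ports) of ACCEPT rules whose DEST is $FW narrowed to listed addresses."""
    found = []
    for line in rules_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ACCEPT" or fields[3] != "tcp":
            continue  # also skips blank lines and '#' commented-out rules
        if fields[2].startswith("$FW:"):
            found.append((fields[1], _ports(fields[4])))
    return found

def check(mangle_text, rules_text):
    """Report (zone, ports) where a TPROXY'd port is accepted only towards the firewall's own
    addresses. A TPROXY'd packet keeps its original destination IP, so that rule never matches."""
    intercepted = tproxy_ports_by_zone(mangle_text)
    findings = []
    for zone, ports in restricted_fw_accepts(rules_text):
        clash = ports & intercepted.get(zone, set())
        if clash:
            findings.append((zone, tuple(sorted(clash))))
    return findings
```

Running check(MANGLE, RULES_RESTRICTED) reports the dmz zone on ports 80 and 443, while the unrestricted rule produces no finding.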
