Vieri Di Paola
2017-05-26 16:17:09 UTC
________________________________
> Looks like you are redirecting port 80 to port 62001, but no process
> is listening on that port.

How do you know there's no process listening on that port?
I ran this on the shorewall machine:
# ss -tnap | fgrep 62001
LISTEN 0 128 :::62001 :::* users:(("/usr/sbin/apach",pid=29038,fd=12),("/usr/sbin/apach",pid=29033,fd=12),("/usr/sbin/apach",pid=29032,fd=12),("/usr/sbin/apach",pid=29031,fd=12),("/usr/sbin/apach",pid=28968,fd=12),("/usr/sbin/apach",pid=27512,fd=12),("/usr/sbin/apach",pid=27461,fd=12),("/usr/sbin/apach",pid=22872,fd=12),("/usr/sbin/apach",pid=19472,fd=12),("/usr/sbin/apach",pid=19099,fd=12),("/usr/sbin/apach",pid=19094,fd=12))
ESTAB 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.246.167:47475 users:(("/usr/sbin/apach",pid=29031,fd=26))
TIME-WAIT 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.248.193:37020
ESTAB 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.246.167:57504 users:(("/usr/sbin/apach",pid=27512,fd=26))
TIME-WAIT 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.248.193:34666
It's an apache/php process and it is serving a page as I can test by directly connecting a "loc" host with IP address 10.215.144.48 to Shorewall's IP address 10.215.144.92 ($FW).
Also, the redirection was not supposed to match in my previous example because the destination IP of www.shorewall.net was in an ipset whitelist.
In fact, the rule is:
REDIRECT:info:OUT1 loc:$MY_NETWORKS!$OUT_VIP 62001 tcp 80 - !+OUT_WL,+OUT_MANUAL_WL,$MY_EXTRA_NETWORKS,$MY_WAN
# host www.shorewall.net
www.shorewall.net is an alias for shorewall.mastermindpro.com.
shorewall.mastermindpro.com has address 63.135.54.24
# ipset list OUT_WL | grep 63.135
63.135.48.0/20 timeout 0
Anyway, in order to simplify things even further, I added 10.215.144.48 to $OUT_VIP in order to explicitly avoid the redirection.
I then tried to access http://www.shorewall.net from 10.215.144.48 but had the exact same issue (BTW I can open the web page at 10.215.144.92, i.e. $FW, on port 62001 from 10.215.144.48).
I'm attaching another dump in the hope we can shed some light on this (open port 80 at 63.135.54.24 from 10.215.144.48 via Squid TPROXY).
Thanks,
Vieri
PS.: nothing in Squid log.
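Added example (not part of Vieri's message, and not Shorewall's own matching code): a small offline Python model of the two checks made above. It parses `ss -tnap` text to list the PIDs that actually own a LISTEN socket on port 62001, and it evaluates the REDIRECT rule's SOURCE exclusion (`$MY_NETWORKS!$OUT_VIP`) and negated ORIGDEST set list for a given packet, so you can see why a destination inside 63.135.48.0/20 is never redirected and why adding 10.215.144.48 to $OUT_VIP also takes it out of the rule. The `ss` lines are constructed to match the shape in the post; the values of $MY_NETWORKS, $OUT_VIP, $MY_EXTRA_NETWORKS and $MY_WAN are hypothetical, since only the OUT_WL entry 63.135.48.0/20 and the hosts 10.215.144.48 and 10.215.144.92 appear in the thread. The semantics assumed for the rule (source in MY_NETWORKS but not OUT_VIP; original destination in none of the listed sets) are the documented meaning of `!` in Shorewall's SOURCE and ORIGDEST columns.

```python
import ipaddress
import re

# Constructed `ss -tnap` output, shaped like the lines in the post (not live data).
SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::62001 :::* users:(("/usr/sbin/apach",pid=29038,fd=12),("/usr/sbin/apach",pid=29033,fd=12))
ESTAB 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.246.167:47475 users:(("/usr/sbin/apach",pid=29031,fd=26))
TIME-WAIT 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.248.193:37020
LISTEN 0 128 *:22 *:* users:(("sshd",pid=1234,fd=3))
"""

# Hypothetical values for the rule's variables. Only 63.135.48.0/20 (the OUT_WL
# entry shown by `ipset list`) comes from the post; the other networks are made up.
MY_NETWORKS = ["10.215.0.0/16"]                       # $MY_NETWORKS
OUT_VIP = ["10.215.144.1"]                            # $OUT_VIP
WHITELIST = ["63.135.48.0/20",                        # +OUT_WL
             "10.215.0.0/16", "192.0.2.0/24"]         # +OUT_MANUAL_WL, $MY_EXTRA_NETWORKS, $MY_WAN


def listeners_on_port(ss_text, port):
    """Return the set of PIDs owning a LISTEN socket on `port`, parsed from `ss -tnap` text."""
    pids = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Field 3 is Local Address:Port; the port is whatever follows the last ':'
        # (handles ':::62001', '*:22' and '::ffff:10.0.0.1:62001' alike).
        if fields[3].rsplit(":", 1)[-1] != str(port):
            continue
        pids.update(int(p) for p in re.findall(r"pid=(\d+)", line))
    return pids


def in_any(ip, networks):
    """True if `ip` lies inside any CIDR/host entry (a model of an ipset hash:net lookup)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def redirect_decision(src, dst, dport, *, my_networks, out_vip, whitelist, proto="tcp"):
    """Decide whether the post's rule fires for one packet and say why.

    Models the rule (assumed semantics, not Shorewall's code):
      REDIRECT loc:$MY_NETWORKS!$OUT_VIP 62001 tcp 80 - !<whitelist sets>
    SOURCE must be in MY_NETWORKS and not in OUT_VIP; the leading '!' on
    ORIGDEST means the original destination must be in none of the sets.
    """
    if proto != "tcp" or dport != 80:
        return "no match: not tcp/80"
    if not in_any(src, my_networks):
        return "no match: source not in MY_NETWORKS"
    if in_any(src, out_vip):
        return "no match: source excluded by OUT_VIP"
    if in_any(dst, whitelist):
        return "no match: destination is whitelisted"
    return "REDIRECT to port 62001 on $FW"


if __name__ == "__main__":
    print("PIDs listening on 62001:", sorted(listeners_on_port(SS_OUTPUT, 62001)))
    for dst in ("63.135.54.24", "198.51.100.10"):
        verdict = redirect_decision("10.215.144.48", dst, 80, my_networks=MY_NETWORKS,
                                    out_vip=OUT_VIP, whitelist=WHITELIST)
        print(f"10.215.144.48 -> {dst}:80  {verdict}")
    # The author's second experiment: the client host itself added to $OUT_VIP.
    print(redirect_decision("10.215.144.48", "198.51.100.10", 80, my_networks=MY_NETWORKS,
                            out_vip=OUT_VIP + ["10.215.144.48"], whitelist=WHITELIST))
```

On the live firewall, `ipset test OUT_WL 63.135.54.24` is the authoritative membership check; grepping `ipset list` output for a prefix of the address only works when the covering entry happens to share that text. The model above does a proper containment check, which is what the kernel does.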