Gentoo Forums
forwarding port 80 to 8080 on local machine [SOLVED]
mikegpitt
Advocate
Joined: 22 May 2004
Posts: 3152

PostPosted: Sun Feb 04, 2007 7:14 pm    Post subject: forwarding port 80 to 8080 on local machine [SOLVED]

Edit:
Original title:
forwarding one port to another via shorewall


Solution: As discussed below, it is impossible to forward http traffic in this manner on a machine with one ethernet card. Instead the http_proxy var must be used.



Original post:

I'm having a very hard time trying to get shorewall to forward port 80 traffic to port 8080 on the local machine.

The whole setup is that I want to forward all web traffic to port 8080 (which is running dansguardian). This traffic is automatically forwarded to squid (port 3128), and goes out to the internet.

With shorewall off, things work perfectly when setting firefox to use the proxy 127.0.0.1:8080, however when trying to get this to work via shorewall all traffic seems to get rejected.

Here are my config files (note machine has only 1 ethernet card, eth1):

/etc/shorewall/interfaces:
Code:
net     eth1            detect          dhcp,nosmurfs


/etc/shorewall/zones:
Code:
fw      firewall
net     ipv4


/etc/shorewall/policy:
Code:
fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info


/etc/shorewall/rules:
Code:

REDIRECT  net           8080            tcp      www
ACCEPT    fw            net             tcp      www



A few weird things:
1) When I take the line "fw net ACCEPT" out of my policy, all internet goes down, even though I have the line "ACCEPT fw net tcp www" in my rules. Why would this be?

2) In the shorewall docs, it does the REDIRECT in the rules file, not through net, but through loc. What is loc? It seems like some configurations that have it also have more than 1 network card, which obviously won't help in my case.


Can anyone help?


Last edited by mikegpitt on Tue Feb 06, 2007 7:36 pm; edited 2 times in total
Fukai
Tux's lil' helper
Joined: 05 Jul 2006
Posts: 149
Location: São Paulo, Brazil

PostPosted: Mon Feb 05, 2007 2:57 am    Post subject:

for loc add this to /etc/shorewall/interfaces
Code:
loc lo -


and this to zones
Code:
loc ipv4


And you can use this to redirect in rules
Code:
REDIRECT        loc      80         tcp     8080    -


This does an 8080->80 redirect of the traffic coming from the loopback interface.

EDIT: uhh, look, you need an 80->8080 redirect, so change the args in REDIRECT
mikegpitt
Advocate
Joined: 22 May 2004
Posts: 3152

PostPosted: Mon Feb 05, 2007 3:20 am    Post subject:

Still no luck.

I added this to interfaces:
Code:
loc lo -


I added this to zones:
Code:
loc ipv4

I also tried just this:
Code:
loc -



I tried both these lines in rules:
Code:
REDIRECT        loc      80         tcp     8080    -

and...
Code:
REDIRECT        loc      8080         tcp     80    -


I believe the second one is what I want (redirect port 80 traffic to 8080).

I messed with various combinations and the traffic doesn't appear to be forwarding.


BTW - Question #1 from my first post seems to have sorted itself out.
Fukai
Tux's lil' helper
Joined: 05 Jul 2006
Posts: 149
Location: São Paulo, Brazil

PostPosted: Mon Feb 05, 2007 3:46 am    Post subject:

When you say it is rejected something appears in shorewall log?
mikegpitt
Advocate
Joined: 22 May 2004
Posts: 3152

PostPosted: Mon Feb 05, 2007 5:55 pm    Post subject:

Fukai wrote:
When you say it is rejected something appears in shorewall log?

It is weird. When I have this line in my policy:
Code:
fw              net             ACCEPT
Nothing is rejected, but the traffic going to port 80 doesn't seem to be redirected either.

When I take that line out, then I receive things like this in my log:
Code:
Feb  5 12:51:28 localhost Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.107 DST=151.197.0.38 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62040 DF PROTO=UDP SPT=32771 DPT=53 LEN=40


Now... this somewhat makes sense to me, because I guess by default everything is being blocked. What doesn't make sense is that when I add this line in my rules, things are still blocked.
Code:
ACCEPT    fw            net             tcp      www



I'm really stuck with all this. I have tried MANY different combinations of rules and either no redirection happens, or I have no internet.
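The log line quoted in the post above can be read mechanically, which makes the "why is it still blocked" question easier to answer. The following is an added example (not from the thread and not Shorewall's code) that parses Shorewall's `Shorewall:<chain>:<disposition>:` log prefix plus the kernel's key=value packet dump, then checks whether a rule shaped like `ACCEPT fw net tcp www` would have matched the packet. The sample line is the one posted above; the `SERVICES` table is a small hand-made subset of /etc/services.

```python
"""Parse Shorewall/netfilter log lines and test them against a simple ACCEPT rule.

Added example for illustration; not Shorewall's own code. The sample line is the
one quoted in the forum post; the service table is a hand-made subset of /etc/services.
"""
import re

# Shorewall prefixes the kernel's packet dump with "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[A-Z]+):(?P<rest>.*)$")

SERVICES = {"www": 80, "http": 80, "domain": 53}   # subset, for the rule check below


def parse_shorewall_log(line):
    """Return a dict describing the logged packet, or None if it is not a Shorewall entry."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": []}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val            # "IN=" yields "", which is meaningful (see below)
        else:
            rec["flags"].append(tok)  # bare tokens such as DF
    # An empty IN= means the packet was generated by the firewall host itself,
    # so it is subject to the fw->net policy, not net->fw.
    rec["locally_generated"] = rec.get("IN", "") == ""
    return rec


def rule_covers(rec, proto, dest_port):
    """Would a Shorewall rule like 'ACCEPT fw net <proto> <dest_port>' match this packet?

    Only protocol and destination port are modelled; zones are not.
    """
    want = dest_port if isinstance(dest_port, int) else SERVICES[dest_port]
    return rec.get("PROTO", "").lower() == proto.lower() and int(rec.get("DPT", -1)) == want


def explain(rec):
    """One-line human summary of a parsed record."""
    origin = "the firewall itself" if rec["locally_generated"] else f"interface {rec['IN']}"
    return (f"{rec['disposition']} in chain {rec['chain']}: {rec['PROTO']} "
            f"{rec['SRC']}:{rec.get('SPT', '?')} -> {rec['DST']}:{rec.get('DPT', '?')} "
            f"from {origin}")


# The line posted in the thread (constructed copy, wrapped for readability).
SAMPLE = ("Feb  5 12:51:28 localhost Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.107 "
          "DST=151.197.0.38 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62040 DF PROTO=UDP "
          "SPT=32771 DPT=53 LEN=40")

if __name__ == "__main__":
    rec = parse_shorewall_log(SAMPLE)
    print(explain(rec))
    print("covered by 'ACCEPT fw net tcp www':", rule_covers(rec, "tcp", "www"))
```

Run on the sample, this reports a locally generated UDP packet to port 53 (a DNS lookup by the firewall host) rejected in chain `all2all`, the chain Shorewall builds for the catch-all `all all REJECT` policy. A rule accepting only `tcp www` cannot cover it, which is why removing the `fw net ACCEPT` policy took down "all internet": the browser's traffic on port 80 would be allowed, but the name resolution it depends on is not.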
mikegpitt
Advocate
Joined: 22 May 2004
Posts: 3152

PostPosted: Tue Feb 06, 2007 4:32 pm    Post subject:

Well, after reading some shorewall docs, I'm thinking that maybe I don't need the loc zone. Apparently loc is for machines that have 2 network interfaces, and have an internal network zone (like a LAN) and an external zone, in front of the firewall, i.e. the internet.

I still can't get the REDIRECT rules to work. It seems that it is trying to append this to the iptables chain:
Code:
/sbin/iptables -t nat -A net_dnat -p tcp -d 127.0.0.1/24 --dport 80 -j REDIRECT --to-port 8080

That rule seems to make sense, so I suppose elsewhere in my config something is preventing the machine from forwarding.


BTW - This is my current policy:
Code:
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
$FW             net             ACCEPT
net             $FW             DROP            info
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
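The two REDIRECT attempts a few posts up (`REDIRECT loc 80 tcp 8080` versus `REDIRECT loc 8080 tcp 80`) and the iptables rule Shorewall generated in the post above both come down to how the rules-file columns map onto a nat rule. The following is an added example, not Shorewall's compiler and not code from the thread, that performs that mapping for the REDIRECT action in simplified form. It assumes a small hand-made `SERVICES` table in place of /etc/services, and it omits the destination-address match (the `-d 127.0.0.1/24` seen above) and the many other columns and options the real compiler handles.

```python
"""Simplified translation of Shorewall REDIRECT rules into the iptables nat rule they expand to.

Added example for illustration; not Shorewall's own code. The real compiler adds a
destination-address match and supports far more columns than this does.
"""
import shlex

# Hand-picked subset of /etc/services names accepted in port columns (assumption:
# a real system resolves these with getservbyname()).
SERVICES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "domain": 53}


def port_number(token):
    """Resolve a numeric port or a service name to an integer port."""
    if token.isdigit():
        return int(token)
    try:
        return SERVICES[token.lower()]
    except KeyError:
        raise ValueError(f"unknown service name {token!r}") from None


def translate_redirect(rule_line, fw_zone="fw"):
    """Return the iptables argv for one Shorewall REDIRECT rule.

    Shorewall's rules-file columns for REDIRECT are, in order:
        ACTION  SOURCE  DEST  PROTO  DEST_PORT  [SOURCE_PORT]  [ORIGINAL_DEST]
    where DEST is the local port to redirect *to* and DEST_PORT is the port the
    client originally connected to. Swapping those two is the mistake made in
    the thread above.
    """
    cols = shlex.split(rule_line.split("#", 1)[0])
    if not cols or cols[0].upper() != "REDIRECT":
        raise ValueError("not a REDIRECT rule")
    if len(cols) < 5:
        raise ValueError("REDIRECT needs SOURCE, DEST, PROTO and DEST_PORT columns")
    _, source, to_port, proto, dport = cols[:5]
    sport = cols[5] if len(cols) > 5 and cols[5] != "-" else None

    # Traffic the firewall generates itself is NATted in nat/OUTPUT; traffic from
    # any other zone enters nat/PREROUTING, where Shorewall jumps to <zone>_dnat.
    if source.lstrip("$").lower() == fw_zone.lower():
        chain = "OUTPUT"
    else:
        chain = f"{source}_dnat"

    argv = ["iptables", "-t", "nat", "-A", chain, "-p", proto.lower(),
            "--dport", str(port_number(dport))]
    if sport is not None:
        argv += ["--sport", str(port_number(sport))]
    argv += ["-j", "REDIRECT", "--to-ports", str(port_number(to_port))]
    return argv


def describe(rule_line):
    """One-line summary, handy for eyeballing which way a rule points."""
    argv = translate_redirect(rule_line)
    proto = argv[argv.index("-p") + 1]
    dport = argv[argv.index("--dport") + 1]
    to = argv[argv.index("--to-ports") + 1]
    return f"{argv[4]}: {proto}/{dport} -> local port {to}"


if __name__ == "__main__":
    for rule in ("REDIRECT  net  8080  tcp  www",
                 "REDIRECT loc 80 tcp 8080 -",
                 "REDIRECT loc 8080 tcp 80 -",
                 "REDIRECT $FW 3128 tcp www -"):
        print(f"{rule:40s} => {describe(rule)}")
        print(" ".join(translate_redirect(rule)))
```

The first rule reproduces the chain, protocol, port and target of the line Shorewall logged above (`--to-port` and `--to-ports` are the same iptables option). The `loc 80 tcp 8080` variant comes out as "tcp/8080 -> local port 80", i.e. backwards for this setup, while `loc 8080 tcp 80` is the intended direction. A rule with `$FW` as its source lands in nat/OUTPUT, which is the only chain that locally generated browser traffic ever passes through on a one-interface machine.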
jpl888
Guru
Joined: 13 Apr 2005
Posts: 337
Location: Piltown, Co. Kilkenny, Ireland.

PostPosted: Tue Feb 06, 2007 5:41 pm    Post subject:

Ok so am I right in thinking you have just one machine (which is the firewall) that you want to transparent proxy for?

If so that will never work. When you tell Shorewall to redirect port 80 to 8080 the traffic will just go into a vicious loop and never actually go anywhere.

I will illustrate my point.

Traffic comes in from the firewall on port 80, gets redirected to port 8080, which is Dansguardian. Dansguardian does its thang and passes the traffic on to squid on port 3128. Squid does its thang and tries to actually request the web page on port 80 from the firewall.

Hence the traffic goes back into the REDIRECT chain and does the whole thing over and over again.

Get it?

Your only options are to either go direct OR tell your machine about the proxy via the "http_proxy" and "ftp_proxy" environment variables.
mikegpitt
Advocate
Joined: 22 May 2004
Posts: 3152

PostPosted: Tue Feb 06, 2007 7:22 pm    Post subject:

Ok, now it's starting to make more sense... I feel like an idiot for wasting so much time on the firewall conf. Live and learn.

Now onto http_proxy.

As suggested by this guide: http://gentoo-wiki.com/Http_proxy I created the file /etc/env.d/99local, put in the http_proxy var, and ran env-update && source /etc/profile.
Code:
# echo $http_proxy
http://127.0.0.1:8080


The only problem is that it doesn't work! I am trying this via the links text browser since I'm not in front of the machine at the moment.


EDIT: This may be a links specific problem. I found this on the net:
Code:
Warning: links is a notable exception here. It does not honor the http_proxy environment variable! However, you can add http_proxy 127.0.0.1:8118 to your /etc/links.cfg and/or to your ~/.links/links.cfg. Or go to Setup -> Network Options and do the same there. Or use the -http-proxy 127.0.0.1:8118 command line option.


EDIT2: I was able to verify with wget. It works! Now hopefully it works with Firefox as well when I get in front of the machine.
michael105
n00b
Joined: 01 Mar 2006
Posts: 12

PostPosted: Sun Jun 08, 2008 2:17 pm    Post subject: It is possible

Hi,
finally I found out how to enable transparent proxying with shorewall and squid on the same machine.

I'm not sure, however, if the solution is secure.

1. Create a tap interface with the address, e.g., 192.168.1.2
2. Order squid to use this address for all outgoing traffic:
in squid.conf:
tcp_outgoing_address 192.168.1.2

3. Use the normal REDIRECT rule in rules:
REDIRECT fw 3128 tcp www -

4. After starting shorewall, insert a rule into the nat table:
iptables -t nat -I OUTPUT 1 -p tcp -s 192.168.1.2 -j ACCEPT


UPDATE:
Discard point 4 - instead put the command below into the file /etc/shorewall/started
/sbin/iptables -t nat -I OUTPUT 1 -p tcp -s 192.168.1.2 -j ACCEPT


Michael
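jpl888's loop and michael105's fix can be shown side by side with a small model of how nat/OUTPUT processes a same-host transparent proxy. The following is an added example, not iptables code and not from either post: it traverses a list of first-match rules the way nat/OUTPUT does, feeds a browser connection through it, and then follows squid's own upstream connection back through the same chain. Three chains are compared: the bare REDIRECT from the thread, michael105's source-address exemption (step 4 above, tap address 192.168.1.2), and the common alternative of exempting the proxy by process owner (`iptables -t nat -I OUTPUT 1 -m owner --uid-owner squid -j RETURN`). The squid uid, the browser uid and the host address are made-up values; squid on 3128 is assumed as in michael105's setup.

```python
"""Model of nat/OUTPUT traversal for a transparent proxy on the same host.

Added example for illustration; not iptables and not from the forum posts. It
shows why a bare REDIRECT 80->3128 loops and how exempting the proxy's own
upstream connections (by source address or by socket owner) breaks the loop.
UIDs and addresses below are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Callable

PROXY_PORT = 3128            # squid's listening port, as in the thread
SQUID_UID = 31               # assumed uid of the squid process
SQUID_SRC = "192.168.1.2"    # michael105's tap-interface address (squid tcp_outgoing_address)
HOST_SRC = "192.168.1.107"   # the host's normal address, taken from the log line earlier


@dataclass(frozen=True)
class Packet:
    uid: int     # owner of the originating socket (what -m owner --uid-owner tests)
    src: str     # source address (what -s tests)
    dport: int


@dataclass(frozen=True)
class Rule:
    match: Callable[[Packet], bool]
    target: str  # "REDIRECT", "ACCEPT" or "RETURN"
    to_port: int = 0


class LoopError(RuntimeError):
    pass


def nat_output(chain, pkt):
    """First-match traversal of nat/OUTPUT; ACCEPT/RETURN end processing without NAT."""
    for rule in chain:
        if rule.match(pkt):
            return replace(pkt, dport=rule.to_port) if rule.target == "REDIRECT" else pkt
    return pkt  # chain policy ACCEPT: packet leaves unchanged


def follow_request(chain, pkt, max_hops=4):
    """Destination ports one request visits before leaving the host.

    A packet redirected to PROXY_PORT is consumed by squid, which then opens its
    own port-80 connection (uid SQUID_UID, src SQUID_SRC); that connection also
    passes nat/OUTPUT. Raises LoopError if the request never reaches port 80.
    """
    hops = []
    for _ in range(max_hops):
        out = nat_output(chain, pkt)
        hops.append(out.dport)
        if out.dport != PROXY_PORT:
            return hops
        pkt = Packet(uid=SQUID_UID, src=SQUID_SRC, dport=80)  # squid's upstream fetch
    raise LoopError(f"request never left the host: {hops}")


def loops(chain, pkt):
    try:
        follow_request(chain, pkt)
        return False
    except LoopError:
        return True


REDIRECT_80 = Rule(lambda p: p.dport == 80, "REDIRECT", PROXY_PORT)

# 1. The REDIRECT on its own: catches every port-80 connection, squid's included.
NAIVE = [REDIRECT_80]
# 2. michael105's fix: exempt squid's outgoing source address ahead of the REDIRECT.
SOURCE_EXEMPT = [Rule(lambda p: p.src == SQUID_SRC, "ACCEPT"), REDIRECT_80]
# 3. Alternative: exempt by socket owner (-m owner --uid-owner squid -j RETURN).
OWNER_EXEMPT = [Rule(lambda p: p.uid == SQUID_UID, "RETURN"), REDIRECT_80]

BROWSER = Packet(uid=1000, src=HOST_SRC, dport=80)
# A non-squid process that has bound itself to the tap address: does it dodge the proxy?
SNEAKY = Packet(uid=1000, src=SQUID_SRC, dport=80)

if __name__ == "__main__":
    print("naive chain loops:", loops(NAIVE, BROWSER))
    print("source-exempt hops:", follow_request(SOURCE_EXEMPT, BROWSER))
    print("owner-exempt hops:", follow_request(OWNER_EXEMPT, BROWSER))
    print("sneaky bypasses source-exempt:", nat_output(SOURCE_EXEMPT, SNEAKY).dport == 80)
    print("sneaky bypasses owner-exempt:", nat_output(OWNER_EXEMPT, SNEAKY).dport == 80)
```

With the bare rule the browser's connection becomes 3128, squid's upstream fetch becomes 3128 again, and so on: the loop jpl888 describes. Either exemption yields the hops `[3128, 80]`. The difference between them is the security question michael105 raises: the source-address exemption trusts whoever can bind 192.168.1.2, so any local process that does so skips dansguardian, whereas the owner match is tied to the squid uid and still redirects such a process. On a real box the owner rule belongs in /etc/shorewall/started exactly where michael105 puts his, so it is reinserted ahead of the REDIRECT each time Shorewall restarts.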