Re: Squid 3.1.6, zph, shorewall, and tc on debian 5.0 (lenny)

Amos,

Thanks for answering.

Amos Jeffries wrote:
Jason wrote:
Everyone,

   I have compiled squid 3.1.6 from source on amd64 Debian 5.0 with

NP: please use the correct version numbering: 3.1.0.6.
There will probably be a 3.1.6 at some point in the future, and hopefully this problem will not apply to those users; best not to add confusion.
My mistake. This is for 3.1.0.6. My apologies to the squid community.

zph options enabled.  I don't peer with any other caches, so all peering
stuff is disabled in my build.  I did not compile a kernel with the zph
patches, because, as I understand, that is only necessary if I want to
preserve zph marks between caches.  Plus, there is no zph patch for
the kernel version I am running.

Right.


With shorewall redirect rules, squid is operating as a transparent
intercepting proxy just fine. I do not use tproxy - this is a NAT setup.

I cannot get the zph functions to work.

Here are my config options:

squid.conf
...
qos_flows local-hit=0x30
...

shorewall tcstart:
#root htb
tc qdisc add dev eth1 root handle 1: htb default 1

#default htb
tc class add dev eth1 parent 1: classid 1:1 htb rate 64kbps \
ceil 64kbps

#squid htb
tc class add dev eth1 parent 1: classid 1:7 htb rate 1Mbit

tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match \
ip protocol 0x6 0xff match ip tos 0x30 0xff flowid 1:7

#I tried this for squid too
#tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match \
#ip protocol 0x6 0xff match u32 0x880430 0xffffffff at 20 flowid 1:7

The shorewall tcrules are all commented out right now, so it is not applying
any filtering.

I have about one week to finish off this server for production...  Help?


Jason Wallace


So what are the packet traces showing you about events?

Also, it's much easier for most of us to read the real firewall rules. What does "iptables -L && iptables -t nat -L" show happening?

Amos

iptables -L && iptables -t nat -L yields the following. I will try to packet trace this afternoon.

iptables -L && iptables -t nat -L
Chain INPUT (policy DROP)
target     prot opt source               destination
eth0_in    all  --  anywhere             anywhere
eth1_in    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:INPUT:DROP:'
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0_fwd   all  --  anywhere             anywhere
eth1_fwd   all  --  anywhere             anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:FORWARD:DROP:'
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
eth0_out   all  --  anywhere             anywhere
eth1_out   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain Drop (7 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            multiport dports loc-srv,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain Reject (0 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            multiport dports loc-srv,microsoft-ds
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain all2fw (0 references)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:all2fw:DROP:'
DROP       all  --  anywhere             anywhere

Chain all2loc (0 references)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:all2loc:DROP:'
DROP       all  --  anywhere             anywhere

Chain all2net (0 references)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:all2net:DROP:'
DROP       all  --  anywhere             anywhere

Chain blacklog (7 references)
target     prot opt source               destination
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:blacklst:DROP:'
DROP       all  --  anywhere             anywhere

Chain blacklst (4 references)
target     prot opt source               destination
blacklog   all  --  x.x.x.x              anywhere
blacklog   all  --  x.x.x.x              anywhere
blacklog   all  --  x.x.x.x              anywhere
blacklog   all  --  x.x.x.x              anywhere
blacklog   all  --  x.x.x.x              anywhere
blacklog   all  --  x.x.x.x              anywhere
blacklog   all  --  x.x.x.x              anywhere

Chain dropBcast (2 references)
target     prot opt source               destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/4

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (4 references)
target     prot opt source               destination

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere
blacklst   all  --  anywhere             anywhere
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere
net2loc    all  --  anywhere             anywhere

Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere
blacklst   all  --  anywhere             anywhere
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere
net2fw     all  --  anywhere             anywhere

Chain eth0_out (1 references)
target     prot opt source               destination
fw2net     all  --  anywhere             anywhere

Chain eth1_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere
blacklst   all  --  anywhere             anywhere
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere
loc2net    all  --  anywhere             anywhere

Chain eth1_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere
blacklst   all  --  anywhere             anywhere
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere
loc2fw     all  --  anywhere             anywhere

Chain eth1_out (1 references)
target     prot opt source               destination
fw2loc     all  --  anywhere             anywhere

Chain fw2loc (1 references)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain fw2net (1 references)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain loc2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  x.x.x.x              anywhere            multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
ACCEPT     all  --  anywhere             anywhere

Chain loc2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  x.x.x.x              anywhere            multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:logdrop:DROP:'
DROP       all  --  anywhere             anywhere

Chain logflags (5 references)
target     prot opt source               destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:logreject:REJECT:'
reject     all  --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
Drop       all  --  anywhere             anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:net2fw:DROP:'
DROP       all  --  anywhere             anywhere

Chain net2loc (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             x.x.x.x             multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
Drop       all  --  anywhere             anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:net2loc:DROP:'
DROP       all  --  anywhere             anywhere

Chain reject (7 references)
target     prot opt source               destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
DROP       igmp --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (4 references)
target     prot opt source               destination
RETURN     all  --  default              anywhere
LOG        all  --  anywhere             anywhere            ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  anywhere             anywhere            ADDRTYPE match src-type BROADCAST
LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere

Chain tcpflags (4 references)
target     prot opt source               destination
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags   tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
logflags   tcp  --  anywhere             anywhere            tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
net_dnat   all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
eth0_masq  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain eth0_masq (1 references)
target     prot opt source               destination
MASQUERADE  all  --  x.x.x.x/24          anywhere

Chain net_dnat (1 references)
target     prot opt source               destination
DNAT tcp -- anywhere anywhere multiport dports smtp,www,pop3,imap2,https,imaps,pop3s to:x.x.x.x
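As an added diagnostic example (not code from this thread or from Squid), the script below takes the qos_flows local-hit value and the htb class from the tc rules above, derives the tc u32 selector and the tcpdump expression for the packet trace Amos asked for, and parses `tc -s class show dev eth1` counters (a constructed sample, not captured from the poster's machine) to tell whether class 1:7 is receiving anything at all. It also produces a 0xfc-mask variant, since the kernel keeps the two low ECN bits of the TOS byte on ECN-negotiated TCP connections and a 0xff mask against 0x30 would then never match.

```python
import re

# Squid's qos_flows local-hit value from the thread: the full 8-bit TOS byte.
SQUID_LOCAL_HIT_TOS = 0x30
SQUID_CLASSID = "1:7"   # the htb class the tc filter in the thread sends hits to


def tos_to_dscp(tos):
    """DSCP is the upper six bits of the TOS byte (0x30 -> 12, i.e. AF12)."""
    return tos >> 2


def tc_tos_match(tos, ignore_ecn=True):
    """u32 selector for the TOS byte. With ignore_ecn the mask is 0xfc so the
    ECN bits the kernel may set do not break the match; 0xff is the thread's filter."""
    mask = 0xfc if ignore_ecn else 0xff
    return f"match ip tos {tos & mask:#04x} {mask:#04x}"


def tcpdump_tos_filter(tos, ignore_ecn=True):
    """BPF expression for a packet trace on eth1: ip[1] is the TOS byte."""
    mask = 0xfc if ignore_ecn else 0xff
    return f"ip[1] & {mask:#04x} == {tos & mask:#04x}"


def parse_tc_class_stats(text):
    """Return {classid: (bytes, packets)} from `tc -s class show dev IFACE` output."""
    stats, current = {}, None
    for line in text.splitlines():
        head = re.match(r"class \S+ (\S+) ", line)
        if head:
            current = head.group(1)
            continue
        sent = re.match(r"\s*Sent (\d+) bytes (\d+) pkt", line)
        if sent and current:
            stats[current] = (int(sent.group(1)), int(sent.group(2)))
    return stats


def zph_class_active(stats, classid=SQUID_CLASSID):
    """True once the Squid-hit class has carried at least one packet."""
    return stats.get(classid, (0, 0))[1] > 0


# Constructed sample of `tc -s class show dev eth1` (not real output from the thread).
SAMPLE_TC_OUTPUT = """\
class htb 1:1 root prio 0 rate 512000bit ceil 512000bit burst 1600b cburst 1600b
 Sent 1842311 bytes 2203 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 2203 borrowed: 0 giants: 0
class htb 1:7 root prio 0 rate 1000Kbit ceil 1000Kbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
"""
```

Zero packets in 1:7 while 1:1 carries traffic means the TOS mark is not reaching the filter, so the next step is the tcpdump expression on eth1 rather than more tc rules.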

