Re: Squid 3.1.0.6, zph, shorewall, and tc on debian 5.0 (lenny)

Amos Jeffries wrote:
Jason wrote:
Jason wrote:
Amos,

Thanks for answering.

Amos Jeffries wrote:
Jason wrote:
Everyone,

   I have compiled squid 3.1.6 from source on amd64 Debian 5.0 with

NP: please use the correct version numbering: 3.1.0.6.
there will probably be a 3.1.6 at some point in the future and hopefully this problem will not apply to those users, best not to add confusion.
My mistake.  This is for 3.1.0.6.  My apologies to the squid community.

zph options enabled. I don't peer with any other caches, so all peering stuff is disabled in my build. I did not compile a kernel with the zph patches, because, as I understand, that is only necessary if I want to
preserve zph marks between caches.  Plus, there is no zph patch for
the kernel version I am running.

Right.


With shorewall redirect rules, squid is operating as a transparent
intercepting proxy just fine. I do not use tproxy - this is a NAT setup.

I can not get the zph functions to work.

Here are my config options:

squid.conf
...
qos_flows local-hit=0x30
...

shorewall tcstart:
#root htb
tc qdisc add dev eth1 root handle 1: htb default 1

#default htb
tc class add dev eth1 parent 1: classid 1:1 htb rate 64kbps \
ceil 64kbps

#squid htb
tc class add dev eth1 parent 1: classid 1:7 htb rate 1Mbit

tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match \
ip protocol 0x6 0xff match ip tos 0x30 0xff flowid 1:7

#I tried this for squid too
#tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match \
#ip protocol 0x6 0xff match u32 0x880430 0xffffffff at 20 flowid 1:7

The shorewall tcrules are all commented out right now, so it is not applying
any filtering.

I have about one week to finish off this server for production... Help?


Jason Wallace


So what are the packet traces showing you about events?

Also, it's much easier for most of us to read the real firewall rules. What does "iptables -L && iptables -t nat -L" show happening?

Amos

iptables -L && iptables -t nat -L yields the following. I will try to packet trace this afternoon.
I have researched what a packet trace could mean. Do you want to see what wireshark says on a client computer when I try to retrieve something that should come from the cache?


I can't see the tos handling in iptables, maybe we needed -v option on the list, or shorewall may have placed it elsewhere.

I just thought, check your config for tcp_outgoing_tos, which is likely to replace any qos_flow specifics with the blanket TOS. I'm going to have to fix that clash up someday.

Amos

UPDATE:

When I issue
'tc filter show dev eth1'
it returns:

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:7
 match 00060000/00ff0000 at 8
 match 00880430/ffffffff at 20

When I issue
'tc -s filter'
it returns nothing.



So, I THINK the filters are there.

The tc qdisc and classes are there:

tc -s qdisc
qdisc pfifo_fast 0: dev eth0 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 90646920 bytes 669638 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 1: dev eth1 root r2q 10 default 1 direct_packets_stat 0
Sent 338313859 bytes 340611 pkt (dropped 0, overlimits 491133 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0


tc -s class show dev eth1
class htb 1:1 root prio 0 rate 512000bit ceil 512000bit burst 1599b cburst 1599b
Sent 338315321 bytes 340622 pkt (dropped 0, overlimits 0 requeues 0)
rate 4904bit 6pps backlog 0b 0p requeues 0
lended: 340622 borrowed: 0 giants: 0
tokens: 22706 ctokens: 22706

class htb 1:2 root prio 0 rate 512000bit ceil 512000bit burst 1599b cburst 1599b
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
lended: 0 borrowed: 0 giants: 0
tokens: 24414 ctokens: 24414

class htb 1:7 root prio 0 rate 1000Kbit ceil 1000Kbit burst 1600b cburst 1600b
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
lended: 0 borrowed: 0 giants: 0
tokens: 12500 ctokens: 12500


But the 1:7 class is empty - so nothing reaches it....


Here is the iptables output with -v. I didn't see any tc stuff there (I'm not sure exactly what to look for).

iptables -L -v && iptables -t nat -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7357  864K eth0_in    all  --  eth0   any     anywhere             anywhere
8623  745K eth1_in    all  --  eth1   any     anywhere             anywhere
   0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
   0     0 Drop       all  --  any    any     anywhere             anywhere
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:INPUT:DROP:'
   0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
326K  329M eth0_fwd   all  --  eth0   any     anywhere             anywhere
259K   33M eth1_fwd   all  --  eth1   any     anywhere             anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
   0     0 Drop       all  --  any    any     anywhere             anywhere
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:FORWARD:DROP:'
   0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3781  250K eth0_out   all  --  any    eth0    anywhere             anywhere
6153  954K eth1_out   all  --  any    eth1    anywhere             anywhere
   0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
   0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain Drop (7 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- any any anywhere anywhere tcp dpt:auth
3620  395K dropBcast  all  --  any    any     anywhere             anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
2 80 dropInvalid all -- any any anywhere anywhere
0 0 DROP udp -- any any anywhere anywhere multiport dports loc-srv,microsoft-ds
0 0 DROP udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn
0 0 DROP udp -- any any anywhere anywhere udp spt:netbios-ns dpts:1024:65535
0 0 DROP tcp -- any any anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
0 0 DROP udp -- any any anywhere anywhere udp dpt:1900
0 0 dropNotSyn tcp -- any any anywhere anywhere
0 0 DROP udp -- any any anywhere anywhere udp spt:domain

Chain Reject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- any any anywhere anywhere tcp dpt:auth
   0     0 dropBcast  all  --  any    any     anywhere             anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 dropInvalid all -- any any anywhere anywhere
0 0 reject udp -- any any anywhere anywhere multiport dports loc-srv,microsoft-ds
0 0 reject udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn
0 0 reject udp -- any any anywhere anywhere udp spt:netbios-ns dpts:1024:65535
0 0 reject tcp -- any any anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
0 0 DROP udp -- any any anywhere anywhere udp dpt:1900
0 0 dropNotSyn tcp -- any any anywhere anywhere
0 0 DROP udp -- any any anywhere anywhere udp spt:domain

Chain all2fw (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
   0     0 Drop       all  --  any    any     anywhere             anywhere
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:all2fw:DROP:'
   0     0 DROP       all  --  any    any     anywhere             anywhere

Chain all2loc (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
   0     0 Drop       all  --  any    any     anywhere             anywhere
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:all2loc:DROP:'
   0     0 DROP       all  --  any    any     anywhere             anywhere

Chain all2net (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
   0     0 Drop       all  --  any    any     anywhere             anywhere
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:all2net:DROP:'
   0     0 DROP       all  --  any    any     anywhere             anywhere

Chain blacklog (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:blacklst:DROP:'
   0     0 DROP       all  --  any    any     anywhere             anywhere

Chain blacklst (4 references)
pkts bytes target prot opt in out source destination
   0     0 blacklog   all  --  any    any     x.x.x.x/14        anywhere
   0     0 blacklog   all  --  any    any     x.x.x.x           anywhere
   0     0 blacklog   all  --  any    any     www.true.com         anywhere
0 0 blacklog all -- any any x.x.x.x-static.reverse.softlayer.com anywhere
   0     0 blacklog   all  --  any    any     x.x.x.x          anywhere
   0     0 blacklog   all  --  any    any     x.x.x.x       anywhere
   0     0 blacklog   all  --  any    any     crl2.entrust.net     anywhere

Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
3618 395K DROP all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- any any anywhere BASE-ADDRESS.MCAST.NET/4

Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
2 80 DROP all -- any any anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
326K  329M dynamic    all  --  any    any     anywhere             anywhere
326K  329M blacklst   all  --  any    any     anywhere             anywhere
0 0 smurfs all -- any any anywhere anywhere state INVALID,NEW
326K  329M tcpflags   tcp  --  any    any     anywhere             anywhere
326K  329M net2loc    all  --  any    eth1    anywhere             anywhere

Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
7357  864K dynamic    all  --  any    any     anywhere             anywhere
7357  864K blacklst   all  --  any    any     anywhere             anywhere
3620 395K smurfs all -- any any anywhere anywhere state INVALID,NEW
   2    80 tcpflags   tcp  --  any    any     anywhere             anywhere
7357  864K net2fw     all  --  any    any     anywhere             anywhere

Chain eth0_out (1 references)
pkts bytes target prot opt in out source destination
3781  250K fw2net     all  --  any    any     anywhere             anywhere

Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
259K   33M dynamic    all  --  any    any     anywhere             anywhere
259K   33M blacklst   all  --  any    any     anywhere             anywhere
18509 936K smurfs all -- any any anywhere anywhere state INVALID,NEW
259K   33M tcpflags   tcp  --  any    any     anywhere             anywhere
259K   33M loc2net    all  --  any    eth0    anywhere             anywhere

Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
8623  745K dynamic    all  --  any    any     anywhere             anywhere
8623  745K blacklst   all  --  any    any     anywhere             anywhere
7195 642K smurfs all -- any any anywhere anywhere state INVALID,NEW
1244 83675 tcpflags   tcp  --  any    any     anywhere             anywhere
8623  745K loc2fw     all  --  any    any     anywhere             anywhere

Chain eth1_out (1 references)
pkts bytes target prot opt in out source destination
6153  954K fw2loc     all  --  any    any     anywhere             anywhere

Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
6153 954K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
   0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
27 4947 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3754  245K ACCEPT     all  --  any    any     anywhere             anywhere

Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
1428 103K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any x.x.x.x anywhere multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
7195  642K ACCEPT     all  --  any    any     anywhere             anywhere

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
240K 32M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any x.x.x.x anywhere multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
18509  936K ACCEPT     all  --  any    any     anywhere             anywhere

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:logdrop:DROP:'
   0     0 DROP       all  --  any    any     anywhere             anywhere

Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
   0     0 DROP       all  --  any    any     anywhere             anywhere

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:logreject:REJECT:'
   0     0 reject     all  --  any    any     anywhere             anywhere

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
3737 469K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
3620  395K Drop       all  --  any    any     anywhere             anywhere
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:net2fw:DROP:'
   0     0 DROP       all  --  any    any     anywhere             anywhere

Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
326K 329M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere x.x.x.x multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
   0     0 Drop       all  --  any    any     anywhere             anywhere
0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:net2loc:DROP:'
   0     0 DROP       all  --  any    any     anywhere             anywhere

Chain reject (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere ADDRTYPE match src-type BROADCAST
0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
   0     0 DROP       igmp --  any    any     anywhere             anywhere
0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
0 0 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
0 0 REJECT icmp -- any any anywhere anywhere reject-with icmp-host-unreachable
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

Chain smurfs (4 references)
pkts bytes target prot opt in out source destination
   5  2144 RETURN     all  --  any    any     default              anywhere
0 0 LOG all -- any any anywhere anywhere ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- any any anywhere anywhere ADDRTYPE match src-type BROADCAST
0 0 LOG all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere

Chain tcpflags (4 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 logflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 logflags tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 logflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 logflags tcp -- any any anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

Chain PREROUTING (policy ACCEPT 27586 packets, 1820K bytes)
pkts bytes target prot opt in out source destination
3618  395K net_dnat   all  --  eth0   any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 3752 packets, 245K bytes)
pkts bytes target prot opt in out source destination
21951 1158K eth0_masq  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3752 packets, 245K bytes)
pkts bytes target prot opt in out source destination

Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
18199  914K MASQUERADE  all  --  any    any     x.x.x.x/24       anywhere

Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere anywhere multiport dports smtp,www,pop3,imap2,https,imaps,pop3s to:x.x.x.x



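A small diagnostic helper, added here as an example and not part of the thread, of Squid or of Shorewall. It decodes the `match VALUE/MASK at OFFSET` lines that `tc filter show` prints back into the IPv4 header fields they test (u32 compiles `match ip tos 0x30 0xff` to `match 00300000/00ff0000 at 0` and `match ip protocol 0x6 0xff` to `match 00060000/00ff0000 at 8`), checks whether any installed filter actually tests the TOS byte that `qos_flows local-hit=0x30` asks squid to set, and lists the HTB classes whose packet counters are still zero. The sample outputs are copied from the message above; the field table, the function names and the treatment of offsets past the fixed 20-byte IPv4 header are assumptions of this example.

```python
"""Decode tc u32 filter matches and find idle HTB classes (added example)."""
import re

# Fixed IPv4 header fields that `u32 match ip <field>` compiles to, keyed by
# (offset of the 32-bit word, byte mask). For `protocol ip` filters, u32 `at N`
# counts from the start of the IP header. Table is an assumption of this example.
IPV4_FIELDS = {
    (0, 0x00ff0000): "tos",
    (8, 0xff000000): "ttl",
    (8, 0x00ff0000): "protocol",
    (12, 0xffffffff): "src",
    (16, 0xffffffff): "dst",
}

MATCH_RE = re.compile(r"match\s+([0-9a-f]{8})/([0-9a-f]{8})\s+at\s+(\d+)")
# One `class htb <id> ...` header followed by its `Sent <bytes> bytes <pkts> pkt` line.
CLASS_RE = re.compile(r"^class htb (\S+).*\n\s*Sent (\d+) bytes (\d+) pkt", re.M)

# Sample output copied from the thread (tc filter show / tc -s class show dev eth1).
FILTER_OUTPUT = """\
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:7
 match 00060000/00ff0000 at 8
 match 00880430/ffffffff at 20
"""

CLASS_OUTPUT = """\
class htb 1:1 root prio 0 rate 512000bit ceil 512000bit burst 1599b cburst 1599b
Sent 338315321 bytes 340622 pkt (dropped 0, overlimits 0 requeues 0)
rate 4904bit 6pps backlog 0b 0p requeues 0

class htb 1:2 root prio 0 rate 512000bit ceil 512000bit burst 1599b cburst 1599b
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

class htb 1:7 root prio 0 rate 1000Kbit ceil 1000Kbit burst 1600b cburst 1600b
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
"""


def decode_match(line):
    """Describe the header field one `match VALUE/MASK at OFFSET` line tests.
    Returns None when the line is not a u32 match line."""
    m = MATCH_RE.search(line)
    if not m:
        return None
    value, mask, offset = int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))
    # Shift the masked bits down so the value reads as the field's natural number.
    shift = (mask & -mask).bit_length() - 1 if mask else 0
    field = IPV4_FIELDS.get((offset, mask))
    if field is None and offset >= 20:
        # Past the fixed IPv4 header: only lands in the TCP/UDP header if IHL == 5.
        field = "beyond-ipv4-header"
    return {"offset": offset, "mask": mask, "field": field, "value": (value & mask) >> shift}


def tos_match_present(filter_text, tos):
    """True if any installed u32 match tests the TOS byte for exactly `tos`."""
    return any(
        (d := decode_match(line)) and d["field"] == "tos" and d["value"] == tos
        for line in filter_text.splitlines()
    )


def parse_class_stats(text):
    """Map each HTB class id to the (bytes, packets) it has sent."""
    return {cid: (int(b), int(p)) for cid, b, p in CLASS_RE.findall(text)}


def idle_classes(stats):
    """Class ids whose packet counter is still zero, i.e. no filter steers traffic there."""
    return sorted(cid for cid, (_, pkts) in stats.items() if pkts == 0)


def report(filter_text, class_text, tos):
    """Summarise what the installed filters test and which classes never see traffic."""
    fields = [d for d in map(decode_match, filter_text.splitlines()) if d]
    return {
        "tested_fields": [(d["field"], d["value"]) for d in fields],
        "tos_filter_installed": tos_match_present(filter_text, tos),
        "idle_classes": idle_classes(parse_class_stats(class_text)),
    }


if __name__ == "__main__":
    for key, val in report(FILTER_OUTPUT, CLASS_OUTPUT, 0x30).items():
        print(f"{key}: {val}")
```

Run against the thread's own output, the report shows the single installed filter testing `protocol == 6` plus a raw 32-bit word past the IP header, no match on the TOS byte at all, and classes 1:2 and 1:7 with zero packets. That separates the two questions being debated above: whether squid is setting the TOS (a packet capture answers that) and whether tc is even looking at it (the decoded filter answers that).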