Re: [squid-users] Squid 3.1.6, zph, shorewall, and tc on debian 5.0 (lenny)

From: Jason <jason_at_azii.net>
Date: Tue, 07 Apr 2009 10:47:09 -0700

Amos,

Thanks for answering.

Amos Jeffries wrote:
> Jason wrote:
>> Everyone,
>>
>> I have compiled squid 3.1.6 from source on amd64 Debian 5.0 with
>
> NP: please use the correct version numbering: 3.1.0.6.
> there will probably be a 3.1.6 at some point in the future and
> hopefully this problem will not apply to those users, best not to add
> confusion.
My mistake. This is for 3.1.0.6. My apologies to the squid community.
>
>> zph options enabled. I don't peer with any other caches, so all peering
>> stuff is disabled in my build. I did not compile a kernel with the zph
>> patches, because, as I understand, that is only necessary if I want to
>> preserve zph marks between caches. Plus, there is no zph patch for
>> the kernel version I am running.
>
> Right.
>
>>
>> With shorewall redirect rules, squid is operating as a transparent
>> intercepting proxy just fine. I do not use tproxy - this is a NAT
>> setup.
>>
>> I can not get the zph functions to work.
>>
>> Here are my config options:
>>
>> squid.conf
>> ...
>> qos_flows local-hit=0x30
>> ...
>>
>> shorewall tcstart:
>> #root htb
>> tc qdisc add dev eth1 root handle 1: htb default 1
>>
>> #default htb
>> tc class add dev eth1 parent 1: classid 1:1 htb rate 64kbps \
>> ceil 64kbps
>>
>> #squid htb
>> tc class add dev eth1 parent 1: classid 1:7 htb rate 1Mbit
>>
>> tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match \
>> ip protocol 0x6 0xff match ip tos 0x30 0xff flowid 1:7
>>
>> #I tried this for squid too
>> #tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match \
>> #ip protocol 0x6 0xff match u32 0x880430 0xffffffff at 20 flowid 1:7
>>
>> The shorewall tcrules are all commented out right now, so it is not
>> applying any filtering.
>>
>> I have about one week to finish off this server for production... Help?
>>
>>
>> Jason Wallace
>>
>
> So what are the packet traces showing you about events?
>
> Also, it's much easier for most of us to read the real firewall rules.
> What does "iptables -L && iptables -t nat -L" show happening?
>
> Amos

iptables -L && iptables -t nat -L yields the following. I will try to
packet trace this afternoon.

iptables -L && iptables -t nat -L
Chain INPUT (policy DROP)
target prot opt source destination
eth0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:INPUT:DROP:'
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:FORWARD:DROP:'
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
eth0_out all -- anywhere anywhere
eth1_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain Drop (7 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain

Chain Reject (0 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain

Chain all2fw (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:all2fw:DROP:'
DROP all -- anywhere anywhere

Chain all2loc (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:all2loc:DROP:'
DROP all -- anywhere anywhere

Chain all2net (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:all2net:DROP:'
DROP all -- anywhere anywhere

Chain blacklog (7 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:blacklst:DROP:'
DROP all -- anywhere anywhere

Chain blacklst (4 references)
target prot opt source destination
blacklog all -- x.x.x.x anywhere
blacklog all -- x.x.x.x anywhere
blacklog all -- x.x.x.x anywhere
blacklog all -- x.x.x.x anywhere
blacklog all -- x.x.x.x anywhere
blacklog all -- x.x.x.x anywhere
blacklog all -- x.x.x.x anywhere

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (4 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
blacklst all -- anywhere anywhere
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
net2loc all -- anywhere anywhere

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
blacklst all -- anywhere anywhere
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
net2fw all -- anywhere anywhere

Chain eth0_out (1 references)
target prot opt source destination
fw2net all -- anywhere anywhere

Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
blacklst all -- anywhere anywhere
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
loc2net all -- anywhere anywhere

Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
blacklst all -- anywhere anywhere
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
loc2fw all -- anywhere anywhere

Chain eth1_out (1 references)
target prot opt source destination
fw2loc all -- anywhere anywhere

Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- x.x.x.x anywhere multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
ACCEPT all -- anywhere anywhere

Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- x.x.x.x anywhere multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:logdrop:DROP:'
DROP all -- anywhere anywhere

Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere

Chain logreject (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:logreject:REJECT:'
reject all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:net2fw:DROP:'
DROP all -- anywhere anywhere

Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere x.x.x.x multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `Shorewall:net2loc:DROP:'
DROP all -- anywhere anywhere

Chain reject (7 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (4 references)
target prot opt source destination
RETURN all -- default anywhere
LOG all -- anywhere anywhere ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere

Chain tcpflags (4 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
net_dnat all -- anywhere anywhere

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
eth0_masq all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain eth0_masq (1 references)
target prot opt source destination
MASQUERADE all -- x.x.x.x/24 anywhere

Chain net_dnat (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere multiport dports smtp,www,pop3,imap2,https,imaps,pop3s to:x.x.x.x
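
A small verification harness for the setup above, added here as an example; it is not part of the thread and not Squid's or Shorewall's own code. It emits the HTB tree from the post one rule per line (with DRYRUN=1 it only prints the tc commands), and it counts TOS-marked versus unmarked TCP packets in "tcpdump -nv" output, which is the packet trace Amos is asking for. Assumptions that the thread does not state: the LAN interface is eth1, Squid marks cache hits with qos_flows local-hit=0x30, and tcpdump is installed; the function names and the sample capture are mine. One thing to keep in mind when tracing: with a NAT (REDIRECT) intercept, the replies leaving eth1 have already been un-NATed by conntrack, so their source is the origin server's address and port 80, not Squid's listening port. Filter on the TOS byte (ip[1] in BPF), not on the port.

```sh
#!/bin/sh
# Added example, not from the squid-users thread. Assumed: LAN interface eth1,
# squid.conf has "qos_flows local-hit=0x30", tcpdump present. Names are mine.
set -u

LAN_IF="${LAN_IF:-eth1}"
ZPH_TOS="${ZPH_TOS:-0x30}"

# Build the HTB tree from the post, one rule per line. With DRYRUN=1 the tc
# commands are printed instead of executed (tc needs root on a real interface).
tc_rules() {
    if [ "${DRYRUN:-0}" = 1 ]; then tc_cmd="echo tc"; else tc_cmd="tc"; fi
    $tc_cmd qdisc add dev "$LAN_IF" root handle 1: htb default 1
    # Unclassified LAN traffic. Note: "kbps" is kilobytes/s in tc, "kbit" kilobits/s.
    $tc_cmd class add dev "$LAN_IF" parent 1: classid 1:1 htb rate 64kbps ceil 64kbps
    # Class for Squid cache hits.
    $tc_cmd class add dev "$LAN_IF" parent 1: classid 1:7 htb rate 1Mbit
    # u32: TCP (protocol 6) whose whole TOS byte equals the ZPH value goes to 1:7.
    $tc_cmd filter add dev "$LAN_IF" parent 1: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip tos "$ZPH_TOS" 0xff flowid 1:7
}

# Read "tcpdump -nv" output on stdin and count TCP packets whose TOS byte equals
# $1 versus those that do not. tcpdump -v prints the IP header as
# "IP (tos 0x30, ttl 64, ..., proto TCP (6), ...)". Prints "<marked> <unmarked>".
count_tos() {
    awk -v want="$1" '
        / IP \(tos 0x[0-9a-fA-F]+,/ && / proto TCP/ {
            match($0, /tos 0x[0-9a-fA-F]+/)
            tos = substr($0, RSTART + 4, RLENGTH - 4)
            if (tolower(tos) == tolower(want)) marked++; else unmarked++
        }
        END { printf "%d %d\n", marked + 0, unmarked + 0 }'
}

# Constructed sample capture (not a real trace): three marked hits from the
# proxy, one unmarked TCP reply, one UDP packet that must be ignored.
SAMPLE_TCPDUMP='10:47:09.000001 IP (tos 0x30, ttl 64, id 1001, offset 0, flags [DF], proto TCP (6), length 1500)
    198.51.100.7.80 > 192.168.1.50.49152: Flags [.], seq 1:1449, ack 1, win 115, length 1448
10:47:09.000002 IP (tos 0x30, ttl 64, id 1002, offset 0, flags [DF], proto TCP (6), length 1500)
    198.51.100.7.80 > 192.168.1.50.49152: Flags [.], seq 1449:2897, ack 1, win 115, length 1448
10:47:09.000003 IP (tos 0x0, ttl 63, id 1003, offset 0, flags [DF], proto TCP (6), length 1500)
    203.0.113.9.80 > 192.168.1.51.49153: Flags [.], seq 1:1449, ack 1, win 115, length 1448
10:47:09.000004 IP (tos 0x30, ttl 64, id 1004, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.80 > 192.168.1.50.49152: Flags [F.], seq 2897, ack 1, win 115, length 0
10:47:09.000005 IP (tos 0x0, ttl 63, id 1005, offset 0, flags [DF], proto UDP (17), length 80)
    192.168.1.1.53 > 192.168.1.50.40000: 1234 1/0/0 A 198.51.100.7 (52)'

# Usage: sh zph-check.sh apply | dryrun | verify   (no argument: only define functions)
case "${1:-}" in
    apply)  tc_rules ;;
    dryrun) DRYRUN=1 tc_rules ;;
    verify)
        # Egress on the LAN side is post-NAT: match the TOS byte, not Squid's port.
        tcpdump -nv -i "$LAN_IF" -c 200 tcp | count_tos "$ZPH_TOS" ;;
esac
```

If count_tos reports no marked packets while access.log shows TCP_HIT entries, the mark is not being set on the socket and the tc side is not the problem; if marked packets do leave eth1 but "tc -s class show dev eth1" shows no bytes on class 1:7, the filter is. "match ip tos 0x30 0xff" is the same as the raw "match u8 0x30 0xff at 1", so either spelling of the filter should behave identically.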

Received on Tue Apr 07 2009 - 17:47:19 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 09 2009 - 12:00:02 MDT