Re: [squid-users] Squid 3.1.0.6, zph, shorewall, and tc on debian 5.0 (lenny)

From: Jason <jason_at_azii.net>
Date: Wed, 08 Apr 2009 17:51:02 -0700

Jason wrote:
> Amos,
>
> Thanks for answering.
>
> Amos Jeffries wrote:
>> Jason wrote:
>>> Everyone,
>>>
>>> I have compiled squid 3.1.6 from source on amd64 Debian 5.0 with
>>
>> NP: please use the correct version numbering: 3.1.0.6.
>> there will probably be a 3.1.6 at some point in the future and
>> hopefully this problem will not apply to those users, best not to add
>> confusion.
> My mistake. This is for 3.1.0.6. My apologies to the squid community.
>>
>>> zph options enabled. I don't peer with any other caches, so all
>>> peering
>>> stuff is disabled in my build. I did not compile a kernel with the zph
>>> patches, because, as I understand, that is only necessary if I want to
>>> preserve zph marks between caches. Plus, there is no zph patch for
>>> the kernel version I am running.
>>
>> Right.
>>
>>>
>>> With shorewall redirect rules, squid is operating as a transparent
>>> intercepting proxy just fine. I do not use tproxy - this is a NAT
>>> setup.
>>>
>>> I can not get the zph functions to work.
>>>
>>> Here are my config options:
>>>
>>> squid.conf
>>> ...
>>> qos_flows local-hit=0x30
>>> ...
>>>
>>> shorewall tcstart:
>>> #root htb (unclassified traffic falls through to minor id 1, i.e. class 1:1)
>>> tc qdisc add dev eth1 root handle 1: htb default 1
>>>
>>> #default htb (note: tc reads "kbps" as kilobytes/s; "kbit" is kilobits/s)
>>> tc class add dev eth1 parent 1: classid 1:1 htb rate 64kbps ceil 64kbps
>>>
>>> #squid htb
>>> tc class add dev eth1 parent 1: classid 1:7 htb rate 1Mbit
>>>
>>> #TCP packets whose IP TOS byte is 0x30 (the qos_flows local-hit value) go to 1:7
>>> tc filter add dev eth1 parent 1: protocol ip prio 1 u32 \
>>>   match ip protocol 0x6 0xff match ip tos 0x30 0xff flowid 1:7
>>>
>>> #I tried this for squid too
>>> #tc filter add dev eth1 parent 1: protocol ip prio 1 u32 \
>>> #  match ip protocol 0x6 0xff match u32 0x880430 0xffffffff at 20 flowid 1:7
>>>
>>> The shorewall tcrules are all commented out right now, so it is not
>>> applying
>>> any filtering.
>>>
>>> I have about one week to finish off this server for production...
>>> Help?
>>>
>>>
>>> Jason Wallace
>>>
>>
>> So what are the packet traces showing you about events?
>>
>> Also, it's much easier for most of us to read the real firewall rules.
>> What does "iptables -L && iptables -t nat -L" show happening?
>>
>> Amos
>
> iptables -L && iptables -t nat -L yields the following. I will try to
> packet trace this afternoon.
I have researched what a packet trace could mean. Do you want to see
what wireshark says on a client computer when I try to retrieve
something that should come from the cache?

>
> iptables -L && iptables -t nat -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> eth0_in    all  --  anywhere             anywhere
> eth1_in    all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> Drop       all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Shorewall:INPUT:DROP:'
> DROP       all  --  anywhere             anywhere
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> eth0_fwd   all  --  anywhere             anywhere
> eth1_fwd   all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> Drop       all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Shorewall:FORWARD:DROP:'
> DROP       all  --  anywhere             anywhere
>
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> eth0_out   all  --  anywhere             anywhere
> eth1_out   all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
>
> Chain Drop (7 references)
> target     prot opt source               destination
> reject     tcp  --  anywhere             anywhere             tcp dpt:auth
> dropBcast  all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
> ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
> dropInvalid  all  --  anywhere             anywhere
> DROP       udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds
> DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
> DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
> DROP       tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
> DROP       udp  --  anywhere             anywhere             udp dpt:1900
> dropNotSyn  tcp  --  anywhere             anywhere
> DROP       udp  --  anywhere             anywhere             udp spt:domain
>
> Chain Reject (0 references)
> target     prot opt source               destination
> reject     tcp  --  anywhere             anywhere             tcp dpt:auth
> dropBcast  all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
> ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
> dropInvalid  all  --  anywhere             anywhere
> reject     udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds
> reject     udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
> reject     udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
> reject     tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
> DROP       udp  --  anywhere             anywhere             udp dpt:1900
> dropNotSyn  tcp  --  anywhere             anywhere
> DROP       udp  --  anywhere             anywhere             udp spt:domain
>
> Chain all2fw (0 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> Drop       all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Shorewall:all2fw:DROP:'
> DROP       all  --  anywhere             anywhere
>
> Chain all2loc (0 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> Drop       all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Shorewall:all2loc:DROP:'
> DROP       all  --  anywhere             anywhere
>
> Chain all2net (0 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> Drop       all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Shorewall:all2net:DROP:'
> DROP       all  --  anywhere             anywhere
>
> Chain blacklog (7 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Shorewall:blacklst:DROP:'
> DROP       all  --  anywhere             anywhere
>
> Chain blacklst (4 references)
> target     prot opt source               destination
> blacklog   all  --  x.x.x.x              anywhere
> blacklog   all  --  x.x.x.x              anywhere
> blacklog   all  --  x.x.x.x              anywhere
> blacklog   all  --  x.x.x.x              anywhere
> blacklog   all  --  x.x.x.x              anywhere
> blacklog   all  --  x.x.x.x              anywhere
> blacklog   all  --  x.x.x.x              anywhere
>
> Chain dropBcast (2 references)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
> DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
>
> Chain dropInvalid (2 references)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere             state INVALID
>
> Chain dropNotSyn (2 references)
> target     prot opt source               destination
> DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
>
> Chain dynamic (4 references)
> target     prot opt source               destination
>
> Chain eth0_fwd (1 references)
> target     prot opt source               destination
> dynamic    all  --  anywhere             anywhere
> blacklst   all  --  anywhere             anywhere
> smurfs     all  --  anywhere             anywhere             state INVALID,NEW
> tcpflags   tcp  --  anywhere             anywhere
> net2loc    all  --  anywhere             anywhere
>
> Chain eth0_in (1 references)
> target     prot opt source               destination
> dynamic    all  --  anywhere             anywhere
> blacklst   all  --  anywhere             anywhere
> smurfs     all  --  anywhere             anywhere             state INVALID,NEW
> tcpflags   tcp  --  anywhere             anywhere
> net2fw     all  --  anywhere             anywhere
>
> Chain eth0_out (1 references)
> target     prot opt source               destination
> fw2net     all  --  anywhere             anywhere
>
> Chain eth1_fwd (1 references)
> target     prot opt source               destination
> dynamic    all  --  anywhere             anywhere
> blacklst   all  --  anywhere             anywhere
> smurfs     all  --  anywhere             anywhere             state INVALID,NEW
> tcpflags   tcp  --  anywhere             anywhere
> loc2net    all  --  anywhere             anywhere
>
> Chain eth1_in (1 references)
> target     prot opt source               destination
> dynamic    all  --  anywhere             anywhere
> blacklst   all  --  anywhere             anywhere
> smurfs     all  --  anywhere             anywhere             state INVALID,NEW
> tcpflags   tcp  --  anywhere             anywhere
> loc2fw     all  --  anywhere             anywhere
>
> Chain eth1_out (1 references)
> target     prot opt source               destination
> fw2loc     all  --  anywhere             anywhere
>
> Chain fw2loc (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
>
> Chain fw2net (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
>
> Chain loc2fw (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     tcp  --  x.x.x.x              anywhere             multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
> ACCEPT     all  --  anywhere             anywhere
>
> Chain loc2net (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     tcp  --  x.x.x.x              anywhere             multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
> ACCEPT     all  --  anywhere             anywhere
>
> Chain logdrop (0 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Shorewall:logdrop:DROP:'
> DROP       all  --  anywhere             anywhere
>
> Chain logflags (5 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere             LOG level info ip-options prefix `Shorewall:logflags:DROP:'
> DROP       all  --  anywhere             anywhere
>
> Chain logreject (0 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Shorewall:logreject:REJECT:'
> reject     all  --  anywhere             anywhere
>
> Chain net2fw (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
> Drop       all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Shorewall:net2fw:DROP:'
> DROP       all  --  anywhere             anywhere
>
> Chain net2loc (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             x.x.x.x              multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
> Drop       all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             LOG level warning prefix `Shorewall:net2loc:DROP:'
> DROP       all  --  anywhere             anywhere
>
> Chain reject (7 references)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere             ADDRTYPE match src-type BROADCAST
> DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
> DROP       igmp --  anywhere             anywhere
> REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
> REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
> REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
> REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
>
> Chain shorewall (0 references)
> target     prot opt source               destination
>
> Chain smurfs (4 references)
> target     prot opt source               destination
> RETURN     all  --  default              anywhere
> LOG        all  --  anywhere             anywhere             ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
> DROP       all  --  anywhere             anywhere             ADDRTYPE match src-type BROADCAST
> LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere        LOG level info prefix `Shorewall:smurfs:DROP:'
> DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
>
> Chain tcpflags (4 references)
> target     prot opt source               destination
> logflags   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> logflags   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
> logflags   tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
> logflags   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
> logflags   tcp  --  anywhere             anywhere             tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
>
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> net_dnat   all  --  anywhere             anywhere
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> eth0_masq  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain eth0_masq (1 references)
> target     prot opt source               destination
> MASQUERADE  all  --  x.x.x.x/24           anywhere
>
> Chain net_dnat (1 references)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             anywhere             multiport dports smtp,www,pop3,imap2,https,imaps,pop3s to:x.x.x.x
>
>
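The packet-trace check Amos asks for, as an added example that is not part of the thread, of Squid or of Shorewall. Wireshark shows the IP TOS byte as DSCP plus ECN, so the script below decodes a constructed packet the same way, then emulates the two tc u32 matches quoted in the message: `match ip tos 0x30 0xff` (equivalent to a raw 32-bit match on the first word of the IP header under mask 0x00ff0000) and the `match u32 0x880430 0xffffffff at 20` attempt. It assumes the IP header carries no options, so byte offset 20 from the start of the IP header is the start of the TCP header (source and destination ports), which is what that second match actually compares. The packets are built inline from the standard library only; `build_ipv4_tcp`, `u32_match`, `classify`, `dscp_of` and `report` are hypothetical names chosen here, and no capture file, root privileges or real interface are needed.

```python
"""Added example (not code from the thread): decode the IPv4 TOS byte the way
Wireshark presents it and emulate the tc u32 matches from the posted tcstart,
so a client-side capture can be checked against qos_flows local-hit=0x30.
Packets are constructed inline; stdlib only."""
import struct

ZPH_HIT_TOS = 0x30   # value from the thread's squid.conf: qos_flows local-hit=0x30
IPPROTO_TCP = 6

# Standard DSCP names (RFC 2474/2597/3246); 0x30 >> 2 == 12 is AF12.
DSCP_NAMES = {0: "CS0", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
              16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23", 24: "CS3",
              26: "AF31", 28: "AF32", 30: "AF33", 32: "CS4", 34: "AF41",
              36: "AF42", 38: "AF43", 40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}


def build_ipv4_tcp(tos, src, dst, sport, dport, payload=b""):
    """Constructed sample packet: minimal IPv4 header (no options) + TCP header.
    Checksums are left at zero; none of the matches below look at them."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, tos, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


def ip_tos(pkt):
    """Second byte of the IPv4 header: the field `match ip tos VALUE MASK` tests."""
    return pkt[1]


def dscp_of(tos):
    """Wireshark displays TOS as DSCP (upper six bits) and ECN (lower two bits)."""
    dscp = tos >> 2
    return dscp, DSCP_NAMES.get(dscp, "unnamed"), tos & 0x3


def u32_match(pkt, value, mask, offset):
    """Emulate `u32 match u32 VALUE MASK at OFFSET`: tc reads a 32-bit word at
    OFFSET bytes from the start of the IP header and compares it under MASK."""
    if offset + 4 > len(pkt):
        return False
    (word,) = struct.unpack("!I", pkt[offset:offset + 4])
    return (word & mask) == (value & mask)


def classify(pkt):
    """The first filter from the thread: TCP with TOS == 0x30 goes to class 1:7;
    everything else falls through to the qdisc default, class 1:1."""
    if pkt[9] == IPPROTO_TCP and ip_tos(pkt) == ZPH_HIT_TOS:
        return "1:7"
    return "1:1"


def report(pkt):
    """What to compare against a Wireshark capture of a cache hit."""
    dscp, name, ecn = dscp_of(ip_tos(pkt))
    return {
        "tos": ip_tos(pkt),
        "dscp": f"{dscp} ({name})",
        "ecn": ecn,
        "class": classify(pkt),
        # `match ip tos 0x30 0xff` is the same test as this raw match on word 0
        "tos_as_u32": u32_match(pkt, 0x00300000, 0x00ff0000, 0),
        # the thread's second attempt: offset 20 is past the 20-byte IP header,
        # so it compares TCP source/destination ports, not the TOS byte
        "ports_as_u32": u32_match(pkt, 0x00880430, 0xFFFFFFFF, 20),
    }


if __name__ == "__main__":
    # constructed samples: one marked as Squid would mark a hit, one unmarked
    hit = build_ipv4_tcp(ZPH_HIT_TOS, "192.0.2.1", "192.0.2.50", 80, 40000)
    miss = build_ipv4_tcp(0x00, "192.0.2.1", "192.0.2.50", 80, 40001)
    for label, pkt in (("cache hit", hit), ("unmarked", miss)):
        print(label, report(pkt))
```

A capture on the client that shows DSCP AF12 (TOS 0x30) on HTTP responses means Squid is setting the mark and the problem is in the tc side; a capture that shows DSCP 0 means the mark never left the proxy, and tc cannot be expected to find it. Either way, `tc -s class show dev eth1` gives the byte counters of class 1:7 to confirm where the kernel is actually putting the traffic.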
Received on Thu Apr 09 2009 - 00:51:12 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 09 2009 - 12:00:02 MDT