Return packets via squid running as tproxy not working

Tags: ipv4, ipv6, squid, transparent-proxy

I have been trying to get this to work properly for two days now and I desperately need assistance. I have configured Squid 3 as a proxy listening on port 3129 with the tproxy flag, and followed the instructions for shorewall found here:

http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY

I am using IPv6, so I have adjusted these settings accordingly and redirect via NAT is not an option.

When I try to connect to a remote host such as ipv6.google.com on port 80, the connection gets intercepted by squid fine, which in turn connects to ipv6.google.com, but eventually the connection just times out and I am presented with the squid error page.

If I perform a tcpdump of the connection, this is what I get:

19:09:11.958367 IP6 2001:388:e000:c100:213:e8ff:fe6b:41e5.56667 > 2404:6800:4006:802::1014.80: Flags [S], seq 4011445546, win 12200, options [mss 1220,sackOK,TS val 3255676 ecr 0,nop,wscale 5], length 0
19:09:12.019139 IP6 2404:6800:4006:802::1014.80 > 2001:388:e000:c100:213:e8ff:fe6b:41e5.56667: Flags [S.], seq 1191029984, ack 4011445547, win 5712, options [mss 1410,sackOK,TS val 967841584 ecr 3255676,nop,wscale 6], length 0

This repeats each time the request TTL times out.

If I use squid as a non-transparent proxy server it is able to handle IPv6 requests without any issues. So for some reason the packets are not finding their way back to squid.

I am running:

kernel     - 2.6.39
iptables   - 1.4.11
shorewall6 - 4.4.20
squid3     - 3.1.12

EDIT – I am seeing the same behavior with IPv4

ip6tables -nL output:

Chain INPUT (policy DROP)
target     prot opt source               destination         
dynamic    all      ::/0                 ::/0                 ctstate INVALID,NEW
net2fw     all      ::/0                 ::/0                
loc2fw     all      ::/0                 ::/0                
ACCEPT     all      ::/0                 ::/0                
Drop       all      ::/0                 ::/0                
LOG        all      ::/0                 ::/0                 LOG flags 0 level 6 prefix "Shorewall:INPUT:DROP:"
DROP       all      ::/0                 ::/0                

Chain FORWARD (policy DROP)
target     prot opt source               destination         
net2loc    all      ::/0                 ::/0                
loc2net    all      ::/0                 ::/0                
lo_fwd     all      ::/0                 ::/0                
Reject     all      ::/0                 ::/0                
LOG        all      ::/0                 ::/0                 LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
reject     all      ::/0                 ::/0                [goto] 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
fw2net     all      ::/0                 ::/0                
fw2loc     all      ::/0                 ::/0                
ACCEPT     all      ::/0                 ::/0                
Reject     all      ::/0                 ::/0                
LOG        all      ::/0                 ::/0                 LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:"
reject     all      ::/0                 ::/0                [goto] 

Chain Drop (3 references)
target     prot opt source               destination         
reject     tcp      ::/0                 ::/0                 tcp dpt:113 /* Auth */
dropBcast  all      ::/0                 ::/0                
dropInvalid  all      ::/0                 ::/0                
DROP       udp      ::/0                 ::/0                 multiport dports 135,445 /* SMB */
DROP       udp      ::/0                 ::/0                 udp dpts:137:139 /* SMB */
DROP       udp      ::/0                 ::/0                 udp spt:137 dpts:1024:65535 /* SMB */
DROP       tcp      ::/0                 ::/0                 multiport dports 135,139,445 /* SMB */
dropNotSyn  tcp      ::/0                 ::/0                
DROP       udp      ::/0                 ::/0                 udp spt:53 /* Late DNS Replies */

Chain Reject (2 references)
target     prot opt source               destination         
reject     tcp      ::/0                 ::/0                 tcp dpt:113 /* Auth */
dropBcast  all      ::/0                 ::/0                
dropInvalid  all      ::/0                 ::/0                
reject     udp      ::/0                 ::/0                 multiport dports 135,445 /* SMB */
reject     udp      ::/0                 ::/0                 udp dpts:137:139 /* SMB */
reject     udp      ::/0                 ::/0                 udp spt:137 dpts:1024:65535 /* SMB */
reject     tcp      ::/0                 ::/0                 multiport dports 135,139,445 /* SMB */
dropNotSyn  tcp      ::/0                 ::/0                
DROP       udp      ::/0                 ::/0                 udp spt:53 /* Late DNS Replies */

Chain dropBcast (2 references)
target     prot opt source               destination         
DROP       all      ::/0                 2001:388:e000:c100::/128 
DROP       all      ::/0                 2001:388:e000:c100:ffff:ffff:ffff:ff80/121 
DROP       all      ::/0                 ff00::/8            

Chain dropInvalid (2 references)
target     prot opt source               destination         
DROP       all      ::/0                 ::/0                 ctstate INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination         
DROP       tcp      ::/0                 ::/0                 tcpflags:! 0x17/0x02

Chain dynamic (7 references)
target     prot opt source               destination         

Chain fw2loc (1 references)
target     prot opt source               destination         
ACCEPT     all      ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
ACCEPT     all      ::/0                 ::/0                

Chain fw2net (1 references)
target     prot opt source               destination         
ACCEPT     all      ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
ACCEPT     41       ::/0                 ::/0                
ACCEPT     all      ::/0                 ::/0                

Chain lo_fwd (1 references)
target     prot opt source               destination         
sfilter    all      ::/0                 ::/0                [goto] 
dynamic    all      ::/0                 ::/0                 ctstate INVALID,NEW

Chain lo_in (0 references)
target     prot opt source               destination         
dynamic    all      ::/0                 ::/0                 ctstate INVALID,NEW

Chain loc2fw (1 references)
target     prot opt source               destination         
dynamic    all      ::/0                 ::/0                 ctstate INVALID,NEW
ACCEPT     all      ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
ACCEPT     all      ::/0                 ::/0                

Chain loc2net (1 references)
target     prot opt source               destination         
sfilter    all      ::/0                 ::/0                [goto] 
dynamic    all      ::/0                 ::/0                 ctstate INVALID,NEW
ACCEPT     all      ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
ACCEPT     all      ::/0                 ::/0                

Chain logdrop (0 references)
target     prot opt source               destination         
DROP       all      ::/0                 ::/0                

Chain logflags (5 references)
target     prot opt source               destination         
LOG        all      ::/0                 ::/0                 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
DROP       all      ::/0                 ::/0                

Chain logreject (0 references)
target     prot opt source               destination         
reject     all      ::/0                 ::/0                

Chain net2fw (1 references)
target     prot opt source               destination         
dynamic    all      ::/0                 ::/0                 ctstate INVALID,NEW
smurfs     all      ::/0                 ::/0                 ctstate INVALID,NEW
tcpflags   tcp      ::/0                 ::/0                
ACCEPT     all      ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
ACCEPT     41       ::/0                 ::/0                
ACCEPT     tcp      ::/0                 ::/0                 tcp dpt:2093
Drop       all      ::/0                 ::/0                
DROP       all      ::/0                 ::/0                

Chain net2loc (1 references)
target     prot opt source               destination         
sfilter    all      ::/0                 ::/0                [goto] 
dynamic    all      ::/0                 ::/0                 ctstate INVALID,NEW
smurfs     all      ::/0                 ::/0                 ctstate INVALID,NEW
tcpflags   tcp      ::/0                 ::/0                
ACCEPT     all      ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
ACCEPT     tcp      ::/0                 2001:388:e000:c100:216:3eff:fe24:dce6/128  multiport dports 25,993
Drop       all      ::/0                 ::/0                
DROP       all      ::/0                 ::/0                

Chain reject (9 references)
target     prot opt source               destination         
DROP       all      ::/0                 2001:388:e000:c100::/128 
DROP       all      ::/0                 2001:388:e000:c100:ffff:ffff:ffff:ff80/121 
DROP       all      ff00::/8             ::/0                
DROP       2        ::/0                 ::/0                
REJECT     tcp      ::/0                 ::/0                 reject-with tcp-reset
REJECT     udp      ::/0                 ::/0                 reject-with icmp6-port-unreachable
REJECT     icmpv6    ::/0                 ::/0                 reject-with icmp6-addr-unreachable
REJECT     all      ::/0                 ::/0                 reject-with icmp6-adm-prohibited

Chain sfilter (3 references)
target     prot opt source               destination         
LOG        all      ::/0                 ::/0                 LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
DROP       all      ::/0                 ::/0                

Chain shorewall (0 references)
target     prot opt source               destination         

Chain smurflog (3 references)
target     prot opt source               destination         
LOG        all      ::/0                 ::/0                 LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
DROP       all      ::/0                 ::/0                

Chain smurfs (2 references)
target     prot opt source               destination         
smurflog   all      2001:388:e000:c100::/128  ::/0                [goto] 
smurflog   all      2001:388:e000:c100:ffff:ffff:ffff:ff80/121  ::/0                [goto] 
smurflog   all      ff00::/8             ::/0                [goto] 

Chain tcpflags (2 references)
target     prot opt source               destination         
logflags   tcp      ::/0                 ::/0                [goto]  tcpflags: 0x3F/0x29
logflags   tcp      ::/0                 ::/0                [goto]  tcpflags: 0x3F/0x00
logflags   tcp      ::/0                 ::/0                [goto]  tcpflags: 0x06/0x06
logflags   tcp      ::/0                 ::/0                [goto]  tcpflags: 0x03/0x03
logflags   tcp      ::/0                 ::/0                [goto]  tcp spt:0flags: 0x17/0x02

Best Answer

I found the problem: two rules were missing that I assumed shorewall should have been inserting. Running the following resolves the problem.

# create a DIVERT chain in the mangle table
ip6tables -t mangle -N DIVERT
# mark the packet so the fwmark policy-routing rule delivers it to the local stack
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
# packets that already belong to a local socket (squid's intercepted connections)
# are diverted before the TPROXY rule in shorewall's tcpre chain is evaluated
ip6tables -t mangle -I tcpre 1 -p tcp -m socket -j DIVERT
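The return path the question's tcpdump shows failing (the SYN-ACK reaches the firewall but never squid's socket) and the DIVERT fix in the answer, as an added example that is not part of the question, the answer or the Shorewall documentation: a shell script that applies the complete IPv6 TPROXY diversion and, offline, checks "ip6tables-save -t mangle" and "ip -6 rule" text for each required piece. Squid's port 3129 is taken from the question; fwmark 1 and routing table 100 are assumed to be the values used by the Squid/Shorewall TPROXY documentation.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or the Shorewall docs:
# the full IPv6 TPROXY diversion that the answer's DIVERT chain is one part of,
# plus an offline check that reads "ip6tables-save -t mangle" and "ip -6 rule"
# text and reports which piece is missing. Assumptions: squid's tproxy port is
# 3129 (from the question); fwmark 1 and routing table 100 are the values the
# Squid/Shorewall TPROXY documentation uses.

SQUID_PORT=3129
TPROXY_MARK=1
TPROXY_TABLE=100

# Apply the diversion to the live system (needs root). PREROUTING is used
# here; under Shorewall the same rules go into its tcpre chain, as in the answer.
apply_tproxy_ipv6() {
    # replies from the remote host carry fwmark 1, and table 100 delivers them
    # to the local socket instead of forwarding them back towards the client
    ip -6 rule add fwmark "$TPROXY_MARK" lookup "$TPROXY_TABLE"
    ip -6 route add local ::/0 dev lo table "$TPROXY_TABLE"
    ip6tables -t mangle -N DIVERT
    ip6tables -t mangle -A DIVERT -j MARK --set-mark "$TPROXY_MARK"
    ip6tables -t mangle -A DIVERT -j ACCEPT
    # packets that already belong to a local socket (squid's intercepted flows)
    # are marked and accepted before the TPROXY rule is evaluated
    ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # new client connections to port 80 are handed to squid's tproxy listener
    ip6tables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$TPROXY_MARK/$TPROXY_MARK" --on-port "$SQUID_PORT"
}

# check_tproxy_ipv6 MANGLE_SAVE IP_RULE
#   MANGLE_SAVE: text of "ip6tables-save -t mangle"; IP_RULE: text of "ip -6 rule".
#   Prints each missing piece and returns 1 if anything is missing, else 0.
#   Note: ip6tables-save renders "--set-mark 1" as "--set-xmark 0x1/0xffffffff".
check_tproxy_ipv6() {
    mangle=$1; iprule=$2; missing=0
    for want in ':DIVERT ' \
                '-A DIVERT -j MARK --set-xmark' \
                '-A DIVERT -j ACCEPT' \
                '-p tcp -m socket -j DIVERT' \
                '-j TPROXY'; do
        if ! printf '%s\n' "$mangle" | grep -F -q -- "$want"; then
            echo "missing in mangle table: $want"
            missing=1
        fi
    done
    # "ip -6 rule" prints the mark in hex, e.g. "from all fwmark 0x1 lookup 100"
    want=$(printf 'fwmark 0x%x lookup %s' "$TPROXY_MARK" "$TPROXY_TABLE")
    if ! printf '%s\n' "$iprule" | grep -F -q -- "$want"; then
        echo "missing policy rule: $want"
        missing=1
    fi
    return $missing
}

# Usage on a live box: sh tproxy6.sh check    (needs root to read the tables)
if [ "$1" = check ]; then
    check_tproxy_ipv6 "$(ip6tables-save -t mangle)" "$(ip -6 rule)"
fi
```

Without the DIVERT chain and socket rule the check reports exactly the pieces the asker found missing; a zero exit means the return path the tcpdump shows stalling is wired up.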