[Shorewall-users] Trouble w/ transparent proxy in DMZ (fwmark, tc)

Tom Eastep teastep at shorewall.net
Mon Feb 28 10:52:24 PST 2005

Tom Eastep wrote:
> zerbat at gmx.net wrote:
> .
>>I did some tests running netcat in listen mode on the DMZ machine (netcat -l
>>-p 80) and tried to connect to some external webserver from a local net
>>machine (netcat 80). I had expected that I could see my typing
>>on the DMZ machine, but netcat tells me that no packets could be received or
>>sent. The same setup works fine when I just open the firewall for loc->DMZ
>>connections on port 80 (no fw marking, ip routes or tc rules).
>>The problem occurs no matter if I redirect port 80 to 3128 on the DMZ
>>machine (and then listen there) or not.
> It will NEVER work without the REDIRECT rule on because
> the packets aren't addressed to that system!!!

And now that I think about it some more, it will NEVER work because the
client is expecting a reply from the original destination (which Squid
determines using a special getsockopt() call).

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

More information about the Shorewall-users mailing list