Old 10-19-2006, 02:22 PM   #1
linux_marine
LQ Newbie
 
Registered: Sep 2006
no outgoing ssh connection in subnet with shorewall/squid


Hi there, I am stuck with configuring my desktop and hopefully somebody will give me a hint or just tell me my goal is not going to work.

I am sharing my ADSL connection from my desktop with a notebook. The desktop is running Mandriva Free 2007, shorewall 3.2.3 and squid 2.6.STABLE1. It uses interface ppp0 to connect to the ADSL modem, and eth1 (a Realtek ethernet card) to serve the notebook. I configured the notebook to obtain an IP via DHCP; eth1 is bound to 192.168.2.1. Btw, squid on the desktop is working as a transparent proxy.

Everything has been working perfectly except for outgoing ssh connections from the notebook to ssh servers outside the firewall. When I try to connect to an ssh server outside the firewall from the notebook, it just reports timed out. I checked the IP packet traffic: ssh tries to connect to the remote ssh server (port 22) but gets no response. I am wondering if I have done something wrong, or whether a direct outgoing ssh connection from the subnet is just not going to work?

This is my shorewall/rules file:

--------------begin-------------------
ACCEPT loc fw udp -
ACCEPT loc fw tcp -
ACCEPT net fw tcp ftp,ssh -
ACCEPT net fw udp 137,138 -
REDIRECT loc 3128 tcp www -
ACCEPT fw net tcp www
--------------end-----------------------

my shorewall/interfaces file: (eth0 is the ethernet card connected to the modem and eth2 is the 1394 port; I don't think it would interfere)
--------------begin-------------------
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 detect
loc eth2 detect
loc eth1 detect
loc eth0 detect
--------------end-----------------------

my shorewall/masquerade file:
--------------begin-------------------
ppp0 eth1
--------------end-----------------------

(I also changed it to [ppp0 192.168.2.0/255.255.255.0] or [ppp0 192.168.2.0/24], but that did not solve the problem either.)


Here is the squid.conf file, in brief:

--------------------------------------
acl mynetwork src 192.168.2.0/255.255.255.0
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 22 443 563
acl Safe_ports port 22
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow mynetwork
--------------------------------------------------------


Thanks for any advice.

Last edited by linux_marine; 10-19-2006 at 02:24 PM.
 
Old 11-17-2006, 12:06 AM   #2
khamesi
LQ Newbie
 
Registered: Nov 2006
Hi

Can you connect to an outside computer from your fw server on the ssh port?

Last edited by khamesi; 11-17-2006 at 12:07 AM.
 
Old 11-21-2006, 02:30 PM   #3
linux_marine
LQ Newbie
 
Registered: Sep 2006
Quote:
Originally Posted by khamesi
Hi

Can you connect to an outside computer from your fw server on the ssh port?
Hi there,

I later found out what the problem is. I have to masq my intranet (well, actually just a notebook connected to the desktop via another ethernet card) on the outgoing interface (ppp0 in my case, since I use ADSL). I previously masq-ed on the ethernet interface connected to the ADSL modem. To be honest, even though the problem has been solved, I still have no idea why masq-ing the wrong interface (or not masq-ing at all) would break the SSL connections instead of all outgoing connections for the subnet.

So now basically the whole setup, a subnet with DNS and transparent proxy support, is like this:

One desktop with two ethernet cards, eth0 connecting to the ADSL modem and eth1 connecting to a subnet set up as 192.168.0.x/255.255.255.0 (the desktop has IP 192.168.0.1 bound to eth1, serving as DHCP/proxy server). The ADSL interface is ppp0. The desktop runs shorewall, squid, and a DHCP server.

For squid, I run it in transparent proxy mode, set to listen on port 3128, with a local network acl declaration:

http_port 3128
acl mynetwork src 192.168.0.12
http_access allow mynetwork


For shorewall, simply redirect requests from port 80 to 3128, then, as I mentioned before, in the masq file masq the subnet 192.168.0.255 on ppp0:

ppp0 192.168.0.0/255.255.255.0

Then done! ssh is OK, https works, and secure IMAP is back.

HOWEVER, here are the questions:

1. Why would not masq-ing the subnet (or masq-ing on the wrong outgoing interface) PARTIALLY break outgoing connections, i.e. the SSL ones, for the subnet? Is it because the SSL connection requires some sort of active connection between the server and the client, so that without correct masq the server couldn't communicate with the client?

2. While I was searching around like a nut for a HOWTO about my problem, I ran through numerous docs saying: No, there is no way you can make SSL connections work through a transparent proxy (actually it seemed to be true, because the subnet can have SSL access if an explicit proxy server is set), otherwise a man-in-the-middle attack would come into play. Of course I also got some sort of vague mention in the squid docs, saying that it could proxy SSL connections. Now, based on what I got here, what conclusion could I draw? Can or can't SSL connections be implemented on a transparent proxy?

Hope this troublesome experience helps somebody.

Last edited by linux_marine; 11-21-2006 at 06:02 PM.
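The fix above came down to naming the right egress interface in the Shorewall masq file (ppp0, not the ethernet card facing the modem). The following check, added here as an example and not code from the thread or from Shorewall, reads a masq file in the Shorewall 3.x INTERFACE SUBNET format and flags any entry whose egress interface is not the interface carrying the kernel's default route; the function names, the ':dest' qualifier stripping and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every egress interface named in
# a Shorewall masq file is the interface that actually carries the default route.
# Assumes the Shorewall 3.x masq format used in the thread: INTERFACE SUBNET [ADDRESS].

# Print the interface of the kernel's default route (e.g. "ppp0" on an ADSL box).
default_iface() {
    ip -o route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# List the egress interfaces from a masq file: first column only, comments and
# blank lines dropped, any ":dest" qualifier (assumed syntax, e.g. "ppp0:!10.0.0.0/8") stripped.
masq_egress_ifaces() {
    sed -e 's/#.*//' "$1" | awk 'NF { split($1, a, ":"); print a[1] }'
}

# Return 0 when the file has at least one masq entry and every entry masquerades on
# the expected interface; return 1 otherwise (e.g. masq on eth0 while packets really
# leave via ppp0, the situation the thread describes, or no masq entry at all).
check_masq_egress() {
    masq_file=$1
    want=$2
    rc=0
    n=0
    for dev in $(masq_egress_ifaces "$masq_file"); do
        n=$((n + 1))
        if [ "$dev" = "$want" ]; then
            echo "ok: masquerading on $dev"
        else
            echo "MISMATCH: masq file names $dev but the default route uses $want" >&2
            rc=1
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo "MISMATCH: no masq entries, subnet traffic would leave unmasqueraded" >&2
        rc=1
    fi
    return $rc
}

# Usage on the firewall itself:
#   check_masq_egress /etc/shorewall/masq "$(default_iface)"
```

Only port 80 is rescued by the REDIRECT to squid (the proxy opens its own connection from the firewall's address), so a mismatch reported here shows up exactly as the thread's symptom: ssh, https and other non-proxied traffic from the subnet times out while web browsing still works.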
 