LinuxQuestions.org

Linux - Networking: no outgoing ssh connection in subnet with shorewall/squid (https://www.linuxquestions.org/questions/linux-networking-3/no-outgoing-ssh-connection-in-subnet-with-shorewall-squid-493913/)

linux_marine 10-19-2006 02:22 PM

no outgoing ssh connection in subnet with shorewall/squid
 
Hi there, I am stuck configuring my desktop and hopefully somebody will give me a hint or just tell me my goal is not going to work.

I am sharing my ADSL connection from my desktop with a notebook. The desktop is running Mandriva Free 2007, shorewall 3.2.3 and squid 2.6.STABLE1. It uses interface ppp0 to connect to the ADSL modem, and eth1 (a Realtek ethernet card) to serve the notebook. I configured the notebook to obtain an IP via DHCP; eth1 is bound to 192.168.2.1. BTW, squid on the desktop is working as a transparent proxy.

Everything has been working perfectly except for outgoing ssh connections from the notebook to ssh servers outside the firewall. When I try to connect to an ssh server outside the firewall from the notebook, it just reports "timed out". I checked the IP packet traffic: ssh tries to connect to the remote ssh server (port 22) but gets no response. I am wondering if I have done something wrong, or whether a direct outgoing ssh connection from the subnet is just not going to work?

This is my shorewall/rules file:

--------------begin-------------------
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc fw udp -
ACCEPT loc fw tcp -
ACCEPT net fw tcp ftp,ssh -
ACCEPT net fw udp 137,138 -
REDIRECT loc 3128 tcp www -
ACCEPT fw net tcp www
--------------end-----------------------

my shorewall/interfaces file: (eth0 is the ethernet card connected to the modem and eth2 is the 1394 port; I don't think it would interfere)
--------------begin-------------------
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 detect
loc eth2 detect
loc eth1 detect
loc eth0 detect
--------------end-----------------------

my shorewall/masquerade file:
--------------begin-------------------
ppp0 eth1
--------------end-----------------------

(I also changed it to [ppp0 192.168.2.0/255.255.255.0] or [ppp0 192.168.2.0/24], but that did not solve the problem either.)


Here is my squid.conf file, in brief:

--------------------------------------
acl mynetwork src 192.168.2.0/255.255.255.0
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 22 443 563
acl Safe_ports port 22
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow mynetwork
--------------------------------------------------------


Thanks for any advice.

khamesi 11-17-2006 12:06 AM

HI

Can you connect to an outside computer from your fw server on the ssh port?

linux_marine 11-21-2006 02:30 PM

Quote:

Originally Posted by khamesi
HI

Can you connect to an outside computer from your fw server on the ssh port?

Hi there,

I later found out what the problem is. I have to masq my intranet (well, actually just a notebook connected to the desktop via another ethernet card) on the outgoing interface (ppp0 in my case, since I use ADSL). I previously masq-ed on the ethernet interface connected to the ADSL modem. To be honest, even though the problem has been solved, I still have no idea why masq-ing the wrong interface (or not masq-ing at all) would break only the SSL connections instead of all outgoing connections for the subnet.

So now basically the whole setup, subnet with dns and transparent proxy support, is like this:

One desktop with two ethernet cards: eth0 connecting to the ADSL modem and eth1 connecting to a subnet set up as 192.168.0.x/255.255.255.0 (the desktop has IP 192.168.0.1 bound to eth1, serving as DHCP/proxy server). The ADSL interface is ppp0. The desktop runs shorewall, squid, and a DHCP server.

For squid, I run it in transparent proxy mode, set to listen on port 3128, with a local network acl declaration:

http_port 3128
acl mynetwork src 192.168.0.12
http_access allow mynetwork


For shorewall, simply redirect requests from port 80 to 3128, then, as I mentioned before, in the masq file masq the subnet 192.168.0.255 on ppp0:

ppp0 192.168.0.0/255.255.255.0

Then done! ssh OK, https works, and secure IMAP is back.

HOWEVER, here are the questions:

1. Why would not masq-ing the subnet (or masq-ing on the wrong outgoing interface) PARTIALLY break the outgoing connections, i.e. the SSL ones, for the subnet? Is it because an SSL connection requires some sort of active connection between the server and the client, so that without correct masq the server couldn't communicate with the client?

2. While I was searching around like a nut for a HOWTO about my problem, I ran through numerous docs saying: no, there is no way to make SSL connections work through a transparent proxy (which actually seemed to be true, because the subnet can have SSL access if an explicit proxy server is set), otherwise a man-in-the-middle attack would come into play. Of course I also found some vague mention in the squid docs saying that it could proxy SSL connections. Now, based on what I have seen here, what conclusion can I draw? Can or can't SSL connections be made to work through a transparent proxy?

Hope this troublesome experience can help somebody.
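The mechanism behind question 1 above, and why it also settles question 2, as an added illustration that is not part of any post in this thread. In shorewall's masq file the first column is the interface packets actually leave through; on ADSL that is ppp0, not the Ethernet card underneath it. With masquerading attached to eth0, a connection from the notebook to port 22 or 443 leaves ppp0 with its private 192.168.x source address, no reply can be routed back, and the client times out. Only port 80 kept working, because the REDIRECT rule hands that traffic to squid on the firewall, which then opens its own connection from the firewall's public address. So what broke was every non-redirected port, not SSL specifically; ssh, HTTPS and IMAPS were simply the ones noticed. That also answers question 2 for this setup: squid 2.6 in intercepting mode (`http_port 3128 transparent`) only ever sees the port-80 traffic redirected to it, HTTPS from the LAN is never proxied at all but just masqueraded, and the `CONNECT`/`SSL_ports` rules in the posted squid.conf only come into play when a browser is explicitly configured to use the proxy. The script below checks these conditions from saved `ip route` and `iptables-save -t nat` text; the sample rules are constructed and simplified (real shorewall output uses extra chains), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose the NAT side of a
# shorewall/squid gateway from saved text, so it can be run offline.
# Assumptions: shorewall's masq file ends up as a POSTROUTING MASQUERADE
# rule with "-o <iface>", and its REDIRECT rule as a PREROUTING rule with
# "--dport <port> -j REDIRECT". The samples at the bottom are constructed.

# Print the interface carrying the default route, from `ip route show` text.
default_iface() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print every interface that has a MASQUERADE rule, from `iptables-save -t nat` text.
masq_ifaces() {
    printf '%s\n' "$1" |
        awk '/-j MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-o") print $(i + 1) }'
}

# Print every destination port that PREROUTING redirects to a local port (the squid hook).
redirected_ports() {
    printf '%s\n' "$1" |
        awk '/-A PREROUTING/ && /-j REDIRECT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'
}

# 0 if a MASQUERADE rule sits on the default-route interface; 1 if it sits
# elsewhere or is missing (the thread's bug: masq on eth0, packets leave ppp0).
check_masq() {           # $1 = ip route text, $2 = nat table text
    want=$(default_iface "$1")
    [ -n "$want" ] || return 2
    for got in $(masq_ifaces "$2"); do
        [ "$got" = "$want" ] && return 0
    done
    return 1
}

# Fate of a LAN client's TCP connection to the internet on destination port $1:
#   proxied     - intercepted and handed to squid, which reconnects from the firewall
#   masqueraded - source rewritten to the firewall's address on the way out
#   unanswered  - leaves with the private source address; no reply can come back
loc_flow_fate() {        # $1 = dst port, $2 = ip route text, $3 = nat table text
    for p in $(redirected_ports "$3"); do
        [ "$p" = "$1" ] && { echo proxied; return 0; }
    done
    if check_masq "$2" "$3"; then echo masqueraded; else echo unanswered; fi
}

# Constructed samples modelled on the thread's second setup (192.168.0.0/24 behind eth1, ADSL on ppp0).
ROUTES='default dev ppp0 scope link
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1'

BROKEN_NAT='*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

FIXED_NAT='*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
COMMIT'

# Port 80 survives in both cases; 22, 443 and 993 only once masq is on ppp0.
for port in 80 22 443 993; do
    printf 'port %s: broken=%s fixed=%s\n' "$port" \
        "$(loc_flow_fate "$port" "$ROUTES" "$BROKEN_NAT")" \
        "$(loc_flow_fate "$port" "$ROUTES" "$FIXED_NAT")"
done
```

On a live gateway the same functions can be fed real data: `check_masq "$(ip route show)" "$(iptables-save -t nat)"` returns non-zero exactly when the masquerade rule is not on the interface the default route uses, which is the condition the thread ran into.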

