Old 10-19-2006, 03:22 PM   #1
no outgoing ssh connection in subnet with shorewall/squid

Hi there, I am stuck with configuring my desktop and hopefully somebody would give me a hint or just tell me my goal is not gonna work.

I am sharing my adsl connection by my desktop with a notebook. The desktop is running Mandriva free 2007, shorewall 3.2.3 and squid 2.6.STABLE1. It uses interface ppp0 to connect with the adsl modem, and eth1 (a realtek ethernet card) to serve the notebook. I configured the notebook to obtain an ip via dhcp, the eth1 is bound to Btw, the squid on the desktop is working as a transparent proxy.

Everything has been working perfectly except for the outgoing ssh connection from the notebook to other ssh servers outside the firewall. When I tried to connect to an ssh server outside the firewall from the notebook, it just reports timed out. I checked the IP packet traffic, ssh tries to connect to the remote ssh server (port 22) but gets no response. I am wondering if I have done something wrong, or if a direct outgoing ssh connection from the subnet is just not gonna work?

This is my shorewall/rules file:

ACCEPT loc fw udp -
ACCEPT loc fw tcp -
ACCEPT net fw tcp ftp,ssh -
ACCEPT net fw udp 137,138 -
REDIRECT loc 3128 tcp www -
ACCEPT fw net tcp www

my shorewall/interfaces file: (eth0 is the ethernet card connected to the modem and eth2 is the 1394 port, I don't think it would interfere)
net ppp0 detect
loc eth2 detect
loc eth1 detect
loc eth0 detect

my shorewall/masquerade file:
ppp0 eth1

(I also changed it to [ppp0] or [ppp0], but that did not solve the problem either)

Here is the brief squid.conf file

acl mynetwork src
#Recommended minimum configuration:
acl all src
acl manager proto cache_object
acl localhost src
acl SSL_ports port 22 443 563
acl Safe_ports port 22
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow mynetwork

Thanks for any advice.

Last edited by linux_marine; 10-19-2006 at 03:24 PM.
Old 11-17-2006, 01:06 AM   #2

Can you connect to an outside computer from your fw server on the ssh port?

Last edited by khamesi; 11-17-2006 at 01:07 AM.
Old 11-21-2006, 03:30 PM   #3
Original Poster
Originally Posted by khamesi

Can you connect to an outside computer from your fw server on the ssh port?
Hi there,

I later found out what the problem is. I have to masq my intranet (well, actually just a notebook connected to the desktop via another ethernet card) on the outgoing interface (the ppp in my case since I use ADSL). I previously masq-ed on the ethernet interface connected to the ADSL modem. To be honest, even though the problem has been solved, I still have no idea why masq-ing the wrong interface (or not masq-ing at all) would break the SSL connection instead of the whole outgoing one for the subnet.

So now basically the whole setup, subnet with dns and transparent proxy support, is like this:

One desktop with two ethernet cards, eth0 connecting to the adsl modem and eth1 connecting to a subnet whose setup is 192.168.0.x/ (the desktop has ip bound to eth1 serving as dhcp/proxy server). The ADSL interface is ppp0. The desktop runs shorewall, squid, and a dhcp server.

For squid, I run it in transparent proxy mode, set it to listen on port 3128, and with a local network acl declaration:

http_port 3128
acl mynetwork src
http_access allow mynetwork

For shorewall, simply redirect requests from port 80 to 3128, then, as I mentioned before, in the masq file, masq the subnet on ppp0.


Then done! ssh ok, https works, and secure imap is back.

HOWEVER, here are the questions:

1. Why would not masq-ing for the subnet (or masq-ing on the wrong outgoing interface) PARTIALLY break the outgoing connection, i.e. the ssl one, for the subnet? Is it because the ssl connection requires some sort of active connection between the server and the client, therefore without correct masq the server couldn't communicate with the client?

2. While I was searching around like a nut for a HOWTO about my problem, I simply ran through numerous docs saying: No, there is no way you can make an ssl connection work through a transparent proxy (actually it seemed to be true because the subnet can have ssl access if an explicit proxy server is set), otherwise the man-in-the-middle attack would come into play. Of course I also got some sort of vague mention in the squid doc, saying that it could proxy ssl connections. Now, based on what I get here, what conclusion could I draw? Can or can't ssl connections be implemented on a transparent proxy?

Hope this troublesome experience can help somebody.

Last edited by linux_marine; 11-21-2006 at 07:02 PM.
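The fix the poster found was that the shorewall masq file must name the interface that is in the "net" zone (ppp0 for the ADSL link), not the Ethernet card behind the modem. The following added example (not shorewall's own code, not from the thread) cross-checks a shorewall interfaces file against a masq file and reports masq entries whose outgoing interface is not a net-zone interface; the file contents are constructed from the thread.

```python
# Cross-check shorewall 'interfaces' and 'masq' files.
# Added example; the file contents below are constructed from the thread.

def _fields(text):
    """Yield the whitespace-separated fields of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_interfaces(text):
    """Return {interface: zone} from a shorewall interfaces file (ZONE INTERFACE ...)."""
    return {f[1]: f[0] for f in _fields(text) if len(f) >= 2}

def parse_masq(text):
    """Return [(out_interface, source)] from a shorewall masq file (INTERFACE SOURCE ...)."""
    entries = []
    for f in _fields(text):
        if len(f) < 2:
            continue
        # shorewall allows 'ppp0:dest' and '[ppp0]' forms; keep the bare interface name.
        out_iface = f[0].strip("[]").split(":", 1)[0]
        entries.append((out_iface, f[1]))
    return entries

def check_masq(interfaces_text, masq_text):
    """Return a list of problem strings; empty means the masq file NATs on a net-zone interface."""
    zones = parse_interfaces(interfaces_text)
    net_ifaces = sorted(i for i, z in zones.items() if z == "net")
    entries = parse_masq(masq_text)
    if not entries:
        return ["masq file is empty: the loc subnet is not NATed at all"]
    problems = []
    for out_iface, source in entries:
        if out_iface not in net_ifaces:
            problems.append(
                f"masq '{out_iface} {source}': {out_iface} is in zone "
                f"'{zones.get(out_iface, '?')}', but traffic leaves on {net_ifaces}"
            )
    return problems

# Constructed from the thread: interfaces file, the first (wrong) masq line, and the fix.
INTERFACES = "net ppp0 detect\nloc eth2 detect\nloc eth1 detect\nloc eth0 detect\n"
MASQ_WRONG = "eth0 eth1\n"   # modem-side Ethernet card: packets on ppp0 are not NATed
MASQ_RIGHT = "ppp0 eth1\n"   # masquerade the eth1 subnet on the ADSL ppp interface

if __name__ == "__main__":
    for label, masq in (("wrong", MASQ_WRONG), ("right", MASQ_RIGHT)):
        print(label, check_masq(INTERFACES, masq) or ["ok"])
```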