PF, load balanced gateways, and Squid - firewall

So I have a FreeBSD router running PF and Squid, and it has three network interfaces: two connected to upstream providers (em0 and em1 respectively), and one for LAN (re0) that we serve. There is some load balancing configured with PF. Basically, it routes all traffic to ports 1-1024 through one interface (em0) and everything else through the other (em1).
Now, I have a Squid proxy also running on the box that transparently redirects any HTTP request from LAN to port 3128 in 127.0.0.1. Since Squid redirects this request to HTTP outside, it should follow the load balancing rule through em0, no? The problem is, when we tested it out (by browsing from a computer in the LAN to http://whatismyip.com, it reports the external IP of the em1 interface! When we turn Squid off, the external IP of em0 is reported, as expected.
How do I make Squid behave with the load balancing rule that we have set up?
Here's the related settings in /etc/pf.conf that I have:
ext_if1="em1" # DSL
ext_if2="em0" # T1
int_if="re0"
ext_gw1="x.x.x.1"
ext_gw2="y.y.y.1"
int_addr="10.0.0.1"
int_net="10.0.0.0/16"
dsl_ports = "1024:65535"
t1_ports = "1:1023"
...
squid=3128
rdr on $int_if inet proto tcp from $int_net \
to any port 80 -> 127.0.0.1 port $squid
pass in quick on $int_if route-to lo0 inet proto tcp \
from $int_net to 127.0.0.1 port $squid keep state
...
# load balancing
pass in on $int_if route-to ($ext_if1 $ext_gw1) \
proto tcp from $int_net to any port $dsl_ports keep state
pass in on $int_if route-to ($ext_if1 $ext_gw1) \
proto udp from $int_net to any port $dsl_ports
pass in on $int_if route-to ($ext_if2 $ext_gw2) \
proto tcp from $int_net to any port $t1_ports keep state
pass in on $int_if route-to ($ext_if2 $ext_gw2) \
proto udp from $int_net to any port $t1_ports
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
I have tried appending the following rule, but it did nothing:
pass in on $int_if route-to ($ext_if2 $ext_gw2) \
proto tcp from 127.0.0.1 to any port $t1_ports keep state
Thanks!

If you want all outgoing squid requests to go to a specific IP address on a specific interface, you should be able to use the "tcp_outgoing_address" option in squid.conf to specify an IP address on em0.

Related

iptables port forwarding in the ohter direction

I use linux router for accessing internet via PPPoE. This box has two interfaces: eth0 for internal LAN and eth1 for establish a ppp0-interface on a PPPoE-Modem. For firewalling and port forwarding I use iptables with nat.
This works as expecting: I can go in the internet from the LAN, I can access certain service in the LAN from outside by port forwarding:
iptables -t nat -A PREROUTING -p tcp --dport 9999 -DNAT --to 192.168.2.10:22
(as an example for accessing the ssh-port of a certain machine inside my LAN from outside)
But I want to access a single machine (192.168.8.2) on the WAN-Port eth1 from inside of the LAN:
for this reason, the eth1 is configured as:
ip addr add 192.168.8.1 dev eth1
So I can ssh 192.168.8.2 from the console on the router. This works as expected. but I want to access this also from machines from the LAN.
iptables -t nat -A PREROUTING -p tcp --dport 9997 -DNAT --to 192.168.8.2:22
but this isnt going to work. I see packets coming from my LAN-side-machine going in on eth0 and addressing 192.168.8.2, but I dont get an answer.
can someone point me to, where my error is?
thanks in advance
Marco
Unless the server (192.168.8.2) knows how to get back to the computers on the LAN (would have to check routing for traffic coming back from that server), you would have to add a -t nat POSTROUTING rule on the router to make it look like it's traffic that's going out from the router (which I would guess is already accessible from 192.168.8.2). The the traffic would be able to get back to the router when the server is responding and the router would take care of unNATing it.

How to Allow New Relic IP with UFW?

from this article: https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/networks
it suggests me to allow outgoing firewall with following ips and ports:
Networks
50.31.164.0/24
162.247.240.0/22
Ports
TCP 80
TCP 443
I'm using ufw, how can i do it?
I've tried this:
sudo ufw allow proto tcp from 50.31.164.0/24 port 80
sudo ufw allow proto tcp from 50.31.164.0/24 port 443
sudo ufw allow proto tcp from 162.247.240.0/22 port 80
sudo ufw allow proto tcp from 162.247.240.0/22 port 443
When I check my rules: they are like this:
Am I doing this right?
You already allow connections from anywhere to 80 & 443, so you don't need the extra allow statements for their specific IP ranges.
The request for outgoing connections is if you are running say your corporate site through it but are filtering outgoing traffic from your LAN (ie, only being able to get to a schools website from a kiosk in their hallway or from a lab) and you want people on your local network to be able to access it.

Squid routing SSL traffic

Good day,
I have a setup in which I am routing my received packets at my Mikrotik router to a squid server.
I also can see the incoming traffic with Tcpdump that it is actually ariving # the correct port (443) on Squid Proxy server.
On the next step I have
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.0.2.51:3127
(that is all I have on iptable rules)
Which routes the received 443 traffic to port 3127 which is my squid SSL port.
I am getting page not found error on my browser.
Now I know that my Squid is setup correctly, because when I input the proxy server adress manually 10.0.2.51:3127 for SSL in the Mozilla browser all is working great, all SSL pages are logged with SSLbump.
Could someone please help with figuring out why this isn't working correctly, I am quite new to proxies?
You are DNATing packets going to the proxy.
But are you SNATing the packets coming back from the proxy ?

Check if port forwarding worked for node server on AWS machine

I have deployed a node application that listens to port 5000 on a free usage tier ubuntu machine from AWS.
I've followed suggestions from:
How to start node.js on port 80 on a linux server?
and from: Best practices when running Node.js with port 80 (Ubuntu / Linode)
Answers to both these questions suggest port forwarding and I have done the same. But my server still doesn't respond to requests on port 80.
Is there a way I can check if the port forwarding was successful?
The permission settings to listen to HTTP requests have been setup through the AWS console.
Also there is nothing listening to port 80 on the machine as of now. netstat -l | grep :80 comes up empty.
The server runs fine if I access it as: http://<elastic-ip>:5000
You will not see port 80 listening since there is no daemon using that socket; the kernel is performing a packet redirect.
To check how many packets traversed the port forwarding rule you set up, inspect the PREROUTING chain on the nat tables with sudo iptables -t nat -L PREROUTING -n -v. It will show output like:
Chain PREROUTING (policy ACCEPT 15 packets, 1226 bytes)
pkts bytes target prot opt in out source destination
3 180 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3000
If you are testing from localhost, you must also redirect on OUTPUT since PREROUTING isn't used by the loopback interface. Do that with
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3000
And of course, check that port 80 is open to allow external traffic.

GRE Tunnel routing issue in Linux CentOS

I am creating GRE Tunnel between two Linux (CentOS6) servers using below steps.
On the master server:
chkconfig iptables off
service iptables stop
sysctl -w net.ipv4.conf.default.rp_filter=0
modprobe ip_gre
ip tunnel add tun1 mode gre remote 98.123.87.97 local 106.61.58.98 ttl 255
ip addr add 10.0.1.0/24 dev tun1
ip link set dev tun1 up
ip addr add 98.123.87.95/27 dev eth0
On the slave server:
chkconfig iptables off
service iptables stop
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv4.conf.proxy_arp=1
sysctl -w net.ipv4.conf.all.proxy_arp=1
sysctl -w net.ipv4.conf.eth0.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
modprobe ip_gre
ip tunnel add tunx mode gre remote 106.61.58.98 local 98.123.87.97 ttl 255
ip addr add 10.0.2.0/24 dev tun0
ip link set tunx up
ip route add 98.123.87.95/27 dev tun0
I need to add slave server's IP into the on my master server, I am getting the ping response form tunnelled IPs (Slave Server's IP) and when I am trying to SSH the tunnelled IP (Slave IP) I am reaching to Masters(this is what I want).
Problem is when I am trying to send outgoing traffic like DNS query by Tunnelled IP(Slave IP) I am getting time out request.
I guess this is routing issue of one of my server. Any idea what should i do to get through my outgoing traffic by tunnelled IPs?
Thanks,
Are you really adding 10.0.1.0/24 address? This is a network address, looks like mistake.
Also, you shuold add default route(or route to dns servers or whatever you want) on client machine through your tunnel with gateway=another_end_of_tunnel.
Don't forget to add static route to your machine if you don't want to loose connection, before adding default route!

Resources