Hi,
I just setup a very basic HTTP proxy with Squid on a router running CentOS 7.
Up until early 2020 I've been using a bone-headed shell script with iptables to configure my firewall. But I decided to follow advice from a few gurus on this list, and I've since moved my configurations to FirewallD, which works nicely.
There's one configuration left to tackle, that's port redirection for the Squid proxy server. Which also works fine, though I'd like to figure out a little detail. Here goes.
My router has two network interfaces, which I've aptly named WAN and LAN in the NetworkManager configuration:
$ nmcli con show
NAME  UUID                                  TYPE      DEVICE
WAN   9574b606-8f6d-3edc-95ad-8165df0f3fce  ethernet  enp2s0
LAN   c726b168-1fcd-4dc5-a01d-8ad8a1ba38ee  ethernet  enp3s1
Squid is acting as a transparent proxy server:
$ sudo grep http_port /etc/squid/squid.conf
http_port 3128 transparent
In my firewall configuration, all requests to port 80 (HTTP) are redirected to port 3128:
$ sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=192.168.3.1
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s1
  sources:
  services: dhcp dns http squid ssh
  ports:
  protocols:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=3128:toaddr=192.168.3.1
  source-ports:
  icmp-blocks:
  rich rules:
In the current state, this configuration works as expected. When a client desktop in the 192.168.3.0/24 network browses HTTP sites on the web, it appears in the Squid log on the server in /var/log/squid/access.log.
And here comes the question. How can I redirect all HTTP requests to port 3128 EXCEPT THOSE THAT ARE DIRECTLY AIMED AT THE PROXY SERVER?
Here's the thing. The proxy server (amandine.sandbox.lan) is also running httpd to display a static information page for the local network. Now client desktops can access http://amandine.sandbox.lan in a web browser just fine. But this still goes through the proxy, and I'd like these requests to rather be handled directly.
In iptables syntax this would vaguely look like this:
# -i takes the LAN device (enp3s1 above), not an address
$ iptables -A PREROUTING -t nat -i enp3s1 -p tcp \
    ! -d 192.168.3.1 --dport 80 -j REDIRECT --to-port 3128
How can I translate the "! -d 192.168.3.1" part into some FirewallD-specific syntax?
Cheers from the sunny South of France,
Niki
On 09.05.20 at 09:42, Nicolas Kovacs wrote:
How can I translate the "! -d 192.168.3.1" part into some FirewallD-specific syntax?
Untested:
$ man firewalld.richlanguage
Destination
    destination [not] address="address[/mask]"
-- Leon
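Leon's rich-rule form is the first thing to try, and he marks it untested. The script below is an added example, not code from the thread: it removes the zone-wide forward-port (which has no exception, so a request aimed at the router that is skipped by a negated rule would still be caught by it) and installs the iptables rule from Niki's sketch through firewall-cmd --direct, where the `! -d` negation is handed to iptables verbatim. Interface, zone, address and port values are taken from Niki's post; the DRY_RUN switch and the function names are mine.

```bash
#!/bin/bash
# Added example (not from the thread): transparent Squid redirect on a
# FirewallD router that exempts traffic addressed to the router itself.
# DRY_RUN=0 runs firewall-cmd/iptables (needs root); anything else only
# prints the commands it would run.
set -eu

LAN_IF=${LAN_IF:-enp3s1}            # LAN device from `nmcli con show`
PROXY_IP=${PROXY_IP:-192.168.3.1}   # router's LAN address, also runs httpd
PROXY_PORT=${PROXY_PORT:-3128}      # Squid http_port ... transparent
ZONE=${ZONE:-internal}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 0 ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# iptables rule body, passed to firewalld verbatim via --direct.
# -i restricts it to LAN clients; "! -d" lets packets for the router's own
# address fall through to INPUT, where the zone's http service admits them.
direct_rule() {
    printf 'ipv4 nat PREROUTING 0 -i %s -p tcp ! -d %s --dport 80 -j REDIRECT --to-ports %s' \
        "$LAN_IF" "$PROXY_IP" "$PROXY_PORT"
}

# The zone forward-port Niki added. It must go: it has no exception, so a
# request to the router that the direct rule deliberately skips would still
# be DNATed to Squid by it.
old_forward_port() {
    printf 'port=80:proto=tcp:toport=%s:toaddr=%s' "$PROXY_PORT" "$PROXY_IP"
}

apply() {
    run firewall-cmd --permanent --zone="$ZONE" --remove-forward-port="$(old_forward_port)"
    # shellcheck disable=SC2046  # word splitting of the rule text is intended
    run firewall-cmd --permanent --direct --add-rule $(direct_rule)
    run firewall-cmd --reload
    # Checks: firewalld's view, then the kernel's. Direct nat rules are
    # placed in the PREROUTING_direct chain, which firewalld consults before
    # the zone chains.
    # shellcheck disable=SC2046
    run firewall-cmd --direct --query-rule $(direct_rule)
    run iptables -t nat -S PREROUTING_direct
}

apply
```

Run with `DRY_RUN=0 sudo ./squid-redirect.sh` to apply; by default it only prints. The exemption keys on 192.168.3.1 alone: if clients ever reach amandine under another address the router holds (an alias, or its WAN address from inside), `-m addrtype ! --dst-type LOCAL` in place of `! -d 192.168.3.1` exempts every local address in one rule.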
Hello,
what port does ether-wake use? (I believe it is port 9? but not sure).
Ron
The WoL magic packet is only scanned for the string above, and not actually parsed by a full protocol stack, it could be sent as any network- and transport-layer protocol, although it is typically sent as a UDP datagram to port 0, 7 or 9, or directly over Ethernet as EtherType 0x0842.
- from Wikipedia, https://en.m.wikipedia.org/wiki/Wake-on-LAN
Ok, I get that, found it before; "typically sent as a UDP datagram to port 0, 7 or 9, or directly over Ethernet as EtherType 0x0842"
The keyword being 'typically', but what is it that ether-wake actually uses/does? (I need to forward a WOL packet to a different vlan on some Cisco hardware, between two CentOS machines).
Ron
WoL packets are not routeable/forwardable. They are Layer 2 broadcast packets that contain the MAC address of the machine that needs to be woken up. But since you quoted the Wikipedia article on WoL you would know that and it specifically says what the magic packet is and does.
The format of the packet is unimportant, all that happens is that the ethernet *card* receives the packet, sees that it's a magic WoL packet for that card and turns on the hardware "wakeup" line to the machine.
The packets need to be sent on the same network as the target computer - we did it a while ago for a very large complex network and it needed a box behind every single router that could be commanded to send out the WoL packet for a specific MAC address. We eventually abandoned it.
P.
Actually you are not correct.
1st: I didn't quote the wikipedia article, someone sent that as an answer to my previous post.
(similar mindset probably, as in your response)
2: You are wrong, broadcast packets, like for example DHCP, and also WOL (if UDP), can be routed by means of IP helper addresses and directed broadcasts on Cisco equipment.
Also, you like others seem to have a very hard time understanding what is written/asked. I asked "What port number does ether-wake use", ether-wake being part of CentOS. So what I am looking for is a number, like 9, 37 or something, in case it is actually using UDP. What I am NOT looking for is some patronizing answer disconnected from the question.
I really wonder why you feel the need to go out on a branch to start lecturing and quoting answers that are not asked for.
If you don't know the answer, simply don't reply. No one benefits by you sending email here that doesn't have much of anything to do with the topic.
Ron
Oh, well. You try and be helpful, get abuse back.
That's life I suppose.
P.
Part of the problem is that there is no THE WOL packet, as there are different forms of WOL, each with its own packets.
One way is using UDP port 9 as you said. I was using the script below to do so (using socat) but I can tell you that this method doesn't work for all devices.
#!/bin/bash
HWADDR="$1"
DEST_IP="255.255.255.255"
DEST_PORT="9"

# The magic packet is a broadcast frame containing anywhere within its payload
# 6 bytes of all ones (FF FF FF FF FF FF in hexadecimal), followed by sixteen
# repetitions of the target computer's 48-bit MAC address.
MAGIC="\xFF\xFF\xFF\xFF\xFF\xFF"
for ((CNT=0; CNT < 16; CNT++)); do
    MAGIC="${MAGIC}\x${HWADDR//:/\x}"
done

echo -en "$MAGIC" | socat -T1 -u STDIO \
    UDP-DATAGRAM:${DEST_IP}:${DEST_PORT},broadcast
Kind regards, Simon
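The script below is an added example, not code from Simon or anyone else in the thread. It covers the same UDP variant as Simon's socat one-liner and the Wikipedia point John quoted, that the NIC scans the frame for the byte string rather than parsing headers: it builds the magic packet as hex, checks a captured hex dump for one (anywhere in the payload), and sends it either to the local broadcast or to a subnet's directed-broadcast address, which is what lets it cross a router. It assumes bash and socat; the MAC addresses and the 192.168.10.255 address in the comments are made up.

```bash
#!/bin/bash
# Added example, not part of the thread. Builds the WoL magic packet as hex,
# checks a hex dump for it, and sends it as a UDP datagram via socat.
# Target MACs and the 192.168.10.255 address in comments are made up.
set -eu

# Normalise "aa:bb:cc:dd:ee:ff" or "AA-BB-CC-DD-EE-FF" to 12 lowercase hex digits.
mac_hex() {
    mac=$(printf '%s' "$1" | tr -d ':' | tr -d '-' | tr 'A-F' 'a-f')
    case "$mac" in
        ????????????) ;;                                 # exactly 12 characters
        *) printf 'bad MAC: %s\n' "$1" >&2; return 1 ;;
    esac
    case "$mac" in
        *[!0-9a-f]*) printf 'bad MAC: %s\n' "$1" >&2; return 1 ;;
    esac
    printf '%s' "$mac"
}

# Magic packet payload: six 0xFF bytes, then the MAC repeated 16 times
# (102 bytes). A 4- or 6-byte SecureOn password may follow; not used here.
magic_packet_hex() {
    mac=$(mac_hex "$1") || return 1
    hex=ffffffffffff
    i=0
    while [ "$i" -lt 16 ]; do
        hex="$hex$mac"
        i=$((i + 1))
    done
    printf '%s' "$hex"
}

# True if a hex dump (e.g. `tcpdump -xx` output with offsets removed) holds a
# magic packet for MAC $2. The NIC does not parse Ethernet/IP/UDP headers, it
# scans the frame for this byte string, so the match is not anchored.
contains_magic_packet() {
    dump=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'A-F' 'a-f')
    needle=$(magic_packet_hex "$2") || return 1
    case "$dump" in
        *"$needle"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hex string to raw bytes via octal escapes, so NUL bytes (MACs starting 00:)
# survive: bash's printf %b writes the expanded buffer by length.
hex_to_bytes() {
    h=$1
    esc=
    while [ -n "$h" ]; do
        byte=${h%"${h#??}"}          # first two hex digits
        h=${h#??}
        esc="$esc\\0$(printf '%03o' "0x$byte")"
    done
    printf '%b' "$esc"
}

# Send as UDP. 255.255.255.255 stays on the local segment (ether-wake's raw
# EtherType 0x0842 frame is likewise L2-only). A subnet's directed-broadcast
# address such as 192.168.10.255 is routable and becomes an L2 broadcast on
# the last hop only if that router interface has "ip directed-broadcast".
send_wol() {
    mac=$1; dest=${2:-255.255.255.255}; port=${3:-9}
    hex=$(magic_packet_hex "$mac") || return 1
    hex_to_bytes "$hex" |
        socat -T1 -u STDIO "UDP-DATAGRAM:${dest}:${port},broadcast"
}

# Usage: ./wol.sh --send a0:b1:c2:d3:e4:f5 [dest] [port]
if [ "${1:-}" = "--send" ]; then
    [ $# -ge 2 ] || { echo "usage: $0 --send MAC [dest] [port]" >&2; exit 2; }
    send_wol "$2" "${3:-}" "${4:-}"
fi
```

A magic packet carries no authentication beyond the optional SecureOn password, so enabling `ip directed-broadcast` on a router interface lets anyone who can route a datagram to that subnet's broadcast address wake (or flood) every host on it; Cisco turned it off by default for that reason, and the command accepts an access list to limit which sources are converted.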
When I found out that ether-wake only did raw Ethernet packets, I noticed there's also a wol in the distro that broadcasts wake-up packets using UDP, which I can redirect on Cisco equipment. It's working now.
thanks,
Ron
On Sun, May 17, 2020 at 07:46:00PM -0600, R C wrote:
what port does ether-wake use? (I believe it is port 9? but not sure).
The 'ether-wake' command in net-tools doesn't use a port at all. It's just a raw packet of EtherType 0x0842 as the so-called "Magic Packet" https://en.wikipedia.org/wiki/Wake-on-LAN#Magic_packet
For example, if you were to run:
(assuming interface name 'eth0')
# tcpdump -i eth0 ether proto 0x0842
You'd see the ether-wake command's packet. If you strace the process, you'll see the socket is created as socket(AF_PACKET, SOCK_RAW, htons(0)).
thank you, that was the/an answer I was looking for.