Squid не работает как прозрачный прокси на 1 инт



  • Все это прекрасно работает в Centos 6.5 + Squid, собранный из портов
    Более подробно проблема описана тут http://www.anticisco.ru/forum/viewtopic.php?f=2&t=6961

    вывод pfctl -sn && pfctl -sr

    no nat proto carp all
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on em0 inet from 192.168.56.10 port = isakmp to any port = isakmp -> 192.168.56.5 port 500
    nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 192.168.56.5 port 500
    nat on em0 inet from 0.0.0.0 port = isakmp to any port = isakmp -> 192.168.56.5 port 500
    nat on em0 inet from 192.168.56.10 to any -> 192.168.56.5 port 1024:65535
    nat on em0 inet from 127.0.0.0/8 to any -> 192.168.56.5 port 1024:65535
    nat on em0 inet from 0.0.0.0 to any -> 192.168.56.5 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr on em0 inet proto gre from any to 192.168.56.5 -> 127.0.0.1
    rdr on em0 inet proto tcp from any to 192.168.56.5 port = http -> 127.0.0.1 port 3129
    rdr-anchor "miniupnpd" all
    scrub on em0 all max-mss 1420 fragment reassemble
    anchor "relayd/*" all
    anchor "openvpn/*" all
    anchor "ipsec/*" all
    block drop in log quick inet6 all label "Block all IPv6"
    block drop out log quick inet6 all label "Block all IPv6"
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! em0 inet from 192.168.56.0/24 to any
    block drop in inet from 192.168.56.5 to any
    block drop in on em0 inet6 from fe80::a00:27ff:fe80:7ee0 to any
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (em0 192.168.56.10) inet from 192.168.56.5 to ! 192.168.56.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on em0 proto tcp from any to (em0) port = ssh flags S/SA keep state label "anti-lockout rule"
    pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" tagged PFREFLECT
    anchor "userrules/*" all
    pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from 192.168.56.0/24 to any flags S/SA keep state label "USER_RULE"
    pass in quick on em0 reply-to (em0 192.168.56.10) inet proto udp from 192.168.56.0/24 to any keep state label "USER_RULE"
    pass in quick on em0 reply-to (em0 192.168.56.10) inet proto icmp from 172.16.34.167 to 192.168.56.5 icmp-type echoreq keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in quick on em0 reply-to (em0 192.168.56.10) inet proto udp from 192.168.56.11 to 192.168.56.255 port = netbios-ns keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from 192.168.56.11 to 192.168.56.5 port = 3128 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in quick on em0 reply-to (em0 192.168.56.10) inet proto gre from 192.168.56.10 to 192.168.56.5 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in log quick on em0 reply-to (em0 192.168.56.10) inet proto gre from 192.168.56.5 to 192.168.56.0/24 keep state label "USER_RULE"
    pass in quick on em0 reply-to (em0 192.168.56.10) inet proto gre all keep state label "USER_RULE"
    pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from any to 192.168.56.5 port = http flags S/SA no state label "USER_RULE"
    pass in quick on em0 route-to (em0 192.168.56.10) inet proto tcp from any to 192.168.56.5 port = 3129 flags S/SA no state label "USER_RULE"
    anchor "tftp-proxy/*" all
    


  • Посмотрите в веб-морде Status->System Logs->Firewall и выложите скриншот сюда. Ещё и скрины правил, опять же, из веб-морды, не помешают.



