On 03/31/2011 05:05 PM, Mathias Gug wrote:
> Could you clarify what behavior are you referring to? The fact that
> puppet doesn't start after the package is installed?
>
Bingo!
It requires manual intervention (editing the /etc/default/puppet file).
The irony is that it could be fixed via puppet if puppet was actually
running.
--
Mark D. Foster <mark@foster.cc>
http://mark.foster.cc/
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
Message-ID: <4D9C89A0.9040008@gmail.com>
Date: Wed, 06 Apr 2011 19:41:20 +0400
From: Николай Федосов <nikolay.fedosov@gmail.com>
To: Diego Xirinachs <dxiri343@gmail.com>
Subject: Re: Shorewall and squid transparent proxy problem
In-Reply-To: <BANLkTinPJvOV-KfmV_NgbjzuJiJROXUvdg@mail.gmail.com>
Cc: ubuntu-server@lists.ubuntu.com
The simplest way is:
Post here the output of these commands:
iptables -t filter -L
iptables -t nat -L
iptables -t mangle -L
And this will be the starting point!
If you also write about your goals (I remember something about squid), it will be
great.
06.04.2011 05:40, Diego Xirinachs writes:
> Thanks a lot for your input, to answer your questions and clarify further,
>
> - I had the ACCEPT rule before the REDIRECT one before asking for
> help, and it didn't work either; I will change it back and leave it like that,
> so the rule order would be:
>
> ACCEPT $FW net tcp www
> REDIRECT loc 3128 tcp www -
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
> #################################################
>
> - Explain when you can/want, I am curious
>
> - Regarding the iptables commands, no, I'm not sure. I just took those
> 2 commands from a tutorial and ran them to see if they would work.
>
> - Those 2 iptables commands you gave me, can I run them with shorewall
> installed or would the server act weird?
>
> Today I noticed I don't have a masq file, and that IF the EXTERNAL
> network isn't connected on eth0 (mine is on eth1) you have to edit this
> masq file to reverse the order, at least that's what the Shorewall
> documentation says (I don't have the URL handy). If that works I will
> post results here.
>
> thanks a lot again
>
> 2011/4/5 Николай Федосов <nikolay.fedosov@gmail.com>
>
> 06.04.2011 01:43, Diego Xirinachs writes:
>> DNS is already accepted in my shorewall rules file; here is the
>> complete file, I don't know why I didn't post it complete earlier.
>>
>>
>>
>> REDIRECT loc 3128 tcp www -
>> ACCEPT $FW net tcp www
>> ACCEPT $FW loc icmp
>> ACCEPT $FW net icmp
>> #################################################
> Here is your mistake! The first rule is evaluated first.
> You try to REDIRECT www packets from the firewall to port 3128, but
> you have no www packets in your firewall if (as I understand)
> your policy is DROP.
>
> Try in this order:
>
> first rule: ACCEPT $FW net tcp www
> second rule: REDIRECT loc 3128 tcp www -
>
> This example is from the documentation at www.shorewall.net
>
>>
>> As you can see, DNS is already there also. Any other tips?
>>
>> @nikolay: Really? More complicated than iptables? I find it easy
>> to configure access rules here; the only problem I have had is this
>> one. With iptables I tried to get the transparent proxy working
>> but couldn't (I got the full command and ran it, it didn't do
>> anything). I tried with the following commands
> I can explain it but not now
>
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80
>> -j DNAT --to-destination 192.168.0.1:3128
>> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j
>> REDIRECT --to-ports 3128
> Are you sure that SQUID requires nat ?????????????
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
> REDIRECT --to-ports 3128
> iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j DROP
>
> And you should remember that THE ORDER of rules is SIGNIFICANT!
> Sorry for my English... now it's time to sleep....
>
>>
>> eth0 is my LAN and eth1 is connected to the internet. The IP address
>> is just for the example; my internal network uses a different
>> range than that one.
>>
>> I would really like to get this working but I have no idea what's
>> wrong; this kind of issue, I'm sure, is one of those wtf problems
>> that can be solved with a simple solution.
>>
>> Hope it helps and thanks again.
>>
>>
>>
>> 2011/4/5 Николай Федосов <nikolay.fedosov@gmail.com>
>>
>> My proposal is to change the order of your rules...
>>
>> But the true way is to: apt-get purge shorewall (it is very
>> complicated, more complicated than iptables)
>>
>> 05.04.2011 13:29, Diego Xirinachs writes:
>>
>> >> My /etc/shorewall/rules are set up with these ACCEPT and
>> REDIRECT rules:
>> >>
>> >> #ACTION   SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
>> >> REDIRECT  loc     3128  tcp    www           -
>> >>
>> >> ACCEPT    $FW     net   tcp    www
>>
>>
>>
>>
>>
>>
>> --
>> X1R1
>
>
>
>
> --
> X1R1
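Added example for this thread (not code from the posts, Shorewall or Squid): a small Python script that parses the `iptables -t nat -L PREROUTING -n -v` listing of the kind Nikolay asks for, evaluates which rule a given packet hits first, and reports rules that an earlier rule shadows, which is the "order of rules is significant" point made above. The sample listing is constructed to mirror the DNAT and REDIRECT rules quoted in the thread; the column layout assumed is the one `iptables -L -n -v` prints, and only the in-interface, protocol and destination port are modelled (source/destination address matches are ignored, so a real listing with address-specific rules could be over-reported as shadowed).

```python
"""First-match evaluation and shadowed-rule detection for an iptables nat chain.

Example added to this thread; it is not code from the original posts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output of `iptables -t nat -L PREROUTING -n -v`, modelled on
# the rules quoted in the thread: the DNAT rule from the tutorial, then REDIRECT
# rules on eth0 (LAN) and eth1. Counters are zero because the rules are fresh.
SAMPLE_NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.1:3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
    0     0 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
"""

# Targets after which the chain stops evaluating for that packet (first match wins).
TERMINATING = {"DNAT", "SNAT", "REDIRECT", "MASQUERADE", "ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    number: int            # position in the chain, 1-based like --line-numbers
    target: str
    proto: str             # "tcp", "udp" or "all"
    in_iface: str          # "*" means any interface
    dport: Optional[int]   # None when the rule has no dpt: match
    extra: str             # trailing match/target text, kept for display

    def matches(self, in_iface: str, proto: str, dport: int) -> bool:
        return (self.in_iface in ("*", in_iface)
                and self.proto in ("all", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match is also matched by self."""
        return (self.in_iface in ("*", other.in_iface)
                and self.proto in ("all", other.proto)
                and self.dport in (None, other.dport))


def parse_chain(listing: str) -> List[Rule]:
    """Parse the `-L -n -v` column layout: pkts bytes target prot opt in out src dst [extra]."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        cols = line.split(None, 9)
        # Skip the "Chain ..." banner and the column-header line.
        if len(cols) < 9 or not cols[0].isdigit():
            continue
        target, proto, in_iface = cols[2], cols[3], cols[5]
        extra = cols[9] if len(cols) > 9 else ""
        m = re.search(r"\bdpt:(\d+)", extra)
        rules.append(Rule(len(rules) + 1, target, proto, in_iface,
                          int(m.group(1)) if m else None, extra))
    return rules


def first_match(rules: List[Rule], in_iface: str, proto: str, dport: int) -> Optional[Rule]:
    """Walk the chain in order and return the rule that decides the packet, or None
    when it falls through to the chain policy (ACCEPT here, i.e. not redirected)."""
    for r in rules:
        if r.matches(in_iface, proto, dport) and r.target in TERMINATING:
            return r
    return None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed, shadowing) rule-number pairs: rules no packet can ever reach."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.target in TERMINATING and earlier.covers(later):
                found.append((later.number, earlier.number))
                break
    return found


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_NAT_PREROUTING)
    for r in chain:
        print(f"{r.number}: {r.target:9} in={r.in_iface:5} {r.proto} dport={r.dport}  {r.extra}")
    hit = first_match(chain, "eth0", "tcp", 80)
    print("LAN client to port 80 is decided by rule", hit.number, hit.target)
    for shadowed, by in shadowed_rules(chain):
        print(f"rule {shadowed} can never match: rule {by} already catches its traffic")
```

To run it against a real box, replace the constructed string with the captured output of the same command; a REDIRECT that is listed after a DNAT with identical matches is reported as unreachable, which is exactly the kind of ordering problem the thread is chasing, and packets that match no terminating rule fall through to the chain policy shown on the first line.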