diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 85bb6559a..df33cca47 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -4,6 +4,8 @@ Changes in Shorewall 4.4.7 2) Backport two new options from 4.5. +3) Backport TPROXY from 4.5 + Changes in Shorewall 4.4.6 1) Fix for rp_filter and kernel 2.6.31. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index f4cde41e1..bb79b0253 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -56,6 +56,8 @@ Shorewall 4.4.7 14) Additional ruleset optimization options are available. +15) TPROXY support has been added. + ---------------------------------------------------------------------------- M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- @@ -254,6 +256,9 @@ None. particular provider. Simply specify '-' in the MARK column and Shorewall will automatically assign a mark value. +5) Support for TPROXY has been added. See + http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 6 ---------------------------------------------------------------------------- diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml index 1883f2cba..59573211f 100644 --- a/docs/Shorewall_Squid_Usage.xml +++ b/docs/Shorewall_Squid_Usage.xml @@ -285,4 +285,40 @@ ACCEPT loc $FW tcp 8080 ACCEPT $FW net tcp 80,443 + +
+ Transparent with TPROXY + + Shorewall 4.4.7 contains support for TPROXY. TPROXY differs from + REDIRECT in that it does not modify the IP header. Because the IP header + stays intact, TPROXY requires policy routing to direct the packets to the + proxy server running on the firewall. This approach requires TPROXY + support in your kernel and iptables and Squid 3. See http://wiki.squid-cache.org/Features/Tproxy4. + + The following configuration works with Squid running on the firewall + itself. + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +- lo - - + + /etc/shorewall/providers: + + #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY +Tproxy 1 1 - lo - local + + /etc/shorewall/tcrules (assume Z interface is + eth1): + + MARK SOURCE DEST PROTO PORT(S) +TPROXY(1,3128) eth1 0.0.0.0/0 tcp 80 + + /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT Z $FW tcp SP +ACCEPT $FW net tcp 80 +