mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-14 19:54:06 +01:00
Changes for 1.3.13 Release
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@401 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9a84050227
commit
5b9b519183
@ -2,50 +2,51 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall CVS Access</title>
|
||||
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall CVS Access</font>
|
||||
</h1>
|
||||
<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall CVS Access</font>
|
||||
</h1>
|
||||
<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Lots of people try to download the entire Shorewall website for off-line
|
||||
browsing, including the CVS portion. In addition to being an enormous volume
|
||||
of data (HTML versions of all versions of all Shorewall files), all of the
|
||||
pages in Shorewall CVS access are cgi-generated which places a tremendous
|
||||
load on my little server. I have therefore resorted to making CVS access
|
||||
password controlled. When you are asked to log in, enter "Shorewall" (NOTE
|
||||
THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
|
||||
<br>
|
||||
|
||||
<div align="center">
|
||||
<h3><a href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
|
||||
<br>
|
||||
Lots of people try to download the entire Shorewall website for off-line
|
||||
browsing, including the CVS portion. In addition to being an enormous volume
|
||||
of data (HTML versions of all versions of all Shorewall files), all of
|
||||
the pages in Shorewall CVS access are cgi-generated which places a tremendous
|
||||
load on my little server. I have therefore resorted to making CVS access
|
||||
password controlled. When you are asked to log in, enter "Shorewall" (NOTE
|
||||
THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
|
||||
<br>
|
||||
|
||||
<div align="center">
|
||||
<h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
|
||||
target="_top">CVS Login</a> <br>
|
||||
</h3>
|
||||
</div>
|
||||
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/23/2002
|
||||
- <a href="support.htm">Tom Eastep</a> </font>
|
||||
</p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
</h3>
|
||||
</div>
|
||||
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002
|
||||
- <a href="support.htm">Tom Eastep</a> </font>
|
||||
</p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
408
Shorewall-docs/Shorewall_Squid_Usage.html
Normal file
408
Shorewall-docs/Shorewall_Squid_Usage.html
Normal file
@ -0,0 +1,408 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall Squid Usage</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table cellpadding="0" cellspacing="0" border="0" width="100%"
|
||||
bgcolor="#400169">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="middle" width="33%" bgcolor="#400169"><a
|
||||
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
|
||||
alt="" width="88" height="31" hspace="4">
|
||||
</a><br>
|
||||
</td>
|
||||
<td valign="middle" height="90" align="center" width="34%"><font
|
||||
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
|
||||
</td>
|
||||
<td valign="middle" height="90" width="33%" align="right"><a
|
||||
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
|
||||
alt="" width="100" height="31" hspace="4">
|
||||
</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
This page covers Shorewall configuration to use with <a
|
||||
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
|
||||
Proxy</b></u>. <br>
|
||||
<a href="#DMZ"></a><br>
|
||||
<img border="0" src="images/j0213519.gif" width="60" height="60"
|
||||
alt="Caution" align="middle">
|
||||
Please observe the following general requirements:<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b>In all cases, Squid should be configured to run
|
||||
as a transparent proxy as described at <a
|
||||
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
|
||||
<b><br>
|
||||
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b>The following instructions mention the files /etc/shorewall/start
|
||||
and /etc/shorewall/init -- if you don't have those files, siimply create
|
||||
them.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> When the Squid server is in the DMZ zone or in
|
||||
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
|
||||
file entries. That is because the packets being routed to the Squid server
|
||||
still have their original destination IP addresses.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have iproute2 (<i>ip </i>utility) installed
|
||||
on your firewall.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have iptables installed on your Squid
|
||||
server.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have NAT and MANGLE enabled in your /etc/shorewall/conf
|
||||
file<br>
|
||||
<br>
|
||||
<b><font color="#009900"> NAT_ENABLED=Yes<br>
|
||||
</font></b> <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
|
||||
<br>
|
||||
Three different configurations are covered:<br>
|
||||
|
||||
<ol>
|
||||
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
|
||||
Firewall.</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the local
|
||||
network</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
|
||||
|
||||
</ol>
|
||||
|
||||
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
|
||||
You want to redirect all local www connection requests EXCEPT
|
||||
those to your own
|
||||
http server (206.124.146.177)
|
||||
to a Squid transparent
|
||||
proxy running on the firewall and listening on port 3128. Squid
|
||||
will of course require access to remote web servers.<br>
|
||||
<br>
|
||||
In /etc/shorewall/rules:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
|
||||
</tr>
|
||||
<tr>
|
||||
<td>REDIRECT</td>
|
||||
<td>loc</td>
|
||||
<td>3128</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> -<br>
|
||||
</td>
|
||||
<td>!206.124.146.177</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<h2><a name="Local"></a>Squid Running in the local network</h2>
|
||||
You want to redirect all local www connection requests to a Squid
|
||||
transparent proxy
|
||||
running in your local zone at 192.168.1.3 and listening on port 3128.
|
||||
Your local interface is eth1. There may also be a web server running on
|
||||
192.168.1.3. It is assumed that web access is already enabled from the local
|
||||
zone to the internet.<br>
|
||||
|
||||
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
|
||||
other aspects of your gateway including but not limited to traffic shaping
|
||||
and route redirection. For that reason, I don't recommend it.<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>On your firewall system, issue the following command<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">echo 202 www.out >> /etc/iproute2/rt_tables</font></b><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/init, put:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/rules:<br>
|
||||
<br>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT<br>
|
||||
</td>
|
||||
<td>loc</td>
|
||||
<td>loc<br>
|
||||
</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
|
||||
</table>
|
||||
<br>
|
||||
</li>
|
||||
<li>Alternativfely, you can have the following policy:<br>
|
||||
<br>
|
||||
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>POLICY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOG LEVEL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BURST PARAMETERS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</li>
|
||||
<li>In /etc/shorewall/start add:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>On 192.168.1.3, arrange for the following command to be executed
|
||||
after networking has come up<br>
|
||||
|
||||
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote> If you are running RedHat on the server, you can simply execute
|
||||
the following commands after you have typed the iptables command above:<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<pre><font color="#009900"><b>iptables-save > /etc/sysconfig/iptables</b></font><font
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
|
||||
You have a single Linux system in your DMZ with IP address 192.0.2.177.
|
||||
You want to run both a web server and Squid on that system. Your DMZ interface
|
||||
is eth1 and your local interface is eth2.<br>
|
||||
|
||||
<ul>
|
||||
<li>On your firewall system, issue the following command<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>echo 202 www.out >> /etc/iproute2/rt_tables</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/init, put:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li> In /etc/shorewall/start add:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/rules, you will need:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">dmz<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
|
||||
command to be executed after networking has come up<br>
|
||||
|
||||
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote> If you are running RedHat on the server, you can simply execute
|
||||
the following commands after you have typed the iptables command above:<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<pre><font color="#009900"><b>iptables-save > /etc/sysconfig/iptables</b></font><font
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<p><font size="-1"> Updated 1/10/2003 - <a
|
||||
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
<a
|
||||
href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
BIN
Shorewall-docs/images/cache_now.gif
Normal file
BIN
Shorewall-docs/images/cache_now.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 493 B |
BIN
Shorewall-docs/images/squidnow.gif
Normal file
BIN
Shorewall-docs/images/squidnow.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.7 KiB |
Loading…
Reference in New Issue
Block a user