From 5b9b519183101d51861cc4c3cab4f346baffbdb7 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 14 Jan 2003 20:22:15 +0000 Subject: [PATCH] Changes for 1.3.13 Release git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@401 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
--- Shorewall-docs/Shorewall_CVS_Access.html | 69 ++-- Shorewall-docs/Shorewall_Squid_Usage.html | 408 ++++++++++++++++++++++ Shorewall-docs/images/cache_now.gif | Bin 0 -> 493 bytes Shorewall-docs/images/squidnow.gif | Bin 0 -> 1761 bytes 4 files changed, 443 insertions(+), 34 deletions(-) create mode 100644 Shorewall-docs/Shorewall_Squid_Usage.html create mode 100644 Shorewall-docs/images/cache_now.gif create mode 100644 Shorewall-docs/images/squidnow.gif
diff --git a/Shorewall-docs/Shorewall_CVS_Access.html b/Shorewall-docs/Shorewall_CVS_Access.html
index 7e1182e98..2bdd36ba8 100644
--- a/Shorewall-docs/Shorewall_CVS_Access.html
+++ b/Shorewall-docs/Shorewall_CVS_Access.html
@@ -2,50 +2,51 @@ Shorewall CVS Access - + - + - + - - - - - - + + + + + +
-

Shorewall CVS Access -

-
-
+

Shorewall CVS Access +

+
+
-
- Lots of people try to download the entire Shorewall website for off-line - browsing, including the CVS portion. In addition to being an enormous volume - of data (HTML versions of all versions of all Shorewall files), all of the - pages in Shorewall CVS access are cgi-generated which places a tremendous - load on my little server. I have therefore resorted to making CVS access -password controlled. When you are asked to log in, enter "Shorewall" (NOTE -THE CAPITALIZATION!!!!!) for both the user name and the password.
-
- -
-

+ Lots of people try to download the entire Shorewall website for off-line + browsing, including the CVS portion. In addition to being an enormous volume + of data (HTML versions of all versions of all Shorewall files), all of +the pages in Shorewall CVS access are cgi-generated which places a tremendous + load on my little server. I have therefore resorted to making CVS access + password controlled. When you are asked to log in, enter "Shorewall" (NOTE + THE CAPITALIZATION!!!!!) for both the user name and the password.
+
+ +
+

CVS Login  
-

-
- -

Updated 9/23/2002 - - Tom Eastep -

- -

Copyright - © 2001, 2002 Thomas M. Eastep.

+

+
+ +

Updated 1/14/2002 + - Tom Eastep +

+ +

Copyright + © 2001, 2002, 2003 Thomas M. Eastep.

+



diff --git a/Shorewall-docs/Shorewall_Squid_Usage.html b/Shorewall-docs/Shorewall_Squid_Usage.html new file mode 100644
index 000000000..6a35828e7
--- /dev/null
+++ b/Shorewall-docs/Shorewall_Squid_Usage.html
@@ -0,0 +1,408 @@ + + + + Shorewall Squid Usage + + + + + + + + + + + + + + + +
+
+
Using Shorewall with Squid
+
+
+
+
+ This page covers Shorewall configuration to use with Squid running as a Transparent + Proxy
+
+ Caution +     Please observe the following general requirements:
+
+ +     In all cases, Squid should be configured to run +as a transparent proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html.
+
+
+     The following instructions mention the files /etc/shorewall/start + and /etc/shorewall/init -- if you don't have those files, siimply create +them.
+
+ +     When the Squid server is in the DMZ zone or in +the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts + file entries. That is because the packets being routed to the Squid server + still have their original destination IP addresses.
+
+ +     You must have iproute2 (ip utility) installed + on your firewall.
+
+ +     You must have iptables installed on your Squid +server.
+
+ +     You must have NAT and MANGLE enabled in your /etc/shorewall/conf + file
+
+         NAT_ENABLED=Yes
+
        MANGLE_ENABLED=Yes
+
+ Three different configurations are covered:
+ +
    +
  1. Squid running on the +Firewall.
  2. +
  3. Squid running in the local +network
  4. +
  5. Squid running in the DMZ
  6. + +
+ +

Squid Running on the Firewall

+ You want to redirect all local www connection requests EXCEPT + those to your own + http server (206.124.146.177) + to a Squid transparent + proxy running on the firewall and listening on port 3128. Squid + will of course require access to remote web servers.
+
+ In /etc/shorewall/rules:
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
REDIRECTloc3128tcpwww -
+
!206.124.146.177
ACCEPTfwnettcpwww
+

+
+
+
+ +

Squid Running in the local network

+ You want to redirect all local www connection requests to a Squid + transparent proxy +running in your local zone at 192.168.1.3 and listening on port 3128. +Your local interface is eth1. There may also be a web server running on +192.168.1.3. It is assumed that web access is already enabled from the local +zone to the internet.
+ +

WARNING: This setup may conflict with + other aspects of your gateway including but not limited to traffic shaping + and route redirection. For that reason, I don't recommend it.
+

+ + + +
+
echo 202 www.out >> /etc/iproute2/rt_tables
+
+ + + +
+
if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark 202 table www.out
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi
+
+ + + +
+
iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202
+
+ + + +
If you are running RedHat on the server, you can simply execute + the following commands after you have typed the iptables command above:
+
+ +
+
+ +
iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables start
+
+ +
+ +

Squid Running in the DMZ (This is what I do)

+ You have a single Linux system in your DMZ with IP address 192.0.2.177. + You want to run both a web server and Squid on that system. Your DMZ interface + is eth1 and your local interface is eth2.
+ + + +
+
echo 202 www.out >> /etc/iproute2/rt_tables
+
+ + + +
+
if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark 202 table www.out
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi

+
+ + + +
+
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202
+
+ + + +
+ + + + + + + + + + + + + + + + + + + + + + +
ACTION
+
SOURCE
+
DEST
+
PROTO
+
DEST
+ PORT(S)
+
CLIENT
+ PORT(2)
+
ORIGINAL
+ DEST
+
ACCEPT
+
dmz
+
net
+
tcp
+
80
+

+

+
+
+
+ + + +
If you are running RedHat on the server, you can simply execute + the following commands after you have typed the iptables command above:
+
+ +
+
+ +
iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables start
+
+ +
+ +

Updated 1/10/2003 - Tom Eastep +

+ + + Copyright © 2003 Thomas M. Eastep.
+
+
+
+
+ + diff --git a/Shorewall-docs/images/cache_now.gif b/Shorewall-docs/images/cache_now.gif new file mode 100644 index 0000000000000000000000000000000000000000..751f1338489283befd0292f67ee745b2c4ed8c18 GIT binary patch literal 493 zcmV&>jYkYld zV`NKaPAqUQeR6JZjgfPOSBEA91VK=PgmQ3Hpnr@pMm3ozm`t0TfPRmhp^tf_M*^6r zM}oR~g08;3qdv8^1SiF{fxKZ~v1*Raw8NMM)YP{qK*QRE(Y4dn1=B;C+uC%s;OW(f zMCHThM(XkfBX%MN1|#@6`(oWY^VE$#6951^zlq+f literal 0 HcmV?d00001 diff --git a/Shorewall-docs/images/squidnow.gif b/Shorewall-docs/images/squidnow.gif new file mode 100644 index 0000000000000000000000000000000000000000..d519070aa2fd333aa13dac2af1411e43a9d17070 GIT binary patch literal 1761 zcmb7@`#05D7{<5K?M#cNhQ>7#QBliwNvYACLM}x(91Y54ANNZk)XYTE%@Q3aXE(|v z#5687ONq%ygl1bqE1{{T1{IBF%vfq>&1%p4JBg-XDw*L5L#65aI|bj1eXXQ-m49T(~3{5rPOsgdxI(w-h5v5T%GRM7hw)Fk%ET ziWozTgA(Exae_ESoFNVcXoECpK{LGO!W`icj48$pV=jz^iV#dFCJYlUP{1W6m{Lp` zrd)u6w~Sy$F=Lo+5H9$G zu~1P;C?k{$c7Xye86}Jn#=$*6!CS&9;f!#w2YCP{bVD5AA0WUXP=gpi10_5K4j2sD zAPrhvNKUwh8V;kB3qgWE7z-6+lyS%v>;eT`QqCxc93g240Jz{e1PyK>O2`8+p&Q}= zCNK;Rff~dB8ae?BIAAbngESXbB)o=esNrzf7z7FaU@TOOb76t1^$QfLjSBlzElGe< zWPQQz2H4c^d0tP2IraJERUr|)-kEn!q;q(@{=R&kB0Fg@2|$3GHm760 zOJ+sh8K{utuX90j?j5}}nW}Az5d`tRM80u`Z>R?sCig;<3BllgD3= z4Bif?4ULdqNg8R(>`{C$O*F+#&prI=d|r5-XDKtk)`-)SWxZAU?v{>k8)9lLgRJ8= z=EZsTb%zLE}Xr^(7^S}r%oyAb`Qf7DrUUxd>pEt zW-YV}_%K>)QmrUcwCkl&k_LIJbl+gvc;7QK>SaK}vi8Aeo*yqy9q==|FV<4B4G6FL7(_ zRvzb?+CyHl#ermptX#77RkgOHW1_yzQ1WR*N3?1Gl`gB%;4nSogZWnr;?-;SXhivh z$8@$=Tcm}lZPC{0n_RG3eAS_HX`Q{plX&l2rU z#Eps(FKM2?d_7jk&faeAzjHM;cHG=LqrPC6xr$;Qj(Q~iEm^CuJz%VHZ(8EekQkKr znbtw$zaA|V+4?pvKi8O2V8XUo8qDNQpBxGAjEx>PQy96qX-WJ~NNwpczZ&1b=!e&| z4|J!EAKqpVob4|yems25%Cqli)7O6W5uXpaYjbsV9n|$keh*t7z1$g-Zf0=DwZJy7 zIpejop~UReisZJYr0(Z&O|6+GG7snL8Exg>2RBR3lBchBJe+Xf{*|nB*k$6< z+3m`}$kyoFf7Y)y{HGL!W}wP>`Dk1y^G+#?$+ zdH!AG&$msVMTuTtm~3jkswGZ5>bPG$RP$!@fXu^t^W5#GyB9g;F3xFOEOP#Rothfj F_%Eu&DTx38 literal 0 HcmV?d00001
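Review bot: The DMZ-section marking command `iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202` places the MARK target in the nat table, whereas the local-network variant earlier in the same page uses `-t mangle` and the requirements list at the top asks for MANGLE_ENABLED=Yes for exactly this purpose. MARK is a mangle-table target and the nat table is consulted only for a connection's first packet, so the `ip rule add fwmark 202 table www.out` policy route would not steer the rest of the flow to 192.0.2.177 even on an iptables build that accepts the command; the line should read `iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202`. Separately, the guard in both sections tests `ip rule list | grep www.out` with an unanchored pattern and an unescaped dot, so `grep -q 'www\.out'` would be the safer idempotency check. The preceding `echo 202 www.out >> /etc/iproute2/rt_tables` sits outside that guard; since the page points readers at /etc/shorewall/init and /etc/shorewall/start, it is worth saying explicitly that the rt_tables append is a one-time step, otherwise every restart adds a duplicate entry.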