Using Shorewall with Squid

This page covers Shorewall configuration to use with Squid running as a Transparent Proxy. If you are running Shorewall 1.3, please see this documentation.

Caution

    Please observe the following general requirements:

    In all cases, Squid should be configured to run as a transparent proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html.

    The following instructions mention the files /etc/shorewall/start and /etc/shorewall/init -- if you don't have those files, siimply create them.

    When the Squid server is in the DMZ zone or in the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts file entries. That is because the packets being routed to the Squid server still have their original destination IP addresses.

    You must have iptables installed on your Squid server.

    If you run a Shorewall version earlier than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf file

        NAT_ENABLED=Yes
        MANGLE_ENABLED=Yes

Three different configurations are covered:

Squid Running on the Firewall

You want to redirect all local www connection requests EXCEPT those to your own http server (206.124.146.177) to a Squid transparent proxy running on the firewall and listening on port 3128. Squid will of course require access to remote web servers.

In /etc/shorewall/rules:

ACTION SOURCE DEST PROTO DEST
PORT(S) SOURCE
PORT(S) ORIGINAL
DEST

REDIRECT loc 3128 tcp www -
!206.124.146.177

ACCEPT fw net tcp www

There may be a requirement to exclude additional destination hosts or networks from being redirected. For example, you might also want requests destined for 130.252.100.0/24 to not be routed to Squid. In that case, you must add a manual rule in /etc/shorewall/start:

run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN

To exclude additional hosts or networks, just add additional similar rules.

Squid Running in the local network

You want to redirect all local www connection requests to a Squid transparent proxy running in your local zone at 192.168.1.3 and listening on port 3128. Your local interface is eth1. There may also be a web server running on 192.168.1.3. It is assumed that web access is already enabled from the local zone to the internet.

WARNING: This setup may conflict with other aspects of your gateway including but not limited to traffic shaping and route redirection. For that reason, I don't recommend it.

On your firewall system, issue the following command

echo 202 www.out >> /etc/iproute2/rt_tables

In /etc/shorewall/init, put:

if [ -z "`ip rule list | grep www.out`" ] ; then
	ip rule add fwmark 202 table www.out
	ip route add default via 192.168.1.3 dev eth1 table www.out
	ip route flush cache
	echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi

If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please upgrade to Shorewall 1.4.2 or later.

If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:

ZONE	INTERFACE	BROADCAST	OPTIONS
loc	eth1	detect	routeback

In /etc/shorewall/rules:

ACTION	SOURCE	DEST	PROTO	DEST PORT(S)	SOURCE PORT(S)	ORIGINAL DEST
ACCEPT	loc	loc	tcp	www

Alternativfely, if you are running Shorewall 1.4.0 you can have the following policy in place of the above rule:

SOURCE	DESTINATION	POLICY	LOG LEVEL	BURST PARAMETERS
loc	loc	ACCEPT

In /etc/shorewall/start add:

iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202

On 192.168.1.3, arrange for the following command to be executed after networking has come up
```
iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128
```

If you are running RedHat on the server, you can simply execute the following commands after you have typed the iptables command above:

iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on

Squid Running in the DMZ (This is what I do)

You have a single Linux system in your DMZ with IP address 192.0.2.177. You want to run both a web server and Squid on that system. Your DMZ interface is eth1 and your local interface is eth2.

On your firewall system, issue the following command

echo 202 www.out >> /etc/iproute2/rt_tables

In /etc/shorewall/init, put:

if [ -z "`ip rule list | grep www.out`" ] ; then
	ip rule add fwmark 202 table www.out
	ip route add default via 192.0.2.177 dev eth1 table www.out
	ip route flush cache
fi

Do one of the following:

A) In /etc/shorewall/start add

	iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202

B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf and add the following entry in /etc/shorewall/tcrules:

MARK
SOURCE
DESTINATION
PROTOCOL
PORT
CLIENT PORT

202
eth2
0.0.0.0/0
tcp
80
-

C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:

MARK
SOURCE
DESTINATION
PROTOCOL
PORT
CLIENT PORT

202:P
eth2
0.0.0.0/0
tcp
80
-

In /etc/shorewall/rules, you will need:

ACTION
SOURCE
DEST
PROTO
DEST
PORT(S)
CLIENT
PORT(2)
ORIGINAL
DEST

ACCEPT
loc
dmz
tcp
80

ACCEPT
dmz
net
tcp
80

On 192.0.2.177 (your Web/Squid server), arrange for the following command to be executed after networking has come up
```
iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128
```

If you are running RedHat on the server, you can simply execute the following commands after you have typed the iptables command above:

iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on

Updated 7/18/2003 - Tom Eastep

MARK	SOURCE	DESTINATION	PROTOCOL	PORT	CLIENT PORT
202	eth2	0.0.0.0/0	tcp	80	-

ACTION	SOURCE	DEST	PROTO	DEST PORT(S)	CLIENT PORT(2)	ORIGINAL DEST
ACCEPT	loc	dmz	tcp	80
ACCEPT	dmz	net	tcp	80