Using Shorewall with SquidTomEastep2003-2008Thomas M. EastepPermission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled GNU Free Documentation License.This page covers Shorewall configuration to use with Squid running as a Transparent
Proxy or as a Manual Proxy.This article applies to Shorewall 4.0 and
later. If you are running a version of Shorewall earlier than Shorewall
4.0.0 then please see the documentation for that
release.Squid as a Transparent (Interception) ProxyThis section gives instructions for transparent proxying of HTTP.
HTTPS (normally TCP port 443) cannot be
proxied transparently (stop and think about it for a minute; if HTTPS
could be transparently proxied, then how secure would it be?).Please observe the following general requirements:In all cases, Squid should be configured to run as a
transparent proxy as described at http://wiki.squid-cache.org/SquidFaq/InterceptionProxy.The bottom line of that article is that if you are running
Squid 2.6 or later, then you simply
need to add the word transparent to your
http_port specification:http_port 3128 transparentIn earlier Squid versions,
you need to set several options:http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header onDepending on your distribution, other Squid configuration
changes may be required. These changes typically consist of:Adding an ACL that represents the clients on your local
network.Example:ACL my_networks src 192.168.1.0/24 192.168.2.0/24Allowing HTTP access to that ACL.Example:http_access allow my_networksSee your distribution's Squid documentation and http://www.squid-cache.org/
for details.It is a good idea to get Squid working as a manual proxy first before you try
transparent proxying.The following instructions mention the file
/etc/shorewall/start - if you don't have that file, simply create
it.When the Squid server is in the local zone, that zone must be
defined ONLY by its interface -- no /etc/shorewall/hosts file
entries. That is because the packets being routed to the Squid
server still have their original destination IP addresses.You must have iptables installed on your Squid server.In the instructions below, only TCP Port 80 is opened from the
system running Squid to the Internet. If your users require browsing
sites that use a port other than 80 (e.g.,
http://www.domain.tld:8080) then you
must open those ports as well.ConfigurationsThree different configurations are covered:Squid (transparent) Running on the FirewallSquid (transparent) Running in the local NetworkSquid (transparent) Running in a DMZSquid (transparent) Running on the FirewallYou want to redirect all local www connection requests EXCEPT
those to your own http server (206.124.146.177) to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid will of
course require access to remote web servers.In /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
ACCEPT $FW net tcp www
REDIRECT loc 3128 tcp www - !206.124.146.177
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want
requests destined for 130.252.100.0/24 to not be routed to Squid.If needed, you may just add the additional hosts/networks to the
ORIGINAL DEST column in your REDIRECT rule./etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24People frequently ask How can I exclude certain internal
systems from using the proxy? I want to allow those systems to go
directly to the net.Suppose that you want to exclude 192.168.1.5 and 192.168.1.33 from
the proxy. Your rules would then be:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
ACCEPT $FW net tcp www
REDIRECT loc:!192.168.1.5,192.168.1.33\
3128 tcp www - !206.124.146.177,130.252.100.0/24
ACCEPT loc net tcp wwwThe last rule may be omitted if your loc->net policy is
ACCEPT.In some cases (when running an LTSP server on the Shorewall
system), you might want to transparently proxy web connections that
originate on the firewall itself. This requires care to ensure that
Squid's own web connections are not proxied.First, determine the user id that Squid is running under:gateway:/etc/shorewall# ps aux | fgrep -i squid | fgrep -v fgrep
root 10085 0.0 0.0 23864 700 ? Ss Apr22 0:00 /usr/sbin/squid -D -YC
proxy 10088 0.0 0.9 40512 19192 ? S Apr22 10:58 (squid) -D -YC
gateway:/etc/shorewall# In this case, the proxy process (squid) is running under the proxy user Id. We add these rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
# PORT(S) DEST LIMIT GROUP
ACCEPT $FW net tcp www
REDIRECT $FW 3128 tcp www - - - !proxySquid (transparent) Running in the local networkYou want to redirect all local www connection requests to a Squid
transparent proxy running in your local zone at 192.168.1.3 and
listening on port 3128. Your local interface is eth1. There may also be
a web server running on 192.168.1.3. It is assumed that web access is
already enabled from the local zone to the Internet.Add this entry to your /etc/shorewall/providers file.#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 202 - eth1 192.168.1.3 looseIn /etc/shorewall/tcrules add:#MARK SOURCE DEST PROTO DEST
# PORT(S)
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80In /etc/shorewall/interfaces:#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect routebackOn 192.168.1.3, arrange for the following command to be
executed after networking has come upiptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables onSquid (transparent) Running in the DMZYou have a single system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system.In /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177Squid as a Manual ProxyAssume that Squid is running in zone SZ and listening on port SP;
all web sites that are to be accessed through Squid are in the
net zone. Then for each zone Z that needs access to the
Squid server./etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT Z SZ tcp SP
ACCEPT SZ net tcp 80,443Squid on the firewall listening on port 8080 with access from the
loc zone:/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc $FW tcp 8080
ACCEPT $FW net tcp 80,443Transparent with TPROXYShorewall 4.4.7 contains support for TPROXY. TPROXY differs from
REDIRECT in that it does not modify the IP header. Because the IP header
stays intact, TPROXY requires policy routing to direct the packets to the
proxy server running on the firewall. This approach requires TPROXY
support in your kernel and iptables and Squid 3. See http://wiki.squid-cache.org/Features/Tproxy4.The following configuration works with Squid running on the firewall
itself (assume that Squid is listening on port 3128)./etc/shorewall/interfaces:#ZONE INTERFACE BROADCAST OPTIONS
- lo - -/etc/shorewall/providers:#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Tproxy 1 1 - lo - local/etc/shorewall/tcrules (assume loc interface is
eth1):MARK SOURCE DEST PROTO PORT(S)
TPROXY(1,3128) eth1 0.0.0.0/0 tcp 80/etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc $FW tcp 80
ACCEPT $FW net tcp 80