|
Using Shorewall with Squid
|
|
This page covers Shorewall configuration to use with Squid running as a Transparent
Proxy. If you are running Shorewall 1.3, please see this documentation.
Please observe the following general requirements:
In all cases, Squid should be configured
to run as a transparent proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html.
The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those
files, siimply create them.
When the Squid server is in the DMZ zone
or in the local zone, that zone must be defined ONLY by its interface --
no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP addresses.
You must have iptables installed on your
Squid server.
You must have NAT and MANGLE enabled in
your /etc/shorewall/conf file
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
Three different configurations are covered:
- Squid running
on the Firewall.
- Squid running in
the local network
- Squid running in
the DMZ
Squid Running on the Firewall
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.
In /etc/shorewall/rules:
ACTION |
SOURCE |
DEST |
PROTO |
DEST
PORT(S) |
SOURCE
PORT(S) |
ORIGINAL
DEST |
REDIRECT |
loc |
3128 |
tcp |
www |
-
|
!206.124.146.177 |
ACCEPT |
fw |
net |
tcp |
www |
|
|
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:
run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN
To exclude additional hosts or networks, just add additional similar
rules.
Squid Running in the local network
You want to redirect all local www connection requests to a
Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on port
3128. Your local interface is eth1. There may also be a web server running
on 192.168.1.3. It is assumed that web access is already enabled from the
local zone to the internet.
WARNING: This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, I don't recommend it.
- On your firewall system, issue the following command
echo 202 www.out >> /etc/iproute2/rt_tables
- In /etc/shorewall/init, put:
if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark 202 table www.out
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi
- If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.
- If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:
ZONE
|
INTERFACE
|
BROADCAST
|
OPTIONS
|
loc
|
eth1
|
detect
|
routeback
|
- In /etc/shorewall/rules:
ACTION |
SOURCE |
DEST |
PROTO |
DEST
PORT(S) |
SOURCE
PORT(S) |
ORIGINAL
DEST |
ACCEPT
|
loc |
loc
|
tcp |
www |
|
|
- Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:
SOURCE
|
DESTINATION
|
POLICY
|
LOG LEVEL
|
BURST PARAMETERS
|
loc
|
loc
|
ACCEPT
|
|
|
- In /etc/shorewall/start add:
iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202
If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:
iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables start
Squid Running in the DMZ (This is what I do)
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.
- On your firewall system, issue the following command
echo 202 www.out >> /etc/iproute2/rt_tables
- In /etc/shorewall/init, put:
if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark 202 table www.out
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi
- Do one of the following:
A) In /etc/shorewall/start add
iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202
B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:
MARK
|
SOURCE
|
DESTINATION
|
PROTOCOL
|
PORT
|
CLIENT PORT
|
202
|
eth2
|
0.0.0.0/0
|
tcp
|
80
|
-
|
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:
MARK
|
SOURCE
|
DESTINATION
|
PROTOCOL
|
PORT
|
CLIENT PORT
|
202:P
|
eth2
|
0.0.0.0/0
|
tcp
|
80
|
-
|
- In /etc/shorewall/rules, you will need:
ACTION
|
SOURCE
|
DEST
|
PROTO
|
DEST
PORT(S)
|
CLIENT
PORT(2)
|
ORIGINAL
DEST
|
ACCEPT
|
loc
|
dmz
|
tcp
|
80
|
|
|
ACCEPT
|
dmz
|
net
|
tcp
|
80
|
|
|
If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:
iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables start
Updated 5/29/2003 - Tom Eastep
Copyright ©
2003 Thomas M. Eastep.