From 03593766042756f2ba5bb5fb98737fa304d09f08 Mon Sep 17 00:00:00 2001 From: mhnoyes Date: Tue, 23 Dec 2003 20:08:58 +0000 Subject: [PATCH] Content moved to Shorewall_Squid_Usage.xml git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@920 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/Shorewall_Squid_Usage.html | 631 ---------------------- 1 file changed, 631 deletions(-) delete mode 100644 Shorewall-docs/Shorewall_Squid_Usage.html diff --git a/Shorewall-docs/Shorewall_Squid_Usage.html b/Shorewall-docs/Shorewall_Squid_Usage.html deleted file mode 100644 index e4046acad..000000000 --- a/Shorewall-docs/Shorewall_Squid_Usage.html +++ /dev/null @@ -1,631 +0,0 @@ - - - - Shorewall Squid Usage - - - - - - - - - - - - -

-
-

Using Shorewall with Squid

-

-

-
-
-This page covers Shorewall configuration to use with Squid running as a Transparent -Proxy or as a Manual Proxy.
-
-If you are running Shorewall 1.3, please see this documentation.
-

Squid as a Transparent Proxy
-

-Caution     Please observe the -following general requirements:
-
- -    In all cases, Squid should be configured to run -as a transparent proxy as described at http://tldp.org/HOWTO/mini/TransparentProxy.html.
-
-
-    The following instructions mention -the files /etc/shorewall/start and /etc/shorewall/init -- if you don't -have those files, siimply create them.
-
-     -When the Squid server is in the DMZ zone or in the local zone, that -zone must be defined ONLY by its interface -- no /etc/shorewall/hosts -file entries. That is because the packets being routed to the Squid -server still have their original destination IP addresses.
-
-     -You must have iptables installed on your Squid server.
-
-     -If you run a Shorewall version earlier than 1.4.6, you must have NAT -and MANGLE enabled in your /etc/shorewall/conf file
-
-        -NAT_ENABLED=Yes
-
        MANGLE_ENABLED=Yes
-
-Three different configurations are covered:
-
    -
  1. Squid -running on the Firewall.
  2. -
  3. Squid running in the -local network
  4. -
  5. Squid running in the DMZ
  6. -
-

Squid (transparent) Running on the Firewall

-You want to redirect all local www connection requests -EXCEPT those to your own http server (206.124.146.177) to a Squid -transparent proxy running on the firewall -and listening on port 3128. Squid will of course require access -to remote web servers.
-
-In /etc/shorewall/rules:
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTIONSOURCEDEST PROTODEST
-PORT(S)
SOURCE
-PORT(S)
ORIGINAL
-DEST
REDIRECTloc3128tcpwww -
-
!206.124.146.177
ACCEPTfwnettcpwww
-

-
-
-
-There may be a requirement to exclude additional destination -hosts or networks from being redirected. For example, you might also -want -requests destined for 130.252.100.0/24 to not be routed to Squid.
-
-If you are running Shorewall version 1.4.5 or later, you may just add -the additional hosts/networks to the ORIGINAL DEST column in your -REDIRECT rule:
-
-
- - - - - - - - - - - - - - - - - - - - - -
ACTIONSOURCEDEST PROTODEST
-PORT(S)
SOURCE
-PORT(S)
ORIGINAL
-DEST
REDIRECTloc3128tcpwww -
-
!206.124.146.177,130.252.100.0/24
-
-
-If you are running a Shorewall version earlier than 1.4.5, you must add -a manual rule in /etc/shorewall/start:
-
-
run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN
-
- To exclude additional hosts or networks, just add additional -similar rules.
-

Squid (transparent) Running in the local network

-You want to redirect all local www connection requests to a Squid -transparent proxy running in your local zone at 192.168.1.3 and -listening -on port 3128. Your local interface is eth1. There may also be a web -server running on 192.168.1.3. It is assumed that web access is already -enabled from the local zone to the internet..
- -
-
echo 202 www.out >> /etc/iproute2/rt_tables
-
- -
-
if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark 202 table www.out
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi
-
- -
-
iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202
-
- -
If you are running RedHat on the server, you can simply -execute the following commands after you have typed the iptables -command above:
-
-
-
-
iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on
-
-
-

Squid (transparent) Running in the DMZ (This is -what I do)

-You have a single Linux system in your DMZ with IP address 192.0.2.177. -You want to run both a web server and Squid on that system. Your DMZ -interface is eth1 and your local interface is eth2.
- -
-
echo 202 www.out >> /etc/iproute2/rt_tables
-
- -
-
if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark 202 table www.out
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi

-
- -
-
	iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202
-
-
B) Set MARK_IN_FORWARD_CHAIN=No in -/etc/shorewall/shorewall.conf and add the following entry in -/etc/shorewall/tcrules:
-
-
-
- - - - - - - - - - - - - - - - - - - -
MARK
-
SOURCE
-
DESTINATION
-
PROTOCOL
-
PORT
-
CLIENT PORT
-
202
-
eth2
-
0.0.0.0/0
-
tcp
-
80
-
-
-
-
-C) Run Shorewall 1.3.14 or later and add the following entry -in /etc/shorewall/tcrules:
-
-
-
- - - - - - - - - - - - - - - - - - - -
MARK
-
SOURCE
-
DESTINATION
-
PROTOCOL
-
PORT
-
CLIENT PORT
-
202:P
-
eth2
-
0.0.0.0/0
-
tcp
-
80
-
-
-
-
-
- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTION
-
SOURCE
-
DEST
-
PROTO
-
DEST
-PORT(S)
-
CLIENT
-PORT(2)
-
ORIGINAL
-DEST
-
ACCEPT
-
loc
-
dmz
-
tcp
-
80
-

-

-
ACCEPT
-
dmz
-
net
-
tcp
-
80
-

-

-
-
-
- -
If you are running RedHat on the server, you can simply -execute the following commands after you have typed the iptables -command above:
-
-
-
-
iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on
-
-
-

Squid as a Manual Proxy

-Assume that Squid is running in zone SZ and listening on port SP; all -web sites that are to be accessed through Squid are in the 'net' zone. -Then for each zone Z that needs access to the Squid server:
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTION
-
SOURCE
-
DEST
-
PROTO
-
DEST
-PORT(S)
-
CLIENT
-PORT(2)
-
ORIGINAL
-DEST
-
ACCEPT
-
Z
-
SZ
-
tcp
-
SP
-

-

-
ACCEPT
-
SZ
-
net
-
tcp
-
80
-

-

-
-
-
-Example:
-
-
Squid on the firewall listening on port -8080 with access from the 'loc' zone:
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTION
-
SOURCE
-
DEST
-
PROTO
-
DEST
-PORT(S)
-
CLIENT
-PORT(2)
-
ORIGINAL
-DEST
-
ACCEPT
-
loc
-
$FW
-
tcp
-
8080
-

-

-
ACCEPT
-
$FW
-
net
-
tcp
-
80
-

-

-
-
-
-

Updated 1017/2003 - Tom -Eastep -

-Copyright © 2003 Thomas M. Eastep.
- -
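Review bot: the hunk removes Shorewall-docs/Shorewall_Squid_Usage.html in full, but the commit message's claim that the content "moved to Shorewall_Squid_Usage.xml" cannot be verified from this patch, since the XML file is neither added nor modified here; either include the XML in the same commit or cite the revision that introduced it so the move is reviewable as one change. The deleted page carries several details that are easy to lose in a rewrite and should be checked against the XML before this lands: the version-dependent caveats (NAT_ENABLED=Yes and MANGLE_ENABLED=Yes before 1.4.6, the ORIGINAL DEST exclusion list only from 1.4.5, the `run_iptables -t nat -I loc_dnat ... -j RETURN` workaround for older releases, and the 202:P tcrules form requiring 1.3.14 or later), the requirement that a zone hosting Squid be defined only by its interface with no /etc/shorewall/hosts entries, and the `!206.124.146.177` exclusion that keeps requests for the firewall's own web server out of the proxy redirect. The "Updated 1017/2003" date on the removed page is also malformed and should not be carried over as-is.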