diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml
index 49f0daad2..af1147885 100644
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -139,149 +139,151 @@ httpd_accel_uses_host_header on
http://www.domain.tld:8080) then you
must open those ports as well.
-
-
- Configurations
+
+ Configurations
- Three different configurations are covered:
+ Three different configurations are covered:
-
- Squid (transparent) Running on the Firewall
+
+ Squid (transparent) Running on the Firewall
- Squid (transparent) Running in the local Network
+ Squid (transparent) Running in the local Network
- Squid (transparent) Running in a DMZ
-
+ Squid (transparent) Running in a DMZ
+
-
- Squid (transparent) Running on the Firewall
+
+ Squid (transparent) Running on the Firewall
- You want to redirect all local www connection requests EXCEPT
- those to your own http server (206.124.146.177) to a Squid transparent
- proxy running on the firewall and listening on port 3128. Squid will of
- course require access to remote web servers.
+ You want to redirect all local www connection requests EXCEPT
+ those to your own http server (206.124.146.177) to a Squid transparent
+ proxy running on the firewall and listening on port 3128. Squid will
+ of course require access to remote web servers.
- In /etc/shorewall/rules:
+ In /etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
+ #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
ACCEPT $FW net tcp www
REDIRECT loc 3128 tcp www - !206.124.146.177
- There may be a requirement to exclude additional destination hosts
- or networks from being redirected. For example, you might also want
- requests destined for 130.252.100.0/24 to not be routed to Squid.
+ There may be a requirement to exclude additional destination
+ hosts or networks from being redirected. For example, you might also
+ want requests destined for 130.252.100.0/24 to not be routed to
+ Squid.
- If needed, you may just add the additional hosts/networks to the
- ORIGINAL DEST column in your REDIRECT rule.
+ If needed, you may just add the additional hosts/networks to the
+ ORIGINAL DEST column in your REDIRECT rule.
- /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
+ /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24
- People frequently ask How can I exclude certain internal
- systems from using the proxy? I want to allow those systems to go
- directly to the net.
+ People frequently ask How can I exclude certain
+ internal systems from using the proxy? I want to allow those systems
+ to go directly to the net.
- Suppose that you want to exclude 192.168.1.5 and 192.168.1.33 from
- the proxy. Your rules would then be:
+ Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
+ from the proxy. Your rules would then be:
- #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
+ #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
ACCEPT $FW net tcp www
REDIRECT loc:!192.168.1.5,192.168.1.33\
3128 tcp www - !206.124.146.177,130.252.100.0/24
ACCEPT loc net tcp www
- The last rule may be omitted if your loc->net policy is
- ACCEPT.
+ The last rule may be omitted if your loc->net policy is
+ ACCEPT.
- In some cases (when running an LTSP server on the Shorewall
- system), you might want to transparently proxy web connections that
- originate on the firewall itself. This requires care to ensure that
- Squid's own web connections are not proxied.
+ In some cases (when running an LTSP server on the Shorewall
+ system), you might want to transparently proxy web connections that
+ originate on the firewall itself. This requires care to ensure that
+ Squid's own web connections are not proxied.
- First, determine the user id that Squid is running under:
+ First, determine the user id that Squid is running under:
- gateway:/etc/shorewall# ps aux | fgrep -i squid | fgrep -v fgrep
+ gateway:/etc/shorewall# ps aux | fgrep -i squid | fgrep -v fgrep
root 10085 0.0 0.0 23864 700 ? Ss Apr22 0:00 /usr/sbin/squid -D -YC
proxy 10088 0.0 0.9 40512 19192 ? S Apr22 10:58 (squid) -D -YC
+ role="bold">(squid) -D -YC
gateway:/etc/shorewall#
- In this case, the proxy process (squid) is running under the proxy user Id. We add these rules:
+ In this case, the proxy process (squid) is running under the proxy user Id. We add these rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
+ #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
# PORT(S) DEST LIMIT GROUP
ACCEPT $FW net tcp www
REDIRECT $FW 3128 tcp www - - - !proxy
-
+ role="bold"> !proxy
+
-
- Squid (transparent) Running in the local network
+
+ Squid (transparent) Running in the local network
- You want to redirect all local www connection requests to a Squid
- transparent proxy running in your local zone at 192.168.1.3 and
- listening on port 3128. Your local interface is eth1. There may also be
- a web server running on 192.168.1.3. It is assumed that web access is
- already enabled from the local zone to the Internet.
+ You want to redirect all local www connection requests to a
+ Squid transparent proxy running in your local zone at 192.168.1.3 and
+ listening on port 3128. Your local interface is eth1. There may also
+ be a web server running on 192.168.1.3. It is assumed that web access
+ is already enabled from the local zone to the Internet.
-
-
- Add this entry to your /etc/shorewall/providers file.
+
+
+ Add this entry to your /etc/shorewall/providers file.
- #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
+ #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 202 - eth1 192.168.1.3 loose,notrack
-
+
-
- In /etc/shorewall/tcrules add:
+
+ In /etc/shorewall/tcrules add:
- #MARK SOURCE DEST PROTO DEST
+ #MARK SOURCE DEST PROTO DEST
# PORT(S)
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80
-
+
-
- In /etc/shorewall/interfaces
- :
+
+ In /etc/shorewall/interfaces
+ :
- #ZONE INTERFACE BROADCAST OPTIONS
+ #ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect routeback
-
+
-
- On 192.168.1.3, arrange for the following command to be
- executed after networking has come up
+
+ On 192.168.1.3, arrange for the following command to be
+ executed after networking has come up
- iptables -t nat -A PREROUTING -i eth0 ! -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128
+ iptables -t nat -A PREROUTING -i eth0 ! -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128
- If you are running RedHat on the server, you can simply
- execute the following commands after you have typed the iptables
- command above:
+ If you are running RedHat on the server, you can simply
+ execute the following commands after you have typed the iptables
+ command above:
- iptables-save > /etc/sysconfig/iptables
+ iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on
-
-
-
+
+
+
-
- Squid (transparent) Running in the DMZ
+
+ Squid (transparent) Running in the DMZ
- You have a single system in your DMZ with IP address 192.0.2.177.
- You want to run both a web server and Squid on that system.
+ You have a single system in your DMZ with IP address
+ 192.0.2.177. You want to run both a web server and Squid on that
+ system.
- In /etc/shorewall/rules:
+ In /etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
+ #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177
+
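Review bot: the reflow has wrapped the `<emphasis role="bold">` start tags onto their own lines inside two `<programlisting>` blocks, which changes rendered output because whitespace in a program listing is significant. In the `ps aux` listing the unchanged line `proxy 10088 0.0 0.9 40512 19192 ? S Apr22 10:58 (squid) -D -YC` is now followed by an added line `role="bold">(squid) -D -YC`, and in the USER/GROUP rules listing the line `REDIRECT $FW 3128 tcp www - - - !proxy` is followed by `role="bold"> !proxy`; as rendered, the highlighted fragment will appear on a broken line (and, if the old line was not removed, twice). Keep the emphasis element and its content on the same line as the rest of the listing line rather than letting the formatter wrap attributes there. While the titles are being touched, also make them agree with the intro list: the list says `Squid (transparent) Running in a DMZ` and `Running in the local Network`, but the section titles say `Running in the DMZ` and `Running in the local network`.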
@@ -310,7 +312,7 @@ ACCEPT $FW net tcp 80,443
- Transparent with TPROXY
+ Squid3 as a Transparent Proxy with TPROXY
Shorewall 4.5.4 contains support for TPROXY. TPROXY differs from
REDIRECT in that it does not modify the IP header and requires Squid 3 or
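Review bot: the new title says `Squid3` while the body text two lines below says `requires Squid 3 or`; pick one spelling (the body's `Squid 3`, with a space, matches how the version is written elsewhere) so the title and the prose agree. Also, since the section is now explicitly named as a Squid configuration, consider whether the earlier intro sentence `Three different configurations are covered` and its list should mention the TPROXY case as well, or whether that sentence should be scoped to the REDIRECT-based setups only.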