Re-organize Squid document

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-09-08 08:08:16 -07:00
parent c13bdbd316
commit 0dd7ad7920


@ -139,149 +139,151 @@ httpd_accel_uses_host_header on</programlisting>
http://www.domain.tld:<emphasis role="bold">8080</emphasis>) then you http://www.domain.tld:<emphasis role="bold">8080</emphasis>) then you
must open those ports as well.</para> must open those ports as well.</para>
</caution> </caution>
</section>
<section id="Configurations"> <section id="Configurations">
<title>Configurations</title> <title>Configurations</title>
<para>Three different configurations are covered:</para> <para>Three different configurations are covered:</para>
<simplelist> <simplelist>
<member>Squid (transparent) Running on the Firewall</member> <member>Squid (transparent) Running on the Firewall</member>
<member>Squid (transparent) Running in the local Network</member> <member>Squid (transparent) Running in the local Network</member>
<member>Squid (transparent) Running in a DMZ</member> <member>Squid (transparent) Running in a DMZ</member>
</simplelist> </simplelist>
<section id="Firewall"> <section id="Firewall">
<title>Squid (transparent) Running on the Firewall</title> <title>Squid (transparent) Running on the Firewall</title>
<para>You want to redirect all local www connection requests EXCEPT <para>You want to redirect all local www connection requests EXCEPT
those to your own http server (206.124.146.177) to a Squid transparent those to your own http server (206.124.146.177) to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid will of proxy running on the firewall and listening on port 3128. Squid will
course require access to remote web servers.</para> of course require access to remote web servers.</para>
<para>In <filename>/etc/shorewall/rules</filename>:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST # PORT(S) DEST
ACCEPT $FW net tcp www ACCEPT $FW net tcp www
REDIRECT loc 3128 tcp www - !206.124.146.177 REDIRECT loc 3128 tcp www - !206.124.146.177
</programlisting> </programlisting>
<para>There may be a requirement to exclude additional destination hosts <para>There may be a requirement to exclude additional destination
or networks from being redirected. For example, you might also want hosts or networks from being redirected. For example, you might also
requests destined for 130.252.100.0/24 to not be routed to Squid.</para> want requests destined for 130.252.100.0/24 to not be routed to
Squid.</para>
<para>If needed, you may just add the additional hosts/networks to the <para>If needed, you may just add the additional hosts/networks to the
ORIGINAL DEST column in your REDIRECT rule.</para> ORIGINAL DEST column in your REDIRECT rule.</para>
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST # PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para> REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
<para>People frequently ask <emphasis>How can I exclude certain internal <para>People frequently ask <emphasis>How can I exclude certain
systems from using the proxy? I want to allow those systems to go internal systems from using the proxy? I want to allow those systems
directly to the net</emphasis>.</para> to go directly to the net</emphasis>.</para>
<para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33 from <para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
the proxy. Your rules would then be:</para> from the proxy. Your rules would then be:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST # PORT(S) DEST
ACCEPT $FW net tcp www ACCEPT $FW net tcp www
REDIRECT loc:!192.168.1.5,192.168.1.33\ REDIRECT loc:!192.168.1.5,192.168.1.33\
3128 tcp www - !206.124.146.177,130.252.100.0/24 3128 tcp www - !206.124.146.177,130.252.100.0/24
ACCEPT loc net tcp www</programlisting> ACCEPT loc net tcp www</programlisting>
<para>The last rule may be omitted if your loc-&gt;net policy is <para>The last rule may be omitted if your loc-&gt;net policy is
ACCEPT.</para> ACCEPT.</para>
<para>In some cases (when running an LTSP server on the Shorewall <para>In some cases (when running an LTSP server on the Shorewall
system), you might want to transparently proxy web connections that system), you might want to transparently proxy web connections that
originate on the firewall itself. This requires care to ensure that originate on the firewall itself. This requires care to ensure that
Squid's own web connections are not proxied.</para> Squid's own web connections are not proxied.</para>
<para>First, determine the user id that Squid is running under:</para> <para>First, determine the user id that Squid is running under:</para>
<programlisting>gateway:/etc/shorewall# <emphasis role="bold">ps aux | fgrep -i squid | fgrep -v fgrep</emphasis> <programlisting>gateway:/etc/shorewall# <emphasis role="bold">ps aux | fgrep -i squid | fgrep -v fgrep</emphasis>
root 10085 0.0 0.0 23864 700 ? Ss Apr22 0:00 /usr/sbin/squid -D -YC root 10085 0.0 0.0 23864 700 ? Ss Apr22 0:00 /usr/sbin/squid -D -YC
<emphasis role="bold">proxy</emphasis> 10088 0.0 0.9 40512 19192 ? S Apr22 10:58 <emphasis <emphasis role="bold">proxy</emphasis> 10088 0.0 0.9 40512 19192 ? S Apr22 10:58 <emphasis
role="bold">(squid)</emphasis> -D -YC role="bold">(squid)</emphasis> -D -YC
gateway:/etc/shorewall# </programlisting> gateway:/etc/shorewall# </programlisting>
<para>In this case, the proxy process <emphasis <para>In this case, the proxy process <emphasis
role="bold">(squid)</emphasis> is running under the <emphasis role="bold">(squid)</emphasis> is running under the <emphasis
role="bold">proxy</emphasis> user Id. We add these rules:</para> role="bold">proxy</emphasis> user Id. We add these rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/ <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
# PORT(S) DEST LIMIT GROUP # PORT(S) DEST LIMIT GROUP
ACCEPT $FW net tcp www ACCEPT $FW net tcp www
REDIRECT $FW 3128 tcp www - - - <emphasis REDIRECT $FW 3128 tcp www - - - <emphasis
role="bold"> !proxy</emphasis></programlisting> role="bold"> !proxy</emphasis></programlisting>
</section> </section>
<section id="Local"> <section id="Local">
<title>Squid (transparent) Running in the local network</title> <title>Squid (transparent) Running in the local network</title>
<para>You want to redirect all local www connection requests to a Squid <para>You want to redirect all local www connection requests to a
transparent proxy running in your local zone at 192.168.1.3 and Squid transparent proxy running in your local zone at 192.168.1.3 and
listening on port 3128. Your local interface is eth1. There may also be listening on port 3128. Your local interface is eth1. There may also
a web server running on 192.168.1.3. It is assumed that web access is be a web server running on 192.168.1.3. It is assumed that web access
already enabled from the local zone to the Internet.</para> is already enabled from the local zone to the Internet.</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>Add this entry to your /etc/shorewall/providers file.</para> <para>Add this entry to your /etc/shorewall/providers file.</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 202 - eth1 192.168.1.3 loose,notrack</programlisting> Squid 1 202 - eth1 192.168.1.3 loose,notrack</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>In <filename>/etc/shorewall/tcrules</filename> add:</para> <para>In <filename>/etc/shorewall/tcrules</filename> add:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST <programlisting>#MARK SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting> 202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>In <filename> <filename>/etc/shorewall/interfaces</filename> <para>In <filename> <filename>/etc/shorewall/interfaces</filename>
</filename>:</para> </filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting> loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>On 192.168.1.3, arrange for the following command to be <para>On 192.168.1.3, arrange for the following command to be
executed after networking has come up</para> executed after networking has come up</para>
<programlisting><command>iptables -t nat -A PREROUTING -i eth0 ! -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command> </programlisting> <programlisting><command>iptables -t nat -A PREROUTING -i eth0 ! -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command> </programlisting>
<para>If you are running RedHat on the server, you can simply <para>If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables execute the following commands after you have typed the iptables
command above:</para> command above:</para>
<programlisting><command>iptables-save &gt; /etc/sysconfig/iptables <programlisting><command>iptables-save &gt; /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command> </programlisting> chkconfig --level 35 iptables on</command> </programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
<section id="DMZ"> <section id="DMZ">
<title>Squid (transparent) Running in the DMZ</title> <title>Squid (transparent) Running in the DMZ</title>
<para>You have a single system in your DMZ with IP address 192.0.2.177. <para>You have a single system in your DMZ with IP address
You want to run both a web server and Squid on that system.</para> 192.0.2.177. You want to run both a web server and Squid on that
system.</para>
<para>In <filename>/etc/shorewall/rules</filename>:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST # PORT(S) DEST
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting> DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting>
</section>
</section> </section>
</section> </section>
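Review bot: the interfaces step of the Local section still carries a doubled element, `<filename> <filename>/etc/shorewall/interfaces</filename> </filename>`; since this commit reindents those lines anyway, collapse it to a single `<filename>/etc/shorewall/interfaces</filename>` so the rendered text does not pick up the stray inner spaces. Two smaller consistency points in the same hunk: the simplelist entries read "Running in the local Network" and "Running in a DMZ" while the section titles read "Running in the local network" and "Running in the DMZ", so the list and the titles should use the same wording; and the closing `</section>` removed before `<section id="Configurations">` reappears after the DMZ section, which nests Configurations one level deeper inside the preceding section. That is the re-organization the commit message describes, but since the rest of the hunk is whitespace-only reflow, it is worth confirming that the enclosing section is the one the three configurations are meant to belong to.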
@ -310,7 +312,7 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
</section> </section>
<section id="TPROXY"> <section id="TPROXY">
<title>Transparent with TPROXY</title> <title>Squid3 as a Transparent Proxy with TPROXY</title>
<para>Shorewall 4.5.4 contains support for TPROXY. TPROXY differs from <para>Shorewall 4.5.4 contains support for TPROXY. TPROXY differs from
REDIRECT in that it does not modify the IP header and requires Squid 3 or REDIRECT in that it does not modify the IP header and requires Squid 3 or
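Review bot: the new title "Squid3 as a Transparent Proxy with TPROXY" writes the version as "Squid3", while the paragraph directly beneath it says "Squid 3"; pick one spelling so the title and the body agree (the body's form is the one already in the text, so changing the title to "Squid 3" is the smaller edit).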