Document TPROXY

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-01-17 08:20:15 -08:00 · 2010-01-17 08:20:15 -08:00 · 146a738e4c
commit 146a738e4c
parent f4102417ff
3 changed files with 43 additions and 0 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -4,6 +4,8 @@ Changes in Shorewall 4.4.7

 2)  Backport two new options from 4.5.

+3)  Backport TPROXY from 4.5
+
 Changes in Shorewall 4.4.6

 1)  Fix for rp_filter and kernel 2.6.31.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -56,6 +56,8 @@ Shorewall 4.4.7

 14) Additional ruleset optimization options are available.

+15) TPROXY support has been added.
+
 ----------------------------------------------------------------------------
                    M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------
@ -254,6 +256,9 @@ None.
    particular provider. Simply specify '-' in the MARK column and
    Shorewall will automatically assign a mark value.

+5)  Support for TPROXY has been added. See
+    http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY.
+
 ----------------------------------------------------------------------------
        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 6
 ----------------------------------------------------------------------------
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@ -285,4 +285,40 @@ ACCEPT    loc      $FW    tcp      8080
 ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    </example>
  </section>
+
+  <section id="TPROXY">
+    <title>Transparent with TPROXY</title>
+
+    <para>Shorewall 4.4.7 contains support for TPROXY. TPROXY differs from
+    REDIRECT in that it does not modify the IP header. Because the IP header
+    stays intact, TPROXY requires policy routing to direct the packets to the
+    proxy server running on the firewall. This approach requires TPROXY
+    support in your kernel and iptables and Squid 3. See <ulink
+    url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
+
+    <para>The following configuration works with Squid running on the firewall
+    itself.</para>
+
+    <para><filename>/etc/shorewall/interfaces:</filename></para>
+
+    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
+-            lo               -                 -</programlisting>
+
+    <para><filename>/etc/shorewall/providers</filename>:</para>
+
+    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
+Tproxy    1        1        -           lo        -            local</programlisting>
+
+    <para><filename>/etc/shorewall/tcrules</filename> (assume Z interface is
+    eth1):</para>
+
+    <programlisting>MARK            SOURCE      DEST        PROTO      PORT(S)
+TPROXY(1,3128)  eth1        0.0.0.0/0   tcp        80</programlisting>
+
+    <para>/etc/shorewall/rules:</para>
+
+    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
+ACCEPT    Z        $FW    tcp     SP
+ACCEPT    $FW      net    tcp     80</programlisting>
+  </section>
 </article>