From 7e470435236e4226e17e27ab1f60745cfe379686 Mon Sep 17 00:00:00 2001 From: judas_iscariote Date: Fri, 27 May 2005 00:03:47 +0000 Subject: [PATCH] fixed ... (bye-bye kxml) git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2179 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Shorewall_Squid_Usage.xml | 258 ++++++++++++++-------- 1 file changed, 163 insertions(+), 95 deletions(-) diff --git a/Shorewall-docs2/Shorewall_Squid_Usage.xml b/Shorewall-docs2/Shorewall_Squid_Usage.xml index 43efd192b..a0502b05b 100644 --- a/Shorewall-docs2/Shorewall_Squid_Usage.xml +++ b/Shorewall-docs2/Shorewall_Squid_Usage.xml @@ -1,78 +1,106 @@ - - -
- + + +
+ + + Using Shorewall with Squid + Tom + Eastep - 2005-05-19 + + 2005-05-26 + 2003-2005 + Thomas M. Eastep + Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled - - GNU Free Documentation - License - . + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License + . - This page covers Shorewall configuration to use with Squid running as a Transparent + + This page covers Shorewall configuration to use with Squid running as a Transparent Proxy or as a Manual Proxy. + This documentation assumes that you are running Shorewall 2.0.0 or later. +
Squid as a Transparent Proxy + This section gives instructions for transparent proxying of HTTP. - HTTPS (normally TCP port 443) cannot be + HTTPS (normally TCP port 443) cannot be proxied transparently (stop and think about it for a minute; if HTTPS could be transparently proxied, then how secure would it be?). + Please observe the following general requirements: + In all cases, Squid should be configured to run as a transrent - proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy.html. + proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy.html. + Depending on your distribution, other Squid configuration changes may be required. These changes typically consist of: + Adding an ACL that represents the clients on your local network. + Example: + ACL my_networks src 192.168.1.0/24 192.168.2.0/24 + Allowing HTTP access to that ACL. + Example: + http_access allow my_networks - See your distribution's Squid documenation and http://www.squid-cache.org/ + + See your distribution's Squid documenation and http://www.squid-cache.org/ for details. - It is a good idea to get Squid working as a manual proxy first before you try + + It is a good idea to get Squid working as a manual proxy first before you try transparent proxying. + The following instructions mention the files /etc/shorewall/start and /etc/shorewall/init -- if you don't have those files, siimply create them. + When the Squid server is in the DMZ zone or in the local zone, that zone must be defined ONLY by its interface -- no 
@@ -80,280 +108,320 @@ routed to the Squid server still have their original destination IP addresses. + You must have iptables installed on your Squid server. + In the instructions below, only TCP Port 80 is opened from the - system running Squid to the internet. If your users require browsing + system running Squid to the Internet. If your users require browsing sites that use a port other than 80 (e.g., - http://www.domain.tld:8080) then you + http://www.domain.tld:8080) then you must open those ports as well.
+
Configurations + Three different configurations are covered: + Squid (transparent) Running on the Firewall + Squid (transparent) Running in the local Network + Squid (transparent) Running in a DMZ -
+ +
Squid (transparent) Running on the Firewall + You want to redirect all local www connection requests EXCEPT those to your own http server (206.124.146.177) to a Squid transparent proxy running on the firewall and listening on port 3128. Squid will of course require access to remote web servers. + In /etc/shorewall/rules: + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT(S) DEST REDIRECT loc 3128 tcp www - !206.124.146.177 ACCEPT fw net tcp www + There may be a requirement to exclude additional destination hosts or networks from being redirected. For example, you might also want requests destined for 130.252.100.0/24 to not be routed to Squid. + If needed, you may just add the additional hosts/networks to the ORIGINAL DEST column in your REDIRECT rule. - - /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL + + /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT(S) DEST -REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24 - +REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24
-
+ +
Squid (transparent) Running in the local network + You want to redirect all local www connection requests to a Squid transparent proxy running in your local zone at 192.168.1.3 and listening on port 3128. Your local interface is eth1. There may also be a web server running on 192.168.1.3. It is assumed that web access is already enabled from the local zone to the internet. + If you are running a Shorewall version earlier than 2.3.2 OR your - kernel and/or iptables do not have ROUTE target + kernel and/or iptables do not have ROUTE target support then: + On your firewall system, issue the following command - - echo 202 www.out >> /etc/iproute2/rt_tables - + + echo 202 www.out >> /etc/iproute2/rt_tables + Create /etc/shorewall/addroutes as follows: - - #!/bin/sh -if [ -z "`ip rule list | grep www.out`" ] ; then + #!/bin/sh + +if [ -z "`ip rule list | grep www.out`" ] ; then ip rule add fwmark 0xCA table www.out # Note 0xCA = 202 ip route add default via 192.168.1.3 dev eth1 table www.out ip route flush cache - echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects -fi - + echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects +fi + Make /etc/shorewall/addroutes executable via: - - chmod +x /etc/shorewall/addroutes - + + chmod +x /etc/shorewall/addroutes + In /etc/shorewall/init, put: - - run_and_save_command "/etc/shorewall/addroutes" - + + run_and_save_command "/etc/shorewall/addroutes" + If you are running Shorewall 2.3.2 or later: + Add this entry to your /etc/shorewall/providers file. + #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS Squid 1 202 - eth1 192.168.1.3 - + Regardless of your Shorewall version, you need the following: + In /etc/shorewall/start add: - - iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202 - + + iptables -t mangle -A PREROUTING -i eth1 -s ! 
192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202 + - In - - /etc/shorewall/interfaces - : + In /etc/shorewall/interfaces + : + #ZONE INTERFACE BROADCAST OPTIONS -loc eth1 detect routeback - +loc eth1 detect routeback + In /etc/shorewall/rules: + #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT loc loc tcp www - + + Alternatively, you can have the following policy in place of the above rule. - - /etc/shorewall/policy - + + /etc/shorewall/policy + #SOURCE DESTINATION POLICY loc loc ACCEPT + On 192.168.1.3, arrange for the following command to be executed after networking has come up - - iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128 - + + iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128 + If you are running RedHat on the server, you can simply execute the following commands after you have typed the iptables command above: - - iptables-save > /etc/sysconfig/iptables -chkconfig --level 35 iptables on - + + iptables-save > /etc/sysconfig/iptables + chkconfig --level 35 iptables on
-
+ +
Squid (transparent) Running in the DMZ + You have a single Linux system in your DMZ with IP address 192.0.2.177. You want to run both a web server and Squid on that system. Your DMZ interface is eth1 and your local interface is eth2. + If you are running a Shorewall version earlier than 2.3.2 OR your - kernel and/or iptables do not have ROUTE target + kernel and/or iptables do not have ROUTE target support then: + On your firewall system, issue the following command - - echo 202 www.out >> /etc/iproute2/rt_tables - + + echo 202 www.out >> /etc/iproute2/rt_tables + Create /etc/shorewall/addroutes as follows: - - #!/bin/sh -if [ -z "`ip rule list | grep www.out`" ] ; then + #!/bin/sh + +if [ -z "`ip rule list | grep www.out`" ] ; then ip rule add fwmark 0xCA table www.out # Note 0xCA = 202 ip route add default via 192.168.1.3 dev eth1 table www.out ip route flush cache - echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects + echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects fi + Make /etc/shorewall/addroutes executable via: - - chmod +x /etc/shorewall/addroutes - + + chmod +x /etc/shorewall/addroutes + In /etc/shorewall/init, put: - - run_and_save_command "/etc/shorewall/addroutes" - + + run_and_save_command "/etc/shorewall/addroutes" + If you are running Shorewall 2.3.2 or later: + Add this entry in /etc/shorewall/providers: +
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS Squid 1 202 - eth1 192.0.2.177 -
+ Regardless of your Shorewall version, you need the following: + - Do one of the + Do one of the following: - + + In /etc/shorewall/start add - - iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202 - + + iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202 + Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf and add the following entry in /etc/shorewall/tcrules: + #MARK SOURCE DESTINATION PROTOCOL PORT 202 eth2 0.0.0.0/0 tcp 80 + Add the following entry in /etc/shorewall/tcrules: + #MARK SOURCE DESTINATION PROTOCOL PORT 202:P eth2 0.0.0.0/0 tcp 80 + In /etc/shorewall/rules, you will need: + #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT loc dmz tcp 80 ACCEPT dmz net tcp 80 + On 192.0.2.177 (your Web/Squid server), arrange for the following command to be executed after networking has come up - - iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128 - + + iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128 + If you are running RedHat/Fedora on the server, you can simply execute the following commands after you have typed the iptables command above: - - iptables-save > /etc/sysconfig/iptables -chkconfig --level 35 iptables on - + + iptables-save > /etc/sysconfig/iptables +chkconfig --level 35 iptables on
-
+ +
Squid as a Manual Proxy + Assume that Squid is running in zone SZ and listening on port SP; all web sites that are to be accessed through Squid are in the net zone. Then for each zone Z that needs access to the Squid server. - - /etc/shorewall/rules: + + /etc/shorewall/rules: + #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT Z SZ tcp SP ACCEPT SZ net tcp 80,443 + Squid on the firewall listening on port 8080 with access from the <quote>loc</quote> zone: - - /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + + /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT loc fw tcp 8080 -ACCEPT fw net tcp 80,443 - +ACCEPT fw net tcp 80,443
-
+
\ No newline at end of file
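Review bot: the typos in the first hunk (@@ -1,78 +1,106 @@) survive the rewrap: "run as a transrent proxy" should read "transparent proxy", "Squid documenation" should be "documentation", and "siimply create them" should be "simply create them"; since those paragraphs are already being rewritten for the kxml cleanup, fixing them here avoids a second docs-only commit. In the same region the Squid ACL example is written as `ACL my_networks src 192.168.1.0/24 192.168.2.0/24`, but squid.conf directive names are lowercase, so a reader who pastes it gets an unrecognized-directive error; `acl my_networks src 192.168.1.0/24 192.168.2.0/24` is what the following `http_access allow my_networks` line expects.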
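Review bot: in the "Squid (transparent) Running in the DMZ" part of the second hunk (@@ -80,280 +108,320 @@), the /etc/shorewall/addroutes script is still a verbatim copy of the local-network one: it runs `ip route add default via 192.168.1.3 dev eth1 table www.out`, but this scenario puts the Squid host at 192.0.2.177 on eth1, as the providers entry a few lines later (`Squid 1 202 - eth1 192.0.2.177`) correctly states. With 192.168.1.3 as next hop on the DMZ link, marked port-80 traffic is routed to an address that is not on that segment and simply fails, so the pre-2.3.2 instructions and the 2.3.2+ instructions describe different behaviour. Change the gateway in that line to 192.0.2.177. Minor: the RedHat `iptables-save` block in the local-network section now indents `chkconfig --level 35 iptables on` under the preceding command while the DMZ copy leaves it flush left; use one form in both listings.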