diff --git a/Shorewall-docs/Shorewall_Squid_Usage.xml b/Shorewall-docs/Shorewall_Squid_Usage.xml new file mode 100644 index 000000000..9813458f3 --- /dev/null +++ b/Shorewall-docs/Shorewall_Squid_Usage.xml @@ -0,0 +1,681 @@ + + +
+ + Using Shorewall with Squid + + + + Tom + + Eastep + + + + 2003-10-17 + + + 2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + + + + + + + This page covers Shorewall configuration to use with Squid running as + a Transparent Proxy or as a Manual Proxy. + + If you are running Shorewall 1.3, please see this documentation. + +
+ Squid as a Transparent Proxy + + + Please observe the following general requirements: + + + + In all cases, Squid should be configured to run as a + transparent proxy as described at + http://tldp.org/HOWTO/mini/TransparentProxy.html. + + + + The following instructions mention the files + /etc/shorewall/start and /etc/shorewall/init -- if you don't + have those files, siimply create them. + + + + When the Squid server is in the DMZ zone or in the local zone, + that zone must be defined ONLY by its interface -- no + /etc/shorewall/hosts file entries. That is because the packets being + routed to the Squid server still have their original destination IP + addresses. + + + + You must have iptables installed on your Squid server. + + + + If you run a Shorewall version earlier than 1.4.6, you must + have NAT and MANGLE enabled in your /etc/shorewall/conf file + + NAT_ENABLED=Yes +MANGLE_ENABLED=Yes + + + +
+ +
+ Configurations + + Three different configurations are covered: + + + + + + + + + +
+ Squid (transparent) Running on the Firewall + + You want to redirect all local www connection requests EXCEPT + those to your own http server (206.124.146.177) to a Squid transparent + proxy running on the firewall and listening on port 3128. Squid will of + course require access to remote web servers. + + In /etc/shorewall/rules: + + + /etc/shorewall/rules + + + + + ACTION + + SOURCE + + DEST + + PROTO + + DEST PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + REDIRECT + + loc + + 3128 + + tcp + + www + + - + + !206.124.146.177 + + + + ACCEPT + + fw + + net + + tcp + + www + + + + + + + +
+ + There may be a requirement to exclude additional destination hosts + or networks from being redirected. For example, you might also want + requests destined for 130.252.100.0/24 to not be routed to Squid. + + If you are running Shorewall version 1.4.5 or later, you may just + add the additional hosts/networks to the ORIGINAL DEST column in your + REDIRECT rule: + + + /etc/shorewall/rules + + + + + ACTION + + SOURCE + + DEST + + PROTO + + DEST PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + REDIRECT + + loc + + 3128 + + tcp + + www + + - + + !206.124.146.177,130.252.100.0/24 + + + +
+ + If you are running a Shorewall version earlier than 1.4.5, you + must add a manual rule in /etc/shorewall/start: + + run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN + + To exclude additional hosts or networks, just add additional + similar rules. +
+ +
+ Squid (transparent) Running in the local network + + You want to redirect all local www connection requests to a Squid + transparent proxy running in your local zone at 192.168.1.3 and + listening on port 3128. Your local interface is eth1. There may also be + a web server running on 192.168.1.3. It is assumed that web access is + already enabled from the local zone to the internet.. + + + + * On your firewall system, issue the following command + + echo 202 www.out >> /etc/iproute2/rt_tables + + + + In /etc/shorewall/init, put: + + if [ -z "`ip rule list | grep www.out`" ] ; then + ip rule add fwmark 202 table www.out + ip route add default via 192.168.1.3 dev eth1 table www.out + ip route flush cache + echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects +fi + + + + + If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, + please upgrade to Shorewall 1.4.2 or later. + + + If you are running Shorewall 1.4.2 or later, then in + /etc/shorewall/interfaces: + + + /etc/shorewall/interfaces + + + + + ZONE + + INTERFACE + + BROADCAST + + OPTIONS + + + + + + loc + + eth1 + + detect + + routeback + + + +
+
+ + + In /etc/shorewall/rules: + + + /etc/shorewall/rules + + + + + ACTION + + SOURCE + + DEST + + PROTO + + DEST PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + ACCEPT + + loc + + loc + + tcp + + www + + + + + + + +
+ + + + Alternativfely, if you are running Shorewall 1.4.0 you can + have the following policy in place of the above rule: + + + /etc/shorewall/policy + + + + + SOURCE + + DESTINATION + + POLICY + + LOG LEVEL + + BURST PARAMETERS + + + + + + loc + + loc + + ACCEPT + + + + + + + +
+
+
+
+ + + In /etc/shorewall/start add: + + iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202 + + + + On 192.168.1.3, arrange for the following command to be + executed after networking has come up + + iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128 + + If you are running RedHat on the server, you can simply + execute the following commands after you have typed the iptables + command above: + + iptables-save > /etc/sysconfig/iptables +chkconfig --level 35 iptables on + +
+
+ +
+ Squid (transparent) Running in the DMZ (This is what I do) + + You have a single Linux system in your DMZ with IP address + 192.0.2.177. You want to run both a web server and Squid on that system. + Your DMZ interface is eth1 and your local interface is eth2. + + + + On your firewall system, issue the following command + + echo 202 www.out >> /etc/iproute2/rt_tables + + + + In /etc/shorewall/init, put: + + if [ -z "`ip rule list | grep www.out`" ] ; then + ip rule add fwmark 202 table www.out + ip route add default via 192.0.2.177 dev eth1 table www.out + ip route flush cache +fi + + + + Do one of the following: + + + + In /etc/shorewall/start add + + iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202 + + + + Set MARK_IN_FORWARD_CHAIN=No in + /etc/shorewall/shorewall.conf and add the following entry in + /etc/shorewall/tcrules: + + + /etc/shorewall/tcrules + + + + + MARK + + SOURCE + + DESTINATION + + PROTOCOL + + PORT + + CLIENT PORT + + + + + + 202 + + eth2 + + 0.0.0.0/0 + + tcp + + 80 + + - + + + +
+
+ + + Run Shorewall 1.3.14 or later and add the following entry + in /etc/shorewall/tcrules: + + + /etc/shorewall/tcrules + + + + + MARK + + SOURCE + + DESTINATION + + PROTOCOL + + PORT + + CLIENT PORT + + + + + + 202:P + + eth2 + + 0.0.0.0/0 + + tcp + + 80 + + - + + + +
+
+
+
+ + + In /etc/shorewall/rules, you will need: + + + /etc/shorewall/rules + + + + + ACTION + + SOURCE + + DEST + + PROTO + + DEST PORT(S) + + CLIENT PORT(2) + + ORIGINAL DEST + + + + + + ACCEPT + + loc + + dmz + + tcp + + 80 + + + + + + + + ACCEPT + + dmz + + net + + tcp + + 80 + + + + + + + +
+
+ + + On 192.0.2.177 (your Web/Squid server), arrange for the + following command to be executed after networking has come up + + iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128 + + If you are running RedHat on the server, you can simply + execute the following commands after you have typed the iptables + command above: + + iptables-save > /etc/sysconfig/iptables +chkconfig --level 35 iptables on + +
+
+
+ +
+ Squid as a Manual Proxy + + Assume that Squid is running in zone SZ and listening on port SP; + all web sites that are to be accessed through Squid are in the + 'net' zone. Then for each zone Z that needs access to the Squid + server: + + + /etc/shorewall/rules + + + + + ACTION + + SOURCE + + DEST + + PROTO + + DEST PORT(S) + + CLIENT PORT(2) + + ORIGINAL DEST + + + + + + ACCEPT + + Z + + SZ + + tcp + + SP + + + + + + + + ACCEPT + + SZ + + net + + tcp + + 80 + + + + + + + +
+ + + Squid on the firewall listening on port 8080 with access from the + 'loc' zone: + + /etc/shorewall/rulesACTIONSOURCEDESTPROTODEST PORT(S)CLIENT PORT(2)ORIGINAL DESTACCEPTloc$FWtcp8080ACCEPT$FWnettcp80
+
+
+
\ No newline at end of file
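Review bot: the rules-table column headers are inconsistent across the file and carry a typo: the "Running in the DMZ" rules table, the "Squid as a Manual Proxy" table and the final port-8080 example all use `CLIENT PORT(2)` where the first three tables use `SOURCE PORT(S)`; please use a single header (`SOURCE PORT(S)`) throughout. Two related consistency points: the first rules table names the firewall zone `fw` while the final example writes `$FW`, and the first section uses `run_iptables` for the manual exclusion rule in /etc/shorewall/start while the local-network and DMZ sections put bare `iptables -t mangle ...` commands in the same file. Spelling: "siimply" -> "simply", "Alternativfely" -> "Alternatively", and the doubled full stop in "to the internet..". One logic point that deserves a sentence in the Manual Proxy section: the `ACCEPT SZ net tcp 80` rule only lets Squid reach port 80 on the net, so any site served on another port (HTTPS via CONNECT on 443, for instance) will be refused by the firewall unless that port is added to the DEST PORT(S) column; stating this, or listing the additional ports, would save readers a debugging round.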