forked from extern/shorewall_code
Update the Squid document for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
491d55b04a
commit
e60c230140
@ -163,8 +163,7 @@ httpd_accel_uses_host_header on</programlisting>
|
|||||||
|
|
||||||
<para>In <filename>/etc/shorewall/rules</filename>:</para>
|
<para>In <filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) DEST
|
|
||||||
ACCEPT $FW net tcp www
|
ACCEPT $FW net tcp www
|
||||||
REDIRECT loc 3128 tcp www - !206.124.146.177
|
REDIRECT loc 3128 tcp www - !206.124.146.177
|
||||||
</programlisting>
|
</programlisting>
|
||||||
@ -177,8 +176,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
|
|||||||
<para>If needed, you may just add the additional hosts/networks to the
|
<para>If needed, you may just add the additional hosts/networks to the
|
||||||
ORIGINAL DEST column in your REDIRECT rule.</para>
|
ORIGINAL DEST column in your REDIRECT rule.</para>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) DEST
|
|
||||||
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
|
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
|
||||||
|
|
||||||
<para>People frequently ask <emphasis>How can I exclude certain
|
<para>People frequently ask <emphasis>How can I exclude certain
|
||||||
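Review bot: the unchanged context lines `ORIGINAL DEST column in your REDIRECT rule.` still refer to the column by its pre-5.0 name, while this hunk renames that header to ORIGDEST; update the sentence to "ORIGDEST column" (optionally noting the old ORIGINAL DEST name) so the prose and the listing agree.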
@ -188,8 +186,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
|
|||||||
<para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
|
<para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
|
||||||
from the proxy. Your rules would then be:</para>
|
from the proxy. Your rules would then be:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) DEST
|
|
||||||
ACCEPT $FW net tcp www
|
ACCEPT $FW net tcp www
|
||||||
REDIRECT loc:!192.168.1.5,192.168.1.33\
|
REDIRECT loc:!192.168.1.5,192.168.1.33\
|
||||||
3128 tcp www - !206.124.146.177,130.252.100.0/24
|
3128 tcp www - !206.124.146.177,130.252.100.0/24
|
||||||
@ -215,8 +212,7 @@ gateway:/etc/shorewall# </programlisting>
|
|||||||
role="bold">(squid)</emphasis> is running under the <emphasis
|
role="bold">(squid)</emphasis> is running under the <emphasis
|
||||||
role="bold">proxy</emphasis> user Id. We add these rules:</para>
|
role="bold">proxy</emphasis> user Id. We add these rules:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||||
# PORT(S) DEST LIMIT GROUP
|
|
||||||
ACCEPT $FW net tcp www
|
ACCEPT $FW net tcp www
|
||||||
REDIRECT $FW 3128 tcp www - - - <emphasis
|
REDIRECT $FW 3128 tcp www - - - <emphasis
|
||||||
role="bold"> !proxy</emphasis></programlisting>
|
role="bold"> !proxy</emphasis></programlisting>
|
||||||
@ -242,18 +238,16 @@ Squid 1 202 - eth1 192.168.1.3 loose,no
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>In <filename>/etc/shorewall/mangle</filename> add:</para>
|
<para>In <filename>/etc/shorewall/mangle</filename> add:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S)
|
|
||||||
MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
||||||
|
|
||||||
<para>If you are still using a tcrules file, you should consider
|
<para>If you are still using a tcrules file, you should consider
|
||||||
switching to using a mangle file (<command>shorewall update
|
switching to using a mangle file (<command>shorewall update
|
||||||
-t</command> (<command>shorewall update</command> on
|
-t</command> (<command>shorewall update</command> on Shorewall 5.0
|
||||||
Shorewall 5.0 and later) will do that for you). Corresponding
|
and later) will do that for you). Corresponding
|
||||||
/etc/shorewall/tcrules entries are:</para>
|
/etc/shorewall/tcrules entries are:</para>
|
||||||
|
|
||||||
<programlisting>#MARK SOURCE DEST PROTO DEST
|
<programlisting>#MARK SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
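Review bot: the new mangle header `#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST` adds SPORT and ORIGDEST columns that the only rule in this listing, `MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80`, does not use, and the second mangle listing in this same commit stops at `DPORT`; either header is valid, but the two listings should use the same form. The rewrap of the `shorewall update -t` sentence changes wording order only and reads fine.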
@ -261,8 +255,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
|||||||
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
||||||
</filename>:</para>
|
</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE OPTIONS
|
||||||
loc eth1 detect <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
|
loc eth1 <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
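Review bot: the context lines `<para>In <filename> <filename>/etc/shorewall/interfaces</filename>` and `</filename>:</para>` nest one filename element inside another, which is a markup mistake; since this paragraph's listing is already being edited, collapse it to a single `<filename>/etc/shorewall/interfaces</filename>`. Dropping the BROADCAST column and the `detect` value is consistent with the new three-column header.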
@ -294,8 +288,7 @@ loc eth1 detect <emphasis role="bold">routeback,routefilter=0,
|
|||||||
|
|
||||||
<para>In <filename>/etc/shorewall/rules</filename>:</para>
|
<para>In <filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT(S) DEST
|
|
||||||
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting>
|
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -316,8 +309,7 @@ Squid 1 202 - eth2 192.0.2.177 loose,no
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>In <filename>/etc/shorewall/mangle</filename> add:</para>
|
<para>In <filename>/etc/shorewall/mangle</filename> add:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
|
MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||||
|
|
||||||
<para>Corresponding /etc/shorewall/tcrules entries are:</para>
|
<para>Corresponding /etc/shorewall/tcrules entries are:</para>
|
||||||
@ -331,8 +323,8 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
|
|||||||
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
||||||
</filename>:</para>
|
</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE OPTIONS
|
||||||
loc eth2 detect <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
|
loc eth2 <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
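Review bot: same nested element as in the earlier interfaces paragraph, `<para>In <filename> <filename>/etc/shorewall/interfaces</filename>` followed by `</filename>:</para>`; reduce it to one `<filename>` element while this listing is being touched. The `loc eth2` line correctly loses `detect` along with the BROADCAST column.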
@ -363,7 +355,7 @@ loc eth2 detect <emphasis role="bold">routefilter=0,logmartian
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT Z SZ tcp SP
|
ACCEPT Z SZ tcp SP
|
||||||
ACCEPT SZ net tcp 80,443</programlisting>
|
ACCEPT SZ net tcp 80,443</programlisting>
|
||||||
|
|
||||||
@ -371,7 +363,7 @@ ACCEPT SZ net tcp 80,443</programlisting>
|
|||||||
<title>Squid on the firewall listening on port 8080 with access from the
|
<title>Squid on the firewall listening on port 8080 with access from the
|
||||||
<quote>loc</quote> zone:</title>
|
<quote>loc</quote> zone:</title>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT loc $FW tcp 8080
|
ACCEPT loc $FW tcp 8080
|
||||||
ACCEPT $FW net tcp 80,443</programlisting></para>
|
ACCEPT $FW net tcp 80,443</programlisting></para>
|
||||||
</example>
|
</example>
|
||||||
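Review bot: on the context line `<para><filename>/etc/shorewall/rules:</filename> <programlisting>` the trailing colon sits inside the filename element; move it outside (`<filename>/etc/shorewall/rules</filename>:`) to match the other paragraphs in this file. The header change to `DPORT` is consistent with the rest of the commit.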
@ -406,8 +398,8 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/interfaces:</filename></para>
|
<para><filename>/etc/shorewall/interfaces:</filename></para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE OPTIONS
|
||||||
- lo - -</programlisting>
|
- lo -</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/providers</filename>:</para>
|
<para><filename>/etc/shorewall/providers</filename>:</para>
|
||||||
|
|
||||||
@ -422,17 +414,13 @@ Tproxy 1 - - lo - tproxy</programli
|
|||||||
<para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
|
<para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
|
||||||
eth1 and net interface is eth0):</para>
|
eth1 and net interface is eth0):</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||||
# PORT(S) PORT(S)
|
|
||||||
DIVERT eth0 0.0.0.0/0 tcp - 80
|
DIVERT eth0 0.0.0.0/0 tcp - 80
|
||||||
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||||
|
|
||||||
<para>Corresponding <filename>/etc/shorewall/tcrules</filename>
|
<para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>
|
||||||
are:</para>
|
|
||||||
|
|
||||||
<programlisting><emphasis role="bold">FORMAT 2</emphasis>
|
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
|
||||||
#MARK SOURCE DEST PROTO DEST SOURCE
|
|
||||||
# PORT(S) PORT(S)
|
|
||||||
DIVERT eth0 0.0.0.0/0 tcp - 80
|
DIVERT eth0 0.0.0.0/0 tcp - 80
|
||||||
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||||
|
|
||||||
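Review bot: the paragraph is changed from `Corresponding <filename>/etc/shorewall/tcrules</filename>` to `Corresponding <filename>/etc/shorewall/mangle</filename> are:`, but the paragraph immediately above this hunk already introduces the mangle file, and the listing that follows keeps the tcrules-style `#MARK SOURCE DEST PROTO DPORT SPORT` header rather than the `#ACTION` header used by the mangle listing above it. Either keep the filename as tcrules (and consider whether removing the `FORMAT 2` line still describes a valid tcrules file) or, if the listing is meant to be the mangle form, change `#MARK` to `#ACTION` and drop the now duplicated listing. Also "mangle are:" reads oddly; "mangle entries are:" matches the wording used elsewhere in the document.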
@ -445,16 +433,14 @@ TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
|||||||
on port 80, then you need to exclude it from TPROXY. Suppose that your
|
on port 80, then you need to exclude it from TPROXY. Suppose that your
|
||||||
web server listens on 192.0.2.144; then:</para>
|
web server listens on 192.0.2.144; then:</para>
|
||||||
|
|
||||||
<programlisting><emphasis role="bold">FORMAT 2</emphasis>
|
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
|
||||||
#MARK SOURCE DEST PROTO DEST SOURCE
|
|
||||||
# PORT(S) PORT(S)
|
|
||||||
DIVERT eth0 0.0.0.0/0 tcp - 80
|
DIVERT eth0 0.0.0.0/0 tcp - 80
|
||||||
TPROXY(3129) eth1 !192.0.2.144 tcp 80 -</programlisting>
|
TPROXY(3129) eth1 !192.0.2.144 tcp 80 -</programlisting>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<para>/etc/shorewall/rules:</para>
|
<para>/etc/shorewall/rules:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
ACCEPT loc $FW tcp 80
|
ACCEPT loc $FW tcp 80
|
||||||
ACCEPT $FW net tcp 80</programlisting>
|
ACCEPT $FW net tcp 80</programlisting>
|
||||||
|
|
||||||
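Review bot: as in the previous hunk, the `FORMAT 2` line is removed but the listing keeps the tcrules `#MARK SOURCE DEST PROTO DPORT SPORT` header, so it is unclear whether this is still a tcrules example or is now meant to be a mangle example; make it consistent with the decision taken for the listing above. Minor: `TPROXY(3129) eth1 !192.0.2.144 tcp 80 -` carries an explicit `-` in SPORT while the otherwise identical line in the previous listing omits it.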