diff --git a/Shorewall-docs2/Shorewall_Squid_Usage.xml b/Shorewall-docs2/Shorewall_Squid_Usage.xml index a97f9abf6..43efd192b 100644 --- a/Shorewall-docs2/Shorewall_Squid_Usage.xml +++ b/Shorewall-docs2/Shorewall_Squid_Usage.xml @@ -1,106 +1,78 @@ - - -
- - - + + +
+ Using Shorewall with Squid - Tom - Eastep - 2005-05-19 - 2003-2005 - Thomas M. Eastep - Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation - License. + + GNU Free Documentation + License + . - - This page covers Shorewall configuration to use with Squid running as a Transparent + This page covers Shorewall configuration to use with Squid running as a Transparent Proxy or as a Manual Proxy. - This documentation assumes that you are running Shorewall 2.0.0 or later. -
Squid as a Transparent Proxy - This section gives instructions for transparent proxying of HTTP. - HTTPS (normally TCP port 443) cannot be + HTTPS (normally TCP port 443) cannot be proxied transparently (stop and think about it for a minute; if HTTPS could be transparently proxied, then how secure would it be?). - Please observe the following general requirements: - In all cases, Squid should be configured to run as a transrent - proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy.html. + proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy.html. - Depending on your distribution, other Squid configuration changes may be required. These changes typically consist of: - Adding an ACL that represents the clients on your local network. - Example: - ACL my_networks src 192.168.1.0/24 192.168.2.0/24 - Allowing HTTP access to that ACL. - Example: - http_access allow my_networks - - See your distribution's Squid documenation and http://www.squid-cache.org/ + See your distribution's Squid documenation and http://www.squid-cache.org/ for details. - - It is a good idea to get Squid working as a manual proxy first before you try + It is a good idea to get Squid working as a manual proxy first before you try transparent proxying. - The following instructions mention the files /etc/shorewall/start and /etc/shorewall/init -- if you don't have those files, siimply create them. - When the Squid server is in the DMZ zone or in the local zone, that zone must be defined ONLY by its interface -- no @@ -108,319 +80,280 @@ routed to the Squid server still have their original destination IP addresses. - You must have iptables installed on your Squid server. - In the instructions below, only TCP Port 80 is opened from the system running Squid to the internet. If your users require browsing sites that use a port other than 80 (e.g., - http://www.domain.tld:8080) then you + http://www.domain.tld:8080) then you must open those ports as well.
-
Configurations - Three different configurations are covered: - Squid (transparent) Running on the Firewall - Squid (transparent) Running in the local Network - Squid (transparent) Running in a DMZ - -
+
Squid (transparent) Running on the Firewall - You want to redirect all local www connection requests EXCEPT those to your own http server (206.124.146.177) to a Squid transparent proxy running on the firewall and listening on port 3128. Squid will of course require access to remote web servers. - In /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT(S) DEST REDIRECT loc 3128 tcp www - !206.124.146.177 ACCEPT fw net tcp www - There may be a requirement to exclude additional destination hosts or networks from being redirected. For example, you might also want requests destined for 130.252.100.0/24 to not be routed to Squid. - If needed, you may just add the additional hosts/networks to the ORIGINAL DEST column in your REDIRECT rule. - - /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL + + /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT(S) DEST -REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24 +REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24 +
- -
+
Squid (transparent) Running in the local network - You want to redirect all local www connection requests to a Squid transparent proxy running in your local zone at 192.168.1.3 and listening on port 3128. Your local interface is eth1. There may also be a web server running on 192.168.1.3. It is assumed that web access is already enabled from the local zone to the internet. - If you are running a Shorewall version earlier than 2.3.2 OR your - kernel and/or iptables do not have ROUTE target + kernel and/or iptables do not have ROUTE target support then: - On your firewall system, issue the following command - - echo 202 www.out >> /etc/iproute2/rt_tables + + echo 202 www.out >> /etc/iproute2/rt_tables + - Create /etc/shorewall/addroutes as follows: + + #!/bin/sh - #!/bin/sh - -if [ -z "`ip rule list | grep www.out`" ] ; then +if [ -z "`ip rule list | grep www.out`" ] ; then ip rule add fwmark 0xCA table www.out # Note 0xCA = 202 ip route add default via 192.168.1.3 dev eth1 table www.out ip route flush cache - echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects -fi + echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects +fi + - Make /etc/shorewall/addroutes executable via: - - chmod +x /etc/shorewall/addroutes + + chmod +x /etc/shorewall/addroutes + - In /etc/shorewall/init, put: - - run_and_save_command "/etc/shorewall/addroutes" + + run_and_save_command "/etc/shorewall/addroutes" + - If you are running Shorewall 2.3.2 or later: - Add this entry to your /etc/shorewall/providers file. - #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS Squid 1 202 - eth1 192.168.1.3 - - Regardless of your Shorewall version, you need the following: - In /etc/shorewall/start add: - - iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202 + + iptables -t mangle -A PREROUTING -i eth1 -s ! 
192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202 + - In - /etc/shorewall/interfaces: - + + /etc/shorewall/interfaces + : #ZONE INTERFACE BROADCAST OPTIONS -loc eth1 detect routeback +loc eth1 detect routeback + - In /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT loc loc tcp www - - + - Alternativfely, you can have the following policy in place + Alternatively, you can have the following policy in place of the above rule. - - /etc/shorewall/policy - + + /etc/shorewall/policy + #SOURCE DESTINATION POLICY loc loc ACCEPT - On 192.168.1.3, arrange for the following command to be executed after networking has come up - - iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128 - + + iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128 + If you are running RedHat on the server, you can simply execute the following commands after you have typed the iptables command above: - - iptables-save > /etc/sysconfig/iptables -chkconfig --level 35 iptables on + + iptables-save > /etc/sysconfig/iptables +chkconfig --level 35 iptables on +
- -
+
Squid (transparent) Running in the DMZ - You have a single Linux system in your DMZ with IP address 192.0.2.177. You want to run both a web server and Squid on that system. Your DMZ interface is eth1 and your local interface is eth2. - If you are running a Shorewall version earlier than 2.3.2 OR your - kernel and/or iptables do not have ROUTE target + kernel and/or iptables do not have ROUTE target support then: - On your firewall system, issue the following command - - echo 202 www.out >> /etc/iproute2/rt_tables + + echo 202 www.out >> /etc/iproute2/rt_tables + - Create /etc/shorewall/addroutes as follows: + + #!/bin/sh - #!/bin/sh - -if [ -z "`ip rule list | grep www.out`" ] ; then +if [ -z "`ip rule list | grep www.out`" ] ; then ip rule add fwmark 0xCA table www.out # Note 0xCA = 202 ip route add default via 192.168.1.3 dev eth1 table www.out ip route flush cache - echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects -fi + echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects +fi + - Make /etc/shorewall/addroutes executable via: - - chmod +x /etc/shorewall/addroutes + + chmod +x /etc/shorewall/addroutes + - In /etc/shorewall/init, put: - - run_and_save_command "/etc/shorewall/addroutes" + + run_and_save_command "/etc/shorewall/addroutes" + - If you are running Shorewall 2.3.2 or later: - Add this entry in /etc/shorewall/providers: -
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS Squid 1 202 - eth1 192.0.2.177 -
- Regardless of your Shorewall version, you need the following: - - Do one of the + Do one of the following: - - + In /etc/shorewall/start add - - iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202 + + iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202 + - Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf and add the following entry in /etc/shorewall/tcrules: - #MARK SOURCE DESTINATION PROTOCOL PORT 202 eth2 0.0.0.0/0 tcp 80 - Add the following entry in /etc/shorewall/tcrules: - #MARK SOURCE DESTINATION PROTOCOL PORT 202:P eth2 0.0.0.0/0 tcp 80 - In /etc/shorewall/rules, you will need: - #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT loc dmz tcp 80 ACCEPT dmz net tcp 80 - On 192.0.2.177 (your Web/Squid server), arrange for the following command to be executed after networking has come up - - iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128 - + + iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128 + If you are running RedHat/Fedora on the server, you can simply execute the following commands after you have typed the iptables command above: - - iptables-save > /etc/sysconfig/iptables -chkconfig --level 35 iptables on + + iptables-save > /etc/sysconfig/iptables +chkconfig --level 35 iptables on +
- -
+
Squid as a Manual Proxy - Assume that Squid is running in zone SZ and listening on port SP; all web sites that are to be accessed through Squid are in the net zone. Then for each zone Z that needs access to the Squid server. - - /etc/shorewall/rules: - + + /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT Z SZ tcp SP ACCEPT SZ net tcp 80,443 - Squid on the firewall listening on port 8080 with access from the <quote>loc</quote> zone: - - /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) + + /etc/shorewall/rules: + #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT loc fw tcp 8080 -ACCEPT fw net tcp 80,443 +ACCEPT fw net tcp 80,443 +
-
\ No newline at end of file +
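Review bot: In the first hunk (@@ -1,106 +1,78 @@) the HTTPS note should spell out the operational consequence rather than leave it as a rhetorical question: every REDIRECT and MARK rule on this page matches only `tcp` port 80 (`REDIRECT loc 3128 tcp www`, `--dport 80`), so port 443 traffic is never sent to Squid and reaches the net zone directly under whatever loc->net policy is in place, which means any filtering or logging done in Squid does not apply to it. A one-line statement of that, next to "HTTPS (normally TCP port 443) cannot be proxied transparently", would save readers from assuming the proxy sees all web traffic. The same hunk rewrites the surrounding lines but carries three typos through unchanged: "transrent" in "configured to run as a transrent proxy" (the `+ proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy.html.` line is already being touched), "siimply create them", and "Squid documenation" on the `+ See your distribution's Squid documenation and http://www.squid-cache.org/` line; fix them here since the lines are being rewritten anyway.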
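Review bot: In the second hunk (@@ -108,319 +80,280 @@) the DMZ section's `/etc/shorewall/addroutes` script is a copy of the local-network one and still routes via the wrong host: `ip route add default via 192.168.1.3 dev eth1 table www.out` points at the loc-zone Squid box from the previous section, while this section's Squid/web host is 192.0.2.177, as both the providers entry `Squid 1 202 - eth1 192.0.2.177` and the server-side rule `-d ! 192.0.2.177` use. Change it to `via 192.0.2.177` (the MARK, providers and fallback script must all agree or port-80 traffic from loc is marked and then sent to a gateway that does not exist on the DMZ segment). Two smaller points in the same hunk: the negation form `-s ! 192.168.1.3` / `-d ! 192.0.2.177` is the old intrapositioned syntax that recent iptables releases accept only with a deprecation warning, so `! -s 192.168.1.3` and `! -d 192.0.2.177` would be the safer spelling; and the manual-proxy sentence "Then for each zone Z that needs access to the Squid server." has no main clause, so it should read something like "Then for each zone Z that needs access to the Squid server, add the following to /etc/shorewall/rules:". It is also worth a sentence next to the `loc loc ACCEPT` policy alternative that it permits all routed-back intra-loc traffic through the firewall, not just the port-80 rule it replaces.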