Using Shorewall with Squid Tom Eastep 2003-10-17 2003 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This page covers Shorewall configuration to use with Squid running as a Transparent Proxy or as a Manual Proxy. If you are running Shorewall 1.3, please see this documentation.
Squid as a Transparent Proxy Please observe the following general requirements: In all cases, Squid should be configured to run as a transparent proxy as described at http://tldp.org/HOWTO/mini/TransparentProxy.html. The following instructions mention the files /etc/shorewall/start and /etc/shorewall/init -- if you don't have those files, siimply create them. When the Squid server is in the DMZ zone or in the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts file entries. That is because the packets being routed to the Squid server still have their original destination IP addresses. You must have iptables installed on your Squid server. If you run a Shorewall version earlier than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf file NAT_ENABLED=Yes MANGLE_ENABLED=Yes
Configurations Three different configurations are covered:
Squid (transparent) Running on the Firewall You want to redirect all local www connection requests EXCEPT those to your own http server (206.124.146.177) to a Squid transparent proxy running on the firewall and listening on port 3128. Squid will of course require access to remote web servers. In /etc/shorewall/rules: /etc/shorewall/rules ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST REDIRECT loc 3128 tcp www - !206.124.146.177 ACCEPT fw net tcp www
There may be a requirement to exclude additional destination hosts or networks from being redirected. For example, you might also want requests destined for 130.252.100.0/24 to not be routed to Squid. If you are running Shorewall version 1.4.5 or later, you may just add the additional hosts/networks to the ORIGINAL DEST column in your REDIRECT rule: /etc/shorewall/rules ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24
If you are running a Shorewall version earlier than 1.4.5, you must add a manual rule in /etc/shorewall/start: run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN To exclude additional hosts or networks, just add additional similar rules.
Squid (transparent) Running in the local network You want to redirect all local www connection requests to a Squid transparent proxy running in your local zone at 192.168.1.3 and listening on port 3128. Your local interface is eth1. There may also be a web server running on 192.168.1.3. It is assumed that web access is already enabled from the local zone to the internet.. * On your firewall system, issue the following command echo 202 www.out >> /etc/iproute2/rt_tables In /etc/shorewall/init, put: if [ -z "`ip rule list | grep www.out`" ] ; then ip rule add fwmark 202 table www.out ip route add default via 192.168.1.3 dev eth1 table www.out ip route flush cache echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects fi If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please upgrade to Shorewall 1.4.2 or later. If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces: /etc/shorewall/interfaces ZONE INTERFACE BROADCAST OPTIONS loc eth1 detect routeback
In /etc/shorewall/rules: /etc/shorewall/rules ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST ACCEPT loc loc tcp www
Alternativfely, if you are running Shorewall 1.4.0 you can have the following policy in place of the above rule: /etc/shorewall/policy SOURCE DESTINATION POLICY LOG LEVEL BURST PARAMETERS loc loc ACCEPT
In /etc/shorewall/start add: iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202 On 192.168.1.3, arrange for the following command to be executed after networking has come up iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128 If you are running RedHat on the server, you can simply execute the following commands after you have typed the iptables command above: iptables-save > /etc/sysconfig/iptables chkconfig --level 35 iptables on
Squid (transparent) Running in the DMZ (This is what I do) You have a single Linux system in your DMZ with IP address 192.0.2.177. You want to run both a web server and Squid on that system. Your DMZ interface is eth1 and your local interface is eth2. On your firewall system, issue the following command echo 202 www.out >> /etc/iproute2/rt_tables In /etc/shorewall/init, put: if [ -z "`ip rule list | grep www.out`" ] ; then ip rule add fwmark 202 table www.out ip route add default via 192.0.2.177 dev eth1 table www.out ip route flush cache fi Do one of the following: In /etc/shorewall/start add iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202 Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf and add the following entry in /etc/shorewall/tcrules: /etc/shorewall/tcrules MARK SOURCE DESTINATION PROTOCOL PORT CLIENT PORT 202 eth2 0.0.0.0/0 tcp 80 -
Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules: /etc/shorewall/tcrules MARK SOURCE DESTINATION PROTOCOL PORT CLIENT PORT 202:P eth2 0.0.0.0/0 tcp 80 -
In /etc/shorewall/rules, you will need: /etc/shorewall/rules ACTION SOURCE DEST PROTO DEST PORT(S) CLIENT PORT(2) ORIGINAL DEST ACCEPT loc dmz tcp 80 ACCEPT dmz net tcp 80
On 192.0.2.177 (your Web/Squid server), arrange for the following command to be executed after networking has come up iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128 If you are running RedHat on the server, you can simply execute the following commands after you have typed the iptables command above: iptables-save > /etc/sysconfig/iptables chkconfig --level 35 iptables on
Squid as a Manual Proxy Assume that Squid is running in zone SZ and listening on port SP; all web sites that are to be accessed through Squid are in the net zone. Then for each zone Z that needs access to the Squid server: /etc/shorewall/rules ACTION SOURCE DEST PROTO DEST PORT(S) CLIENT PORT(2) ORIGINAL DEST ACCEPT Z SZ tcp SP ACCEPT SZ net tcp 80
Squid on the firewall listening on port 8080 with access from the <quote>loc</quote> zone: /etc/shorewall/rulesACTIONSOURCEDESTPROTODEST PORT(S)CLIENT PORT(2)ORIGINAL DESTACCEPTloc$FWtcp8080ACCEPT$FWnettcp80