<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_Squid_Usage">
  <!--$Id$-->
  <articleinfo>
    <title>Using Shorewall with Squid</title>
    <authorgroup>
      <author>
        <firstname>Tom</firstname>
        <surname>Eastep</surname>
      </author>
    </authorgroup>
    <pubdate>2004-04-19</pubdate>
    <copyright>
      <year>2003-2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
      A copy of the license is included in the section entitled <quote><ulink
      url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <para>This page covers Shorewall configuration to use with <ulink
  url="http://www.squid-cache.org">Squid</ulink> running as a Transparent
  Proxy or as a Manual Proxy.</para>

  <para>If you are running Shorewall 1.3, please see <ulink
  url="1.3/Shorewall_Squid_Usage.html">this documentation</ulink>.</para>

  <section>
    <title>Squid as a Transparent Proxy</title>

    <caution>
      <para>Please observe the following general requirements:</para>

      <itemizedlist>
        <listitem>
          <para>In all cases, Squid should be configured to run as a
          transparent proxy as described at <ulink
          url="http://tldp.org/HOWTO/mini/TransparentProxy.html">http://tldp.org/HOWTO/mini/TransparentProxy.html</ulink>.</para>
        </listitem>

        <listitem>
          <para>The following instructions mention the files
          /etc/shorewall/start and /etc/shorewall/init; if you don't have those
          files, simply create them.</para>
        </listitem>

        <listitem>
          <para>When the Squid server is in the DMZ zone or in the local zone,
          that zone must be defined ONLY by its interface, with no
          /etc/shorewall/hosts file
entries. That is because the packets being routed to the Squid server still
          have their original destination IP addresses, so a zone defined by
          host addresses would not match them.</para>
        </listitem>

        <listitem>
          <para>You must have iptables installed on your Squid server.</para>
        </listitem>

        <listitem>
          <para>If you run a Shorewall version earlier than 1.4.6, you must
          have NAT and MANGLE enabled in your /etc/shorewall/shorewall.conf
          file:</para>

          <programlisting>NAT_ENABLED=Yes
MANGLE_ENABLED=Yes</programlisting>
        </listitem>
      </itemizedlist>
    </caution>
  </section>

  <section>
    <title>Configurations</title>

    <para>Three different configurations are covered:</para>

    <simplelist>
      <member>Squid (transparent) Running on the Firewall</member>

      <member>Squid (transparent) Running in the local Network</member>

      <member>Squid (transparent) Running in a DMZ</member>
    </simplelist>

    <section id="Firewall">
      <title>Squid (transparent) Running on the Firewall</title>

      <para>You want to redirect all local www connection requests EXCEPT
      those to your own http server (206.124.146.177) to a Squid transparent
      proxy running on the firewall and listening on port 3128. Squid will of
      course require access to remote web servers.</para>

      <para>In <filename>/etc/shorewall/rules</filename>:</para>

      <programlisting>#ACTION    SOURCE    DEST    PROTO    DEST       SOURCE     ORIGINAL
#                                     PORT(S)    PORT(S)    DEST
REDIRECT   loc       3128    tcp      www        -          !206.124.146.177
ACCEPT     fw        net     tcp      www</programlisting>

      <para>There may be a requirement to exclude additional destination hosts
      or networks from being redirected.
For example, you might also want requests destined for 130.252.100.0/24 to
      not be routed to Squid.</para>

      <para>If you are running Shorewall version 1.4.5 or later, you may just
      add the additional hosts/networks to the ORIGINAL DEST column in your
      REDIRECT rule.</para>

      <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION    SOURCE    DEST    PROTO    DEST       SOURCE     ORIGINAL
#                                     PORT(S)    PORT(S)    DEST
REDIRECT   loc       3128    tcp      www        -          !206.124.146.177,130.252.100.0/24</programlisting></para>

      <para>If you are running a Shorewall version earlier than 1.4.5, you
      must add a manual rule in /etc/shorewall/start:</para>

      <programlisting><command>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN</command></programlisting>

      <para>To exclude additional hosts or networks, just add additional
      similar rules.</para>
    </section>

    <section id="Local">
      <title>Squid (transparent) Running in the local network</title>

      <para>You want to redirect all local www connection requests to a Squid
      transparent proxy running in your local zone at 192.168.1.3 and
      listening on port 3128. Your local interface is eth1. There may also be
      a web server running on 192.168.1.3.
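</para>

      <para>The steps below, and the matching steps in the DMZ configuration,
      create the <quote>www.out</quote> routing table by appending to
      /etc/iproute2/rt_tables and then add the fwmark rule and default route
      from /etc/shorewall/init. The following shell script is an added example
      and is not part of the Shorewall documentation: it performs the same
      setup idempotently, so that re-running it on a firewall does not leave
      duplicate rt_tables lines or fail on an already-existing route. The
      function names add_rt_table, rt_table_count and proxy_route_commands are
      the example's own; table id 202, table name www.out, mark 0xCA, proxy
      192.168.1.3 and interface eth1 are the values used on this page.</para>

      <programlisting>
```sh
#!/bin/sh
# Added example (not from the Shorewall documentation): idempotent setup of the
# policy-routing table used to send marked www traffic to a transparent proxy.
# Values assumed from the page: table 202 "www.out", mark 0xCA, proxy
# 192.168.1.3 reachable on eth1. The rt_tables path can be overridden so the
# logic can be exercised on a host where you are not root.

# add_rt_table ID NAME [FILE]: append "ID NAME" to rt_tables unless a table
# called NAME is already defined. A plain "echo 202 www.out >> rt_tables"
# adds a duplicate line every time the setup script is run again.
add_rt_table() {
    id=$1
    name=$2
    file=${3:-/etc/iproute2/rt_tables}
    [ -f "$file" ] || touch "$file"
    # rt_tables lines are "ID NAME"; lines whose first field starts with '#'
    # are comments and must not count as definitions
    if awk -v n="$name" '$1 !~ /^#/ { if ($2 == n) found = 1 } END { exit !found }' "$file"; then
        return 0
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# rt_table_count FILE NAME: number of non-comment lines that define NAME
# (used to verify that repeated runs leave exactly one definition).
rt_table_count() {
    awk -v n="$2" '$1 !~ /^#/ { if ($2 == n) c++ } END { print c + 0 }' "$1"
}

# proxy_route_commands TABLE MARK PROXY IFACE: print the ip(8) commands that
# the page runs from /etc/shorewall/init. The fwmark rule is added only if
# "ip rule list" does not already show a lookup of TABLE, and "ip route
# replace" succeeds whether or not the default route already exists, where a
# second "ip route add" would fail with "File exists". Printing instead of
# executing lets the commands be reviewed before they are piped to a shell.
proxy_route_commands() {
    table=$1
    mark=$2
    proxy=$3
    iface=$4
    printf 'ip rule list | grep -q -F "lookup %s" || ip rule add fwmark %s table %s\n' "$table" "$mark" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' "$proxy" "$iface" "$table"
    printf 'ip route flush cache\n'
}
```
      </programlisting>

      <para>Source the script and run <command>add_rt_table 202
      www.out</command> followed by <command>proxy_route_commands www.out 0xCA
      192.168.1.3 eth1 | sh</command> from /etc/shorewall/init. Because the
      ip commands are generated rather than executed directly, the same script
      can be run on a workstation to check what will be applied, and the
      rt_tables handling can be tested against a scratch file.</para>

      <para>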
It is assumed that web access is already enabled from the local zone to the
      internet.</para>

      <orderedlist>
        <listitem>
          <para>On your firewall system, issue the following command:</para>

          <programlisting><command>echo 202 www.out >> /etc/iproute2/rt_tables</command></programlisting>
        </listitem>

        <listitem>
          <para>In /etc/shorewall/init, put:</para>

          <programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
    ip rule add fwmark 0xCA table www.out   # 0xCA = 202 decimal
    ip route add default via 192.168.1.3 dev eth1 table www.out
    ip route flush cache
    # the proxy is on the same subnet as the clients; without this the
    # firewall sends ICMP redirects telling clients to reach it directly
    echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi</command></programlisting>
        </listitem>

        <listitem>
          <important>
            <para>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
            please upgrade to Shorewall 1.4.2 or later.</para>
          </important>

          <para>If you are running Shorewall 1.4.2 or later, then in
          <filename>/etc/shorewall/interfaces</filename>:</para>

          <programlisting>#ZONE    INTERFACE    BROADCAST    OPTIONS
loc      eth1         detect       <emphasis role="bold">routeback</emphasis></programlisting>
        </listitem>

        <listitem>
          <para>In /etc/shorewall/rules:</para>

          <programlisting>#ACTION    SOURCE    DEST    PROTO    DEST PORT(S)
ACCEPT     loc       loc     tcp      www</programlisting>

          <orderedlist numeration="loweralpha">
            <listitem>
              <para>Alternatively, if you are running Shorewall 1.4.0 you can
              have the following policy in place of the above rule.</para>

              <para><filename>/etc/shorewall/policy</filename></para>

              <programlisting>#SOURCE    DESTINATION    POLICY
loc        loc            ACCEPT</programlisting>
            </listitem>
          </orderedlist>
        </listitem>

        <listitem>
          <para>In <filename>/etc/shorewall/start</filename> add:</para>

          <programlisting><command>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
        </listitem>

        <listitem>
          <para>On 192.168.1.3, arrange for the following command to be
          executed after networking has come up:</para>

          <programlisting><command>iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>

          <para>If you are running RedHat on the server, you can simply
          execute the following commands after you have typed the iptables
          command above:</para>

          <programlisting><command>iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command></programlisting>
        </listitem>
      </orderedlist>
    </section>

    <section id="DMZ">
      <title>Squid (transparent) Running in the DMZ</title>

      <para>You have a single Linux system in your DMZ with IP address
      192.0.2.177. You want to run both a web server and Squid on that system.
      Your DMZ interface is eth1 and your local interface is eth2.</para>

      <orderedlist>
        <listitem>
          <para>On your firewall system, issue the following command:</para>

          <programlisting><command>echo 202 www.out >> /etc/iproute2/rt_tables</command></programlisting>
        </listitem>

        <listitem>
          <para>In /etc/shorewall/init, put:</para>

          <programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
    ip rule add fwmark 0xCA table www.out   # 0xCA = 202 decimal
    ip route add default via 192.0.2.177 dev eth1 table www.out
    ip route flush cache
fi</command></programlisting>
        </listitem>

        <listitem>
          <para>Do <emphasis role="bold">one</emphasis> of the
          following:</para>

          <orderedlist numeration="loweralpha">
            <listitem>
              <para>In <filename>/etc/shorewall/start</filename> add</para>

              <programlisting><command>iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
            </listitem>

            <listitem>
              <para>Set MARK_IN_FORWARD_CHAIN=No in
              <filename>/etc/shorewall/shorewall.conf</filename> and add the
              following entry in
              <filename>/etc/shorewall/tcrules</filename>:</para>

              <programlisting>#MARK    SOURCE    DESTINATION    PROTOCOL    PORT
202      eth2      0.0.0.0        tcp         80</programlisting>
            </listitem>

            <listitem>
              <para>Run Shorewall 1.3.14 or later and add the following entry
              in <filename>/etc/shorewall/tcrules</filename>:</para>

              <programlisting>#MARK    SOURCE    DESTINATION    PROTOCOL    PORT
202:P    eth2      0.0.0.0        tcp         80</programlisting>
            </listitem>
          </orderedlist>
        </listitem>

        <listitem>
          <para>In <filename>/etc/shorewall/rules</filename>, you will
          need:</para>

          <programlisting>#ACTION    SOURCE    DEST    PROTO    DEST PORT(S)
ACCEPT     loc       dmz     tcp      80
ACCEPT     dmz       net     tcp      80</programlisting>
        </listitem>

        <listitem>
          <para>On 192.0.2.177 (your Web/Squid server), arrange for the
          following command to be executed after networking has come
          up:</para>

          <programlisting><command>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>

          <para>If you are running RedHat on the server, you can simply
          execute the following commands after you have typed the iptables
          command above:</para>

          <programlisting><command>iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command></programlisting>
        </listitem>
      </orderedlist>
    </section>
  </section>

  <section>
    <title>Squid as a Manual Proxy</title>

    <para>Assume that Squid is running in zone SZ and listening on port SP;
    all web sites that are to be accessed through Squid are in the
    <quote>net</quote> zone. Then, for each zone Z that needs access to the
    Squid server, add the following rules.</para>

    <para><filename>/etc/shorewall/rules</filename>:</para>

    <programlisting>#ACTION    SOURCE    DEST    PROTO    DEST PORT(S)
ACCEPT     Z         SZ      tcp      SP
ACCEPT     SZ        net     tcp      80</programlisting>

    <example>
      <title>Squid on the firewall listening on port 8080 with access from
      the <quote>loc</quote> zone:</title>

      <para><filename>/etc/shorewall/rules:</filename><programlisting>#ACTION    SOURCE    DEST    PROTO    DEST PORT(S)
ACCEPT     loc       fw      tcp      8080
ACCEPT     fw        net     tcp      80</programlisting></para>
    </example>
  </section>
</article>