Using Shorewall with Squid
Tom
Eastep
2003-10-17
2003
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation License
.
This page covers Shorewall configuration to use with Squid running as
a Transparent Proxy or as a Manual Proxy.
If you are running Shorewall 1.3, please see this documentation.
Squid as a Transparent Proxy
Please observe the following general requirements:
In all cases, Squid should be configured to run as a
transparent proxy as described at
http://tldp.org/HOWTO/mini/TransparentProxy.html.
The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't
have those files, siimply create them.
When the Squid server is in the DMZ zone or in the local zone,
that zone must be defined ONLY by its interface -- no
/etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP
addresses.
You must have iptables installed on your Squid server.
If you run a Shorewall version earlier than 1.4.6, you must
have NAT and MANGLE enabled in your /etc/shorewall/conf file
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
Configurations
Three different configurations are covered:
Squid (transparent) Running on the Firewall
You want to redirect all local www connection requests EXCEPT
those to your own http server (206.124.146.177) to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid will of
course require access to remote web servers.
In /etc/shorewall/rules:
/etc/shorewall/rules
ACTION
SOURCE
DEST
PROTO
DEST PORT(S)
SOURCE PORT(S)
ORIGINAL DEST
REDIRECT
loc
3128
tcp
www
-
!206.124.146.177
ACCEPT
fw
net
tcp
www
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want
requests destined for 130.252.100.0/24 to not be routed to Squid.
If you are running Shorewall version 1.4.5 or later, you may just
add the additional hosts/networks to the ORIGINAL DEST column in your
REDIRECT rule:
/etc/shorewall/rules
ACTION
SOURCE
DEST
PROTO
DEST PORT(S)
SOURCE PORT(S)
ORIGINAL DEST
REDIRECT
loc
3128
tcp
www
-
!206.124.146.177,130.252.100.0/24
If you are running a Shorewall version earlier than 1.4.5, you
must add a manual rule in /etc/shorewall/start:
run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN
To exclude additional hosts or networks, just add additional
similar rules.
Squid (transparent) Running in the local network
You want to redirect all local www connection requests to a Squid
transparent proxy running in your local zone at 192.168.1.3 and
listening on port 3128. Your local interface is eth1. There may also be
a web server running on 192.168.1.3. It is assumed that web access is
already enabled from the local zone to the internet..
* On your firewall system, issue the following command
echo 202 www.out >> /etc/iproute2/rt_tables
In /etc/shorewall/init, put:
if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark 202 table www.out
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi
If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.
If you are running Shorewall 1.4.2 or later, then in
/etc/shorewall/interfaces:
/etc/shorewall/interfaces
ZONE
INTERFACE
BROADCAST
OPTIONS
loc
eth1
detect
routeback
In /etc/shorewall/rules:
/etc/shorewall/rules
ACTION
SOURCE
DEST
PROTO
DEST PORT(S)
SOURCE PORT(S)
ORIGINAL DEST
ACCEPT
loc
loc
tcp
www
Alternativfely, if you are running Shorewall 1.4.0 you can
have the following policy in place of the above rule:
/etc/shorewall/policy
SOURCE
DESTINATION
POLICY
LOG LEVEL
BURST PARAMETERS
loc
loc
ACCEPT
In /etc/shorewall/start add:
iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202
On 192.168.1.3, arrange for the following command to be
executed after networking has come up
iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128
If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:
iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on
Squid (transparent) Running in the DMZ (This is what I do)
You have a single Linux system in your DMZ with IP address
192.0.2.177. You want to run both a web server and Squid on that system.
Your DMZ interface is eth1 and your local interface is eth2.
On your firewall system, issue the following command
echo 202 www.out >> /etc/iproute2/rt_tables
In /etc/shorewall/init, put:
if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark 202 table www.out
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi
Do one of the following:
In /etc/shorewall/start add
iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202
Set MARK_IN_FORWARD_CHAIN=No in
/etc/shorewall/shorewall.conf and add the following entry in
/etc/shorewall/tcrules:
/etc/shorewall/tcrules
MARK
SOURCE
DESTINATION
PROTOCOL
PORT
CLIENT PORT
202
eth2
0.0.0.0/0
tcp
80
-
Run Shorewall 1.3.14 or later and add the following entry
in /etc/shorewall/tcrules:
/etc/shorewall/tcrules
MARK
SOURCE
DESTINATION
PROTOCOL
PORT
CLIENT PORT
202:P
eth2
0.0.0.0/0
tcp
80
-
In /etc/shorewall/rules, you will need:
/etc/shorewall/rules
ACTION
SOURCE
DEST
PROTO
DEST PORT(S)
CLIENT PORT(2)
ORIGINAL DEST
ACCEPT
loc
dmz
tcp
80
ACCEPT
dmz
net
tcp
80
On 192.0.2.177 (your Web/Squid server), arrange for the
following command to be executed after networking has come up
iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128
If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:
iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on
Squid as a Manual Proxy
Assume that Squid is running in zone SZ and listening on port SP;
all web sites that are to be accessed through Squid are in the
net
zone. Then for each zone Z that needs access to the
Squid server:
/etc/shorewall/rules
ACTION
SOURCE
DEST
PROTO
DEST PORT(S)
CLIENT PORT(2)
ORIGINAL DEST
ACCEPT
Z
SZ
tcp
SP
ACCEPT
SZ
net
tcp
80
Squid on the firewall listening on port 8080 with access from the
loc
zone:
/etc/shorewall/rulesACTIONSOURCEDESTPROTODEST PORT(S)CLIENT PORT(2)ORIGINAL DEST
ACCEPTloc$FWtcp8080
ACCEPT$FWnettcp80