<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_Squid_Usage">
  <!--$Id$-->

  <articleinfo>
    <title>Using Shorewall with Squid</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2003-2006</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled <quote>
      <ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink>
      </quote>.</para>
    </legalnotice>
  </articleinfo>

  <para>This page covers Shorewall configuration to use with <ulink
  url="http://www.squid-cache.org">Squid</ulink> running as a Transparent
  Proxy or as a Manual Proxy.</para>

  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0 then please see the documentation for that
    release.</emphasis></para>
  </caution>

  <section>
    <title>Squid as a Transparent Proxy</title>

    <important>
      <para>This section gives instructions for transparent proxying of HTTP
      only. HTTPS (normally TCP port 443) <emphasis role="bold">cannot</emphasis>
      be proxied transparently with the REDIRECT/DNAT rules shown here: TLS
      authenticates the origin server to the browser, so a device that silently
      terminated and re-encrypted HTTPS would present a certificate the browser
      does not trust and would be indistinguishable from a man-in-the-middle
      attack. Leave port 443 out of the transparent-proxy rules below.</para>
    </important>

    <caution>
      <para>Please observe the following general requirements:</para>

      <itemizedlist>
        <listitem>
          <para>In all cases, Squid should be configured to run as a
	  transparent proxy as described at <ulink
          url="http://www.tldp.org/HOWTO/TransparentProxy.html">http://www.tldp.org/HOWTO/TransparentProxy.html</ulink>.</para>
        </listitem>

        <listitem>
          <para>Depending on your distribution, other Squid configuration
          changes may be required. These changes typically consist of:</para>

          <orderedlist>
            <listitem>
              <para>Adding an ACL that represents the clients on your local
              network.</para>

              <para>Example:</para>

              <programlisting>acl my_networks src 192.168.1.0/24 192.168.2.0/24</programlisting>
            </listitem>

            <listitem>
              <para>Allowing HTTP access to that ACL.</para>

              <para>Example:</para>

              <programlisting>http_access allow my_networks</programlisting>
            </listitem>
          </orderedlist>

          <para>See your distribution's Squid documentation and <ulink
          url="http://www.squid-cache.org/">http://www.squid-cache.org/</ulink>
          for details.</para>

          <para>It is a good idea to get Squid working as a <link
          linkend="Manual">manual proxy</link> first before you try
          transparent proxying.</para>
        </listitem>

        <listitem>
          <para>The following instructions mention the files
          <filename>/etc/shorewall/start</filename> and
          <filename>/etc/shorewall/init</filename> -- if you don't have those
          files, simply create them.</para>
        </listitem>

        <listitem>
          <para>When the Squid server is in the local zone, that zone must be
          defined ONLY by its interface -- no /etc/shorewall/hosts file
          entries. That is because the packets being routed to the Squid
          server still have their original destination IP addresses.</para>
        </listitem>

        <listitem>
          <para>You must have iptables installed on your Squid server.</para>
        </listitem>
      </itemizedlist>
    </caution>

    <caution>
      <para>In the instructions below, only TCP Port 80 is opened from the
      system running Squid to the Internet. If your users require browsing
      sites that use a port other than 80 (e.g.,
      http://www.domain.tld:<emphasis role="bold">8080</emphasis>) then you
      must open those ports as well.</para>
    </caution>
  </section>

  <section>
    <title>Configurations</title>

    <para>Three different configurations are covered:</para>

    <simplelist>
      <member>Squid (transparent) Running on the Firewall</member>

      <member>Squid (transparent) Running in the local Network</member>

      <member>Squid (transparent) Running in a DMZ</member>
    </simplelist>

    <section id="Firewall">
      <title>Squid (transparent) Running on the Firewall</title>

      <para>You want to redirect all local www connection requests EXCEPT
      those to your own http server (206.124.146.177) to a Squid transparent
      proxy running on the firewall and listening on port 3128. Squid will of
      course require access to remote web servers.</para>

      <para>In <filename>/etc/shorewall/rules</filename>:</para>

      <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
#                                                       PORT(S)    DEST
REDIRECT  loc        3128     tcp      www              -          !206.124.146.177
ACCEPT    $FW        net      tcp      www</programlisting>

      <para>There may be a requirement to exclude additional destination hosts
      or networks from being redirected. For example, you might also want
      requests destined for 130.252.100.0/24 not to be redirected to
      Squid.</para>

      <para>If needed, you may just add the additional hosts/networks to the
      ORIGINAL DEST column in your REDIRECT rule.</para>

      <para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
#                                                       PORT(S)    DEST
REDIRECT  loc        3128     tcp      www              -          !206.124.146.177,130.252.100.0/24</programlisting></para>
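
      <para>Once the REDIRECT rule is in place it is worth confirming, from a
      client on the local network, that port-80 traffic really is passing
      through Squid rather than reaching the origin directly. The following
      script is an added example and is not part of the Shorewall documentation
      or of Squid; it applies to any of the three transparent layouts on this
      page. It relies on the fact that Squid, with its default <quote>via
      on</quote> setting, adds a <quote>Via: 1.1 HOST (squid/VERSION)</quote>
      header and an <quote>X-Cache: HIT/MISS from HOST</quote> header to
      responses it relays. The URLs you pass on the command line are your
      own; the header samples in the comments are constructed.</para>

```shell
#!/bin/sh
# Added example (not from the Shorewall or Squid documentation): confirm from
# a client on the loc network that HTTP is being intercepted by Squid.
#
# A browser that was never configured to use a proxy should still get back
# Squid's own response headers if the REDIRECT/DNAT rule is working, e.g.
# (constructed sample):
#   HTTP/1.1 200 OK
#   Via: 1.1 gateway (squid/3.5.27)
#   X-Cache: MISS from gateway

# Read HTTP response headers on stdin; return 0 if Squid relayed the reply.
# Case-insensitive, and CRLF line endings are stripped first.
relayed_by_squid() {
    tr -d '\r' | grep -Eiq '^(via:.*squid|x-cache: *(hit|miss) from )'
}

# Fetch only the headers of one URL. --noproxy '*' makes curl ignore any
# http_proxy variable in the environment, so the request must be caught by
# the transparent redirect and not by a manual proxy setting.
check_url() {
    url=$1
    if curl -sS --noproxy '*' -I --max-time 10 "$url" | relayed_by_squid; then
        echo "OK: $url was served via Squid (transparent redirect working)"
        return 0
    fi
    echo "NOT PROXIED: $url reached the origin directly (or Squid hides Via)"
    return 1
}

# Usage: sh check-squid.sh http://www.example.com/ http://www.example.net/
if [ $# -gt 0 ]; then
    for u in "$@"; do
        check_url "$u"
    done
fi
```

      <para>Run it with plain <quote>http://</quote> URLs only: an
      <quote>https://</quote> URL must come back without these headers, since
      HTTPS is not redirected. If the administrator has set <quote>via
      off</quote> or used <quote>reply_header_access</quote> to strip these
      headers, the check will report NOT PROXIED even when redirection works;
      in that case compare Squid's access.log with the client's request
      instead.</para>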
    </section>

    <section id="Local">
      <title>Squid (transparent) Running in the local network</title>

      <para>You want to redirect all local www connection requests to a Squid
      transparent proxy running in your local zone at 192.168.1.3 and
      listening on port 3128. Your local interface is eth1. There may also be
      a web server running on 192.168.1.3. It is assumed that web access is
      already enabled from the local zone to the internet.</para>

      <orderedlist>
        <listitem>
          <para>Add this entry to your /etc/shorewall/providers file.</para>

          <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS
Squid   1       202     -               eth1            192.168.1.3     loose</programlisting>
        </listitem>

        <listitem>
          <para>In <filename>/etc/shorewall/start</filename> add:</para>

          <programlisting><command>iptables -t mangle -A PREROUTING -i eth1 ! -s 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
        </listitem>

        <listitem>
          <para>In <filename>/etc/shorewall/interfaces</filename>:</para>

          <programlisting>#ZONE   INTERFACE    BROADCAST    OPTIONS
loc     eth1         detect       <emphasis role="bold">routeback</emphasis>          </programlisting>
        </listitem>

        <listitem>
          <para>On 192.168.1.3, arrange for the following command to be
          executed after networking has come up (the <quote>! -d
          192.168.1.3</quote> exclusion keeps requests for the web server on
          that same host out of the proxy):</para>

          <programlisting><command>iptables -t nat -A PREROUTING -i eth0 ! -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>

          <para>If you are running Red Hat on the server, you can make that
          rule persistent across reboots by executing the following commands
          after you have typed the iptables command above:</para>

          <programlisting><command>iptables-save &gt; /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command></programlisting>
        </listitem>
      </orderedlist>
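
      <para>The four steps above are one procedure: the providers entry
      creates a routing table whose only route points at the Squid host, the
      start-file rule marks client port-80 traffic so that it is looked up in
      that table, routeback lets the marked packets leave by the interface
      they arrived on, and the Squid host intercepts what arrives. The script
      below is an added example, not Shorewall's own code, that spells the
      same configuration out as raw iproute2 and iptables commands so each
      piece can be inspected on its own. It assumes the addresses and
      interfaces used in this section (eth1 and 192.168.1.3 on the firewall,
      eth0 on the Squid host, mark 202, routing table 1); the
      <quote>ROLE</quote> and <quote>DRY_RUN</quote> variables and the
      <quote>check_policy_route</quote> helper are hypothetical names
      introduced here.</para>

```shell
#!/bin/sh
# Added example (not Shorewall's own code): the raw commands behind the
# providers/start/interfaces steps for "Squid in the local network".
# Defaults follow the text; override through the environment if needed.
LAN_IF=${LAN_IF:-eth1}            # firewall's local interface
SQUID_IP=${SQUID_IP:-192.168.1.3} # Squid host (may also run a web server)
SQUID_PORT=${SQUID_PORT:-3128}
SQUID_LAN_IF=${SQUID_LAN_IF:-eth0} # Squid host's interface towards clients
FWMARK=${FWMARK:-202}             # MARK column of the providers entry
TABLE=${TABLE:-1}                 # NUMBER column of the providers entry
DRY_RUN=${DRY_RUN:-1}             # 1 = print the commands; 0 = run them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Firewall: what the providers entry amounts to. Packets carrying the fwmark
# are looked up in a table whose only route is "default via the Squid host".
firewall_policy_route() {
    run ip route add default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE"
    run ip rule add fwmark "$FWMARK" table "$TABLE"
}

# Firewall: the /etc/shorewall/start rule. The "! -s SQUID_IP" exclusion is
# what prevents a loop: Squid's own outbound port-80 connections also enter
# on eth1 and must not be marked and routed straight back to Squid.
firewall_mark_rule() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_IP" \
        -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
}

# Squid host: intercept what the firewall sends back across the LAN, but not
# requests addressed to this host's own web server. Restricting the rule to
# the LAN interface keeps other interfaces from being redirected by mistake.
squid_host_redirect() {
    run iptables -t nat -A PREROUTING -i "$SQUID_LAN_IF" ! -d "$SQUID_IP" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Verify the firewall side from the outputs of "ip rule show" ($1) and
# "ip route show table $TABLE" ($2). Note that ip prints the mark in hex
# (202 shows up as 0xca), so both spellings are accepted.
check_policy_route() {
    hexmark=$(printf '0x%x' "$FWMARK")
    printf '%s\n' "$1" |
        grep -Eq "fwmark ($FWMARK|$hexmark)(/[0-9a-fx]+)? lookup $TABLE( |$)" || return 1
    printf '%s\n' "$2" | grep -Fq "default via $SQUID_IP dev $LAN_IF" || return 1
}

# Default run prints the plan for the firewall; ROLE=squid prints the Squid
# host's part. With DRY_RUN=0 the same calls apply the rules.
case "${ROLE:-firewall}" in
    firewall) firewall_policy_route; firewall_mark_rule ;;
    squid)    squid_host_redirect ;;
esac
```

      <para>On a live firewall, <quote>check_policy_route "$(ip rule show)"
      "$(ip route show table 1)"</quote> returning success confirms that
      Shorewall installed both halves of the policy route; if only the fwmark
      rule is missing, marked packets fall through to the main table and
      reach the Internet unproxied, which is the usual symptom when the
      start-file rule runs before the providers entry has been
      compiled.</para>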
    </section>

    <section id="DMZ">
      <title>Squid (transparent) Running in the DMZ</title>

      <para>You have a single system in your DMZ with IP address 192.0.2.177.
      You want to run both a web server and Squid on that system.</para>

      <para>In <filename>/etc/shorewall/rules</filename>:</para>

      <programlisting>#ACTION  SOURCE   DEST                 PROTO    DEST PORT(S)    SOURCE     ORIGINAL
#                                                               PORT(S)    DEST
DNAT     loc      dmz:192.0.2.177:3128 tcp      80              -          !192.0.2.177</programlisting>
    </section>
  </section>

  <section id="Manual">
    <title>Squid as a Manual Proxy</title>

    <para>Assume that Squid is running in zone SZ and listening on port SP;
    all web sites that are to be accessed through Squid are in the
    <quote>net</quote> zone. Then, for each zone Z that needs access to the
    Squid server, add the following rules.</para>

    <para><filename>/etc/shorewall/rules</filename>:</para>

    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    Z        SZ     tcp     SP
ACCEPT    SZ       net    tcp     80,443</programlisting>

    <example>
      <title>Squid on the firewall listening on port 8080 with access from the
      <quote>loc</quote> zone:</title>

      <para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)
ACCEPT    loc      $FW    tcp      8080
ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    </example>
  </section>
</article>