shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Using Shorewall with Squid</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="Shorewall_Squid_Usage"></a>Using Shorewall with Squid</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2003-2008 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id286316"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled “<span class="quote">
      <a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a>
      </span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Transparent">Squid as a Transparent (Interception) Proxy</a></span></dt><dt><span class="section"><a href="#Configurations">Configurations</a></span></dt><dd><dl><dt><span class="section"><a href="#Firewall">Squid (transparent) Running on the Firewall</a></span></dt><dt><span class="section"><a href="#Local">Squid (transparent) Running in the local network</a></span></dt><dt><span class="section"><a href="#DMZ">Squid (transparent) Running in the DMZ</a></span></dt></dl></dd><dt><span class="section"><a href="#Manual">Squid as a Manual Proxy</a></span></dt></dl></div><p>This page covers Shorewall configuration to use with <a class="ulink" href="http://www.squid-cache.org" target="_self">Squid</a> running as a Transparent
  Proxy or as a Manual Proxy.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    4.0.0 then please see the documentation for that
    release.</strong></span></p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Transparent"></a>Squid as a Transparent (Interception) Proxy</h2></div></div></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>This section gives instructions for transparent proxying of HTTP.
      HTTPS (normally TCP port 443) <span class="bold"><strong>cannot</strong></span> be
      proxied transparently (stop and think about it for a minute; if HTTPS
      could be transparently proxied, then how secure would it be?).</p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>Please observe the following general requirements:</p><div class="itemizedlist"><ul type="disc"><li><p>In all cases, Squid should be configured to run as a
          transparent proxy as described at <a class="ulink" href="http://wiki.squid-cache.org/SquidFaq/InterceptionProxy" target="_self">http://wiki.squid-cache.org/SquidFaq/InterceptionProxy</a>.</p><p>The bottom line of that article is that if you are running
          <span class="bold"><strong>Squid 2.6 or later</strong></span>, then you simply
          need to add the word <em class="firstterm">transparent</em> to your
          http_port specification:</p><pre class="programlisting">http_port 3128 transparent</pre><p>In <span class="bold"><strong>earlier Squid versions</strong></span>,
          you need to set several options:</p><pre class="programlisting">http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy  on
httpd_accel_uses_host_header on</pre></li><li><p>Depending on your distribution, other Squid configuration
          changes may be required. These changes typically consist of:</p><div class="orderedlist"><ol type="1"><li><p>Adding an ACL that represents the clients on your local
              network.</p><p>Example:</p><pre class="programlisting">acl my_networks src 192.168.1.0/24 192.168.2.0/24</pre></li><li><p>Allowing HTTP access to that ACL.</p><p>Example:</p><pre class="programlisting">http_access allow my_networks</pre></li></ol></div><p>See your distribution's Squid documentation and <a class="ulink" href="http://www.squid-cache.org/" target="_self">http://www.squid-cache.org/</a>
          for details.</p><p>It is a good idea to get Squid working as a <a class="link" href="#Manual" title="Squid as a Manual Proxy">manual proxy</a> first before you try
          transparent proxying.</p></li><li><p>The following instructions mention the file
          /etc/shorewall/start - if you don't have that file, simply create
          it.</p></li><li><p>When the Squid server is in the local zone, that zone must be
          defined ONLY by its interface -- no /etc/shorewall/hosts file
          entries. That is because the packets being routed to the Squid
          server still have their original destination IP addresses.</p></li><li><p>You must have iptables installed on your Squid server.</p></li></ul></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>In the instructions below, only TCP Port 80 is opened from the
      system running Squid to the Internet. If your users require browsing
      sites that use a port other than 80 (e.g.,
      http://www.domain.tld:<span class="bold"><strong>8080</strong></span>) then you
      must open those ports as well.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Configurations"></a>Configurations</h2></div></div></div><p>Three different configurations are covered:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>Squid (transparent) Running on the Firewall</td></tr><tr><td>Squid (transparent) Running in the local Network</td></tr><tr><td>Squid (transparent) Running in a DMZ</td></tr></table><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="Firewall"></a>Squid (transparent) Running on the Firewall</h3></div></div></div><p>You want to redirect all local www connection requests EXCEPT
      those to your own http server (206.124.146.177) to a Squid transparent
      proxy running on the firewall and listening on port 3128. Squid will of
      course require access to remote web servers.</p><p>In <code class="filename">/etc/shorewall/rules</code>:</p><pre class="programlisting">#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
#                                                       PORT(S)    DEST
REDIRECT  loc        3128     tcp      www              -          !206.124.146.177
ACCEPT    $FW        net      tcp      www</pre><p>There may be a requirement to exclude additional destination hosts
      or networks from being redirected. For example, you might also want
      requests destined for 130.252.100.0/24 to not be routed to Squid.</p><p>If needed, you may just add the additional hosts/networks to the
      ORIGINAL DEST column in your REDIRECT rule.</p><p><code class="filename">/etc/shorewall/rules</code>:</p><pre class="programlisting">#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
#                                                       PORT(S)    DEST
REDIRECT  loc        3128     tcp      www              -          !206.124.146.177,130.252.100.0/24</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="Local"></a>Squid (transparent) Running in the local network</h3></div></div></div><p>You want to redirect all local www connection requests to a Squid
      transparent proxy running in your local zone at 192.168.1.3 and
      listening on port 3128. Your local interface is eth1. There may also be
      a web server running on 192.168.1.3. It is assumed that web access is
      already enabled from the local zone to the Internet.</p><div class="orderedlist"><ol type="1"><li><p>Add this entry to your /etc/shorewall/providers file.</p><pre class="programlisting">#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS
Squid   1       202     -               eth1            192.168.1.3     loose</pre></li><li><p>In <code class="filename">/etc/shorewall/tcrules</code> add:</p><pre class="programlisting">#MARK    SOURCE              DEST        PROTO    DEST
#                                                 PORT(S)
202:P    eth1:!192.168.1.3   0.0.0.0/0   tcp      80</pre></li><li><p>In <code class="filename">/etc/shorewall/interfaces</code>:</p><pre class="programlisting">#ZONE   INTERFACE    BROADCAST    OPTIONS
loc     eth1         detect       <span class="bold"><strong>routeback</strong></span>          </pre></li><li><p>On 192.168.1.3, arrange for the following command to be
          executed after networking has come up</p><pre class="programlisting"><span class="command"><strong>iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</strong></span>          </pre><p>If you are running RedHat on the server, you can simply
          execute the following commands after you have typed the iptables
          command above:</p><pre class="programlisting"><span class="command"><strong>iptables-save &gt; /etc/sysconfig/iptables
 chkconfig --level 35 iptables on</strong></span>         </pre></li></ol></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="DMZ"></a>Squid (transparent) Running in the DMZ</h3></div></div></div><p>You have a single system in your DMZ with IP address 192.0.2.177.
      You want to run both a web server and Squid on that system.</p><p>In <code class="filename">/etc/shorewall/rules</code>:</p><pre class="programlisting">#ACTION  SOURCE   DEST                 PROTO    DEST PORT(S)    SOURCE     ORIGINAL
#                                                               PORT(S)    DEST
DNAT     loc      dmz:192.0.2.177:3128 tcp      80              -          !192.0.2.177</pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Manual"></a>Squid as a Manual Proxy</h2></div></div></div><p>Assume that Squid is running in zone SZ and listening on port SP;
    all web sites that are to be accessed through Squid are in the
    “<span class="quote">net</span>” zone. Then, for each zone Z that needs access to the
    Squid server, add the following rules.</p><p><code class="filename">/etc/shorewall/rules</code>:</p><pre class="programlisting">#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    Z        SZ     tcp     SP
ACCEPT    SZ       net    tcp     80,443</pre><div class="example"><a id="Example1"></a><p class="title"><b>Example 1. Squid on the firewall listening on port 8080 with access from the
      “<span class="quote">loc</span>” zone:</b></p><div class="example-contents"><p><code class="filename">/etc/shorewall/rules:</code> </p><pre class="programlisting">#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)
ACCEPT    loc      $FW    tcp      8080
ACCEPT    $FW      net    tcp      80,443</pre></div></div><br class="example-break" /></div></div></body></html>
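Added example (not part of the Shorewall documentation or the Shorewall project): a POSIX shell simulator of the decision the REDIRECT and DNAT rules in the Configurations section make. It shows which destinations the ORIGINAL DEST exclusion keeps away from Squid (the leading "!" negates the whole comma-separated list, so both the firewall's own web server and the 130.252.100.0/24 network are exempt) and that only TCP port 80 is intercepted, which is why HTTPS and non-standard ports such as 8080 go direct. The helper names are my own and nothing in it touches netfilter.

```sh
# Added example (not Shorewall's own code): simulate the redirect decision of
# the REDIRECT/DNAT rules on this page. Helper names are hypothetical; nothing
# here touches netfilter, it only reasons about the rule columns.

# ip_to_int 192.168.1.3 -> 3232235779 (subshell keeps the IFS change local)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR NET: true when ADDR lies in NET; a bare address means /32
in_cidr() {
    addr=$(ip_to_int "$1")
    case $2 in
        */*) bits=${2#*/}; cidr=$(ip_to_int "${2%/*}") ;;
        *)   bits=32;      cidr=$(ip_to_int "$2") ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( cidr & mask )) ]
}

# redirected PROTO DPORT DEST EXCL: true when the connection goes to Squid.
# EXCL is the rule's ORIGINAL DEST column, e.g. '!206.124.146.177,130.252.100.0/24';
# as in Shorewall, the leading '!' negates the whole comma-separated list.
redirected() {
    proto=$1; dport=$2; dest=$3; excl=$4
    # only TCP port 80 (www) is matched by the rules on this page; 443,
    # 8080 and so on go direct unless further rules are added
    [ "$proto" = tcp ] && [ "$dport" = 80 ] || return 1
    case $excl in
        '')   return 0 ;;
        '!'*) excl=${excl#!} ;;
        *)    echo "only a negated ORIGINAL DEST list is modelled" >&2; return 2 ;;
    esac
    red_ifs=$IFS; IFS=,; set -- $excl; IFS=$red_ifs
    for entry in "$@"; do
        if in_cidr "$dest" "$entry"; then return 1; fi   # excluded host/net
    done
    return 0
}

EXCL='!206.124.146.177,130.252.100.0/24'   # rule from the firewall example
for probe in 'tcp 80 10.0.0.1' 'tcp 80 206.124.146.177' \
             'tcp 80 130.252.100.77' 'tcp 443 10.0.0.1' 'tcp 8080 10.0.0.1'; do
    if redirected $probe "$EXCL"; then echo "$probe: redirected to Squid"
    else echo "$probe: goes direct"; fi
done
```

Run it with sh; for each probe it reports whether the connection would be sent to the proxy port or pass straight through, which is a quick way to sanity-check an exclusion list before putting it in the rules file.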