Using Shorewall with Squid

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “ GNU Free Documentation License ”.

2005-09-08


Table of Contents

Squid as a Transparent Proxy
Configurations
Squid (transparent) Running on the Firewall
Squid (transparent) Running in the local network
Squid (transparent) Running in the DMZ
Squid as a Manual Proxy

This page covers Shorewall configuration to use with Squid running as a Transparent Proxy or as a Manual Proxy.

Warning

This documentation assumes that you are running Shorewall 2.0.0 or later.

Squid as a Transparent Proxy

Important

This section gives instructions for transparent proxying of HTTP. HTTPS (normally TCP port 443) cannot be proxied transparently (stop and think about it for a minute; if HTTPS could be transparently proxied, then how secure would it be?).

Caution

Please observe the following general requirements:

  • In all cases, Squid should be configured to run as a transrent proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy.html.

  • Depending on your distribution, other Squid configuration changes may be required. These changes typically consist of:

    1. Adding an ACL that represents the clients on your local network.

      Example:

      ACL my_networks src 192.168.1.0/24 192.168.2.0/24
    2. Allowing HTTP access to that ACL.

      Example:

      http_access allow my_networks

    See your distribution's Squid documenation and http://www.squid-cache.org/ for details.

    It is a good idea to get Squid working as a manual proxy first before you try transparent proxying.

  • The following instructions mention the files /etc/shorewall/start and /etc/shorewall/init -- if you don't have those files, siimply create them.

  • When the Squid server is in the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts file entries. That is because the packets being routed to the Squid server still have their original destination IP addresses.

  • You must have iptables installed on your Squid server.

Caution

In the instructions below, only TCP Port 80 is opened from the system running Squid to the Internet. If your users require browsing sites that use a port other than 80 (e.g., http://www.domain.tld:8080) then you must open those ports as well.

Configurations

Three different configurations are covered:

Squid (transparent) Running on the Firewall
Squid (transparent) Running in the local Network
Squid (transparent) Running in a DMZ

Squid (transparent) Running on the Firewall

You want to redirect all local www connection requests EXCEPT those to your own http server (206.124.146.177) to a Squid transparent proxy running on the firewall and listening on port 3128. Squid will of course require access to remote web servers.

In /etc/shorewall/rules:

#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
#                                                       PORT(S)    DEST
REDIRECT  loc        3128     tcp      www              -          !206.124.146.177
ACCEPT    fw         net      tcp      www

There may be a requirement to exclude additional destination hosts or networks from being redirected. For example, you might also want requests destined for 130.252.100.0/24 to not be routed to Squid.

If needed, you may just add the additional hosts/networks to the ORIGINAL DEST column in your REDIRECT rule.

/etc/shorewall/rules:

#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
#                                                       PORT(S)    DEST
REDIRECT  loc        3128     tcp      www              -          !206.124.146.177,130.252.100.0/24

Squid (transparent) Running in the local network

You want to redirect all local www connection requests to a Squid transparent proxy running in your local zone at 192.168.1.3 and listening on port 3128. Your local interface is eth1. There may also be a web server running on 192.168.1.3. It is assumed that web access is already enabled from the local zone to the internet.

If you are running a Shorewall version earlier than 2.3.2 then:

  1. On your firewall system, issue the following command

    echo 202 www.out >> /etc/iproute2/rt_tables         
  2. Create /etc/shorewall/addroutes as follows:

    #!/bin/sh
    
    if [ -z "`ip rule list | grep www.out`" ] ; then
            ip rule add fwmark 0xCA table www.out # Note 0xCA = 202
            ip route add default via 192.168.1.3 dev eth1 table www.out
            ip route flush cache
            echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
    fi          
  3. Make /etc/shorewall/addroutes executable via:

    chmod +x /etc/shorewall/addroutes   
  4. In /etc/shorewall/init, put:

    run_and_save_command "/etc/shorewall/addroutes"    

If you are running Shorewall 2.3.2 or later:

  1. Add this entry to your /etc/shorewall/providers file.

    #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS
    Squid   1       202     -               eth1            192.168.1.3     loose

Regardless of your Shorewall version, you need the following:

  1. In /etc/shorewall/start add:

    iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202         
  2. In /etc/shorewall/interfaces :

    #ZONE   INTERFACE    BROADCAST    OPTIONS
    loc     eth1         detect       routeback          
  3. In /etc/shorewall/rules:

    #ACTION   SOURCE    DEST     PROTO   DEST PORT(S)
    ACCEPT    loc       loc      tcp     www
    1. Alternatively, you can have the following policy in place of the above rule.

      /etc/shorewall/policy

      #SOURCE   DESTINATION   POLICY
      loc       loc           ACCEPT
  4. On 192.168.1.3, arrange for the following command to be executed after networking has come up

    iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128          

    If you are running RedHat on the server, you can simply execute the following commands after you have typed the iptables command above:

    iptables-save > /etc/sysconfig/iptables
     chkconfig --level 35 iptables on         

Squid (transparent) Running in the DMZ

You have a single system in your DMZ with IP address 192.0.2.177. You want to run both a web server and Squid on that system.

In /etc/shorewall/rules:

#ACTION  SOURCE   DEST                 PROTO    DEST PORT(S)    SOURCE     ORIGINAL
#                                                               PORT(S)    DEST
DNAT     loc      dmz:192.0.2.177:3128 tcp      80              -          !192.0.2.177

Squid as a Manual Proxy

Assume that Squid is running in zone SZ and listening on port SP; all web sites that are to be accessed through Squid are in the “net” zone. Then for each zone Z that needs access to the Squid server.

/etc/shorewall/rules:

#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    Z        SZ     tcp     SP
ACCEPT    SZ       net    tcp     80,443

Example 1. Squid on the firewall listening on port 8080 with access from the “loc” zone:

/etc/shorewall/rules:

#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)
ACCEPT    loc      fw     tcp      8080
ACCEPT    fw       net    tcp      80,443