The usual way of working with proxy servers is the following: the Web browser sends requests to a certain port in the proxy server and the proxy provides these required objects, whether they are in its cache or not. When working in a network, several situations may arise:
For security reasons, it is recommended that all clients use a proxy to surf the Internet.
All clients must use a proxy, regardless of whether they are aware of it.
The proxy in a network is moved, but the existing clients should retain their old configuration.
In all these cases, a transparent proxy may be used. The principle is very easy: the proxy intercepts and answers the requests of the Web browser, so the Web browser receives the requested pages without knowing from where they are coming. As the name indicates, the entire process is done transparently.
First, make sure that the kernel of the proxy server supports a transparent proxy. The kernel delivered with SUSE LINUX is already configured accordingly. If not, add these options to the kernel and recompile it. For more details, refer to Chapter 9, The Linux Kernel.
The options to activate in the /etc/squid/squid.conf
file to get the transparent proxy up and running are:
httpd_accel_host
virtual
httpd_accel_port
80
The port number where the actual HTTP server is located
httpd_accel_with_proxy
on
httpd_accel_uses_host_header
on
Now redirect all incoming requests via the firewall with help of a port
forwarding rule to the Squid port. To do this,
use the enclosed tool SuSEfirewall2. Its
configuration file can be found in
/etc/sysconfig/SuSEfirewall2
. The configuration
file consists of well-documented entries. Even to set only a transparent
proxy, you must configure some firewall options:
Device pointing to the Internet:
FW_DEV_EXT
="eth1"
Device pointing to the network:
FW_DEV_INT
="eth0"
Define ports and services (see /etc/services
)
on the firewall that are accessed from untrusted (external) networks
such as the Internet. In this example, only Web services are offered to the
outside:
FW_SERVICES_EXT_TCP="www"
Define ports or services (see /etc/services
) on the
firewall that are accessed from the secure (internal) network, both via TCP
and UDP:
FW_SERVICES_INT_TCP="domain www 3128" FW_SERVICES_INT_UDP="domain"
This allows accessing Web services and Squid
(whose default port is 3128
).
The service “domain” stands for DNS (domain name service). This
service is commonly used. Otherwise, simply take it out of the above
entries and set the following option to no
:
FW_SERVICE_DNS="yes"
The most important option is option number 15
:
Example 33.1. Firewall Configuration: Option 15
# # 15.) # Which accesses to services should be redirected to a local port # on the firewall machine? # # This can be used to force all internal users to surf via your # Squid proxy, or transparently redirect incoming Web traffic to # a secure Web server. # # Choice: leave empty or use the following explained syntax of # redirecting rules, separated with spaces. # A redirecting rule consists of 1) source IP/net, # 2) destination IP/net, 3) original destination port and # 4) local port to redirect the traffic to, separated by a colon, # e.g. "10.0.0.0/8,0/0,80,3128 0/0,172.20.1.1,80,8080" #
The comments above show the syntax to follow. First, enter the IP address
and the netmask of the internal networks accessing the proxy firewall.
Second, enter the IP address and the netmask to which these clients send
their requests. In the case of Web browsers, specify the networks
0/0
, a wild card that means “to
everywhere.” After that, enter the original port to which these
requests are sent and, finally, the port to which all these requests are
redirected. Because Squid supports protocols other than HTTP,
redirect requests
from other ports to the proxy, such as FTP (port 21), HTTPS, or SSL (port
443). In this example, Web services (port 80
) are
redirected to the proxy port (port 3128
). If there are
more networks or services to add, they must be separated by a blank space
in the respective entry.
FW_REDIRECT_TCP="192.168.0.0/16,0/0,80,3128 192.168.0.0/16,0/0,21,3128" FW_REDIRECT_UDP="192.168.0.0/16,0/0,80,3128 192.168.0.0/16,0/0,21,3128"
To start the firewall and the new configuration with it, change an entry in
the /etc/sysconfig/SuSEfirewall2
file. The entry
START_FW
must be set to "yes"
.
Start Squid as shown in Section 33.3, “Starting Squid”. To check if
everything is working properly, check the Squid logs in
/var/log/squid/access.log
.
To verify that all ports are correctly configured, perform a
port scan on the machine from any computer outside your network. Only the
Web services (port 80) should be open. To scan the ports with
nmap, the command syntax is
nmap -O IP_address
.