Transparent squid proxy and SuSEfirewall2

Hi,

I have a system set up with 2 nics - eth0 and eth1. This system is only for use as a proxy and internet filter (eventually).
The proxy works fine if it runs as a normal proxy and I change the settings in each web browser; however, this is not ideal. I would like for the DHCP server to nominate each connecting system a gateway referring to eth0 say 192.168.0.100. That way all outgoing packets will pass through this system.
I figure I need to redirect traffic on port 80 to squid on port 3128, and allow other traffic that squid can’t handle to be passed through.
Outgoing traffic should go out to the internet on eth1 - say 192.168.0.200.

Do I need to bond the two interfaces for the latter to work?
What settings do I need in /etc/sysconfig/SuSEfirewall2 ?
I would set http_port 3128 transparent in /etc/squid/squid.conf

The entries that appear to be critical in SuSEfirewall2 are as follows (not necessarily correct):
FW_DEV_EXT="eth1"
FW_DEV_INT="lo eth0"
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128 192.168.0.0/24,0/0,tcp"

When in transparent mode and as the gateway nothing reaches squid (tailing access.log shows nothing new).

This system is a para-virtualised OpenSuSE 11.1

Couple of extra questions - is it even worth having two nics? The idea was to only allow 192.168.0.200 (eth1) access to the net so that squid cannot be bypassed and try to separate the traffic (if necessary).

Cheers
Aaron

Just in case anyone else comes looking for something like this:

I seem to have it working. I turned on Masquerading in SuSEfirewall2…

FW_DEV_EXT="any eth1"
FW_DEV_INT="lo eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INT="no"

Yast had this line in there (not sure if it’s necessary):

FW_CONFIGURATIONS_EXT="apache2 sshd xorg-x11-server"

I think using SERVICES_INT_* is only relevant if PROTECT_FROM_INT="yes"

FW_SERVICES_INT_TCP="www domain ftp https smtp pop3 ntp 587"
FW_SERVICES_INT_UDP="domain https"

I’m not entirely sure that this one is necessary:

FW_TRUSTED_NETS="192.168.0.0/24"

Redirect port 80 to Squid on 3128

FW_REDIRECT="192.168.0.0/24,0.0.0.0/0,tcp,80,3128"

Squid is set up really basically at the moment with
http_port 3128 transparent

Things to resolve:

  • Which nic is the outgoing traffic on and how can I choose an interface?

Information used to get this working came from SuSEfirewall2 configuration examples
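The two configurations above differ in one detail that is easy to miss: the first FW_REDIRECT value carries a second, truncated entry ("192.168.0.0/24,0/0,tcp") while the working one carries a single complete entry. The POSIX sh script below is an added example, not part of either post and not SuSEfirewall2's own code: it validates each FW_REDIRECT entry against the five-field layout the working entry uses (source net, destination net, protocol, port, redirect port), prints the hand-written iptables equivalent of the redirect plus the masquerade and forwarding settings that FW_MASQUERADE="yes"/FW_ROUTE="yes" stand for, and exits non-zero on a malformed entry. The iptables rule text is my equivalent, not a claim about the exact rules SuSEfirewall2 generates; the function names and the interface arguments are assumptions. Nothing here modifies the live firewall; it only prints what would be applied.

```shell
#!/bin/sh
# Added example (not from the forum post or SuSEfirewall2 itself).
# Checks FW_REDIRECT entries before a firewall reload and prints the
# equivalent iptables rules, so a broken entry cannot silently leave
# port 80 unredirected. Assumed field layout, taken from the page's
# working entry: <source net>,<dest net>,<protocol>,<port>,<redirect port>

# Return 0 if ENTRY has exactly five fields, a tcp/udp protocol and numeric ports.
redirect_entry_valid() {
    oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
    [ $# -eq 5 ] || return 1
    case $3 in tcp|udp) ;; *) return 1 ;; esac
    case $4 in *[!0-9]*|'') return 1 ;; esac
    case $5 in *[!0-9]*|'') return 1 ;; esac
    return 0
}

# Print the nat PREROUTING rule for one FW_REDIRECT entry, bound to the
# internal interface (INTDEV) so only LAN clients are redirected to squid.
redirect_entry_to_iptables() {
    intdev=$2
    redirect_entry_valid "$1" || { echo "invalid FW_REDIRECT entry: $1" >&2; return 1; }
    oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
    echo "iptables -t nat -A PREROUTING -i $intdev -s $1 -d $2 -p $3 --dport $4 -j REDIRECT --to-ports $5"
}

# Render every entry of an FW_REDIRECT value plus the rules implied by
# FW_MASQUERADE="yes" (FW_MASQ_NETS out of the external device) and
# FW_ROUTE="yes" (kernel forwarding). Returns 1 if any entry was bad.
render_rules() {
    fw_redirect=$1; intdev=$2; extdev=$3; masq_net=$4
    status=0
    for e in $fw_redirect; do
        redirect_entry_to_iptables "$e" "$intdev" || status=1
    done
    echo "iptables -t nat -A POSTROUTING -s $masq_net -o $extdev -j MASQUERADE"
    echo "sysctl -w net.ipv4.ip_forward=1"
    return $status
}

# Demo on the page's two configurations. FW_DEV_INT="lo eth0" contains lo,
# which is not a client-facing interface, so eth0 alone is passed as INTDEV.
echo "== first post (FW_REDIRECT with a truncated second entry) =="
render_rules "192.168.0.0/24,0/0,tcp,80,3128 192.168.0.0/24,0/0,tcp" eth0 eth1 192.168.0.0/24 \
    || echo "first config has at least one broken FW_REDIRECT entry"
echo "== second post (working value) =="
render_rules "192.168.0.0/24,0.0.0.0/0,tcp,80,3128" eth0 eth1 192.168.0.0/24
```

Run it with sh before touching /etc/sysconfig/SuSEfirewall2; the first block reports the truncated entry on stderr, the second prints the three rules a working transparent-proxy setup needs (redirect on the internal side, masquerade on the external side, forwarding enabled). If a live system prints the rules but squid's access.log still stays empty, the next thing to check is that clients really use 192.168.0.100 as their default gateway, since REDIRECT only sees packets that are routed through this host.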