Transparent squid proxy and SuSEfirewall2


I have a system setup with 2 nics - eth0 and eth1. This system is only for use as a proxy and internet filter (eventually).
The proxy works fine if it runs as a normal proxy and I change the settings in each web browser; however, this is not ideal. I would like for the DHCP server to nominate each connecting system a gateway referring to eth0 say That way all outgoing packets will pass through this system.
I figure I need to redirect traffic on port 80 to squid on port 3128, and allow other traffic that squid can’t handle to be passed through.
Outgoing traffic should go out to the internet on eth1 - say

Do I need to bond the two interfaces for the latter to work?
What settings do I need in /etc/sysconfig/SuSEfirewall2 ?
I would set http_access 3128 transparent in /etc/squid/squid.conf

The entries that appear to be critical in SuSEfirewall2 are as follows (not necessarily correct):
FW_DEV_INT=“lo eth0”

When in transparent mode and as the gateway nothing reaches squid (tailing access.log shows nothing new).

This system is a para-virtualised OpenSuSE 11.1

Couple of extra questions - is it even worth having two nics? The idea was to only allow (eth1) access to the net so that squid cannot be bypassed and try to separate the traffic (if necessary).


Just in case anyone else comes looking for something like this:

I seem to have it working. I turned on Masquerading in SuSEfirewall2…

FW_DEV_EXT=“any eth1”
FW_DEV_INT=“lo eth0”

Yast had this line in there (not sure if it’s necessary):

FW_CONFIGURATIONS_EXT=“apache2 sshd xorg-x11-server”

I think using SERVICES_INT_* is only relevant if PROTECT_FROM_INT=“yes”

FW_SERVICES_INT_TCP=“www domain ftp https smtp pop3 ntp 587”
FW_SERVICES_INT_UDP=“domain https”

I’m not entirely sure that this one is necessary:


Redirect port 80 to Squid on 3128


Squid is setup really basically at the moment with
http_port 3128 transparent

Things to resolve:

  • Which nic is the outgoing traffic on and how can I choose an interface?

Information used to get this working came from SuSEfirewall2 configuration examples