The usual way of working with proxy servers is the following: the Web
browser sends requests to a certain port in the proxy server and the proxy
provides these required objects, whether they are in its cache or not. When
working in a network, several situations may arise:
In all these cases, a transparent proxy may be used. The principle is very
easy: the proxy intercepts and answers the requests of the Web browser, so
the Web browser receives the requested pages without knowing from where they
are coming. As the name indicates, the entire process is done transparently.
42.5.2 Firewall Configuration with SuSEfirewall2
Now redirect all incoming requests via the firewall with help of a port
forwarding rule to the Squid port. To do this,
use the enclosed tool SuSEfirewall2, described in Section 44.4.1,
Configuring the Firewall with YaST. Its configuration file can be found in
/etc/sysconfig/SuSEfirewall2. The configuration
file consists of well-documented entries. To set a transparent
proxy, you must configure several firewall options:
Define ports and services (see /etc/services)
on the firewall that are accessed from untrusted (external) networks
such as the Internet. In this example, only Web services are offered to the
outside:
FW_SERVICES_EXT_TCP="www"
Define ports or services (see /etc/services) on the
firewall that are accessed from the secure (internal) network, both via TCP
and UDP:
FW_SERVICES_INT_TCP="domain www 3128"
FW_SERVICES_INT_UDP="domain"
This allows accessing Web services and Squid
(whose default port is 3128).
The service domain
stands for DNS (domain name service). This
service is commonly used. Otherwise, simply take it out of the above
entries and set the following option to no:
FW_SERVICE_DNS="yes"
The most important option is option number 15:
Example 42-1
Firewall Configuration: Option 15
# 15.)
# Which accesses to services should be redirected to a local port
# on the firewall machine?
#
# This can be used to force all internal users to surf via your
# Squid proxy, or transparently redirect incoming Web traffic to
# a secure Web server.
#
# Choice: leave empty or use the following explained syntax of
# redirecting rules, separated with spaces.
# A redirecting rule consists of 1) source IP/net,
# 2) destination IP/net, 3) original destination port and
# 4) local port to redirect the traffic to, separated by a colon,
# e.g. "10.0.0.0/8,0/0,80,3128 0/0,172.20.1.1,80,8080"
The comments above show the syntax to follow. First, enter the IP address
and the netmask of the internal networks accessing the proxy firewall.
Second, enter the IP address and the netmask to which these clients send
their requests. In the case of Web browsers, specify the networks
0/0, a wild card that means to
everywhere.
After that, enter the original port to which these
requests are sent and, finally, the port to which all these requests are
redirected. Because Squid supports protocols other than HTTP,
redirect requests
from other ports to the proxy, such as FTP (port 21), HTTPS, or SSL (port
443). In this example, Web services (port 80) are
redirected to the proxy port (port 3128). If there are
more networks or services to add, they must be separated by a blank space
in the respective entry.
FW_REDIRECT_TCP="192.168.0.0/16,0/0,80,3128 192.168.0.0/16,0/0,21,3128"
FW_REDIRECT_UDP="192.168.0.0/16,0/0,80,3128 192.168.0.0/16,0/0,21,3128"
To start the firewall and the new configuration with it, change an entry in
the /etc/sysconfig/SuSEfirewall2 file. The entry
START_FW must be set to "yes".
Start Squid as shown in Section 42.3,
Starting Squid. To check if
everything is working properly, check the Squid logs in
/var/log/squid/access.log.
To verify that all ports are correctly configured, perform a
port scan on the machine from any computer outside your network. Only the
Web services (port 80) should be open. To scan the ports with
nmap, the command syntax is
nmap -O IP_address.