/pcq/media/agency_attachments/2025/02/06/2025-02-06t100846387z-pcquest-new-logo-png.png){kind=logo}
Follow Us Since the introduction of kernel 2.2, the firewalling and masquerading code
for Linux has undergone major changes, with several new improvements and features added.
Instead of the original ipmasq tool, ipchains is now used to configure the
firewalling code. Its usage is in many ways similar to ipfwadm, and there's
even a wrapper script (/sbin/ipfwadm_wrapper) available to help you set up simple rules if
you're too lazy to RTFM.
Classical firewalls usually depend on
either packet filtering (such as ipchains), or proxy filtering technology (such as by a
proxy server like Squid). A transparent proxy is a system that appears like a packet
filter to client machines (eliminating the need for client-side configuration), and as a
classical proxy to servers.
A transparent proxy listens on a specified
well-known port (for example, port 80 for Web proxies) for incoming requests, and
redirects them to a proxy server running on the same machine. Client machines assume
they're directly talking to the remote Webserver, when instead, they're
communicating through the proxy. Proxy servers such as Squid support transparent
proxying.
The first step is to configure transparent
proxying on the Linux server. You'll need to recompile your kernel for this if
it's not already configured. To find out if your kernel has it enabled, look for the
file "/proct/net/ip_fwchains". If it exists, you're in business.
Configuring ipchains
You'll then need to add some special
rules to ipchains, telling it to forward all incoming traffic on Web-specific ports
such as 80 for HTTP, and 81
for HTTPS) to a different port on the same machine, for which your proxy server has been
configured (such as port 8080 for Squid).
Enter the following lines into a shell
script-you can then put this in your startup scripts to run automatically at boot
time. In this case, the server IP address is taken to be 192.168.1.1.
ipchains -A input -p TCP
-d 127.0.0.1/32 www -j ACCEPT
ipchains -A input -p TCP -d 192.168.1.1/32 www -j ACCEPT
ipchains -A input -p TCP -d 0/0 www -j REDIRECT 8080
You can use transparent proxying with 2.0.X
kernels. These use ipfwadm to create and modify firewall rules.
If you're using ipfwadm, create a
script file with the following lines:
ipfwadm -I -a a -P tcp -S any/0 -D
127.0.0.1 80
ipfwadm -I -a a -P tcp -S any/0 -D 192.168.1.1 80
ipfwadm -I -a a -P tcp -S any/0 -D any/0 80 -r 8080
You need at least Squid 2.X
to use transparent proxying. Once you have it installed and running, little additional
configuration is required. Edit /etc/squid/squid.conf and make the following changes.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
After you're done, restart Squid with
/etc/rc.d/init.d/squid.init
restart
Client configuration
The best part of the client
configuration is that there's none. Clients think that they're directly
connected to the Webserver, without an intermediate proxy server in between. This means
that you can use almost any type of client from behind your firewall, even if it
doesn't have proxy or firewall support.