Datasheet

“main” (Installation and Administration) 2004/6/25 13:29 page 612 #638
The most important option is option number 15:
Example 25.1: Firewall Configuration: Option 15
#
# 15.)
# Which accesses to services should be redirected to a local port
# on the firewall machine?
#
# This can be used to force all internal users to surf via your
# Squid proxy, or transparently redirect incoming web traffic to
# a secure web server.
#
# Choice: leave empty or use the following explained syntax of
# redirecting rules, separated with spaces.
# A redirecting rule consists of 1) source IP/net,
# 2) destination IP/net, 3) original destination port and
# 4) local port to redirect the traffic to, separated by a colon,
# e.g. "10.0.0.0/8,0/0,80,3128 0/0,172.20.1.1,80,8080"
#
The comments above show the syntax to follow. First, enter the IP address
and the netmask of the internal networks accessing the proxy firewall.
Second, enter the IP address and the netmask to which these clients send
their requests. In the case of web browsers, specify the network 0/0, a
wild card that means "to everywhere." After that, enter the original port
to which these requests are sent and, finally, the port to which all these
requests are redirected. As Squid supports more protocols than HTTP, requests
from other ports can be redirected to the proxy as well, such as FTP (port 21),
HTTPS, or SSL (port 443). In this example, web services (port 80) are redirected
to the proxy port (port 3128). If there are more networks or services to add,
they must be separated by a blank space in the respective entry.
FW_REDIRECT_TCP="192.168.0.0/16,0/0,80,3128 192.168.0.0/16,0/0,21,3128"
FW_REDIRECT_UDP="192.168.0.0/16,0/0,80,3128 192.168.0.0/16,0/0,21,3128"
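The following is an added example, not part of the SUSE manual or of SuSEfirewall2 itself: a small Python parser for the FW_REDIRECT_TCP/UDP value described above, which validates each rule (four comma-separated fields, space-separated rules, 0/0 as the "everywhere" wild card) and renders the equivalent iptables REDIRECT rule. The iptables command lines it prints illustrate the effect of a redirect rule; they are an assumption about what such a rule does, not the exact commands SuSEfirewall2 generates.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class RedirectRule:
    source: ipaddress.IPv4Network       # 1) source IP/net
    destination: ipaddress.IPv4Network  # 2) destination IP/net
    orig_port: int                      # 3) original destination port
    local_port: int                     # 4) local port on the firewall to redirect to

def _parse_net(text: str) -> ipaddress.IPv4Network:
    """Parse an IP/net field; '0/0' is the SuSEfirewall2 wild card for 'everywhere'."""
    if text == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    # A bare host address (e.g. 172.20.1.1) becomes a /32 network.
    return ipaddress.ip_network(text, strict=False)

def _parse_port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % text)
    return port

def parse_redirect_rules(value: str) -> List[RedirectRule]:
    """Split an FW_REDIRECT_TCP/UDP value into rules: rules are separated by
    blanks, the four fields of a rule by commas."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) != 4:
            raise ValueError("expected 4 comma-separated fields in %r" % entry)
        rules.append(RedirectRule(_parse_net(fields[0]), _parse_net(fields[1]),
                                  _parse_port(fields[2]), _parse_port(fields[3])))
    return rules

def to_iptables(rule: RedirectRule, proto: str) -> str:
    """Equivalent nat/PREROUTING REDIRECT rule (illustration of the effect; assumed,
    not the literal command SuSEfirewall2 emits)."""
    return ("iptables -t nat -A PREROUTING -p %s -s %s -d %s --dport %d"
            " -j REDIRECT --to-ports %d"
            % (proto, rule.source, rule.destination, rule.orig_port, rule.local_port))

# Constructed sample input: the FW_REDIRECT_TCP value shown on this page.
SAMPLE_TCP = "192.168.0.0/16,0/0,80,3128 192.168.0.0/16,0/0,21,3128"

if __name__ == "__main__":
    for rule in parse_redirect_rules(SAMPLE_TCP):
        print(to_iptables(rule, "tcp"))
```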
To start the firewall and the new configuration with it, change an entry in
the /etc/sysconfig/SuSEfirewall2 file. The entry START_FW must
be set to "yes".
Start Squid as shown in Section 25.3.4 on page 603. To check if everything
is working properly, check the Squid logs in /var/log/squid/access.log.
To verify that all ports are correctly configured, perform a port scan on the
machine from any computer outside your network. Only the web services
(port 80) should be open. To scan the ports with nmap, the command syntax
is nmap -O IP_address.
25.3. Proxy Server: Squid