A Transparent Proxy With Squid
If your Linux server is being used as an Internet gateway for your LAN, then it's a good idea to set it up behind a firewall. If that's not an option, set up a firewall on the machine itself. Since the introduction of kernel 2.2, the firewalling and masquerading code for Linux has undergone major changes, with several new improvements and features added. Instead of the original ipfwadm tool, ipchains is now used to configure the firewalling code. Its usage is in many ways similar to ipfwadm, and there's even a wrapper script (/sbin/ipfwadm-wrapper, shipped with ipchains) available to help you set up simple rules if you're too lazy to RTFM.
Classical firewalls usually depend on either packet filtering (such as ipchains) or application-level proxying (such as a proxy server like Squid). A transparent proxy combines the two: to client machines it looks like a packet filter (there is no client-side proxy configuration), while to the remote servers it looks like a classical proxy.
In a transparent proxy setup the packet filter intercepts connections destined for a well-known port (for example, port 80 for Web traffic) and redirects them to a proxy server listening on another port on the same machine. Client machines assume they're talking directly to the remote Web server, when instead they're communicating through the proxy. Proxy servers such as Squid support transparent proxying.
The first step is to configure transparent proxying on the Linux server. You'll need to recompile your kernel for this if it isn't already configured: the REDIRECT target used below requires a kernel built with CONFIG_IP_FIREWALL and CONFIG_IP_TRANSPARENT_PROXY. To find out if your kernel has firewalling enabled at all, look for the file /proc/net/ip_fwchains. If it exists, you're in business as far as ipchains goes; a kernel built with firewalling but without transparent proxy support will still pass that check but reject the REDIRECT rule, so if ipchains refuses the rule, go back and enable the option.
Configuring ipchains
You'll then need to add some special rules to ipchains, telling it to redirect all incoming traffic on the Web port (80 for HTTP) to a different port on the same machine on which your proxy server is listening (such as port 8080 for Squid). HTTPS (port 443) cannot be handled this way: the TLS session is end-to-end between the browser and the origin server, so Squid would only see encrypted bytes it cannot parse or cache. Leave port 443 alone and let it be routed or masqueraded as usual.
Enter the following lines into a shell script; you can then put this in your startup scripts to run automatically at boot time. In this case, the server's LAN IP address is taken to be 192.168.1.1.
ipchains -A input -p TCP -d 127.0.0.1/32 www -j ACCEPT
ipchains -A input -p TCP -d 192.168.1.1/32 www -j ACCEPT
ipchains -A input -p TCP -d 0/0 www -j REDIRECT 8080
The first two rules let connections to the server's own port 80 (such as a local Web server) through untouched; the third redirects every other port-80 connection entering the input chain to Squid on 8080. Note that the third rule matches regardless of which interface the packet arrived on. If this machine also has an Internet-facing interface, restrict the rule with -i (your LAN interface) and -s (your LAN network); otherwise any host that can reach your external address on port 80 is handed to Squid, which then acts as an open proxy for it.
Transparent proxying also works with 2.0.x kernels, which use ipfwadm rather than ipchains to create and modify firewall rules. If you're using ipfwadm, create a script file with the following equivalent lines (the same caveat about restricting the redirect to the LAN interface applies; ipfwadm names the interface with -W):
ipfwadm -I -a a -P tcp -S any/0 -D 127.0.0.1 80
ipfwadm -I -a a -P tcp -S any/0 -D 192.168.1.1 80
ipfwadm -I -a a -P tcp -S any/0 -D any/0 80 -r 8080
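The following Python model is an added example for this article; it is not code from the article, from ipchains or from Squid. It re-implements the first-match evaluation of the input chain for the three rules given above (the ipchains and ipfwadm versions express the same rules), so you can see what the unrestricted REDIRECT does to a connection arriving on the Internet-facing interface without needing a 2.2 kernel. The interface names (eth0 facing the Internet, eth1 facing the LAN), the external address 203.0.113.1, the LAN 192.168.1.0/24 and the sample packets are assumptions constructed for the example.

```python
"""Model of an ipchains/ipfwadm input chain for transparent proxying.

Added example for this article, not code from the article, ipchains or Squid.
It re-implements first-match evaluation of the rules given in the text so the
effect of the unrestricted REDIRECT rule can be examined without a 2.2 kernel.
Assumed for the example: eth0 is the Internet-facing interface with address
203.0.113.1, eth1 is the LAN interface, and the LAN is 192.168.1.0/24.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    iface: str      # interface the packet arrived on
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One rule: -p PROTO -s SRC -d DST PORT [-i IFACE] -j TARGET [PORT]."""
    target: str                          # "ACCEPT", "DENY" or "REDIRECT"
    dst: str = "0.0.0.0/0"               # -d (any/0 in ipfwadm)
    dport: Optional[int] = None          # destination port, None = any
    src: str = "0.0.0.0/0"               # -s
    iface: Optional[str] = None          # -i (ipfwadm: -W), None = any
    proto: str = "tcp"
    redirect_port: Optional[int] = None  # port for REDIRECT (ipfwadm: -r)

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides, as in
    the kernel. A packet that matches nothing gets the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            if rule.target == "REDIRECT":
                return f"REDIRECT {rule.redirect_port}"
            return rule.target
    return policy


SERVER_IP = "192.168.1.1"   # the gateway's LAN address, as in the article

# The three rules exactly as the article gives them ("www" is port 80).
ARTICLE_CHAIN = [
    Rule("ACCEPT", dst="127.0.0.1/32", dport=80),
    Rule("ACCEPT", dst=SERVER_IP + "/32", dport=80),
    Rule("REDIRECT", dst="0.0.0.0/0", dport=80, redirect_port=8080),
]

# The same chain with the REDIRECT limited to packets that came in on the
# LAN interface from LAN addresses (ipchains: -i eth1 -s 192.168.1.0/24).
LAN_ONLY_CHAIN = [
    Rule("ACCEPT", dst="127.0.0.1/32", dport=80),
    Rule("ACCEPT", dst=SERVER_IP + "/32", dport=80),
    Rule("REDIRECT", dst="0.0.0.0/0", dport=80, redirect_port=8080,
         src="192.168.1.0/24", iface="eth1"),
]

# Constructed sample traffic (addresses are documentation ranges).
LAN_CLIENT = Packet("192.168.1.50", "203.0.113.10", 80, "eth1")   # browser -> web site
LAN_TO_GATEWAY = Packet("192.168.1.50", SERVER_IP, 80, "eth1")     # browser -> our own httpd
LAN_HTTPS = Packet("192.168.1.50", "203.0.113.10", 443, "eth1")    # browser -> https site
OUTSIDER = Packet("198.51.100.7", "203.0.113.1", 80, "eth0")       # Internet -> our external IP


def exposure(chain: List[Rule], pkt: Packet = OUTSIDER) -> bool:
    """True if a packet from the Internet side would be handed to Squid, i.e.
    the gateway would act as an open proxy for whoever sent it."""
    return evaluate(chain, pkt).startswith("REDIRECT")


if __name__ == "__main__":
    for name, chain in (("article", ARTICLE_CHAIN), ("lan-only", LAN_ONLY_CHAIN)):
        for pkt in (LAN_CLIENT, LAN_TO_GATEWAY, LAN_HTTPS, OUTSIDER):
            print(f"{name:8} {pkt.src:>14} -> {pkt.dst}:{pkt.dport} on {pkt.iface}: "
                  f"{evaluate(chain, pkt)}")
        print(f"{name:8} open to outsiders: {exposure(chain)}")
```

With the article's chain, the outsider's connection to the gateway's external address is redirected into Squid just like a LAN browser's, and because transparent proxying requires Squid to trust the Host header, Squid will fetch whatever that outsider names. With the LAN-only chain the same packet falls through to the chain policy, so it can be denied, or delivered to a Web server you deliberately run on the gateway. The HTTPS packet is never redirected by either chain, matching the point that port 443 is left alone.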
Configuring Squid
You need at least Squid 2.x to use transparent proxying. Once you have it installed and running, little additional configuration is required. Edit /etc/squid/squid.conf and make the following changes:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Two further settings matter. Squid must listen on the port the REDIRECT rule targets: its default http_port is 3128, so either set http_port to 8080 or change the rule to redirect to 3128. And since transparent proxying needs httpd_accel_uses_host_header on, Squid will contact whatever server the client's Host header names without checking it; the comments in squid.conf warn that this opens a security hole, because a client can make the cache store one server's response under another server's URL. Make sure your http_access ACLs allow only your own LAN, so that only hosts you trust can reach the proxy at all.
After you're done, restart Squid with /etc/rc.d/init.d/squid.init restart (or your distribution's equivalent init script).
Client configuration
The best part of the client configuration is that there's none. Clients only need to use this machine as their default gateway; they think they're directly connected to the Web server, without an intermediate proxy in between. This means you can use almost any type of client from behind your firewall, even one that has no proxy or firewall support of its own.