Solved

Setting up Squid behind NAT

Posted on 2004-09-18
9
511 Views
Last Modified: 2010-08-05
Hi out there,

It's my intention to set up a squid box to serve a subnet which is placed behind NAT; the setup looks like this:

 
       GW / NAT      x.x.x.x port 3130
           I
           I
         squid     y.y.y.y
         /   \
       /     \
 WS 1  -  WS n

  192.168.2.1   192.168.2.n

The reason for me to place the squid box there is that I want to be able to keep an eye on which sites the different workstations browse, something that would be somewhat difficult with the squid box on the other side of the NAT.

My problem is how to configure squid so that traffic from the workstations on ordinary ports 80 and 443 is redirected to port 3130 on the NAT.

By using squid I can reduce the load on our connection caused by this particular subnet. Only ports 80 and 443 are of interest in this particular case ;)

Any advice is appreciated !
0
Question by:gstromsten
9 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 168 total points
ID: 12095950
One solution to this would be to configure the gateway to only accept traffic on 80/443 from the IP of the Squid box. Then configure each workstation to use the IP of the Squid box as a proxy.

If the gateway is a Linux box running IPtables you can configure it for transparent proxy, which eliminates the need for special configuration on the workstations. If it isn't a Linux box you could check the docs for your gateway to see if it can be configured for transparent proxy.
0
 
LVL 17

Assisted Solution

by:owensleftfoot
owensleftfoot earned 166 total points
ID: 12095961
0
 
LVL 2

Assisted Solution

by:fulp02
fulp02 earned 166 total points
ID: 12138433
Alright, basically what I would suggest is: if you are going to put the squid box in front of the other
machines, you are going to have to route everything back and forth through it. Instead, put all of your machines
on the same network and, since you only want to monitor web browsing, set up your clients to proxy through squid for
web access and let everything else go straight to the gateway/NAT. So, for example:

                 Nat/gw  
                    |
                    |
          /         |          \
 machine 1     2     squid
         \           \          |
         port 80/443       |
                   \ _______
Sorry if the drawing sucks.
0
 
LVL 2

Expert Comment

by:fulp02
ID: 12138438
Oh, and block ports 80/443 from all the machines except squid.
0
 
LVL 2

Expert Comment

by:garak1357
ID: 12393310
Make the Squid box your gateway, if it isn't already.
Download the firewall called homeLANsecurity 1.4.1
at http://www.unixpages.com/hls and turn on the
transparent proxy option already configured in it.
No one on the LAN will notice a difference, but all
traffic will be routed through Squid.
0
 

Expert Comment

by:mamamia
ID: 13032271
I think it should be something like this:

                          INTERNET
                                | (eth0)
                    Gateway - Firewall
                                 | (eth1)
                          hub/switch
                                 |
        |-------------------|--------------------|------------------|
     squid                 ws01                   ws02                 ws-n


if you are using IPTABLES (replace squid-box, local-network and firewall-box with the real addresses):
# redirect port 80 from every LAN host except the squid box itself to squid's port 3130
iptables -t nat -A PREROUTING -i eth1 ! -s squid-box -p tcp --dport 80 -j DNAT --to-destination squid-box:3130
# squid sits on the same LAN, so rewrite the source to the firewall or squid would answer the workstation directly
iptables -t nat -A POSTROUTING -o eth1 -s local-network -d squid-box -j SNAT --to-source firewall-box
# let the redirected connections through the forward chain (in and out on the same interface)
iptables -A FORWARD -s local-network -d squid-box -i eth1 -o eth1 -p tcp --dport 3130 -j ACCEPT
# only the squid box may reach 80/443 outside; --dport takes a single port, so use multiport for two
iptables -A FORWARD -s squid-box -p tcp -m multiport --dports 80,443 -j ACCEPT

0
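Once the redirect is in place, the per-workstation overview the question asks for comes from Squid's access.log. The following is an added example, not code from the thread: it reads constructed lines in Squid's native log format (time, elapsed, client, action/status, bytes, method, URL, ident, hierarchy/peer, type), counts sites per client IP, and lists requests Squid refused with 403. Hostnames and addresses in the sample are made up.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not taken from a real box):
# time elapsed client action/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1095500000.123    245 192.168.2.10 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1095500001.456    890 192.168.2.11 TCP_MISS/200 2048 CONNECT secure.example.org:443 - DIRECT/203.0.113.5 -
1095500002.789     12 192.168.2.10 TCP_HIT/200 1024 GET http://www.example.com/logo.png - NONE/- image/png
1095500003.001    300 192.168.2.10 TCP_MISS/403 512 GET http://blocked.example.net/ - DIRECT/198.51.100.7 text/html
1095500004.002    150 192.168.2.11 TCP_MISS/200 4096 GET http://news.example.org:8080/top - DIRECT/203.0.113.9 text/html
this line is deliberately malformed and must be skipped
"""

def parse_line(line):
    """Split one native-format line into the fields we need; None if it does not fit."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3]:
        return None
    action, status = f[3].split("/", 1)
    if not status.isdigit():
        return None
    return {"client": f[2], "action": action, "status": int(status),
            "method": f[5], "url": f[6]}

def site_of(method, url):
    """Hostname of a request: CONNECT (https) lines carry host:port, the rest a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    host = urlsplit(url).hostname          # strips scheme, port and path
    return host.lower() if host else None

def sites_per_client(log_text):
    """Map client IP -> {site: number of requests}, the per-workstation view asked for."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                        # unparsable line, do not count it
        site = site_of(rec["method"], rec["url"])
        if site:
            summary[rec["client"]][site] += 1
    return {client: dict(sites) for client, sites in summary.items()}

def denied_requests(log_text):
    """(client, url) for requests Squid refused with 403, i.e. hits on an http_access deny rule."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [(r["client"], r["url"]) for r in recs if r and r["status"] == 403]
```

Note that https requests appear only as CONNECT lines with the hostname, so a 443 session is attributable to a workstation and a site but its URLs and content are not visible to Squid.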
