?
Solved

Setting up Squid behind NAT

Posted on 2004-09-18
9
Medium Priority
?
513 Views
Last Modified: 2010-08-05
Hi out there,

It's my intention to set up a squid-box to serve a subnet which is placed behind NAT, the setup looks like this :

 
       GW / NAT      x.x.x.x port 3130
           I
           I
         squid     y.y.y.y
         /   \
       /     \
 WS 1  -  WS n

  192.168.2.1   192.168.2.n

The reason for me to place the squid box there is that I want to be able to keep an eye on which sites different ws' browses, a thing that would be somewhat difficult with the squid box on the other side of the NAT.

My problem is how to configure squid so that traffic from the workstations on ordinary ports 80 and 443 is redirected to port 3130 on the NAT.

By using squid I can reduce the load on our connection caused by this particular subnet. Only ports 80 and 443 are of interest in this particular case ;)

Any advice is appreciated !
0
Comment
Question by:gstromsten
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 672 total points
ID: 12095950
One solution to this would be to configure the gateway to only accept traffic on 80/443 from the IP of the Squid box. Then configure each workstation to use the IP of the Squid box as a proxy.

If the gateway is a Linux box running IPtables you can configure it for transparent proxy, which eliminates the need for special configuration on the workstations. If it isn't a Linux box you could check the docs for your gateway to see if it can be configured for transparent proxy.
0
 
LVL 17

Assisted Solution

by:owensleftfoot
owensleftfoot earned 664 total points
ID: 12095961
0
 
LVL 2

Assisted Solution

by:fulp02
fulp02 earned 664 total points
ID: 12138433
Alright Basicly What I would Sugest is if you are going to put the squid box infront of the other
machines  You are going to have to route every thing back and forth through it . Instead put all of your machines
on the same net work and sence you only want to monitor web browsing . Set up yout clients to proxy through squid for
web acess and everything else go straight to the gateway/Nat . so  example

                 Nat/gw  
                    |
                    |
          /         |          \
 machine 1     2     squid
         \           \          |
         port 80/443       |
                   \ _______
Sorry if the drwaing sucks
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Expert Comment

by:fulp02
ID: 12138438
Oh and block ports 80/443 from all the machines except squid
0
 
LVL 2

Expert Comment

by:garak1357
ID: 12393310
Make the Squid box your gateway, if it isn't already.
Download the firewall called homeLANsecurity 1.4.1
at http://www.unixpages.com/hls and turn on the
transparent proxy option already configured in it.
No one on the LAN will notice a difference, but all
traffic will be routed through Squid.
0
 

Expert Comment

by:mamamia
ID: 13032271
i think it sould be something like this

                          INTERNET
                                | (eth0)
                    Gateway - Firewall
                                 | (eth1)
                          hub/switch
                                 |
        |-------------------|--------------------|------------------|
     squid                 ws01                   ws02                 ws-n


if you are using IPTABLES:
iptables -t nat -A PREROUTING -i eth1 -s ! squid-box -p tcp --dport 80 -j DNAT --to squidbox:3130
iptables -t nat -A POSTROUTING -o eth1 -s local-network -d squidbox -j SNAT --to firewallbox
iptables -A FORWARD -s local-network -d squid-box -i eth1 -o eth1 -p tcp --dport 3130 -j ACCEPT
iptables -A FORWARD -s squidbox -p tcp --dport 80,443 -j ACCEPT

0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses
Course of the Month8 days, 16 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question