Solved

Setting up Squid behind NAT

Posted on 2004-09-18
509 Views
Last Modified: 2010-08-05
Hi out there,

It's my intention to set up a Squid box to serve a subnet which is placed behind NAT; the setup looks like this:

 
       GW / NAT      x.x.x.x port 3130
           I
           I
         squid     y.y.y.y
         /   \
       /     \
 WS 1  -  WS n

  192.168.2.1   192.168.2.n

The reason for me to place the Squid box there is that I want to be able to keep an eye on which sites the different WSs browse, a thing that would be somewhat difficult with the Squid box on the other side of the NAT.

My problem is how to configure squid so that traffic from the workstations on ordinary ports 80 and 443 is redirected to port 3130 on the NAT.

By using squid I can reduce the load on our connection caused by this particular subnet. Only ports 80 and 443 are of interest in this particular case ;)

Any advice is appreciated!
Question by:gstromsten
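The asker's stated goal is to see which sites each workstation browses once their traffic passes through Squid. The script below is an added example, not something from the question or its replies: it reads Squid's native access.log format (timestamp, elapsed ms, client IP, action/status, bytes, method, URL, ident, hierarchy/peer, content type) and summarises requests and bytes per client and destination host. The log lines are constructed for the example; the 192.168.2.x clients and example.* hosts are hypothetical. Note that for HTTPS the proxy only sees the CONNECT line with host:port, so the report can show the host name but never the path.

```shell
#!/bin/sh
# Constructed sample of Squid's native access.log (hypothetical clients and hosts).
# fields: timestamp elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG='1095500000.123 234 192.168.2.5 TCP_MISS/200 4523 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1095500001.456 12 192.168.2.5 TCP_HIT/200 1200 GET http://www.example.com/logo.png - NONE/- image/png
1095500002.789 980 192.168.2.7 TCP_MISS/200 0 CONNECT mail.example.org:443 - DIRECT/93.184.216.35 -
1095500003.000 45 192.168.2.5 TCP_DENIED/403 1300 GET http://ads.example.net/track.js - NONE/- text/html
1095500004.500 300 192.168.2.7 TCP_MISS/200 7000 GET http://www.example.com/news - DIRECT/93.184.216.34 text/html'

# sites_by_client: access.log on stdin -> one line per (client, host):
#   "<client> <host> <requests> <bytes>", sorted.
# CONNECT (HTTPS) lines carry "host:port" instead of a URL, so the port is
# stripped and only the host name is reported.
sites_by_client() {
    awk '
    NF < 7 { next }                      # skip blank or truncated lines
    {
        client = $3
        host = $7
        sub(/^[a-z]+:\/\//, "", host)   # strip scheme (http://)
        sub(/\/.*$/, "", host)          # strip path
        sub(/:[0-9]+$/, "", host)       # strip port (CONNECT host:443)
        key = client " " host
        req[key]++
        bytes[key] += $5
    }
    END { for (k in req) print k, req[k], bytes[k] }
    ' | sort
}

# denied_requests: access.log on stdin -> "<client> <url>" for every request
# Squid refused (TCP_DENIED), i.e. attempts that ran into an ACL.
denied_requests() {
    awk 'NF >= 7 && $4 ~ /^TCP_DENIED\// { print $3, $7 }'
}

# Wrappers over the constructed sample; on a real box replace them with
#   sites_by_client < /var/log/squid/access.log
report() { printf '%s\n' "$SAMPLE_LOG" | sites_by_client; }
denied() { printf '%s\n' "$SAMPLE_LOG" | denied_requests; }

report
echo "--- denied ---"
denied
```

The per-host aggregation is what makes the output useful for the asker's purpose: a few hundred thousand log lines collapse into one line per workstation and site, and the TCP_DENIED filter surfaces the requests a Squid ACL blocked, which is usually what you want to look at first.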
9 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 168 total points
ID: 12095950
One solution to this would be to configure the gateway to only accept traffic on 80/443 from the IP of the Squid box. Then configure each workstation to use the IP of the Squid box as a proxy.

If the gateway is a Linux box running IPtables you can configure it for transparent proxy, which eliminates the need for special configuration on the workstations. If it isn't a Linux box you could check the docs for your gateway to see if it can be configured for transparent proxy.
 
LVL 17

Assisted Solution

by:owensleftfoot
owensleftfoot earned 166 total points
ID: 12095961
 
LVL 2

Assisted Solution

by:fulp02
fulp02 earned 166 total points
ID: 12138433
Alright, basically what I would suggest is, if you are going to put the squid box in front of the other machines, you are going to have to route everything back and forth through it. Instead, put all of your machines on the same network and, since you only want to monitor web browsing, set up your clients to proxy through squid for web access and everything else goes straight to the gateway/NAT. So, example:

                 Nat/gw  
                    |
                    |
          /         |          \
 machine 1     2     squid
         \           \          |
         port 80/443       |
                   \ _______
Sorry if the drawing sucks
 
LVL 2

Expert Comment

by:fulp02
ID: 12138438
Oh and block ports 80/443 from all the machines except squid
 
LVL 2

Expert Comment

by:garak1357
ID: 12393310
Make the Squid box your gateway, if it isn't already.
Download the firewall called homeLANsecurity 1.4.1
at http://www.unixpages.com/hls and turn on the
transparent proxy option already configured in it.
No one on the LAN will notice a difference, but all
traffic will be routed through Squid.
 

Expert Comment

by:mamamia
ID: 13032271
I think it should be something like this

                          INTERNET
                                | (eth0)
                    Gateway - Firewall
                                 | (eth1)
                          hub/switch
                                 |
        |-------------------|--------------------|------------------|
     squid                 ws01                   ws02                 ws-n


if you are using IPTABLES:
# placeholders: squidbox = Squid's IP, local-network = the LAN, firewallbox = the firewall's LAN IP
# redirect port-80 traffic from everyone except the Squid box itself to Squid's port 3130
iptables -t nat -A PREROUTING -i eth1 ! -s squidbox -p tcp --dport 80 -j DNAT --to-destination squidbox:3130
# source-NAT the redirected flow so Squid answers via the firewall instead of straight to the client
iptables -t nat -A POSTROUTING -o eth1 -s local-network -d squidbox -j SNAT --to-source firewallbox
iptables -A FORWARD -s local-network -d squidbox -i eth1 -o eth1 -p tcp --dport 3130 -j ACCEPT
# --dport takes a single port; a list needs the multiport match
iptables -A FORWARD -s squidbox -p tcp -m multiport --dports 80,443 -j ACCEPT

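jlevie's accepted answer and the rule set above describe the same setup: a Linux firewall on the LAN that redirects port 80 to Squid and lets only the Squid box out on 80/443. The script below is an added example, not code from any of the replies; it puts those rules into a function with named parameters so the whole set can be reviewed as a dry run before it touches a firewall. All addresses (eth1, 192.168.2.0/24, the Squid box at 192.168.2.254, the firewall at 192.168.2.1) are hypothetical. Two points the replies leave implicit are spelled out in the comments: the PREROUTING rule must exclude Squid's own source address, otherwise Squid's outbound fetches are redirected back into Squid; and only port 80 is intercepted, so HTTPS still relies on the browsers being configured to use the proxy as jlevie describes, which the final DROP rule enforces by refusing direct 443 from the workstations.

```shell
#!/bin/sh
# Transparent-proxy rule set for a firewall and Squid on the same LAN segment.
# All values below are hypothetical; adjust them to the real network.
LAN_IF=eth1
LAN_NET=192.168.2.0/24
SQUID_IP=192.168.2.254
FW_IP=192.168.2.1
SQUID_PORT=3130

# DRY_RUN=1 (the default) prints the rules instead of applying them, so the set
# can be read, or diffed against `iptables-save`, before it is loaded.
# Run with DRY_RUN=0 as root to apply.
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

transparent_proxy_rules() {
    # 1. Redirect LAN port-80 traffic to Squid, excluding Squid's own address:
    #    without the "! -s" Squid's outbound fetches would loop back into Squid.
    ipt -t nat -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"

    # 2. Client and Squid share a segment, so the redirected flow is source-NATed
    #    to the firewall; otherwise Squid would reply directly to a client that
    #    never opened a connection to Squid's port.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SQUID_IP" \
        -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$FW_IP"

    # 3. Allow the redirected flow to be forwarded back out the same interface.
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$SQUID_IP" \
        -p tcp --dport "$SQUID_PORT" -j ACCEPT

    # 4. Only Squid may leave for 80/443. Port 443 is not intercepted here, so
    #    HTTPS depends on the browsers' proxy setting; dropping direct 443 from
    #    the workstations is what makes that setting mandatory.
    ipt -A FORWARD -i "$LAN_IF" -s "$SQUID_IP" -p tcp \
        -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports 80,443 -j DROP
}

# Squid itself must accept intercepted connections on the redirected port;
# assumption: on Squid 3.1 or later that is "http_port 3130 intercept" in squid.conf.
transparent_proxy_rules
```

Ordering matters in rule 4: the ACCEPT for Squid precedes the DROP for the LAN, and the DNATed client flows never match either because by the time FORWARD sees them their destination port is already 3130.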
