Solved

Setting up Squid behind NAT

Posted on 2004-09-18
9
503 Views
Last Modified: 2010-08-05
Hi out there,

It's my intention to set up a squid-box to serve a subnet which is placed behind NAT, the setup looks like this :

 
       GW / NAT      x.x.x.x port 3130
           I
           I
         squid     y.y.y.y
         /   \
       /     \
 WS 1  -  WS n

  192.168.2.1   192.168.2.n

The reason for me to place the squid box there is that I want to be able to keep an eye on which sites different ws' browses, a thing that would be somewhat difficult with the squid box on the other side of the NAT.

My problem is how to configure squid so that traffic from the workstations on ordinary ports 80 and 443 is redirected to port 3130 on the NAT.

By using squid I can reduce the load on our connection caused by this particular subnet. Only ports 80 and 443 are of interest in this particular case ;)

Any advice is appreciated !
0
Comment
Question by:gstromsten
9 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 168 total points
ID: 12095950
One solution to this would be to configure the gateway to only accept traffic on 80/443 from the IP of the Squid box. Then configure each workstation to use the IP of the Squid box as a proxy.

If the gateway is a Linux box running IPtables you can configure it for transparent proxy, which eliminates the need for special configuration on the workstations. If it isn't a Linux box you could check the docs for your gateway to see if it can be configured for transparent proxy.
0
 
LVL 17

Assisted Solution

by:owensleftfoot
owensleftfoot earned 166 total points
ID: 12095961
0
 
LVL 2

Assisted Solution

by:fulp02
fulp02 earned 166 total points
ID: 12138433
Alright Basicly What I would Sugest is if you are going to put the squid box infront of the other
machines  You are going to have to route every thing back and forth through it . Instead put all of your machines
on the same net work and sence you only want to monitor web browsing . Set up yout clients to proxy through squid for
web acess and everything else go straight to the gateway/Nat . so  example

                 Nat/gw  
                    |
                    |
          /         |          \
 machine 1     2     squid
         \           \          |
         port 80/443       |
                   \ _______
Sorry if the drwaing sucks
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 2

Expert Comment

by:fulp02
ID: 12138438
Oh and block ports 80/443 from all the machines except squid
0
 
LVL 2

Expert Comment

by:garak1357
ID: 12393310
Make the Squid box your gateway, if it isn't already.
Download the firewall called homeLANsecurity 1.4.1
at http://www.unixpages.com/hls and turn on the
transparent proxy option already configured in it.
No one on the LAN will notice a difference, but all
traffic will be routed through Squid.
0
 

Expert Comment

by:mamamia
ID: 13032271
i think it sould be something like this

                          INTERNET
                                | (eth0)
                    Gateway - Firewall
                                 | (eth1)
                          hub/switch
                                 |
        |-------------------|--------------------|------------------|
     squid                 ws01                   ws02                 ws-n


if you are using IPTABLES:
iptables -t nat -A PREROUTING -i eth1 -s ! squid-box -p tcp --dport 80 -j DNAT --to squidbox:3130
iptables -t nat -A POSTROUTING -o eth1 -s local-network -d squidbox -j SNAT --to firewallbox
iptables -A FORWARD -s local-network -d squid-box -i eth1 -o eth1 -p tcp --dport 3130 -j ACCEPT
iptables -A FORWARD -s squidbox -p tcp --dport 80,443 -j ACCEPT

0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now