Solved

Setting up Squid behind NAT

Posted on 2004-09-18
9
507 Views
Last Modified: 2010-08-05
Hi out there,

It's my intention to set up a squid-box to serve a subnet which is placed behind NAT, the setup looks like this :

 
       GW / NAT      x.x.x.x port 3130
           I
           I
         squid     y.y.y.y
         /   \
       /     \
 WS 1  -  WS n

  192.168.2.1   192.168.2.n

The reason for me to place the squid box there is that I want to be able to keep an eye on which sites different ws' browses, a thing that would be somewhat difficult with the squid box on the other side of the NAT.

My problem is how to configure squid so that traffic from the workstations on ordinary ports 80 and 443 is redirected to port 3130 on the NAT.

By using squid I can reduce the load on our connection caused by this particular subnet. Only ports 80 and 443 are of interest in this particular case ;)

Any advice is appreciated !
0
Comment
Question by:gstromsten
9 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 168 total points
ID: 12095950
One solution to this would be to configure the gateway to only accept traffic on 80/443 from the IP of the Squid box. Then configure each workstation to use the IP of the Squid box as a proxy.

If the gateway is a Linux box running IPtables you can configure it for transparent proxy, which eliminates the need for special configuration on the workstations. If it isn't a Linux box you could check the docs for your gateway to see if it can be configured for transparent proxy.
0
 
LVL 17

Assisted Solution

by:owensleftfoot
owensleftfoot earned 166 total points
ID: 12095961
0
 
LVL 2

Assisted Solution

by:fulp02
fulp02 earned 166 total points
ID: 12138433
Alright Basicly What I would Sugest is if you are going to put the squid box infront of the other
machines  You are going to have to route every thing back and forth through it . Instead put all of your machines
on the same net work and sence you only want to monitor web browsing . Set up yout clients to proxy through squid for
web acess and everything else go straight to the gateway/Nat . so  example

                 Nat/gw  
                    |
                    |
          /         |          \
 machine 1     2     squid
         \           \          |
         port 80/443       |
                   \ _______
Sorry if the drwaing sucks
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 2

Expert Comment

by:fulp02
ID: 12138438
Oh and block ports 80/443 from all the machines except squid
0
 
LVL 2

Expert Comment

by:garak1357
ID: 12393310
Make the Squid box your gateway, if it isn't already.
Download the firewall called homeLANsecurity 1.4.1
at http://www.unixpages.com/hls and turn on the
transparent proxy option already configured in it.
No one on the LAN will notice a difference, but all
traffic will be routed through Squid.
0
 

Expert Comment

by:mamamia
ID: 13032271
i think it sould be something like this

                          INTERNET
                                | (eth0)
                    Gateway - Firewall
                                 | (eth1)
                          hub/switch
                                 |
        |-------------------|--------------------|------------------|
     squid                 ws01                   ws02                 ws-n


if you are using IPTABLES:
iptables -t nat -A PREROUTING -i eth1 -s ! squid-box -p tcp --dport 80 -j DNAT --to squidbox:3130
iptables -t nat -A POSTROUTING -o eth1 -s local-network -d squidbox -j SNAT --to firewallbox
iptables -A FORWARD -s local-network -d squid-box -i eth1 -o eth1 -p tcp --dport 3130 -j ACCEPT
iptables -A FORWARD -s squidbox -p tcp --dport 80,443 -j ACCEPT

0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Fine Tune your automatic Updates for Ubuntu / Debian
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question