Re: squid behind firewall with only port 8081 redirecting to squid

frech wrote:
Hi forum,
New to squid, I ran right at the beginning into a confusing configuration.

I have to set up squid on a machine behind a firewall.
Firewall is set up to serve port 80 to another machine than the squid
server!!!

I don't see why this is a problem. Every port has two sides when it passes through a firewall or router:
 * internal going out
 * external coming in.

The port-forwarding already setup is external coming in.
Squid is internal going out, right?

So ensure that the -i option is used by both rules.
-i takes the NIC name (eth0, eth1 etc) where the new connections the rule applies to are coming into the firewall.



OK, the situation:

- squid 3 on a lenny debian server
- server with 2 network adapters
   - eth0 with 192.168.1.2 --> connected to firewall (fw = 192.168.1.1)
      -- port 8081 opened on fw and pointing to squid server (192.168.1.2)
   - eth1 with 192.168.3.2 --> connected to small workgroup
      -- port 3128 used for squid proxy

My problem is, that I do not know how to setup the squid server correctly,
so that clients from workgroup can connect to internet (which later has to
be restricted).

  http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid

The defaults on Lenny should be fine to start with. Define the "localnet" settings to your Internal network range and squid3 'just works'.


My thoughts:
1. setting up eth0 and eth1.
    -- adding a route to eth1, to use eth0 as gateway
       route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0 (is this correct???)
2. using a prerouting with iptables??
   -- iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 8081 -j DNAT --to 192.168.1.2:3128


This does not work. What could be wrong or better done?

Ah. Beginner trying interception. My sympathies.


WARNING: Interception is less commonly named "man-in-middle security attack". Beware of many problems, least of which is that HTTPS and authentication are completely non-compatible.


PART 1:

The routing on Squid box is normal two routes, with 192.168.1.1 as default gateway and 192.168.1.2 as gateway back to 192.168.3.0.

Best practice is to configure browsers properly with the proxy details.
This can be automated with WPAD and PAC files via DNS or DHCP.
   http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

This will hopefully remove any need for special routes or NAT. Browsers will be contacting 192.168.1.2:3128 directly for their web access. If you wish you may completely firewall port 80 outbound and require the proxy is used.


PART 2:

Interception should be kept as a last resort. If a full outbound block is not possible but you still require the proxy as a filter for port 80, I recommend the following:

On the router box setup policy-routing as described here:
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

Your config with Squid in 192.168.1.* and clients in 192.168.3.* sounds like a DMZ setup to me.


On the Squid box is where the DNAT intercept actually happens. As per this config:
  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
(use a second http_port for the intercept traffic).


EXTRA:
If you want to simplify further, you can also have Squid reverse-proxy for that internal web server you mentioned:
  http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

but I'd leave that until you have the rest working and are comfortable with it.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.10 or 3.1.0.11
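The pieces of the reply above (a second http_port for the intercepted traffic, -i on the NIC where the clients' new connections come in, a route back from the router to 192.168.3.0/24) put together for this thread's layout, as an added example that is not from the thread or from the Squid wiki pages it links. The intercept port 3129, the variable names and the check_layout guard are assumptions; the rules are emitted as text for review and only run with the `apply` argument.

```shell
#!/bin/sh
# Constructed example for the layout in this thread, not the thread's or the Squid wiki's config.
# Squid box 192.168.1.2: eth0 faces the firewall (192.168.1.1), eth1 faces the 192.168.3.0/24
# workgroup. Explicit proxy on 3128; intercepted port-80 traffic lands on a second port (3129 assumed).
# The router still needs 192.168.1.2 as its route back to 192.168.3.0/24, as the reply says.
SQUID_IP=${SQUID_IP:-192.168.1.2}
FW_IF=${FW_IF:-eth0}            # NIC towards the firewall: not where client connections arrive
CLIENT_IF=${CLIENT_IF:-eth1}    # NIC the clients' new connections come in on (-i goes here)
CLIENT_NET=${CLIENT_NET:-192.168.3.0/24}
PROXY_PORT=${PROXY_PORT:-3128}
INTERCEPT_PORT=${INTERCEPT_PORT:-3129}

# Refuse the two layout mistakes that make interception silently do nothing or misbehave.
check_layout() {
    if [ "$CLIENT_IF" = "$FW_IF" ]; then
        echo "CLIENT_IF must be the client-side NIC, not the firewall-side $FW_IF" >&2; return 1
    fi
    if [ "$INTERCEPT_PORT" = "$PROXY_PORT" ]; then
        echo "intercepted traffic needs its own http_port, separate from $PROXY_PORT" >&2; return 1
    fi
}

# squid.conf lines: explicit port plus a separate intercept port, restricted to localnet.
# Squid 3.1+ spells the mode 'intercept'; Squid 3.0 (Lenny's squid3 package) uses 'transparent'.
squid_conf() {
    printf 'http_port %s:%s\n' "$SQUID_IP" "$PROXY_PORT"
    printf 'http_port %s:%s intercept\n' "$SQUID_IP" "$INTERCEPT_PORT"
    printf 'acl localnet src %s\n' "$CLIENT_NET"
    printf 'http_access allow localnet\nhttp_access deny all\n'
}

# Commands for the Squid box, emitted as text so they can be reviewed before being applied.
# The DNAT matches -i on the client-facing NIC, because that is where the new port-80 connections
# come in; a rule on $FW_IF (the original attempt) never sees them. The mangle DROP fires before
# nat PREROUTING, so only DNAT'd packets can reach the intercept port, never direct connections.
intercept_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A PREROUTING -i $CLIENT_IF -s $CLIENT_NET -p tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$INTERCEPT_PORT"
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $INTERCEPT_PORT -j DROP"
}

case ${1:-show} in
    show)  check_layout && { squid_conf; echo; intercept_rules; } ;;   # dry run (default)
    apply) check_layout && intercept_rules | sh -e ;;                   # needs root
esac
```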
