On Tue, 21 Sep 2010 07:48:07 -0700, Andrei <funactivities@xxxxxxxxx> wrote:

>>> 5) No NATing is done on this machine.
>>
>> Ah, "transparent" flag does not mean what you think then.
>>
>> In Squid-3.2 and older it means "traffic arriving at this port has been
>> redirected here via NAT in the firewall".
>>
>> What did you actually want?
>
> I have 300 kids with laptops. It would be difficult to set up each
> individual browser for proxy.
> Proxy is a LAN client like the rest of laptops. Firewall (NAT, DHCP
> etc.) sends/forwards all the traffic to the proxy.
> No NAT is performed on the proxy. The proxy computer is just a Squid
> 3.1 box with dnsmasq.

Ah, kids, laptops ... captive portal with "hostile" users :)

Doing NAT at the firewall before traffic gets to Squid erases the IP
address information which may help you control them a bit more.

NAT on the squid box is a MUST when using the "transparent" flag. You may
have noticed Squid access.log only contains the firewall IP?

The only case I'm aware of where the router/firewall is unable to route
raw traffic to Squid without altering it on the way is for home-user ADSL
boxes. All others seem to be capable of policy routing port 80 to the
squid box for NAT + Squid to happen there.

You will definitely be wanting to test out and use those iptables mangle
table rules to protect your interception http_port. Squid is vulnerable to
a widely known attack (CVE-2009-0801) where special requests can be sent
directly to the squid port doing "transparent"/NAT to make Squid fetch
content from other than the IP address used in the TCP link to the
firewall.

WPAD will also be your friend when dealing with this type of user.
Browsers only need to be set to "automatically detect network proxy" where
they cannot easily see what the proxy is. The bulk of the setup is in your
DHCP/DNS/Web servers.

You gain all the extra abilities (authentication, HTTPS filtering, safe
HTTP redirects, etc.) as if the browser was manually configured with the
proxy. Details in that squid wiki under browser configuration ("fully
automatic with WPAD").

With the dnsmasq NATing kept on the proxy box as a last resort to catch
the machines not set to auto-detect the proxy.

Amos
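The netfilter side of what Amos describes, as an added example that is not from the thread or from the Squid project: the proxy box does the NAT itself, and a mangle-table rule refuses anything that arrives addressed straight to the intercept port, which is the kind of direct request CVE-2009-0801 relies on. The interface name, the port number and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example for a Squid 3.1 box that receives policy-routed port-80
# traffic from the firewall and performs the NAT locally.
# Assumed values (constructed): LAN interface eth0, squid.conf carries
# "http_port 3129 transparent".
LAN_IF="${LAN_IF:-eth0}"                  # interface facing laptops/firewall
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"  # Squid's "transparent" http_port
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print the rules, do not apply

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

intercept_rules() {
    # A packet that already carries dport 3129 when it enters the box did
    # not come through our REDIRECT: a client is talking to the intercept
    # port directly. mangle/PREROUTING is evaluated before nat/PREROUTING,
    # so legitimately redirected packets still show dport 80 here and are
    # not matched; only the direct hits are dropped.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp \
        --dport "$INTERCEPT_PORT" -j DROP

    # NAT on the squid box: send the laptops' plain HTTP to Squid. Locally
    # generated traffic (Squid's own upstream fetches) never traverses
    # PREROUTING, so no bypass rule for the proxy's own IP is needed here.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
}

# "show" prints the rule set; "apply" installs it (needs root).
case "${1:-}" in
    show)  DRY_RUN=1; intercept_rules ;;
    apply) intercept_rules ;;
esac
```

Run it with `show` first and compare the printed rules against `iptables -t mangle -S PREROUTING` after applying; access.log should then record the laptops' own addresses rather than the firewall's.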