Re: [squid-users] squid behind firewall with only port 8081 redirecting to squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 20 Jul 2009 23:30:11 +1200

frech wrote:
> Hi forum,
> new to squid I ran right at the beginning in a confusing configuration.
>
> I have to set up squid on a machine behind a firewall.
> Firewall is set up to serve port 80 to an other machine than the squid
> server!!!

I don't see why this is a problem. Every port has two sides when it
passes through a firewall or router:
  * internal going out
  * external coming in.

The port-forwarding already setup is external coming in.
Squid is internal going out. right?

So ensure that the -i option is used by both rules.
-i takes the NIC name (eth0, eth1 etc) where the new connections the
rule applies to are coming into the firewall.

>
> OK, the situation:
>
> - squid 3 on a lenny debian server
> - server with 2 network adapters
> - eth0 with 192.168.1.2 --> connected to firewall (fw = 192.168.1.1)
> -- port 8081 opened on fw and pointing to squid server (192.168.1.2)
> - eth1 with 192.168.3.2 --> connected to small workgroup.
> -- port 3128 used for squid proxy
>
> My problem is, that I do not know how to setup the squid server correctly,
> so that clients from workgroup can connect to internet (which later has to
> be restricted).

   http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid

The defaults on Lenny should be fine to start with. Define the
"localnet" settings to your Internal network range and squid3 'just works'.

>
> My thoughts:
> 1. setting up eth0 and eth1.
> -- adding a route to eth1, to use eth0 as gateway
> route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.1 dev
> eth0 (is this correct???)
> 2. using a prerouting wiht iptables??
> -- iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 8081 -j DNAT --to
> 192.168.1.2:3128

>
> This does not work. What could be wrong or better done?

Ah. Beginner trying interception. My sympathies.

WARNING: Interception is less commonly named "man-in-middle security
attack". Beware of many problems; least of which is HTTPS and
authentication completely non-compatible.

PART 1:

The routing on Squid box is normal two routes, with 192.168.1.1 as
default gateway and 192.168.1.2 as gateway back to 192.168.3.0.

Best practice is to configure browsers properly with the proxy details.
This can be automated with WPAD and PAC files via DNS or DHCP.
    http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

This will hopefully remove any need for special routes or NAT. Browsers
will be contacting 192.168.1.2:3128 directly for their web access. If
you wish you may completely firewall port 80 outbound and require the
proxy is used.

PART 2:

Interception should be kept as a last resort. If a full outbound block
is not possible but when you still require the proxy as a filter for
port-80. I recommend the following:

On the router box setup policy-routing as described here:
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

Your config with Squid in 192.168.1.* and clients in 192.168.3.* sounds
like a DMZ setup to me.

On the Squid box is where the DNAT intercept actually happens. As per
this config:
   http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
(use a second http_port for the intercept traffic).

EXTRA:
   If you want to simplify further, you can also have Squid
reverse-proxy for that internal web server you mentioned:
   http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

but I'd leave that until you have the rest working and are comfortable
with it.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.10 or 3.1.0.11
Received on Mon Jul 20 2009 - 11:30:23 MDT

This archive was generated by hypermail 2.2.0 : Mon Jul 20 2009 - 12:00:02 MDT