Re: [squid-users] squid behind firewall with only port 8081 redirecting to squid

From: frech <>
Date: Mon, 20 Jul 2009 06:48:32 -0700 (PDT)

Hi Amos,
thank you so much for your reply!!
I still have some questions.

Amos Jeffries-2 wrote:
> The port-forwarding already setup is external coming in.
> Squid is internal going out. right?
> --> right!
> So ensure that the -i option is used by both rules.
> -i takes the NIC name (eth0, eth1 etc) where the new connections the
> rule applies to are coming into the firewall.
> --> I have the problem that I can't configure the firewall, as I have no
> access. For Squid there is a rule on the firewall directing port 8080 to
> the squid server, so if I temporarily set up apache to listen on port 8080
> I can reach the squid server from the www ;-) I don't know at the moment
> whether there is also a rule for 8080 going out. But I have no problem to
> ping and use lynx from the squid server's shell.
> The defaults on Lenny should be fine to start with. Define the
> "localnet" settings to your Internal network range and squid3 'just
> works'.
> --> Sorry, I thought I had squid3, but it is the stable 2.7 ... I
> restarted using the example from ../doc/squid/examples
> and only changed the http_port to the IP of the server's internal
> eth1 address:
> http_port
> WARNING: Interception is less commonly named "man-in-middle security
> attack". Beware of many problems; least of which is HTTPS and
> authentication completely non-compatible.
> --> I don't want to do too much ;-) It is just that I don't know how to
> configure it in a better way ...
> PART 1:
> The routing on Squid box is normal two routes, with as
> default gateway and as gateway back to
> --> so, how to set the route correct?
> The original:
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>                 *                               U     0      0        0 eth1
> localnet        *                               U     0      0        0 eth0
> default                                         UG    0      0        0 eth0
> Do I have to change the first line or to append a new one?
> Is it
>                                                 UG    0      0        0 eth1
> OR
>                                                 UG    0      0        0 eth0
> (so eth0 or eth1 at the end??)
> Interception should be kept as a last resort. If a full outbound block
> is not possible but when you still require the proxy as a filter for
> port-80. I recommend the following:
> --> There is no real need for Interception if I can configure a running
> squid ;-)
> Your config with Squid in 192.168.1.* and clients in 192.168.3.* sounds
> like a DMZ setup to me.
> --> Problem which resulted in this setup:
> I work in a project in Africa. Bandwidth is very low there. Now we had to
> set up a workgroup for some extra work to do. This workgroup resides
> outside the normal company building and is connected to the main building
> by WLAN. We have one server (with data and licence server) and three
> workstations in the extra building.
> Now we had problems with network stability (access to the workgroup
> server was interrupted by something coming out of the intranet ...) and,
> working with software needing big updates, I thought it might be helpful
> to set up a proxy. Now the three workstations and the server are connected
> by a small hub. The hub is connected to the official switch.
> I changed the "extra" network from the company's to the new
>, because I need static IPs for the workstations and the
> company network uses DHCP on the firewall.
> On the Squid box is where the DNAT intercept actually happens. As per
> this config:
> (use a second http_port for the intercept traffic).

So all I need is a simple and working squid configuration to start with ;-)
But until now I did not manage to set it up ;-(

If I understand correctly, all I have to do is to create the correct route of
interfaces to start with the sample squid.conf. Is this correct?
The "restricted" port 8080 which is redirected from the firewall to my squid
server has no effect ... And it might work without any port redirected to
my squid??

Kind regards


Received on Mon Jul 20 2009 - 13:48:39 MDT

This archive was generated by hypermail 2.2.0 : Mon Jul 20 2009 - 12:00:02 MDT