Making Your Squid Server Transparent To Users
It is possible to restrict outbound HTTP Internet access to the Squid server alone without modifying the browser settings on your client PCs.
Firewall configuration
This is called a “transparent proxy” configuration. It is usually achieved by configuring a firewall between the client PCs and the Internet to redirect all HTTP (TCP port 80) traffic to the Squid server on TCP port 3128 (Squid's default TCP port).
The examples below are based on the discussion of Linux iptables that can be found in the firewall chapter of the Linux Websites book. Additional commands may be necessary for your particular network topology.
In both cases below:
> The firewall is connected to the internet on interface eth0 and to the home network on interface eth1.
> The firewall is the default gateway for the home network which uses NAT to access the Internet.
> Only the squid server has access to the Internet on port 80 (HTTP). This is because all HTTP traffic, except that originating from the squid server itself, is redirected to the proxy.
Squid Server And Firewall Are The Same Server
Here all HTTP traffic from the home network is redirected to the firewall itself on the squid port of 3128.
# Redirect port-80 traffic arriving from the home network to the local squid port
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
    -j REDIRECT --to-ports 3128
# Allow the firewall (where squid runs) to open new outbound HTTP connections
iptables -A OUTPUT -j ACCEPT -m state --state NEW -o eth0 \
    -p tcp --dport 80
Squid Server And Firewall Are Different Servers
Here all HTTP traffic from the home network except from the squid server at IP address 192.168.1.100 is redirected to the Squid server on the squid port of 3128.
# DNAT port-80 traffic from the home network to the squid server on port 3128,
# excluding the squid server's own traffic so it is not looped back to itself
iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.1.100/32 -p tcp --dport 80 \
    -j DNAT --to 192.168.1.100:3128
# Allow the firewall to open new outbound HTTP connections
iptables -A OUTPUT -j ACCEPT -m state --state NEW -o eth0 \
    -p tcp --dport 80
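As an added example that is not part of the original text, the following script parameterizes the two rule sets above (interface names, Squid address and port) and supports a dry run so the generated rules can be inspected before loading them. The script name, the extra FORWARD rule that limits WAN-bound HTTP to the Squid server, and the return-path and Squid http_port remarks are assumptions the page does not cover.

```shell
#!/bin/sh
# Added example (not from the page): build the rule sets for both layouts
# above from parameters. Dry-run with IPTABLES="echo iptables".
IPTABLES="${IPTABLES:-iptables}"

# Layout 1: Squid and the firewall are the same machine.
transparent_same_host() {
    lan_if=$1; wan_if=$2; squid_port=$3
    # Send LAN clients' port-80 traffic to the local Squid port.
    $IPTABLES -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$squid_port"
    # Squid (running on this host) may open outbound HTTP connections.
    $IPTABLES -A OUTPUT -o "$wan_if" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

# Layout 2: Squid runs on another LAN host, squid_ip.
transparent_separate_host() {
    lan_if=$1; wan_if=$2; squid_ip=$3; squid_port=$4
    # DNAT LAN clients' port-80 traffic to Squid. "! -s" excludes Squid's
    # own outbound requests so they are not looped back to it.
    $IPTABLES -t nat -A PREROUTING -i "$lan_if" ! -s "$squid_ip" \
        -p tcp --dport 80 -j DNAT --to-destination "$squid_ip:$squid_port"
    # Assumption beyond the page: only Squid's HTTP is forwarded to the WAN.
    $IPTABLES -A FORWARD -i "$lan_if" -o "$wan_if" -s "$squid_ip" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$wan_if" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # Caveat: Squid's replies must pass back through this firewall for the
    # DNAT to be undone. If Squid sits on the same segment as the clients,
    # add SNAT/MASQUERADE for the DNAT'd flows or policy routing (not shown).
}

# Usage: sh transparent-squid.sh same eth1 eth0 3128
#        sh transparent-squid.sh separate eth1 eth0 192.168.1.100 3128
# Squid itself must also accept intercepted traffic (http_port 3128 intercept;
# older releases spell it "transparent"), which the page does not cover.
case "${1:-}" in
    same)     transparent_same_host "$2" "$3" "$4" ;;
    separate) transparent_separate_host "$2" "$3" "$4" "$5" ;;
esac
```

Run it first with IPTABLES="echo iptables" and compare the printed rules with the two listings above before loading them on the firewall.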