[squid-users] Transparent proxy before NAT

Yuri Voinov yvoinov at gmail.com
Tue Jul 14 05:52:22 UTC 2015


I use a slightly different configuration:

http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoIOSv15Wccp2

As you can see, the squid box is placed between two routers. The front 
router uses NAT to a white IP; the back router has no NAT and is 
configured with WCCPv2 redirection. A DMZ is configured between the two routers.

As I think, the configuration you described will be really strange and 
insecure. Yes, you can assign a white IP to squid. No, you can't use squid 
as a router or DHCP server. A squid box can only work as an interceptor for 
HTTP/HTTPS traffic and a TCP/IP forwarder for other traffic.

As I said, a more correct configuration will be:

Internet <-----> Router <-----> Transparent Squid box as gateway 
<-------> devices.

This configuration works; I use it in my testing environment.

14.07.15 2:34, John Pearson wrote:
> Thanks Yuri for the response, I understand. I do have Shorewall 
> configured and I understand the security implications. My Router is 
> also the Wireless AP, so I want to try out this setup without having 
> to buy another Wireless AP.
>
> I don't mind it being complex, do you have any suggestions on getting 
> Internet <---> Squid <---> Router (NAT) working ?
>
> Thanks!
>
> On Mon, Jul 13, 2015 at 1:33 PM, John Pearson 
> <johnpearson555 at gmail.com <mailto:johnpearson555 at gmail.com>> wrote:
>
>     On Mon, Jul 13, 2015 at 1:26 PM, Yuri Voinov <yvoinov at gmail.com
>     <mailto:yvoinov at gmail.com>> wrote:
>
>
>
>         Ah,
>
>         forgot about:
>
>         Your squid in the scheme I wrote will have a static gray IP. And
>         this IP must be excluded from the DHCP pool on the router.
>
>         14.07.15 2:15, John Pearson wrote:
>         > Hi Everyone,
>         >
>         > My setup is: Internet <--> Squid-eth0 <--> Squid-eth1 <--> Router <--> Devices
>         >
>         > Currently the Router is doing NAT and DHCP for the devices connected to it.
>         > Squid is in transparent mode. I set up a bridge ( br0). I set up the
>         > ebtables and iptables. It works but I want to figure out a way without
>         > having to configure Squid server or Router with hardcoded addresses.
>         >
>         > I have it working with either setup:
>         > 1. Remove the bridge ( br0) and setup the Squid server eth1 as a static IP
>         > address and set Squid server IP address as gateway in Router settings.
>         > 2. Since Squid server is in bridge mode, I can hard code IP address in a
>         > Squid ACL as all traffic appears to come from this IP address from the router.
>         >
>         > I want a way to do this without any setup, basically to take a Squid box
>         > and place it before a Router. Is there a way to do this ?
>         >
>         > A few ideas that might be wrong:
>         > 1. In bridge mode, http_access allow CURRENTIPADDRESS ( CURRENTIPADDRESS
>         > is the dynamic IP address provided by the ISP ) Is there a way to
>         > obtain this in the squid.conf file ?
>         > 2. Setup a DHCP server alongside Squid server and have Squid(DHCP) <-->
>         > Router(DHCP, NAT) and have same dhcp address given to the Router in
>         > squid.conf as http_access allow localnet
>         >
>         > Thanks in advance!
>         >
>         > _______________________________________________
>         > squid-users mailing list
>         > squid-users at lists.squid-cache.org
>         > http://lists.squid-cache.org/listinfo/squid-users
>
>
>
>
>
>
>
>
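The recommended layout in this thread (Internet <-> Router <-> transparent Squid box as gateway <-> devices) rests on two configuration points: the Squid box gets a static private address that is excluded from the router's DHCP pool, and the intercept ACL is keyed on the LAN subnet rather than on a public address that the ISP may change. The script below is an added example written for this page; it is not code from the thread or from the Squid project. It checks the static-address/DHCP-pool constraint with the `ipaddress` module and emits the squid.conf fragment and the iptables REDIRECT rule that an intercepting gateway needs. All addresses, the interface name `eth1` and the port numbers are constructed sample values; `3129` is the intercept listener and `3128` the ordinary proxy port, both chosen here as assumptions.

```python
import ipaddress


def static_ip_outside_dhcp_pool(static_ip, pool_start, pool_end, lan_cidr):
    """Return (ok, reason): is the Squid box's static address inside the LAN
    but outside the router's DHCP pool? (sample addresses are constructed)"""
    net = ipaddress.ip_network(lan_cidr, strict=False)
    ip = ipaddress.ip_address(static_ip)
    lo = ipaddress.ip_address(pool_start)
    hi = ipaddress.ip_address(pool_end)
    if lo > hi:
        raise ValueError("DHCP pool start is after pool end")
    if ip not in net:
        return False, f"{ip} is not inside the LAN {net}"
    if lo <= ip <= hi:
        return False, f"{ip} lies inside the DHCP pool {lo}-{hi}; exclude it on the router"
    return True, f"{ip} is static and outside the pool {lo}-{hi}"


def squid_intercept_conf(lan_cidr, intercept_port=3129, proxy_port=3128):
    """Minimal squid.conf lines for an intercepting gateway. The ACL uses the
    LAN subnet, so it does not depend on the ISP-assigned public address."""
    return [
        f"acl localnet src {lan_cidr}",
        f"http_port {proxy_port}",
        f"http_port {intercept_port} intercept",
        "http_access allow localnet",
        "http_access deny all",
    ]


def iptables_redirect_rules(lan_iface, lan_cidr, intercept_port=3129):
    """iptables nat rule that redirects LAN clients' port-80 traffic to the
    intercept listener. LAN-internal destinations are left alone so the box
    does not proxy (or loop) traffic that never leaves the subnet."""
    return [
        f"iptables -t nat -A PREROUTING -i {lan_iface} -s {lan_cidr} "
        f"! -d {lan_cidr} -p tcp --dport 80 -j REDIRECT --to-port {intercept_port}",
    ]


if __name__ == "__main__":
    # Constructed sample topology: LAN 192.168.1.0/24, router hands out
    # .100-.200 by DHCP, Squid box is the static gateway at .2 (hypothetical).
    lan = "192.168.1.0/24"
    ok, why = static_ip_outside_dhcp_pool("192.168.1.2", "192.168.1.100", "192.168.1.200", lan)
    print("address check:", why)
    if ok:
        print("\n".join(squid_intercept_conf(lan)))
        print("\n".join(iptables_redirect_rules("eth1", lan)))
```

Running it prints the address check, then the squid.conf fragment and the iptables rule for the sample subnet. Because the ACL and the REDIRECT rule both reference the private LAN subnet, nothing in the generated configuration changes when the ISP assigns a new public address to the router, which is the problem the original question was trying to solve with a dynamic `CURRENTIPADDRESS` ACL.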
