Forcing Users to Use Your Squid Server
If you are using access controls on Squid, you may also want to configure your firewall so that only the Squid server is allowed HTTP access to the Internet. This forces your users to browse the Web through the Squid proxy, because a browser that bypasses the proxy has no path to port 80 on the Internet.
Making Your Squid Server Transparent to Users
It is possible to limit HTTP Internet access to only the Squid server without having to modify the browser settings on your client PCs. This is called a transparent proxy configuration. It is usually achieved by configuring a firewall between the client PCs and the Internet to redirect all HTTP (TCP port 80) traffic to the Squid server on TCP port 3128, which is the Squid server's default TCP port. Only plain HTTP on TCP port 80 is caught this way; HTTPS (TCP port 443) and HTTP on non-standard ports are not redirected, so the firewall must still block them (or allow them deliberately), otherwise users can bypass the proxy.
The examples below are based on the discussion of Linux iptables in Chapter 14, "Linux Firewalls Using iptables." Additional commands may be necessary for your particular network topology.
In both cases below, the firewall is connected to the Internet on interface eth0 and to the home network on interface eth1. The firewall is also the default gateway for the home network and handles network address translation on all the network's traffic to the Internet.
Only the Squid server has access to the Internet on port 80 (HTTP), because all HTTP traffic, except that coming from the Squid server, is redirected.
If the Squid server and firewall are the same server, all HTTP traffic from the home network is redirected to the firewall itself on the Squid port of 3128, and only the firewall itself is allowed to access the Internet on port 80. Note that Squid's replies to the clients pass through the OUTPUT chain with a source port of 3128; the reverse translation back to port 80 is done afterwards, in the nat table's POSTROUTING chain, so the last rule matches on source port 3128.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
-j REDIRECT --to-ports 3128
iptables -A INPUT -j ACCEPT -m state \
--state NEW,ESTABLISHED,RELATED -i eth1 -p tcp \
--dport 3128
iptables -A OUTPUT -j ACCEPT -m state \
--state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
--dport 80
iptables -A INPUT -j ACCEPT -m state \
--state ESTABLISHED,RELATED -i eth0 -p tcp \
--sport 80
iptables -A OUTPUT -j ACCEPT -m state \
--state ESTABLISHED,RELATED -o eth1 -p tcp \
--sport 3128
If the Squid server and firewall are different servers, the statements are different. You need to set up iptables so that all connections to the Web not originating from the Squid server are actually converted into three connections: one from the Web browser client to the firewall, another from the firewall to the Squid server, and a third, which the Squid server makes itself, from the Squid server to the Web to service the request. The Squid server then gets the data and replies to the firewall, which then relays this information to the Web browser client. The iptables program does all this using these NAT statements:
iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.1.100 \
-p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:3128
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 \
-d 192.168.1.100 -p tcp --dport 3128 -j SNAT --to-source 192.168.1.1
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.1.100 \
-i eth1 -o eth1 -m state \
--state NEW,ESTABLISHED,RELATED \
-p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -s 192.168.1.100 \
-i eth1 -o eth1 -m state --state ESTABLISHED,RELATED \
-p tcp --sport 3128 -j ACCEPT
In the first statement, all HTTP traffic from the home network except from the Squid server at IP address 192.168.1.100 is redirected to the Squid server on port 3128 using destination NAT. (Older iptables releases also accepted the negation written as "-s ! 192.168.1.100"; current releases require "! -s".) The second statement makes this redirected traffic also undergo source NAT to make it appear as if it is coming from the firewall itself. This is necessary because the client and the Squid server are on the same subnet: without the SNAT, Squid would answer the client directly from 192.168.1.100:3128, the firewall would never see the reply to undo the destination NAT, and the client, which believes it is talking to the original Web server on port 80, would reset the connection. The price is that Squid sees every client as 192.168.1.1, so its access logs and any per-client ACLs lose the real client addresses. The FORWARD statements are used to ensure the traffic is allowed to flow to the Squid server after the NAT process is complete. The unusual feature is that the NAT all takes place on one interface, that of the home network (eth1).
Additionally, you will have to make sure your firewall has rules to allow your Squid server to access the Internet on HTTP TCP port 80 as covered in Chapter 14, "Linux Firewalls Using iptables."
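The following script is an added example and not part of the original text: it collects the rules for both topologies above into two shell functions, parameterized on the interface names, addresses and port, and includes the Chapter 14 rules that let only the Squid host reach port 80 on the Internet. By default the variable IPT expands to "echo iptables", so running it prints the rules it would add without needing root; set IPT=iptables to apply them. The variable names and the helper count_rules_matching are this example's own and are assumptions, not Squid or iptables conventions.

```shell
#!/bin/sh
# Added example (not from the original text): generates, or with
# IPT=iptables applies, the transparent-proxy rules for both topologies.
# Assumed layout: eth0 faces the Internet, eth1 the home network
# 192.168.1.0/24, firewall LAN address 192.168.1.1, Squid at
# 192.168.1.100 on TCP 3128. IPT defaults to a dry run that prints the
# rules, so the script can be inspected without root privileges.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"
SQUID_IP="${SQUID_IP:-192.168.1.100}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Topology 1: Squid runs on the firewall itself. Port 80 from the LAN is
# redirected to the local Squid port; only the firewall may reach port 80
# on the Internet.
squid_on_firewall() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Replies to clients leave the OUTPUT chain from port 3128; the reverse
    # REDIRECT back to port 80 is applied later, in nat POSTROUTING.
    $IPT -A OUTPUT -o "$LAN_IF" -p tcp --sport "$SQUID_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Topology 2: Squid on a separate LAN host. DNAT sends the clients' port-80
# traffic to Squid; SNAT makes it appear to come from the firewall so the
# replies return through the firewall for reverse translation; FORWARD
# allows the hairpinned traffic on the LAN interface. Only the Squid host
# may reach port 80 on the Internet.
squid_on_separate_host() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SQUID_IP" \
        -p tcp --dport "$SQUID_PORT" -j SNAT --to-source "$FW_LAN_IP"
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$SQUID_IP" \
        -p tcp --dport "$SQUID_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$SQUID_IP" -d "$LAN_NET" \
        -p tcp --sport "$SQUID_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Squid's own fetches from the Internet, restricted to the Squid host.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$SQUID_IP" \
        -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SQUID_IP" \
        -p tcp --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Count the generated rules containing a fixed string. Useful for checking
# the dry-run output, for example that exactly one rule excludes the Squid
# host from redirection. $1 = function name, $2 = string to look for.
count_rules_matching() {
    "$1" | grep -F -c -- "$2"
}

case "${1:-}" in
    same)     squid_on_firewall ;;
    separate) squid_on_separate_host ;;
    *)        echo "usage: $0 same|separate" >&2 ;;
esac
```

Run it as "sh transparent-squid.sh separate" to review the rules, then "IPT=iptables sh transparent-squid.sh separate" as root to install them. The default policy for the INPUT, OUTPUT and FORWARD chains must be DROP (as in Chapter 14), otherwise the ACCEPT rules here restrict nothing.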
You will also need to make a few transparent proxy modifications to your squid.conf file. The directives below apply to Squid 2.5 and earlier. Squid 2.6 and 2.7 removed them in favor of a single "http_port 3128 transparent" line, and Squid 3.1 and later use "http_port 3128 intercept"; those versions reject the httpd_accel_* directives.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Manually Configuring Web Browsers to Use Your Squid Server
If you don't have a firewall that supports redirection, then you need to configure your firewall to accept HTTP Internet access only from the Squid server, as well as configure your PC browsers' proxy server settings manually to use the Squid server. The firewall restriction is what enforces the policy: a user who removes the proxy setting from the browser is then simply cut off from the Web. The method you use depends on your browser.
For example, to make these changes using Internet Explorer:
1. Click on the Tools item in the browser's menu bar.
2. Click on Internet Options.
3. Click on Connections.
4. Click on LAN Settings.
5. Configure with the address and TCP port (3128 default) used by your Squid server.
Here's how to make the same changes using Mozilla or Firefox:
1. Click on the Edit item in the browser's menu bar.
2. Click on Preferences.
3. Click on Advanced.
4. Click on Proxies.
5. Configure with the address and TCP port (3128 default) used by your Squid server under Manual Proxy Configuration.