Squid NAT Rule Same Interface



  • I have a squid transparent proxy sitting on the LAN interface. I know I can make this work if I set squid on OPT1, but I would prefer it on the LAN interface. I have squid and a couple of other servers running inside VMware Server and do not want to add NIC cards to the box.

    I created a NAT rule as follows:

    interface: lan
    external address: any
    protocol: tcp
    external port range: 80
    nat ip: 10.10.1.19 (squid ip)
    local port: 3128

    The problem is there's no way to specify the external address as "not the squid IP". So I'm assuming it's just generating a loop. Is there any way around this?

    I have used m0n0wall before, and I know I can add a rule by hand using the following on the exec.php page. I tried this in pfSense but it doesn't work. Is there a way to do this?

    echo 'rdr fxp1 ! from 10.10.1.19/32 to 0.0.0.0/0 port = 80 -> 10.10.1.19 port 3128 tcp' | ipnat -f-



  • I gave up getting it to work. What I did was set the DHCP server gateway in pfSense to point to the squid box. Then I just enabled IPv4 forwarding and created two iptables rules. Yes, this puts all DHCP clients, no matter what protocol or port, through the squid box, but the performance hit is negligible and will be outweighed by the caching effect, especially for Google Maps and live.local Virtual Earth. All servers still point to the pfSense box as their default gateway.

    If anybody wants to duplicate it … I'm running Fedora Core 4, with squid set up in transparent proxy mode.

    Add/change the following line in /etc/sysctl.conf to enable IP forwarding:

    net.ipv4.ip_forward = 1

    Then just add the following iptables rules to /etc/rc.local:

    iptables -A FORWARD -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    The first rule says to accept and forward all traffic received to the default gateway (pfSense); otherwise AIM, mail clients, etc. wouldn't work. The second intercepts the HTTP traffic and sends it to squid on the default port of 3128.

    I also use the following script so I can make changes to squid and restart it without end users seeing.

    echo "Stopping Squid Traffic Redirect"
    iptables -t nat -F PREROUTING

    service squid restart

    echo "Redirecting Traffic To Squid"
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    This just clears the iptables NAT PREROUTING chain, then reinstates the rule after squid restarts. You can make modifications of this to stop squid, etc.
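The same setup as a single script, added here as an example (it is not code from the thread or from either poster). The difference from the rc.local snippet above is that the REDIRECT rule lives in its own nat chain, so the squid-restart step flushes only that chain rather than the whole PREROUTING chain, and port 80 is only diverted for the LAN subnet instead of for anything arriving on the interface. The interface, subnet, squid address and port are assumptions chosen to match the thread (eth0, 10.10.1.0/24, 10.10.1.19, 3128) and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread: the post's transparent-proxy
# redirect restated with its own nat chain, so that restarting squid
# flushes only that chain instead of all of PREROUTING.
# Assumed (hypothetical, chosen to match the thread): LAN on eth0,
# clients in 10.10.1.0/24, squid at 10.10.1.19 listening on 3128.
set -eu

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.10.1.0/24}"
SQUID_IP="${SQUID_IP:-10.10.1.19}"
SQUID_PORT="${SQUID_PORT:-3128}"
CHAIN="SQUID_REDIRECT"

# Emit the chain definition in iptables-restore format.
# Only TCP/80 from the LAN subnet is diverted. Traffic squid itself
# generates leaves through OUTPUT, not PREROUTING, so the loop the first
# post hit with a pfSense rdr rule cannot happen here; the RETURN for the
# squid address only covers packets that somehow arrive on eth0 from it.
redirect_chain_rules() {
    lan_net="$1"; squid_ip="$2"; squid_port="$3"
    printf '%s\n' \
        '*nat' \
        ":$CHAIN - [0:0]" \
        "-A $CHAIN -s $squid_ip -j RETURN" \
        "-A $CHAIN -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port" \
        'COMMIT'
}

# Emit an empty definition of the same chain. Restoring it with --noflush
# flushes just that chain, so while squid is down port-80 traffic falls
# through and is forwarded normally instead of being sent to a closed port.
empty_chain_rules() {
    printf '%s\n' '*nat' ":$CHAIN - [0:0]" 'COMMIT'
}

# Create the chain and install the PREROUTING jump once; the -C check
# keeps this idempotent across repeated runs.
ensure_jump() {
    iptables -t nat -N "$CHAIN" 2>/dev/null || true
    iptables -t nat -C PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN" 2>/dev/null ||
        iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN"
}

start_redirect() {
    sysctl -q -w net.ipv4.ip_forward=1
    ensure_jump
    redirect_chain_rules "$LAN_NET" "$SQUID_IP" "$SQUID_PORT" | iptables-restore --noflush
}

stop_redirect() {
    empty_chain_rules | iptables-restore --noflush
}

case "${1:-}" in
    start)   start_redirect ;;
    stop)    stop_redirect ;;
    restart-squid)
        echo "Stopping squid traffic redirect"
        stop_redirect
        service squid restart
        echo "Redirecting traffic to squid"
        start_redirect ;;
    show)    redirect_chain_rules "$LAN_NET" "$SQUID_IP" "$SQUID_PORT" ;;
    *)       echo "usage: $0 {start|stop|restart-squid|show}" >&2 ;;
esac
```

`show` prints the ruleset without touching the firewall, which is a convenient way to check the generated lines before running `start` as root. The FORWARD policy is deliberately left out of this script; the post's `iptables -A FORWARD -j ACCEPT` still needs to be in place (or a narrower rule limited to `-i eth0 -s 10.10.1.0/24`) for non-HTTP traffic from the DHCP clients to reach pfSense.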

