Accessing another subnet behind proxy

routingsquid

I have squid proxy with dansguardian with ip x.x.1.125 and all computer have this ip as their gateway. Now I need them to access an application on x.x.othernetwork.41 ip. But when I turn on ip forwarding, they can access this ip but the internet becomes open even without proxy settings in the browser. In other words, the users get full access internet when I enable forwarding.

I want them to access this application on another subnet but also access internet through proxy only.The proxy can ping the software ip x.x.othernetwork.41.

x.x.1.125 has single network card.

Thanks

Best Answer

There are different ways of achieving this.

You may add firewall rules using iptables in the proxy server that will block outgoing connection to port 80/443 for local LAN, so that the users won't be able to use internet without using the proxy.
Disable IP forwarding in the proxy server and configure proper route to the other network using route command so that the packet are routed to the right gateway to reach the other network.

The problem is in your setup, you are using the proxy server as gateway, which is actually not a router, as you have said, it has only one ethernet interface. So you should consider configuring your LAN so, that the computers are configured with the correct/actual gateway address. This way they will be able to reach other networks without going through the proxy server. A proxy server doesn't need to be the default gateway to work properly.

Related Solutions

Tproxy squid bridge very slow when cache is full

Roberto, what is the size of this FS?

I can see that you use 8000.

cache_dir ufs /var/spool/squid 8000 16 256

Documentation states, that you have to subtract 20% from total space available for cache. Wiki is pointing that 10% should be left for OS accounting structures.

This way or another it is safe to leave some free space!

How to setup client for squid transparent proxy

I am not sure, but please take a look with this checklist:

Edit the the squid.conf file and change the following line to enable transparent proxy mode:

http_port 3128

http_port 3128 intercept

Then

service squid restart 
service squid reload

Add an entry to iptables NAT table to port-forward inbound traffic on the inside interface (LAN side) to the Squid server on port 3128 (assuming eth0 is the inside interface with the IP address 192.168.1.3

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128

Now you can look at your iptables, default filter table, and NAT table, using the following commands:

iptables -L -t filter

iptables -L -t nat

Now you can add (append) to the iptable filter table with the following commands, to accept input on port 3128 for Squid

iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT

Also Try this:

You need both one 'intercept' and one 'forward proxy' port in config even if you don't use forward proxy:

http_port 3129 

http_port 3128 intercept

Note: The transparent option has been deprecated by intercept option since 2010.

Best Answer

Related Solutions

Tproxy squid bridge very slow when cache is full

How to setup client for squid transparent proxy

Related Topic