That's a nice diagram, but it's a bit short on details.
My setup, and suggestion for you, is 3.3, but integrating the LAN/hub into the proxied firewalled internet gateway server.
WWW <-> fw-server <-> LAN.
I'm not too sure how to do this with Debian; resolv.conf will gather name servers (DNS) from the router or modem.
I have trouble with that as my 3G wireless modem is preconfigured for Windows, and Linux (I think) can't resolve the WINS addresses (10.11.12.13 and 10.11.12.14), where the actual nameservers for my ISP (Vodafone Australia) are 202.135.30.4, etc.
Code:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 203.2.193.67
nameserver 202.135.30.4
nameserver 192.168.0.2
search vfinternet.au
Then I disabled the resolv.conf service from running at start.
With iptables, you'll have an internal interface (eth0) and an external interface (ppp0). (my network example)
Squid will require the same.
My machine is the fwgw, and my lan is available to the rest of the household.
The household accesses the net and web via this machine's proxy, and my browsers also loop back to the internal (eth0) through the proxy external interface (ppp0) by configuring the browsers to use the proxy (192.168.0.2:3128).
The system is pretty secure!
I strongly recommend the links I posted before, or you may need to look further for a recent Debian proxied fwgw howto.
My line from iptables...
Code:
#
## -- Transparent proxy to Squid --- ##
#
$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
The cache is usually found in /var/spool/squid/..
See how you go, regards, Glenn
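
An added example, not part of the post above: a shell function that emits an iptables-restore ruleset for the gateway layout described (eth0 on the LAN side, ppp0 on the modem side, Squid on 3128), with the proxy port reachable only from the LAN. The 192.168.0.0/24 range, the default-drop policies and the forwarding rules are assumptions, not the poster's configuration.

```shell
#!/bin/sh
# Added example (not from the post). Interface names and the proxy port follow
# the post's example network; LAN_NET and the FORWARD policy are assumptions.
INT_IF="${INT_IF:-eth0}"          # LAN side
EXT_IF="${EXT_IF:-ppp0}"          # 3G modem / internet side
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"  # Squid

# Print the ruleset in iptables-restore format; nothing is applied here.
gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port-80 traffic arriving from the LAN is redirected to Squid on this host
-A PREROUTING -i $INT_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# Other LAN traffic is NATed out through the modem link
-A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Squid answers only on the LAN side, so it is never an open proxy on $EXT_IF
-A INPUT -i $INT_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
# Forward LAN-originated connections out, and only their replies back in
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# "check" parses the rules without committing them; "apply" loads them (root).
case "${1:-}" in
  check) gen_ruleset | iptables-restore --test ;;
  apply) gen_ruleset | iptables-restore ;;
  *)     gen_ruleset ;;
esac
```

With INPUT defaulting to DROP, any other service the gateway offers to the LAN (SSH, DNS, DHCP) needs its own INPUT rule before the ruleset is applied.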