LinuxQuestions.org

msound 12-21-2006 08:22 AM

Proxy Server / Network Layout Question
 
Good Morning (or Afternoon/Evening) All

I have a n00bish networking question about proxy servers. In the past I've always made my proxy server the network gateway, so the setup would go something like:
Modem/Router > Firewall > Proxy Server > Switch > LAN

The proxy server would have two NICs with IP forwarding enabled and all that jazz. I'd set an iptables rule to make the proxy server "transparent" to the LAN by automatically forwarding outgoing port 80 traffic to port 8080 or 3128 (or whatever port was being used by Squid).

This setup works well in a basic SOHO network environment, but I have a feeling that the more advanced the environment, the more difficult this would become to manage. Basically when troubleshooting connectivity to an online application, VPN, or some other remote service, it's never fun having 2 gateways. I'd like to have just 1 point of restriction in the form of a robust firewall, i.e.:
Modem/Router > Firewall > Switch > LAN

So now the question is, how do I transparently force users to go through the proxy? I know that I could manually set up the connection settings for IE and Firefox to point to the proxy, but what's stopping the users from removing those settings? The traveling laptop users have local admin rights to their machines, so they have the ability to change those settings.

So what is like the standard method used by network admins to force their lan users to transparently go through a proxy server?

Thanks!

librano 12-21-2006 08:34 AM

I am not sure, but I'm just going to toss in my 2 cents...

I suppose you will have to set up your firewall so that it accepts web requests (i.e. requests to port 80 and 433 for HTTPS) only from the proxy server's IP. Requests from other IPs on the LAN are dropped. So anyone on the LAN will have to access the net through the proxy server.

This is just my logical line of thought. I don't know if it is correct or how exactly to do it... but it will mean fiddling with iptables or the shorewall config file. I'm sure there is enough documentation on the net for this.

lib.

msound 12-21-2006 08:43 AM

Yeah that was what I was thinking as well. I'd just like to know what other network admins for large companies would do. I seem to have made a habit of simply doing "what works". There are always several ways to get from point A to point B, but as an administrator it's important to follow the correct path.

Man that all sounded really nerdy ;)

amitsharma_26 12-21-2006 08:55 PM

Quote:

Originally Posted by librano
I suppose you will have to set up your firewall so that it accepts web requests (i.e. requests to port 80 and 433 for HTTPS) only from the proxy server's IP. Requests from other IPs on the LAN are dropped. So anyone on the LAN will have to access the net through the proxy server.

Or instead of dropping those LAN packets, you can redirect all of these packets back to your proxy again.
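
The two options discussed in this thread, as an added example that is not part of any poster's reply: a shell function that prints (and does not apply) the rules for the single-firewall layout. The redirect variant uses policy routing on the firewall plus a REDIRECT rule on the Squid host, which is one way to do it; the interface names, addresses, mark value and routing table number are constructed sample values, and the standard HTTPS port 443 is assumed.

```shell
#!/bin/sh
# Prints rules for review; nothing is applied. All values are constructed samples.
LAN_IF=eth1              # firewall NIC facing the switch/LAN
LAN_NET=192.168.1.0/24
PROXY_IP=192.168.1.10    # Squid host, an ordinary machine on the LAN
PROXY_IF=eth0            # Squid host's NIC
PROXY_PORT=3128          # Squid interception-mode http_port

# proxy_rules drop | redirect-fw | redirect-proxy
proxy_rules() {
    case "$1" in
    drop)   # firewall: only the proxy may make outbound web connections
        cat <<EOF
iptables -A FORWARD -i $LAN_IF -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
EOF
        ;;
    redirect-fw)   # firewall: policy-route other hosts' port-80 traffic to the proxy
        cat <<EOF
iptables -t mangle -A PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j MARK --set-mark 1
ip rule add fwmark 1 table 100
ip route add default via $PROXY_IP dev $LAN_IF table 100
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -m mark --mark 1 -j ACCEPT
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0
EOF
        ;;
    redirect-proxy)   # Squid host: hand the routed port-80 packets to Squid
        cat <<EOF
iptables -t nat -A PREROUTING -i $PROXY_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
EOF
        ;;
    *)
        echo "usage: proxy_rules drop|redirect-fw|redirect-proxy" >&2
        return 2
        ;;
    esac
}
```

The redirect rules only cover port 80, so the drop rules still decide what happens to direct HTTPS from the LAN. If both sets are used on the firewall, apply `redirect-fw` first so its FORWARD accept for marked packets comes before the REJECT.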