LinuxQuestions.org
Old 05-17-2005, 02:58 PM   #1
colonyofcrumbs
LQ Newbie
 
Registered: May 2005
Posts: 2

Rep: Reputation: 0
Squid behind a NAT/FW


Greetings,

I already have a machine at the gateway of my network performing NAT and FW tasks. I'd like to configure a proxy behind that machine in order to log/report users' web usage, control Internet access and possibly even schedule when the Internet is accessible and when it shouldn't be (i.e. allowing employees to only access the Internet during their lunch hours). From what I've read, it seems like Squid should help me in this quest.

The problem is I haven't found too many documents on putting squid behind a FW. It seems like most focus on it being the actual NAT or gateway.

Here are my questions:

1) Is it possible to run squid behind a FW?

2) Can you run Squid on one network card?

3) If two network cards are required and it can run behind a FW, should the machine be set up just as a basic router (i.e. 192.168.1.0/25 to/from 192.168.1.128/25) before Squid is added?

I appreciate any help you can provide.

Thank you for your time,

Joshua
 
Old 05-17-2005, 03:52 PM   #2
Moloko
Member
 
Registered: Mar 2004
Location: Netherlands
Distribution: Debian
Posts: 729

Rep: Reputation: 30
Scheduling internet access can be done with iptables. In the frontend Fwbuilder you can easily add timeframes to firewall rules.

Logging web usage could be done as well by logging the appropriate firewall rules, but it sounds like an unethical (and illegal) privacy invasion to check how somebody uses the web. Why should you care?
 
Old 05-17-2005, 04:43 PM   #3
colonyofcrumbs
LQ Newbie
 
Registered: May 2005
Posts: 2

Original Poster
Rep: Reputation: 0
Moloko,

Thank you for the quick response.

I haven't heard of FWBuilder, I appreciate the heads up.

I don't think the logging in iptables is comprehensive enough to gather the type of information I'm looking for, but then again, I haven't done a vast amount of research from that perspective.

"Why should you care?"

Well, in my environment, the Internet is a privilege and not a right. With all of the spyware, viruses, information harvesting software, key loggers, etc. that can be unwillingly installed through malicious web pages, I want to be aware of where my users are going.

In terms of money and labor, I also want to know how much time someone spends with their browser open. In my environment, the browser open means that the person is surfing and possibly not working which is obviously another problem because we don't have any other purpose for the browser to be open (no web apps, etc.).

I've had all-in-one boxes that have recorded this type of information. IMHO there is nothing wrong with this protocol. The users are made well aware of it as soon as they step through the door because I don't want them to do it. In a sense, it's a scare tactic, but I want it to have some rationale also.

Once again, thank you. I'm going to look into the FWBuilder right now.

Regards,

Joshua
 
Old 05-17-2005, 10:18 PM   #4
SirGertrude
Member
 
Registered: May 2004
Location: Missouri
Distribution: Gentoo
Posts: 59

Rep: Reputation: 15
I would recommend using Squid because it is scalable and robust. You shouldn't have any trouble running Squid within a NATted environment unless your default policy is to drop all outbound traffic or you are not running a stateful firewall. There is no need for an additional NIC, but if your default policy is to drop all outbound traffic then I would make a rule allowing all outbound traffic from the Squid box. The ideal situation would be to run Squid on the same box the Linux router is on, that way Squid could use the public IP for outgoing connections (without being NATted) and the clients could connect to the internal IP.
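
Added example, not part of any post in this thread: a `squid.conf` for the single-NIC layout described above, with a time-based ACL for the lunch-hour schedule and per-request logging. The LAN range 192.168.1.0/24, the proxy address 192.168.1.10, the 12:00-13:00 weekday window and the log path are assumptions, and the gateway rules in the trailing comments are an added control that goes beyond the "allow outbound from the Squid box" rule mentioned in the thread.

```conf
# squid.conf on the proxy host: one NIC, sitting behind the existing
# NAT/firewall gateway. Assumed values (not from the thread):
#   LAN 192.168.1.0/24, proxy 192.168.1.10, lunch 12:00-13:00 Mon-Fri.

# Listen on the proxy's LAN address. Browsers are pointed at 192.168.1.10:3128.
http_port 192.168.1.10:3128

# Who may use the proxy.
acl localnet src 192.168.1.0/24

# When they may use it. Day codes: M T W H (Thursday) F.
# The window is evaluated against the proxy host's local clock.
acl lunch time MTWHF 12:00-13:00

# http_access lines are checked in order and the first match decides.
# ACLs on one line are ANDed: the client must be on the LAN and inside the window.
http_access allow localnet lunch

# Everything else is refused and shows up in the log as TCP_DENIED.
http_access deny all

# One line per request in Squid's native format:
# timestamp, elapsed ms, client IP, result/status, bytes, method, URL, ...
access_log daemon:/var/log/squid/access.log squid

# The log only covers traffic that goes through the proxy. On the gateway
# (a separate host, shown here as comments for context), letting only the
# proxy open web connections keeps clients from going around it:
#
#   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A FORWARD -s 192.168.1.10 -p tcp -m multiport --dports 80,443 -j ACCEPT
#   iptables -A FORWARD -s 192.168.1.0/24 -p tcp -m multiport --dports 80,443 -j REJECT
#
# If the gateway's default FORWARD policy is DROP, the proxy also needs
# outbound DNS (udp/53) unless it resolves through a LAN resolver.
```

After editing, `squid -k parse` checks the file for syntax errors before the running proxy is reloaded.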
 
  

