Skip to main content
mcwz
New Member
May 12, 2014
Question

[Solved] Redirecting all http/https traffic to Squid proxy

  • May 12, 2014
  • 12 replies
  • 57492 views
Hi everybody, I want to transparently redirect all outgoing HTTP and HTTPS traffic from my Wifi Guest LAN to my Squid proxy located in the DMZ. Traffic from 172.16.100.1-172.16.100.10 tcp/80 should go to 192.168.100.1 tcp/8080 Traffic from 172.16.100.1-172.16.100.10 tcp/443 should go to 192.168.100.1 tcp/8080 After some investigation I found a solution: Current setup: Interface: WAN2 (Wifi) Subnet: 172.16.100.0/24 Default Gateway: 172.16.100.254 Client DHCP Range: 172.16.100.1-172.16.100.10 Interface: DMZ Subnet: 192.168.100.0/24 Default Gateway: 192.168.100.254 Squid Proxy: 192.168.100.1 Squid listens on 3 ports: Port 3126 - transparently processes and intercepts HTTP traffic Port 3127 - transparently processes and intercepts HTTPS traffic Port 8080 - will be processing traffic from browsers explicitly configured to use Squid as proxy. First I redirect outbound tcp/80 and tcp/443 to Squid by using policy based routing. Note: unfortunately Fortigate is not able to do outbound port translation so I do that later on Squid. Protocol: 6 (tcp) Incoming interface: <Wifi LAN> Source address/mask: <Wifi DHCP subnet> Destination address: mask: 0.0.0.0/0.0.0.0 Source Ports: 1 - 65535 Destinatin Ports: 80 - 80 Outgoing interface: <interface where Squid proxy is connected> Gateway address: <Squid proxy IP address> (same again for port 443) Now Squid sees all http/https traffic but on the wrong ports. Redirecting arriving HTTP/HTTPS traffic on Squid to the right ports: iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126 iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127 Have fun :)

    12 replies

    billp
    New Member
    May 12, 2014
    Have you seen the KB article on squid proxies? I' ve linked to it below. I believe you need to set up WCCP. http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30096
    emnoc
    New Member
    May 12, 2014
    Agreed, WCCP is what you need for transparent proxy
    mcwz
    mcwzAuthor
    New Member
    May 12, 2014
    Hi Bill Thanks for the answer. Yes I know this KB article but I' m not sure if WCCP will do the job. My Squid proxy doesn' t do any caching (I disabled it). Squid just does some content filtering and mainly blocks/removes advertisement, trackers, etc. Additionally I don' t know if WCCP work with https - I configured Squid to act as MITM.
    emnoc
    New Member
    May 12, 2014
    Reading this I have to say; If your not doing any caching, than why do you need squid? The fortigate and fortiguard webfilter and categorization is probably 1000x times better than what you can get via squid & accomplish ALL of the things your asking for. This would also eliminated the overhead of WCCP ( encapsulating a second header is sometimes a cpu intense act ) And eliminate management and ownership of yet another device. Just some things to think about
    mcwz
    mcwzAuthor
    New Member
    May 13, 2014
    Hi emnoc, we habe a FGT-60C in our branch office and this box just does a S2S tunnel to our Checkpoint cluster in the main office. That means everything except normal web surfing (from the guest wifi) goes through the tunnel. The FGT-60C UTM subscriptions are already expired and we don' t renew it as we don' t need it. As I said we have a Squid server with additional content filtering. Although we can work with URL categorization we don' t need it. What Squid does is almost the same you can do with Firefox browser plugins like Adblock Plus + Ghostery. Squid uses the same lists (Easylist) and removes all advertising and trackers and it removes and manipulates some headers (e.g. browser user agent, etc.). I don' t know if Fortinet webfilter/Fortiguard is able to do that. Anyway, the Fortigates UTM features are nice toys but not what we need. Comeing back to my original question: Redirecting http/https traffic to Squid is of course what we need but take it as an example for the general problem behind: Let assume we don' t talk about http and squid but some different protocol. Let say we want to redirect certain traffic from an IP range or subnet to a specific IP address and a specific port. e.g. traffic from 172.16.100.1-172.16.100.10 tcp/1234 should go to 192.168.100.1 tcp/5678 Now we' re not talking anymore about UTM, Squid, WCCP or whatever. We just need to forward specific traffic and do port translation. I' m wondering if Fortigate is not able to do that?
    ede_pfau
    SuperUser
    SuperUser
    May 13, 2014
    Using the Central NAT table you can achieve what you are planning: full control over port translation, address translation and the source address range which this will apply to. You may have a look into the FortiOS Handbook for FortiOS 5.0, pg. 555 ff.
    mcwz
    mcwzAuthor
    New Member
    May 13, 2014
    Hi Ede, I tried Central NAT but it is not possible to do destination port translation. Central NAT has the options: Source Address Translated Address Original Source Port Translated Port As outgoing http traffic has a random source port that can' t work. It would only be possible to do source PAT but not destination PAT. There needs to be an additional option like " Original Destination Port" . In the meanwhile I think Fortigate is really to stupid to do that :(
    Phill_Proud
    New Member
    May 14, 2014
    I guess the time you have spent on this is worth far less than a couple of hundred dollars to renew the FortiGuard subscription?
    emnoc
    New Member
    May 14, 2014
    exactly He' s trying to make something happen that' s not doable with Central-NAT As far as I know, I don' t know of any firewall that can do what he asking and even iptables which is probably the most flexible thing on planet earth, can' t do this. A 3 year subscription license on a FGT60C is pennies ( less than 267 usd on avg ) and will provide all that he need, and since he stated no caching of data, this would be simplest method to gain all that he requires.
    mcwz
    mcwzAuthor
    New Member
    May 15, 2014
    @ phill and emnoc Money is not the problem but why should we buy something we don' t need/want? In reference to the manuals: Fortiguard Web Filter is a cloud based service which simply does URL filtering (FortiGuard data centers around the world hold the entire categorized URL database and receive rating requests from customer FortiGate units). This is not what we need and beside that we don' t send any data to cloud based services (especially if they' re US based). The builtin Fortigate Web Filter is more or less traditional URL blocking which can be combined with other features like AV. As I understand it is not possible to modify web page data and/or HTTP headers (allow/deny/change) using any of the Fortinet solutions. With Squid in combination with content filtering you can do all what Fortinet offers but it' s more flexible and powerful. Additionally you can do cacheing, reverse proxy, transparent and non-transparent proxy at the same time, remove ads, trackers and other obnoxious internet junk. However, I was able to solve it. I' ll edit my initial post in case there' s is someone around who want to do the same.