[Solved] Redirecting all http/https traffic to Squid proxy

mcwz · ‎05-12-2014

Hi everybody, I want to transparently redirect all outgoing HTTP and HTTPS traffic from my Wifi Guest LAN to my Squid proxy located in the DMZ. Traffic from 172.16.100.1-172.16.100.10 tcp/80 should go to 192.168.100.1 tcp/8080 Traffic from 172.16.100.1-172.16.100.10 tcp/443 should go to 192.168.100.1 tcp/8080 After some investigation I found a solution: Current setup: Interface: WAN2 (Wifi) Subnet: 172.16.100.0/24 Default Gateway: 172.16.100.254 Client DHCP Range: 172.16.100.1-172.16.100.10 Interface: DMZ Subnet: 192.168.100.0/24 Default Gateway: 192.168.100.254 Squid Proxy: 192.168.100.1 Squid listens on 3 ports: Port 3126 - transparently processes and intercepts HTTP traffic Port 3127 - transparently processes and intercepts HTTPS traffic Port 8080 - will be processing traffic from browsers explicitly configured to use Squid as proxy. First I redirect outbound tcp/80 and tcp/443 to Squid by using policy based routing. Note: unfortunately Fortigate is not able to do outbound port translation so I do that later on Squid. Protocol: 6 (tcp) Incoming interface: <Wifi LAN> Source address/mask: <Wifi DHCP subnet> Destination address: mask: 0.0.0.0/0.0.0.0 Source Ports: 1 - 65535 Destinatin Ports: 80 - 80 Outgoing interface: <interface where Squid proxy is connected> Gateway address: <Squid proxy IP address> (same again for port 443) Now Squid sees all http/https traffic but on the wrong ports. Redirecting arriving HTTP/HTTPS traffic on Squid to the right ports: iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126 iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127 Have fun :)

billp · ‎05-12-2014

Have you seen the KB article on squid proxies? I' ve linked to it below. I believe you need to set up WCCP. http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30096

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

emnoc · ‎05-12-2014

Agreed, WCCP is what you need for transparent proxy

PCNSE

NSE

StrongSwan

mcwz · ‎05-12-2014

Hi Bill Thanks for the answer. Yes I know this KB article but I' m not sure if WCCP will do the job. My Squid proxy doesn' t do any caching (I disabled it). Squid just does some content filtering and mainly blocks/removes advertisement, trackers, etc. Additionally I don' t know if WCCP work with https - I configured Squid to act as MITM.

emnoc · ‎05-12-2014

Reading this I have to say; If your not doing any caching, than why do you need squid? The fortigate and fortiguard webfilter and categorization is probably 1000x times better than what you can get via squid & accomplish ALL of the things your asking for. This would also eliminated the overhead of WCCP ( encapsulating a second header is sometimes a cpu intense act ) And eliminate management and ownership of yet another device. Just some things to think about

PCNSE

NSE

StrongSwan

mcwz · ‎05-13-2014

Hi emnoc, we habe a FGT-60C in our branch office and this box just does a S2S tunnel to our Checkpoint cluster in the main office. That means everything except normal web surfing (from the guest wifi) goes through the tunnel. The FGT-60C UTM subscriptions are already expired and we don' t renew it as we don' t need it. As I said we have a Squid server with additional content filtering. Although we can work with URL categorization we don' t need it. What Squid does is almost the same you can do with Firefox browser plugins like Adblock Plus + Ghostery. Squid uses the same lists (Easylist) and removes all advertising and trackers and it removes and manipulates some headers (e.g. browser user agent, etc.). I don' t know if Fortinet webfilter/Fortiguard is able to do that. Anyway, the Fortigates UTM features are nice toys but not what we need. Comeing back to my original question: Redirecting http/https traffic to Squid is of course what we need but take it as an example for the general problem behind: Let assume we don' t talk about http and squid but some different protocol. Let say we want to redirect certain traffic from an IP range or subnet to a specific IP address and a specific port. e.g. traffic from 172.16.100.1-172.16.100.10 tcp/1234 should go to 192.168.100.1 tcp/5678 Now we' re not talking anymore about UTM, Squid, WCCP or whatever. We just need to forward specific traffic and do port translation. I' m wondering if Fortigate is not able to do that?

ede_pfau · ‎05-13-2014

Using the Central NAT table you can achieve what you are planning: full control over port translation, address translation and the source address range which this will apply to. You may have a look into the FortiOS Handbook for FortiOS 5.0, pg. 555 ff.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

mcwz · ‎05-13-2014

Hi Ede, I tried Central NAT but it is not possible to do destination port translation. Central NAT has the options: Source Address Translated Address Original Source Port Translated Port As outgoing http traffic has a random source port that can' t work. It would only be possible to do source PAT but not destination PAT. There needs to be an additional option like " Original Destination Port" . In the meanwhile I think Fortigate is really to stupid to do that :(

Phill_Proud · ‎05-13-2014

I guess the time you have spent on this is worth far less than a couple of hundred dollars to renew the FortiGuard subscription?

emnoc · ‎05-13-2014

exactly He' s trying to make something happen that' s not doable with Central-NAT As far as I know, I don' t know of any firewall that can do what he asking and even iptables which is probably the most flexible thing on planet earth, can' t do this. A 3 year subscription license on a FGT60C is pennies ( less than 267 usd on avg ) and will provide all that he need, and since he stated no caching of data, this would be simplest method to gain all that he requires.

PCNSE

NSE

StrongSwan