- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Redirecting all http/https traffice to Squid ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[Solved] Redirecting all http/https traffic to Squid proxy
Hi everybody,
I want to transparently redirect all outgoing HTTP and HTTPS traffic from my Wifi Guest LAN to my Squid proxy located in the DMZ.
Traffic from 172.16.100.1-172.16.100.10 tcp/80 should go to 192.168.100.1 tcp/8080
Traffic from 172.16.100.1-172.16.100.10 tcp/443 should go to 192.168.100.1 tcp/8080
After some investigation I found a solution:
Current setup:
Interface: WAN2 (Wifi)
Subnet: 172.16.100.0/24
Default Gateway: 172.16.100.254
Client DHCP Range: 172.16.100.1-172.16.100.10
Interface: DMZ
Subnet: 192.168.100.0/24
Default Gateway: 192.168.100.254
Squid Proxy: 192.168.100.1
Squid listens on 3 ports:
Port 3126 - transparently processes and intercepts HTTP traffic
Port 3127 - transparently processes and intercepts HTTPS traffic
Port 8080 - will be processing traffic from browsers explicitly configured to use Squid as proxy.
First I redirect outbound tcp/80 and tcp/443 to Squid by using policy based routing.
Note: unfortunately Fortigate is not able to do outbound port translation so I do that later on Squid.
Protocol: 6 (tcp)
Incoming interface: <Wifi LAN>
Source address/mask: <Wifi DHCP subnet>
Destination address: mask: 0.0.0.0/0.0.0.0
Source Ports: 1 - 65535
Destinatin Ports: 80 - 80
Outgoing interface: <interface where Squid proxy is connected>
Gateway address: <Squid proxy IP address>
(same again for port 443)
Now Squid sees all http/https traffic but on the wrong ports.
Redirecting arriving HTTP/HTTPS traffic on Squid to the right ports:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
Have fun :)
- « Previous
-
- 1
- 2
- Next »
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ phill and emnoc
Money is not the problem but why should we buy something we don' t need/want?
In reference to the manuals: Fortiguard Web Filter is a cloud based service which simply does URL filtering (FortiGuard data centers around the world hold the entire categorized URL database and receive rating requests from customer FortiGate units).
This is not what we need and beside that we don' t send any data to cloud based services (especially if they' re US based).
The builtin Fortigate Web Filter is more or less traditional URL blocking which can be combined with other features like AV.
As I understand it is not possible to modify web page data and/or HTTP headers (allow/deny/change) using any of the Fortinet solutions.
With Squid in combination with content filtering you can do all what Fortinet offers but it' s more flexible and powerful. Additionally you can do cacheing, reverse proxy, transparent and non-transparent proxy at the same time, remove ads, trackers and other obnoxious internet junk.
However, I was able to solve it. I' ll edit my initial post in case there' s is someone around who want to do the same.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool
So you used a little of PBR function and iptables to get what you want.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi mate,
Found your post; thanks for sharing, valuable info!
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
The most expensive and scarce resource for man is time, paradoxically,
it' s infinite.
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Azure vnet-vnet traffic via FGT A/P... 86 Views
- How to route ougoing FG traffic... 133 Views
- TRAFFIC SHAPPING TO IPSEC TUNNEL 355 Views
- Is there a way to exempt... 110 Views
- Traffic has not forward to another... 369 Views
Labels
-
FortiGate
6,819 -
FortiClient
1,353 -
5.2
801 -
5.4
639 -
FortiManager
585 -
FortiAnalyzer
431 -
6.0
416 -
5.6
362 -
FortiAP
353 -
FortiSwitch
348 -
FortiClient EMS
277 -
FortiMail
266 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
165 -
6.4
128 -
FortiNAC
115 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
90 -
IPsec
90 -
FortiCloud Products
85 -
FortiToken
74 -
SSL-VPN
73 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
37 -
FortiDNS
35 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
25 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
LDAP
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
Authentication
11 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.