Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mcwz
New Contributor

[Solved] Redirecting all http/https traffic to Squid proxy

Hi everybody,

I want to transparently redirect all outgoing HTTP and HTTPS traffic from my Wifi Guest LAN to my Squid proxy located in the DMZ.

- Traffic from 172.16.100.1-172.16.100.10 tcp/80 should go to 192.168.100.1 tcp/8080
- Traffic from 172.16.100.1-172.16.100.10 tcp/443 should go to 192.168.100.1 tcp/8080

After some investigation I found a solution.

Current setup:

Interface: WAN2 (Wifi)
Subnet: 172.16.100.0/24
Default Gateway: 172.16.100.254
Client DHCP Range: 172.16.100.1-172.16.100.10

Interface: DMZ
Subnet: 192.168.100.0/24
Default Gateway: 192.168.100.254
Squid Proxy: 192.168.100.1

Squid listens on 3 ports:
- Port 3126 - transparently processes and intercepts HTTP traffic
- Port 3127 - transparently processes and intercepts HTTPS traffic
- Port 8080 - will be processing traffic from browsers explicitly configured to use Squid as proxy

First I redirect outbound tcp/80 and tcp/443 to Squid by using policy based routing. Note: unfortunately Fortigate is not able to do outbound port translation, so I do that later on Squid.

Protocol: 6 (tcp)
Incoming interface: <Wifi LAN>
Source address/mask: <Wifi DHCP subnet>
Destination address/mask: 0.0.0.0/0.0.0.0
Source Ports: 1 - 65535
Destination Ports: 80 - 80
Outgoing interface: <interface where Squid proxy is connected>
Gateway address: <Squid proxy IP address>

(same again for port 443)

Now Squid sees all http/https traffic, but on the wrong ports. Redirecting arriving HTTP/HTTPS traffic on Squid to the right ports:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127

Have fun :)
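The same setup written out end to end, as an added example that is not part of the original post (the poster described the policy route as GUI fields only): the FortiGate policy routes and the wifi-to-dmz firewall policy in CLI form, the squid.conf listeners for the three ports, and the netfilter rules on the Squid host. The FortiGate interface names "wifi" and "dmz", the policy and route numbers, the address objects "guest-lan" and "squid-proxy", the CA file path and the certificate helper path are assumptions and will differ per installation and Squid version. Two things differ from the post on purpose: the REDIRECT rules are restricted to the guest subnet so that the Squid host does not intercept traffic for anything else that happens to be routed through it, and HTTPS is handled with peek/splice rather than a full bump, because guest devices will not have the proxy CA installed and a re-signed certificate would break every TLS session (or train users to click through warnings).

```text
# --- FortiGate CLI: policy routes for tcp/80 and tcp/443 from the guest LAN ---
# (interface names and route numbers are assumptions)
config router policy
    edit 1
        set input-device "wifi"
        set src "172.16.100.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "dmz"
        set gateway 192.168.100.1
    next
    edit 2
        set input-device "wifi"
        set src "172.16.100.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "dmz"
        set gateway 192.168.100.1
    next
end

# A policy route only changes the next hop; a wifi -> dmz firewall policy must
# still accept the traffic or it is dropped. Address objects are assumptions.
config firewall policy
    edit 10
        set name "guest-to-squid"
        set srcintf "wifi"
        set dstintf "dmz"
        set srcaddr "guest-lan"
        set dstaddr "squid-proxy"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

# --- squid.conf on 192.168.100.1 ---
# "intercept" tells Squid to recover the original destination from the NAT table.
http_port  3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl/squid-ca.pem
http_port  8080
# helper path is distro/version specific (ssl_crtd on Squid 3.x)
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl guest_lan src 172.16.100.0/24
acl step1 at_step SslBump1

# Peek at the ClientHello (SNI) and splice: the TLS session is never re-signed,
# so filtering works on the server name and guests need no trust in the proxy CA.
# Only change "splice" to "bump" if the CA is deployed to every client device.
ssl_bump peek step1
ssl_bump splice all

# Keep 8080 and the intercept ports from acting as an open proxy.
http_access allow guest_lan
http_access deny all

# --- netfilter on the Squid host: only the guest subnet, only tcp/80 and tcp/443 ---
iptables -t nat -A PREROUTING -i eth0 -s 172.16.100.0/24 -p tcp --dport 80  -j REDIRECT --to-ports 3126
iptables -t nat -A PREROUTING -i eth0 -s 172.16.100.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3127
```

To verify, open a site from a guest client and watch the Squid access log (on most packages /var/log/squid/access.log): intercepted HTTP requests show the full URL, spliced HTTPS connections show only host:443. If the guest browser gets a certificate warning, Squid is bumping rather than splicing; if nothing appears in the log at all, check the firewall policy first (a missing wifi-to-dmz accept is the usual cause, since the policy route alone does not permit the traffic).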
12 REPLIES
mcwz
New Contributor

@phill and emnoc: Money is not the problem, but why should we buy something we don't need/want? In reference to the manuals: FortiGuard Web Filter is a cloud based service which simply does URL filtering (FortiGuard data centers around the world hold the entire categorized URL database and receive rating requests from customer FortiGate units). This is not what we need, and besides that we don't send any data to cloud based services (especially if they're US based). The built-in Fortigate Web Filter is more or less traditional URL blocking which can be combined with other features like AV. As I understand it, it is not possible to modify web page data and/or HTTP headers (allow/deny/change) using any of the Fortinet solutions. With Squid in combination with content filtering you can do everything Fortinet offers, but it's more flexible and powerful. Additionally you can do caching, reverse proxy, transparent and non-transparent proxy at the same time, remove ads, trackers and other obnoxious internet junk. However, I was able to solve it. I'll edit my initial post in case there's someone around who wants to do the same.
emnoc
Esteemed Contributor III

Cool. So you used a little of the PBR function and iptables to get what you want.

PCNSE 

NSE 

StrongSwan  
laf
New Contributor II

Hi mate,
Found your post; thanks for sharing, valuable info!

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.