I have not found a better way of locking down those clients to access Squid directly .. :)
You can use a SNAT and a DNAT rule, but the service must not be running on the same box (as the firewall); it must be on your LAN somewhere etc. ... :) Because when SNAT changes the source address, it does it right before the packet is actually sent out of the adapter, so to the local machine (firewall) it is still unchanged .. :( I tried this by using Squid on my firewall box and setting the access control lists to only the gateway itself, but that did not work .. :( But with another server on my LAN, i.e. a webserver, why not turn it into a cache server? It works very well for me :)
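The layout described in the post (DNAT client web traffic to a Squid box elsewhere on the LAN, SNAT it so the cache only ever sees the gateway, and restrict Squid's ACL to the gateway), written out as an added example that is not part of the original post. Interface name, addresses and port are constructed assumptions; the functions print the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed assumptions:
#   LAN interface eth1, firewall LAN address 192.168.1.1,
#   Squid box 192.168.1.20 listening on 3128 (Squid needs interception
#   mode on that port, e.g. "http_port 3128 intercept" on Squid 3.1+).
# Prints the iptables commands for the firewall (run "| sh" to apply).
build_rules() {
  lan_if="$1"; gw_ip="$2"; cache_ip="$3"; port="${4:-3128}"
  cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if ! -s $cache_ip -p tcp --dport 80 -j DNAT --to-destination $cache_ip:$port
iptables -t nat -A POSTROUTING -o $lan_if -d $cache_ip -p tcp --dport $port -j SNAT --to-source $gw_ip
iptables -A FORWARD -i $lan_if -o $lan_if -d $cache_ip -p tcp --dport $port -j ACCEPT
EOF
}
# Rule 1: redirect LAN clients' port-80 traffic to the cache; "! -s cache"
#         keeps the cache's own outbound fetches from being looped back.
# Rule 2: the cache is on the same LAN as the clients, so without SNAT its
#         replies would bypass the firewall; SNAT makes the cache see only
#         the gateway, which is what the Squid ACL below relies on.
# Rule 3: allow the hairpinned LAN->LAN forward.

# Matching squid.conf fragment for the cache box: only the gateway may use it.
build_squid_acl() {
  gw_ip="$1"
  cat <<EOF
acl gateway src $gw_ip/32
http_access allow gateway
http_access deny all
EOF
}

apply_rules() { build_rules "$@" | sh; }   # apply on the firewall as root

# Dry run with the constructed values:
build_rules eth1 192.168.1.1 192.168.1.20
build_squid_acl 192.168.1.1
```

Because SNAT is applied in POSTROUTING, a Squid instance on the firewall itself would still see the clients' real addresses, which is why the same ACL does not work when Squid runs on the firewall box.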
