Transparent web proxy
From DD-WRT Wiki
Revision as of 15:59, 11 October 2007, by Dtitzer (latest edit to the section "Squid versions 2.6 or newer")
Running a transparent proxy server on your network can be used for more advanced content filtering of web pages for environments such as a school or library (where in some locales, filtering is required by law) or as a way to protect children in the household.
This guide will help you enable a transparent proxy server on your network by having your WRT54G router forward all traffic to the proxy server automatically.
Desktop Setup
Squid versions older than 2.6
First install Squid on your Unix box, then configure it for transparent proxying with these squid.conf settings:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Squid versions 2.6 or newer
With Squid installed on your Unix/Linux box, set the following:
http_port 192.168.0.10:3128 transparent
substituting the IP address Squid listens on and the port you wish to use; make sure they match the PROXY_SERVER and PROXY_PORT variables at the top of the router setup script below.
Router Setup
You will need to use iptables to tell your router how to forward traffic. If you don't have a good grasp of iptables yet, someone has already written a shell script that does the work for you. Be sure to edit the variables at the top.
The script can be found at: http://forum.bsr-clan.de/viewtopic.php?p=10177#10177
#!/bin/sh
INTERNAL_NETWORK="192.168.0.0/24"
ROUTER_IP="192.168.0.1"
PROXY_SERVER="192.168.0.10"
PROXY_PORT="3128"

# Guard against running twice in the same shell session (the flag does not survive a reboot).
if [ -z "$TRANSPARENT_PROXY" ]; then
    # Leave web traffic between LAN hosts (including to the proxy itself) untouched.
    /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK \
        -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
    # Redirect everyone else's port-80 traffic to the proxy, but never the proxy's own
    # requests, or they would loop back into it. (Newer iptables write this as "! -s".)
    /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp --dport 80 \
        -j DNAT --to $PROXY_SERVER:$PROXY_PORT
    # Rewrite the source to the router so the proxy's replies come back through it;
    # the proxy therefore logs the router's address rather than the real client.
    /usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s $INTERNAL_NETWORK -p tcp -d \
        $PROXY_SERVER -j SNAT --to $ROUTER_IP
    # Allow the redirected connections through the FORWARD chain.
    /usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i br0 \
        -o br0 -p tcp --dport $PROXY_PORT -j ACCEPT
    export TRANSPARENT_PROXY="1"
else
    echo "This script has already run!"
    echo "If it hasn't, unset \$TRANSPARENT_PROXY manually via the shell."
fi
For some people, this script and its rules result in the hostname and domain name being dropped from the HTTP request that gets passed on to the proxy system. Anyone have a clue why this is?
You'll need to have the script run every time the router boots. An easy way to do this is to store it in the rc_firewall nvram variable:
- Load the script in your text editor and set the variables accordingly.
- Then insert a backslash in front of each double quote in the script so that it is escaped (otherwise the quotes will cause an error when you perform the next step).
- From a Telnet or SSH command-line session, run:
# nvram set rc_firewall="
PASTE EDITED SCRIPT HERE
"
[Ctrl+D]
# nvram commit
You can confirm that the changes were made by executing
# nvram get rc_firewall
With some Squid installations, the proxy server may be listening on a port other than the default of 3128. If this is the case, change the PROXY_PORT variable in the script above to the correct listening port, as in:
PROXY_PORT="8080"
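The router script from the Router Setup section, rebuilt as an added example that is not the wiki's or the forum post's code: it validates the four variables before touching the firewall and skips any rule that already exists, so re-running it cannot stack duplicates. It assumes a modern iptables (extrapositioned "! -s" negation and the "-C" rule check); the interface br0, the variable names and the addresses are the page's own, and with IPTABLES=echo it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki page: the same four rules as the router
# script, built from validated variables. With IPTABLES=echo it only prints the
# commands (dry run). Assumes modern iptables ("! -s" negation, "-C" rule check);
# where -C is unsupported it fails and the rule is simply appended, as on the page.
INTERNAL_NETWORK="${INTERNAL_NETWORK:-192.168.0.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.0.1}"
PROXY_SERVER="${PROXY_SERVER:-192.168.0.10}"
PROXY_PORT="${PROXY_PORT:-3128}"
LAN_IF="${LAN_IF:-br0}"
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
# Shape checks: a typo here would otherwise send the whole LAN web traffic to nowhere.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}
is_num_le() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -le "$2" ]; }
check_vars() {
    is_ipv4 "${INTERNAL_NETWORK%/*}" && is_num_le "${INTERNAL_NETWORK#*/}" 32 \
        && is_ipv4 "$ROUTER_IP" && is_ipv4 "$PROXY_SERVER" \
        && is_num_le "$PROXY_PORT" 65535 && [ "$PROXY_PORT" -ge 1 ]
}
# add_rule TABLE ACTION CHAIN MATCH...: skip when the identical rule is already
# present, so re-running never stacks duplicates (the env-var flag cannot do that).
add_rule() {
    table=$1; action=$2; shift 2
    if [ "$IPTABLES" = echo ] || ! "$IPTABLES" -t "$table" -C "$@" 2>/dev/null; then
        "$IPTABLES" -t "$table" "$action" "$@"
    fi
}
apply_rules() {
    check_vars || { echo "refusing to run: bad variable value" >&2; return 1; }
    # 1. LAN-to-LAN web traffic, including to the proxy itself, is left alone.
    add_rule nat -A PREROUTING -i "$LAN_IF" -s "$INTERNAL_NETWORK" -d "$INTERNAL_NETWORK" \
        -p tcp --dport 80 -j ACCEPT
    # 2. Everyone except the proxy has port 80 rewritten to the proxy; excluding the
    #    proxy keeps its own upstream fetches from being looped back into it.
    add_rule nat -A PREROUTING -i "$LAN_IF" ! -s "$PROXY_SERVER" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY_SERVER:$PROXY_PORT"
    # 3. SNAT so proxy replies return via the router (same-subnet hairpin). Cost:
    #    Squid access.log records ROUTER_IP as the client, not the real host.
    add_rule nat -A POSTROUTING -o "$LAN_IF" -s "$INTERNAL_NETWORK" -d "$PROXY_SERVER" \
        -p tcp --dport "$PROXY_PORT" -j SNAT --to-source "$ROUTER_IP"
    # 4. Inserted at the top of FORWARD so an existing DROP rule cannot block it.
    add_rule filter -I FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$INTERNAL_NETWORK" \
        -d "$PROXY_SERVER" -p tcp --dport "$PROXY_PORT" -j ACCEPT
}
```

If you store this in rc_firewall with nvram set, wrap the whole script in single quotes rather than double quotes: inside double quotes the shell expands every $VARIABLE while you paste, leaving empty values in the stored copy.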