Transparent web proxy
From DD-WRT Wiki
Previous revision: 01:52, 26 July 2006, by Sveasoft (minor edit)
This revision: 18:41, 22 August 2006, by Schmots
Line 58: | Line 58: | ||
# nvram get rc_firewall | # nvram get rc_firewall | ||
+ | There is an error in trying to paste that script into the dd-wrt nvram. However here is a method that does work. Take the iptables part | ||
+ | |||
+ | /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK \ | ||
+ | -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT | ||
+ | /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp --dport 80 \ | ||
+ | -j DNAT --to $PROXY_SERVER:$PROXY_PORT | ||
+ | /usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s $INTERNAL_NETWORK -p tcp -d \ | ||
+ | $PROXY_SERVER -j SNAT --to $ROUTER_IP | ||
+ | /usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i br0 \ | ||
+ | -o br0 -p tcp --dport $PROXY_PORT -j ACCEPT | ||
+ | |||
+ | and replace the variables with the right information : i.e. $INTERNAL_NETWORK, $PROXY_SERVER, $PROXY_PORT, and $ROUTER_IP. Once that is done, just copy and paste those three lines where you were trying to paste that whole script.. don't for get the " at the end on a line by itself. | ||
[[Category:advanced HOWTO]] | [[Category:advanced HOWTO]] | ||
[[Category:English documentation]] | [[Category:English documentation]] |
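Review bot: the closing instruction in this hunk says to copy and paste "those three lines", but the block it refers to holds four iptables commands spread over eight lines, each split with a trailing backslash; a reader counting three will drop the FORWARD rule, so say "those lines" or "the four iptables rules" and note that the backslash continuations have to be pasted intact. Also worth a sentence: the pasted block omits the if [ -z $TRANSPARENT_PROXY ] guard of the full script, so every run of rc_firewall appends these rules again with -A.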
Revision as of 18:41, 22 August 2006
Introduction
A transparent proxy server on your network allows more advanced content filtering of web pages, for environments such as a school or library (where in some locales filtering is required by law) or as a way to protect children in the household.
This guide will help you enable a transparent proxy server on your network by having your WRT54G router forward all web traffic to the proxy server automatically.
Desktop Setup
First install Squid on your Unix box. Then configure Squid for transparent proxying with these settings in squid.conf (these httpd_accel directives are the Squid 2.5 syntax; Squid 2.6 and later replace them with the transparent option on http_port):
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Router Setup
You will need to use iptables to tell your router how to forward traffic. If you don't have a good grasp of iptables yet, someone has already written a shell script that does the work for you. Be sure to edit the variables at the top.
The script can be found at: http://forum.bsr-clan.de/viewtopic.php?p=10177#10177
#!/bin/sh
INTERNAL_NETWORK="192.168.0.0/24"
ROUTER_IP="192.168.0.1"
PROXY_SERVER="192.168.0.10"
PROXY_PORT="3128"

if [ -z "$TRANSPARENT_PROXY" ]; then
    # Web traffic that stays inside the LAN (local web servers) is left alone
    /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK \
        -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
    # All other port 80 traffic, except from the proxy itself, is sent to Squid
    /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp --dport 80 \
        -j DNAT --to $PROXY_SERVER:$PROXY_PORT
    # Rewrite the source to the router so the proxy's replies return through it
    /usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s $INTERNAL_NETWORK -p tcp -d \
        $PROXY_SERVER -j SNAT --to $ROUTER_IP
    # Allow the redirected connections through the FORWARD chain
    /usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i br0 \
        -o br0 -p tcp --dport $PROXY_PORT -j ACCEPT
    export TRANSPARENT_PROXY="1"
else
    echo "This script has already run!"
    echo "If it hasn't, unset \$TRANSPARENT_PROXY manually via the shell."
fi
You'll need to have the script run every time the router boots. An easy way to do this is to store it in the rc_firewall nvram variable, from either Telnet or SSH and the command line:
# nvram set rc_firewall="
PASTE EDITED SCRIPT HERE
"
# nvram commit
You can confirm that the changes were made by executing
# nvram get rc_firewall
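One thing to keep in mind when pasting a whole script into nvram set: inside a double-quoted argument the shell expands every $VARIABLE at the moment you type the command and treats each embedded " as the end of the string, so a script that contains its own quotes and variable references can be stored mangled. The following is an added example, not part of the wiki page or of DD-WRT: a POSIX sh helper that wraps the script in single quotes instead (with the standard '\'' idiom for embedded apostrophes such as the one in "hasn't"), so the stored value is exactly the text you wrote. The names sh_single_quote, nvram_set_command, round_trips and the SAMPLE_SCRIPT stand-in are this example's own.

```shell
#!/bin/sh
# Added example (not from the DD-WRT wiki): produce the `nvram set rc_firewall=...`
# line with single-quote wrapping so the script's own double quotes, apostrophes
# and $VARIABLE references survive the trip into nvram unchanged.

# Constructed stand-in for the edited script (same shape as the wiki's, shorter).
SAMPLE_SCRIPT=$(cat <<'EOF'
PROXY_SERVER="192.168.0.10"
/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:3128
echo "If it hasn't run, unset \$TRANSPARENT_PROXY manually."
EOF
)

# sh_single_quote TEXT -> TEXT wrapped in single quotes; each embedded single
# quote becomes '\'' so the shell reconstructs TEXT byte for byte.
sh_single_quote() {
    printf "'%s'\n" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# nvram_set_command NAME TEXT -> the exact line to paste into the router shell.
nvram_set_command() {
    printf 'nvram set %s=%s\n' "$1" "$(sh_single_quote "$2")"
}

# round_trips TEXT -> succeeds when quoting and re-parsing with the shell
# yields TEXT again; use it to check a script before pasting it.
round_trips() {
    eval "restored=$(sh_single_quote "$1")"
    [ "$restored" = "$1" ]
}

# Typical use on a workstation: print the command, inspect it, then paste it.
nvram_set_command rc_firewall "$SAMPLE_SCRIPT"
```

Paste the printed line into the router shell, then run nvram commit and nvram get rc_firewall as above; the value shown should match the script exactly, quotes and dollar signs included.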
There is an error in trying to paste that script into the dd-wrt nvram. However, here is a method that does work. Take the iptables part:
/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK \
    -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp --dport 80 \
    -j DNAT --to $PROXY_SERVER:$PROXY_PORT
/usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s $INTERNAL_NETWORK -p tcp -d \
    $PROXY_SERVER -j SNAT --to $ROUTER_IP
/usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i br0 \
    -o br0 -p tcp --dport $PROXY_PORT -j ACCEPT
and replace the variables with the right information, i.e. $INTERNAL_NETWORK, $PROXY_SERVER, $PROXY_PORT and $ROUTER_IP. Once that is done, just copy and paste those lines where you were trying to paste the whole script. Don't forget the " at the end on a line by itself.
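Once the rules are in nvram it is worth checking that they actually took effect, since a missing DNAT rule lets every client bypass the filter without any visible error. The following is an added example, not part of the wiki page or of DD-WRT: a POSIX sh check over the text of iptables-save -t nat that reports whether the port 80 DNAT rule is present exactly once and ordered after the LAN-to-LAN ACCEPT (if the ACCEPT comes second, local web servers are redirected to the proxy as well; if the DNAT appears twice, the rules were appended more than once). rule_status and the four DUMP_* samples are constructed for this example; it assumes iptables-save is available on the router and prints --to as --to-destination, which iptables-save does.

```shell
#!/bin/sh
# Added example (not from the DD-WRT wiki): verify the redirect rules against a
# saved nat-table dump. Values match the variables at the top of the wiki script.
INTERNAL_NETWORK="192.168.0.0/24"
PROXY_SERVER="192.168.0.10"
PROXY_PORT="3128"

# rule_status DUMP -> prints one of: missing | duplicated | misordered | ok
# DUMP is the text of `iptables-save -t nat` (assumed to exist on the router).
rule_status() {
    dump=$1
    dnat_pat="-A PREROUTING .*--dport 80 .*-j DNAT --to-destination $PROXY_SERVER:$PROXY_PORT"
    accept_pat="-A PREROUTING -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK .*--dport 80 .*-j ACCEPT"
    n=$(printf '%s\n' "$dump" | grep -c -- "$dnat_pat" || true)
    if [ "$n" -eq 0 ]; then echo missing; return 1; fi
    if [ "$n" -gt 1 ]; then echo duplicated; return 1; fi
    accept_line=$(printf '%s\n' "$dump" | grep -n -- "$accept_pat" | head -n 1 | cut -d: -f1)
    dnat_line=$(printf '%s\n' "$dump" | grep -n -- "$dnat_pat" | head -n 1 | cut -d: -f1)
    if [ -z "$accept_line" ] || [ "$accept_line" -gt "$dnat_line" ]; then
        echo misordered; return 1
    fi
    echo ok
}

# Constructed samples in iptables-save format (not captured from a real router).
# Correct outcome of the wiki script: ACCEPT first, then DNAT, then SNAT.
DUMP_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING ! -s 192.168.0.10/32 -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.10:3128
-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.10/32 -o br0 -p tcp -j SNAT --to-source 192.168.0.1
COMMIT'

# The script ran twice with -A, so the PREROUTING rules appear twice.
DUMP_TWICE='*nat
-A PREROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING ! -s 192.168.0.10/32 -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.10:3128
-A PREROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING ! -s 192.168.0.10/32 -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.10:3128
COMMIT'

# DNAT placed before the LAN-to-LAN ACCEPT: local web servers get redirected too.
DUMP_MISORDERED='*nat
-A PREROUTING ! -s 192.168.0.10/32 -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.10:3128
-A PREROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# rc_firewall never ran (or was flushed): no redirect at all, clients reach the web directly.
DUMP_NONE='*nat
:PREROUTING ACCEPT [0:0]
COMMIT'

# On the router:  rule_status "$(iptables-save -t nat)"
# Offline, against the constructed samples:
for name in DUMP_OK DUMP_TWICE DUMP_MISORDERED DUMP_NONE; do
    eval "dump=\$$name"
    printf '%s: %s\n' "$name" "$(rule_status "$dump" || true)"
done
```

Run it on the router after a reboot to confirm the rules survived the rc_firewall path. One consequence of the SNAT rule to keep in mind when reading Squid's logs: every client connection reaches the proxy with $ROUTER_IP as its source, so per-client attribution of requests has to come from somewhere other than Squid's access log.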