
Route lan traffic to internal lan proxy server

Discussion in 'Tomato Firmware' started by Roady89, Jun 19, 2009.

  1. Roady89

    Roady89 LI Guru Member

    I've been beating my head against a wall for 3 days now trying to figure out how to use tomato to route traffic to an internal proxy server.

    Here's my hardware.

    DSL Modem Running in Bridged mode----->WRT54G running Tomato----->Lan side has an Ubuntu Webserver hardwired to the wrt54g and 3 other PC's connected wirelessly.

    On my laptop I can set up Firefox to point to the internal proxy just fine. I have done this and it works perfectly. What I want to do is to be able to point certain IPs on the LAN to the Ubuntu proxy server using the Tomato router. For example, a rule says IP 192.168.1.1 is pointed to the proxy server but ALLOWS IP 192.168.1.2 to go around the proxy. I want to be able to force any IP I choose through the proxy with Tomato (or other firmware if Tomato doesn't have this feature).

    Any ideas, tips, anything is Greatly appreciated.
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I haven't tried it, but you could try running the following from a telnet/ssh session:
    Code:
    iptables -t nat -I PREROUTING -s <desired ip> -j ROUTE --gw <proxy ip>
    If that works, you can put it in your firewall script (Advanced->Scripts).
  3. Roady89

    Roady89 LI Guru Member

    So that will add the commands to the iptables?

    For example, IP 192.168.1.138 is my ip and I want to send all traffic from my IP through 192.168.1.148 which is the proxy server. Now what about port numbers? I have a specific port set up.

    Code:
    iptables -t nat -I PREROUTING -s 192.168.1.138 -j ROUTE --gw 192.168.1.148

    I'm running 1.19. Does that make a difference? I can always flash the latest, and I have another 54G with the latest (I think).

    In 1.19, Scripts is in Administration--->Scripts.
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    What type of proxy server are you running? As far as I know, it will have to be an intercepting ("transparent") proxy for what you want. That means it works as a gateway as well as a proxy (which means it will accept connections on all ports and protocols). Otherwise, the client will have to make configuration changes.

    And, yes, the ROUTE iptables target is only available in 1.24 and later (though, don't use 1.24: get the latest).
  5. Roady89

    Roady89 LI Guru Member

    I'm gonna go ahead and flash this other 54G with the latest firmware so we're on the same page. Any comments are welcome.


    I have squid and tor/privoxy running on the server as well as a webserver and some other things.
  6. Roady89

    Roady89 LI Guru Member

    OK, I flashed to the latest firmware. Now that I kinda sorta half-arse know how to add the iptables rules, I'm gonna play with it and see what happens. I'll let you know.

    I don't know if it will work the way I want. SgtPepper brings up a good question. I have to put the port number in Firefox for it to work. Problem is, I can't do that and won't do that on the other machines. The kiddos can't know they are being pushed through a proxy. It's not all about that; there are other machines on the LAN that need to go through the proxy, i.e. content filter.

    I have 2 NICs on the Ubuntu box....could there possibly be a way to reconfigure the hardware and have it work?

    Like this maybe---internet---->modem----->eth0 in (Ubuntu server) eth1 out------->54G with Tomato----->rest of LAN? That's perhaps a question for the Ubuntu forum.
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You've said you have squid on the server. I know there are ways to configure it to be an intercepting proxy. Maybe you could mess with that?
  8. Roady89

    Roady89 LI Guru Member

    Yes, I have total control of everything on the server. I was hoping there would be some directives or something in Tomato to do what I needed to do. I'm still looking.

    What about this? Does this even remotely look right? It's a copy/paste/edit from an iptables rule that I came across....just wondering why I can't use a similar iptables rule in Tomato?

    For starters, I KNOW JACK about iptables or what any of this means. Complete newb here but willing to learn.


    Code:
    iptables -t nat -A PREROUTING -s 192.168.1.138 -p tcp --dport 80 -j DNAT --to 192.168.1.148:3128
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That means that anything coming from 192.168.1.138 destined for anywhere on port 80 will instead be sent to 192.168.1.148 port 3128. I've never set up a proxy, so I don't know if blindly sending HTTP traffic to that port on the proxy server is all that is needed (i.e. there is no proxy-related negotiation). But, I guess it's worth a shot.
  10. Roady89

    Roady89 LI Guru Member


    OK, so I'm going to go to--->Administration--->Firewall--->paste that iptables rule in and hit save, correct? Restart the router and test.
  11. Roady89

    Roady89 LI Guru Member

    Well, that didn't work. I think we're headed in the right direction though. That's exactly what I want if I can just get the directive right. Any suggestions?
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That'd work. But, you can avoid a bunch of reboots if you just SSH/telnet to the router and run the command from the shell. If you find it works, then you can add it to the firewall script to make it persistent.
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Take a look here. It's written for DD-WRT, but it probably would work on Tomato, too.
  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Some of that is not needed for Tomato. Try just the following (replacing everything in <>s as appropriate):
    Code:
    iptables -t nat -A PREROUTING -i br0 -s <computer ip> -p tcp --dport 80 -j DNAT --to <proxy ip>:<proxy port>
    iptables -t nat -A POSTROUTING -o br0 -s <computer ip> -p tcp -d <proxy ip> -j SNAT --to <router LAN IP>
    iptables -t filter -I FORWARD -s <computer ip> -d <proxy ip> -i br0 -o br0 -p tcp --dport <proxy port> -j ACCEPT
    
    This would need to be repeated for each computer you want to have forced through the proxy. If you'd rather it be a blanket rule with exceptions, that can be done, too.
  15. rs232

    rs232 LI Guru Member

    I did try the scripts from the last 2 posts but no luck. I'm pretty sure squid is working properly as the Linux box used to be my gateway. I'm now using Tomato and I'd like to redirect the web calls from the clients on the LAN to the squid, which is at a different address from the default gateway.


    Code:
        C
        |
    I---R---Clients
    
    Code:
    iptables -t nat -A PREROUTING -i br0 -s 10.10.9.0/24 -p tcp --dport 80 -j DNAT --to 10.10.9.5:8008
    iptables -t nat -A POSTROUTING -o br0 -s 10.10.9.0/24 -p tcp -d 10.10.9.5 -j SNAT --to 10.10.9.1
    iptables -t filter -I FORWARD -s 10.10.9.0/24 -d 10.10.9.5 -i br0 -o br0 -p tcp --dport 8008 -j ACCEPT
    10.10.9.0/24 is my LAN
    10.10.9.1 is the IP on the LAN for my router/AP (R)
    10.10.9.5 is the IP of Linux/squid (C)
    8008 is the squid port

    Am I doing anything wrong?

    Regards
    rs232
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    By using the whole subnet (10.10.9.0/24) in your rules, you're redirecting the squid proxy to itself :wink:

    I suggest replacing the 10.10.9.0/24 with a single IP address just to see if the general approach works (of course, it would only direct the single IP address to the proxy). Then, if it works and you want to do the whole subnet, we can put it back and add an exception for the squid to get out.

    EDIT: If it doesn't work, the following would be useful from the router's SSH/telnet shell:
    Code:
    service firewall restart
    <Attempt to access web on computer which you are redirecting>
    iptables -t nat -vL;iptables -t filter -vL
    
    The output of that last line should tell us if the firewall rules are being executed as expected.
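The posts above give per-computer rules and mention that a blanket subnet rule needs an exception so the proxy itself is not redirected back into itself. The following is an added example (not code from the thread's posters) that builds that blanket rule set with exceptions, in the form one would paste into Tomato's firewall script; the interface, addresses, port and the bypass host are assumptions based on rs232's layout, and passing `echo` instead of `iptables` prints the rules for inspection instead of applying them.

```shell
#!/bin/sh
# Assumed values (constructed from rs232's layout; adjust for your LAN).
LAN_IF=br0
LAN_NET=10.10.9.0/24
ROUTER_IP=10.10.9.1        # router/AP address on the LAN
PROXY_IP=10.10.9.5         # Linux/squid box
PROXY_PORT=8008            # squid listening port
BYPASS_IPS="10.10.9.20"    # hosts allowed around the proxy (constructed)

# proxy_rules emits (runner=echo) or applies (runner=iptables) the rule set.
# Exceptions are appended first: nat PREROUTING is traversed in order, and a
# RETURN in a built-in chain falls through to the chain policy (ACCEPT), so the
# proxy and the bypass hosts never reach the DNAT rule below.
proxy_rules() {
    run=${1:-iptables}
    for ip in "$PROXY_IP" $BYPASS_IPS; do
        "$run" -t nat -A PREROUTING -i "$LAN_IF" -s "$ip" -p tcp --dport 80 -j RETURN
    done
    # Redirect everyone else's port-80 traffic to squid.
    "$run" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j DNAT --to "$PROXY_IP:$PROXY_PORT"
    # Client and proxy share the LAN, so squid's replies must come back through
    # the router rather than straight to the client: source-NAT to the router.
    "$run" -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -p tcp -d "$PROXY_IP" \
        --dport "$PROXY_PORT" -j SNAT --to "$ROUTER_IP"
    # Let the redirected LAN-to-LAN flow pass the filter table.
    "$run" -t filter -I FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" \
        -p tcp --dport "$PROXY_PORT" -j ACCEPT
}

# rule_count returns the number of rules the set contains (dry run via echo).
rule_count() {
    proxy_rules echo | wc -l | tr -d ' '
}
```

Run `proxy_rules echo` on a workstation to review the rules, then `proxy_rules` (or paste the body into Administration--->Scripts--->Firewall) on the router, followed by `service firewall restart` and `iptables -t nat -vL` to confirm the DNAT counters increase.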
  17. yahooking

    yahooking Networkin' Nut Member

    Hi, this worked for me, thanks...
    You must do
    Code:
    service firewall restart
    and
    Code:
    iptables -t nat -vL;iptables -t filter -vL
    from SSH or telnet. It will take like 10 seconds and you can test that it DOES work
    :D
    Thanks

    One question I had: can we route this directly to TOR, without the use of the HTTP privoxy?
  18. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Great! Glad to hear it. I thought it should.
    I really don't know, but my guess would be no (unless you compiled privoxy into the firmware, that is).
