Transparent Proxy question

Discussion in 'Tomato Firmware' started by rickh57, May 10, 2008.

  1. rickh57

    rickh57 LI Guru Member

    I've successfully configured my Tomato based WRT54GL router to use my Ubuntu box as a proxy server using a shell script as per a suggestion that I found in a different thread. I can browse the web from the various computers on my network and I can see the entries in squid's log file, but they all have my router's internal ip address as their source (e.g., no matter which computer they are coming from. This prevents the use of address specific access rules, so I can't use it to restrict sites for my teenager without still manually configuring his browser. I'd hoped to eliminate the need to do manual configuration, since that makes it very easy for him to change.

    I'm not a squid or iptables expert. Is there any way to configure iptables to use the original IP address of the request when it proxies through squid? (BTW, I did search here and via Google, but nothing jumped out at me).
  2. averylinden

    averylinden Addicted to LI Member

    Not sure exactly what you are trying to accomplish, but maybe it will be simpler for you to use Tomato's access restrictions to block all outgoing Internet traffic from your teenager's MAC. Then put the proxy server behind the router and route the teen's traffic through it.
  3. HennieM

    HennieM Network Guru Member

    It seems the shell script you use does this:

    If web request: PC --> router --> proxy --> router --> internet
    If not web request: PC --> router --> internet

    Thus, if it's a www request, your router actually redirects the request back to the proxy server, which is why the Squid logs show the source address as that of the router.

    What I do is essentially this:

    For all requests: PC --> proxy --> router

    This is accomplished by:
    1) Set up your DHCP server (if it's your router, it's http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) to give out the "router" address as that of your proxy server (say [If dnsmasq, it seems "--dhcp-option = option:router," would do this].
    2) Hard code the "router" address ON YOUR PROXY SERVER, to be that of the real router (say
    3) This part is to stop the clever teenager from bypassing the proxy...: On your router, set up an iptables rule that only allows destination port 80 (http) or destination port 443 (https) ONLY FROM your proxy server (--source
    4) Set up the PC's browsers to have their proxy as You can also do this via a DHCP option and a pac file.

    To be clear, back to (1): If your computers on your network have hardcoded IP addresses, set the "default gateway" as that of the proxy server; i.e.
    IP 192.168.0.x
    Default gateway

    While your proxy server has:
    IP 192.168.0.x
    Default gateway

    With the above setup:
    If a non-www request is made:
    PC --> proxy (squid does nothing - proxy will arp redirect) --> router

    For www request:
    PC --> proxy (squid applies squid rules) --> router

    The downside is that on your router, it will seem like ALL internet traffic comes from your proxy server. However, on the proxy server, you can identify which PC the request came from. This is no longer a "transparent proxy", but a very visible proxy....
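The setup above as a script, added here as an example and not code from the thread or from Tomato: it emits the dnsmasq line for step (1) and the router firewall rules for step (3), so that only the proxy host can send HTTP/HTTPS through the router, and anything else on those ports is logged before being rejected. The proxy address, its MAC and the LAN interface are constructed placeholders (the thread does not give the real values); override them in the environment.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses below are constructed placeholders.
PROXY_IP="${PROXY_IP:-192.168.0.2}"         # assumed: the Ubuntu/squid host
PROXY_MAC="${PROXY_MAC:-00:11:22:33:44:55}" # assumed: its MAC, so another host using the same IP does not match
LAN_IF="${LAN_IF:-br0}"                     # Tomato's LAN bridge interface

# Step 1: dnsmasq option that hands out the proxy as the clients' default gateway.
dnsmasq_option() {
  echo "dhcp-option=option:router,$PROXY_IP"
}

# Step 3: only the proxy may forward port 80/443 through the router. Other LAN hosts
# hitting those ports are logged (bypass attempts then show up in the router syslog)
# and answered with a TCP reset. Rules are printed, not applied, so this runs anywhere.
gen_rules() {
  cat <<EOF
iptables -N PROXY_ONLY 2>/dev/null
iptables -F PROXY_ONLY
iptables -A PROXY_ONLY -s $PROXY_IP -m mac --mac-source $PROXY_MAC -j RETURN
iptables -A PROXY_ONLY -m limit --limit 5/min -j LOG --log-prefix "proxy-bypass: "
iptables -A PROXY_ONLY -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i $LAN_IF -p tcp --dport 80 -j PROXY_ONLY
iptables -I FORWARD -i $LAN_IF -p tcp --dport 443 -j PROXY_ONLY
EOF
}

# "show" prints both fragments: paste gen_rules output into Tomato's firewall script box
# and the dnsmasq_option line into its custom dnsmasq configuration.
if [ "${1:-}" = "show" ]; then
  dnsmasq_option
  gen_rules
fi
```

The proxy box itself still needs the real router as its own default gateway (step 2), otherwise its forwarded traffic loops back to it.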