transparent squid and iptables

Discussion in 'Tomato Firmware' started by kabar, Dec 16, 2010.

  1. kabar

    kabar LI Guru Member


    after months (yeah, months) of struggling with squid on my qnap ts-109 i finally got it to work properly. At last it would not hang itself after first visited site. Now i wanna to configure it as a transparent proxy, so i need to set up some IPtables on my tomato. As I am a complete noob when it comes to linux (even though i managed to get dnsmasq and squid working on my qnap im still struggling with linux like a blind child in the fog) I need some help with it.
    Whats more - sometimes we got power out in our block and my qnap wont start squid automatically when starting itself after power is back. Yeah, it can be done, but im still struggling with it, so for now id like tomato to be "smart" and route the http querries to the NAS with squid ONLY when its really working, and bypassing the proxy when its out of order. My fiancee would kill me if the internet wont work while or after the power out (I have a UPS which is powering the modem and router). She would have to SSH to my qnap and manually start the squid, which is far beyond her patience and I am not at home (or connected to internet) ale the time to do it myself.
    Can it be done? How?
    I found this: Is is any good with tomato? Is there some tweaking i have to make to make this work on tomato (well, besides the "smart" option, which will need some kind of scrip I guess)?

    thanks in advane guys. best regards
  2. onehomelist

    onehomelist Addicted to LI Member

    This is about setting up squid as transparent proxy. If the squid is newer than 2.6, put this code in squid conf file:
    http_port transparent

    The ip above should be the ip of your squid server.

    Then paste this at your tomato gui firewall script page
    LAN_IP=`nvram get lan_ipaddr`
    LAN_NET=$LAN_IP/`nvram get lan_netmask`
    iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
    iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
    iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
    Change the ip to your squid sevrer ip.

    More about it here:
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice