Transparent web proxy

From DD-WRT Wiki

(Difference between revisions)
Revision as of 01:52, 8 December 2009
Phuzi0n
(Option 1 (Only The Proxy Itself Bypasses The Proxy) - - update/cleanup to work for v24)
Revision as of 02:12, 8 December 2009
Phuzi0n
(Option 2 (Multiple Hosts Can Bypass The Proxy))
Line 49: Line 49:
== Option 2 (Multiple Hosts Can Bypass The Proxy)== == Option 2 (Multiple Hosts Can Bypass The Proxy)==
-If you need to allow more than one host to bypass the transparent proxy (such as a game system, or media receiver), use you can use the following script. It allows you to add as many exceptions as you like. It's a requirement to use with DirecTV receivers who have Video On Demand and are using a transparent proxy. +If you need to allow more than one host to bypass the transparent proxy (such as a game system, or media receiver), use the script from [[Transparent_Proxy#Option_1_.28Only_The_Proxy_Itself_Bypasses_The_Proxy.29|Option 1]] along with this command that allows a specific IP to bypass the proxy. You can use it to add as many exceptions as you like. DirecTV receivers which have Video On Demand need to bypass the proxy.
- #!/bin/sh+ iptables -t nat -I PREROUTING -i br0 -s [IPADDRESS] -j ACCEPT
- INTERNAL_NETWORK="192.168.0.0/24"+
- ROUTER_IP="192.168.0.1"+
- PROXY_SERVER="192.168.0.10"+
- PROXY_PORT="3128"+
- if [ -z $TRANSPARENT_PROXY ]; then+
- #!/bin/sh+
- /usr/sbin/iptables -t nat -N Proxy+
- # --Begin Host Exceptions--+
- /usr/sbin/iptables -t nat -A Proxy -i br0 -s $PROXY_SERVER -j RETURN #<--REQUIRED+
- /usr/sbin/iptables -t nat -A Proxy -i br0 -s [IPADDRESS] -j RETURN #<--Additional Exceptions Go Here+
- # --End Host Exceptions--+
- /usr/sbin/iptables -t nat -A Proxy -i br0 -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT+
- /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK \+
- -p tcp --dport 80 -j ACCEPT+
- /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK -d ! $INTERNAL_NETWORK \+
- -p tcp --dport 80 -j Proxy+
- /usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s $INTERNAL_NETWORK -p tcp -d $PROXY_SERVER \+
- -j SNAT --to $ROUTER_IP+
- /usr/sbin/iptables -t filter -I FORWARD -s $INTERNAL_NETWORK -d $PROXY_SERVER -i br0 -o br0 \+
- -p tcp --dport $PROXY_PORT -j ACCEPT+
- export TRANSPARENT_PROXY="1"+
- else+
- echo "This script has already run!"+
- echo "If it hasn't, unset \$TRANSPARENT_PROXY manually via the shell."+
- fi+
- +
-Be sure to change the values at the top. Also change this line to match the IP addresses of the hosts that should bypass the proxy.+
- /usr/sbin/iptables -t nat -A Proxy -i br0 -s [IPADDRESS] -j RETURN+
-To add additional bypasses, copy the line above, paste it into the "Host Exceptions" section and change the IP address.+
- +
-You'll need to have the script run every time the router boots. An easy way to do is to set as in the rc_firewall variable:+
-#Load the script in your text editor and set the variables accordingly.+
-#Then insert a backslash in front of each double-quote in the script so that they are escaped (otherwise they will cause an error when you perform the next step).+
-#From either [[Telnet/SSH_and_the_Command_Line]]:+
- # nvram set rc_firewall="+
- PASTE+
- EDITED +
- SCRIPT+
- HERE+
- "+
- [Ctrl+D]+
- # nvram commit+
- +
-You can confirm that the changes were made by executing+
- +
- # nvram get rc_firewall+
- +
-With some Squid installations, the proxy server may be expecting connections on an alternate port than the default of 3128. If this is the case, try changing the PROXY_PORT variable in the script above to the correct listening port, as in:+
- +
- PROXY_PORT="8080"+
==Proxy Server on Different Network and Using Chillispot== ==Proxy Server on Different Network and Using Chillispot==
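Review bot: the new one-line exception `iptables -t nat -I PREROUTING -i br0 -s [IPADDRESS] -j ACCEPT` carries no `-p tcp --dport 80` match, so the exempted host skips every nat PREROUTING rule on the router, not only the proxy redirect; narrowing it to `iptables -t nat -I PREROUTING -i br0 -s [IPADDRESS] -p tcp --dport 80 -j ACCEPT` keeps the bypass limited to web traffic. Using `-I` rather than `-A` is the right call, since Option 1 appends its DNAT rule and the exception must sit above it. Dropping the removed script's `if [ -z $TRANSPARENT_PROXY ]` guard loses nothing: an exported variable does not survive into the next run of rc_firewall, so the guard never prevented duplicate rules, and the unquoted test was fragile besides.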

Revision as of 02:12, 8 December 2009

Running a transparent proxy on your network allows more advanced content filtering of web pages, for environments such as a school or library (where in some locales filtering is required by law) or as a way to protect children in the household. Note that the rules on this page intercept only plain HTTP on TCP port 80; HTTPS and web traffic on other ports pass through the router unfiltered.

This guide will help you enable a transparent proxy on your network by having your WRT54G (DD-WRT) router redirect all outbound web traffic on TCP port 80 to the proxy server automatically, so clients need no proxy settings of their own.


Desktop Setup

Squid versions older than 2.6

First install Squid on your Unix box. After that you have to set up Squid to do transparent proxying with these settings:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Squid versions 2.6 or newer

With Squid 2.6 or newer installed on your Unix/Linux box, set the following in squid.conf:

http_port 192.168.1.10:3128 transparent

substituting the IP address Squid listens on and the port you wish to use, and making sure they match the PROXY_IP and PROXY_PORT variables at the top of the router setup script below. On Squid 3.1 and later the option is called "intercept" instead of "transparent".

Important for Debian users!

The Squid3 (squid3_3.0.PRE5-5) package from Debian Etch does not work with this kind of transparent proxy. Use Squid3 from Debian Lenny or downgrade to Squid 2.6 in Etch.

Router Setup

You will need iptables rules on the router to redirect web traffic to the proxy. If you don't have a good grasp of iptables yet, someone has already written a shell script that does the work for you. Be sure to edit the variables at the top.

Option 1 (Only The Proxy Itself Bypasses The Proxy)

This script can be found at: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=62222

#!/bin/sh
PROXY_IP=192.168.1.10
PROXY_PORT=3128
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

# Web traffic that stays inside the LAN (e.g. the router's own web UI) is not redirected
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# All other TCP/80 from the LAN is sent to the proxy; the proxy itself is excluded so that
# its own outbound fetches are not looped back to it
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# Client and proxy share a subnet: without this the proxy would answer the client directly,
# the un-DNAT would never happen and the client would reject the reply. Rewriting the source
# to the router keeps the return path through the router. Side effect: Squid logs every
# request as coming from $LAN_IP rather than from the real client.
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
# Let the redirected connections through the FORWARD chain
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT


Change the PROXY_IP and PROXY_PORT variables to match your proxy server's IP address and TCP port. To confirm the redirect works, open a plain http:// site from a LAN client other than the proxy: the request should show up in Squid's access.log, and the response should carry a Via: header added by Squid.

Option 2 (Multiple Hosts Can Bypass The Proxy)

If you need to allow more than one host to bypass the transparent proxy (such as a game console or media receiver), use the script from Option 1 along with the following command, which lets a specific IP address bypass the proxy. Repeat it for as many exceptions as you like. DirecTV receivers with Video On Demand need to bypass the proxy.

# -I puts the exception at the top of nat PREROUTING, ahead of the DNAT rule Option 1 appends with -A
iptables -t nat -I PREROUTING -i br0 -s [IPADDRESS] -j ACCEPT

The exception is keyed on source IP alone, so it is only as strong as your control over who can use that address; give the exempt device a fixed address or static DHCP lease. As written (no -p tcp --dport 80 match) the host also skips any other nat PREROUTING rules on the router.
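As an added example (not the wiki's script, nor code from the DD-WRT or Squid projects), the following rc_firewall script combines Option 1 with the per-host exceptions of Option 2 in one dedicated nat chain: the ordering of exceptions before the redirect is explicit, an exemption applies only to TCP/80, and re-running the script removes its previous rules first so they never stack up. The proxy address and port, the bypass addresses, the chain name TPROXY_WEB and the dry-run/apply switch are assumptions for illustration; br0 and the nvram variables are the ones the page's own scripts use.

```shell
#!/bin/sh
# Added example: idempotent transparent-proxy rules for DD-WRT rc_firewall, combining
# Option 1 with an Option 2 style bypass list in a user-defined nat chain.
# Default is a dry run that prints the rules; pass "apply" (or set MODE=apply near the top
# when pasting into rc_firewall) to install them.

MODE="${1:-${MODE:-dryrun}}"
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"
PROXY_IP="${PROXY_IP:-192.168.1.10}"                      # assumed proxy address
PROXY_PORT="${PROXY_PORT:-3128}"                          # assumed Squid intercept port
BYPASS_HOSTS="${BYPASS_HOSTS:-192.168.1.50 192.168.1.51}" # assumed console + media receiver
CHAIN="${CHAIN:-TPROXY_WEB}"                              # assumed chain name

# On the router these come from nvram; the fallbacks keep a dry run working elsewhere.
LAN_IP="${LAN_IP:-$(nvram get lan_ipaddr 2>/dev/null || echo 192.168.1.1)}"
LAN_MASK="${LAN_MASK:-$(nvram get lan_netmask 2>/dev/null || echo 255.255.255.0)}"
LAN_NET="$LAN_IP/$LAN_MASK"

[ "$MODE" = apply ] || IPT=echo

# Remove a previous instance of every rule so that re-running (boot, WAN reconnect,
# "Save Firewall") never duplicates rules. Errors for rules that do not exist are ignored.
remove_rules() {
    $IPT -t nat -D PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN" 2>/dev/null
    $IPT -t nat -F "$CHAIN" 2>/dev/null
    $IPT -t nat -X "$CHAIN" 2>/dev/null
    $IPT -t nat -D POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" -j SNAT --to-source "$LAN_IP" 2>/dev/null
    $IPT -D FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" -j ACCEPT 2>/dev/null
    return 0
}

install_rules() {
    remove_rules
    $IPT -t nat -N "$CHAIN"
    # Exceptions first. The proxy itself is mandatory: redirecting its own fetches would loop.
    $IPT -t nat -A "$CHAIN" -s "$PROXY_IP" -j RETURN
    for host in $BYPASS_HOSTS; do
        $IPT -t nat -A "$CHAIN" -s "$host" -j RETURN
    done
    # Web traffic that stays inside the LAN (router UI, local servers) is left alone.
    $IPT -t nat -A "$CHAIN" -d "$LAN_NET" -j RETURN
    # Everything else reaching this chain is TCP/80 from the LAN: send it to Squid.
    $IPT -t nat -A "$CHAIN" -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
    # Only TCP/80 from the LAN enters the chain, so a bypass cannot skip unrelated NAT rules.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN"
    # Client and proxy share a subnet: without SNAT the proxy answers the client directly and
    # the client rejects the reply. Cost: Squid sees every client as $LAN_IP in its logs.
    $IPT -t nat -I POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" -j SNAT --to-source "$LAN_IP"
    $IPT -I FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" -j ACCEPT
}

install_rules
```

Run it with no arguments on any machine to see the rules it would install; on the router, pass "apply" or set MODE=apply at the top before pasting it into Administration > Commands and saving it as the firewall script. Afterwards, iptables -t nat -L TPROXY_WEB -n --line-numbers should show the RETURN exceptions followed by the single DNAT.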

Proxy Server on Different Network and Using Chillispot


The scripts above are used when the proxy server is on the same network. Those who need a transparent proxy with DD-WRT Chillispot enabled have, in most cases (mine too), the proxy server on a different network. I have changed the Option 1 script above to these needs.

 #!/bin/sh
 CHILLI_NETWORK="192.168.182.0/24"
 INTERNAL_NETWORK="192.168.0.0/24"
 CHILLI_ROUTER_IP="192.168.182.1"
 PROXY_SERVER="192.168.0.251"
 PROXY_PORT="3128"
 # This guard only protects against running twice in the same shell session: each run of
 # rc_firewall is a fresh shell with TRANSPARENT_PROXY unset, so there the rules are appended again.
 if [ -z "$TRANSPARENT_PROXY" ]; then
 # Hotspot clients talking to the internal network on TCP/80 are not redirected
 /usr/sbin/iptables -t nat -A PREROUTING -i tun0 -s $CHILLI_NETWORK \
   -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
 # All other TCP/80 from the hotspot network is sent to the proxy
 /usr/sbin/iptables -t nat -A PREROUTING -i tun0 -s $CHILLI_NETWORK -p tcp --dport 80 \
   -j DNAT --to $PROXY_SERVER:$PROXY_PORT
 # Packets from the proxy to the hotspot network leaving on br0 get the Chilli gateway as source
 /usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s $PROXY_SERVER -p tcp -d \
   $CHILLI_NETWORK -j SNAT --to $CHILLI_ROUTER_IP
 # Allow the redirected connections to be forwarded from tun0 to the proxy on br0
 /usr/sbin/iptables -t filter -I FORWARD -s $CHILLI_NETWORK -d $PROXY_SERVER -i tun0 \
   -o br0 -p tcp --dport $PROXY_PORT -j ACCEPT
 export TRANSPARENT_PROXY="1"
 else
 echo "This script has already run!"
 echo "If it hasn't, unset \$TRANSPARENT_PROXY manually via the shell."
 fi

You'll need to have the script run every time the router boots. The easiest way is to store it in the rc_firewall nvram variable, which DD-WRT runs whenever the firewall is started:

  1. Load the script in your text editor and set the variables accordingly.
  2. Log in to the DD-WRT web interface.
  3. Go to Administration > Commands, paste the edited script into the Command Shell box and click Save Firewall.

You can confirm that the changes were saved by executing, from a telnet/SSH shell on the router:

# nvram get rc_firewall

and check that the rules are actually loaded after the firewall has restarted with iptables -t nat -L PREROUTING -n --line-numbers.

Reverse proxy

Squid can also be used as a "reverse proxy" or "web accelerator" in front of web servers running database-intensive applications such as wiki, blog or forum hosting.

For Squid 2.4 and earlier this is referred to as "accelerate single host" mode; for version 2.6 the directives in squid.conf look like:

# Squid normally listens to port 3128, remove this:
# http_port 3128
#
# Instead, change so that squid listens to port 80, substituting your external (WAN) static address here:
http_port 999.999.999.999:80 vhost defaultsite=example.org
# Then have all the requests forwarded to your actual web server (LAN address, change to match your network):
cache_peer 192.168.1.2 parent 80 0 no-query originserver

Squid obtains its speed improvement by caching responses the origin server marks as cacheable, in memory and on disk, and serving those copies instead of having the web server regenerate dynamic content on every request. The benefit therefore depends on the application sending cache-friendly headers, and a worthwhile disk cache needs adequate storage, so this setup is less suited to small servers with limited space. Because Squid now listens on the public address, keep the http_access rules limited to the sites you are accelerating (an acl on dstdomain), otherwise the box can be abused as an open proxy.

Because this reverse-proxy Squid configuration is used by large wiki sites such as Wikipedia, MediaWiki.org and Wikipedia's meta wiki offer some information on using Squid in this manner.