Question on Squid


Post by m1k3st4rr on Fri Jun 04, 2010 12:37 pm

First post!

I am looking to set up a transparent proxy on a home network used between myself and a few roommates... the internet seems to suggest 'squid' is a solution.

The problem is, I do not have a permanent machine to install squid on and use as the proxy server. Can I install squid on a linux-based web server and forward requests to that domain?

Are there any other solutions?
m1k3st4rr
New User
Posts: 8
Joined: Fri Jun 04, 2010 12:25 pm


Re: Question on Squid

Post by Goatboy on Fri Jun 04, 2010 1:15 pm

A remote local proxy. Nice.

Technically, you could do this. You'd just need to set up each computer individually to use the web server's IP as the proxy. That would significantly slow down performance though, as much as using a normal proxy would.
Assume that everything I say is or could be a lie.
Goatboy
Expert
Posts: 2864
Joined: Mon Jul 07, 2008 9:35 pm


Re: Question on Squid

Post by m1k3st4rr on Fri Jun 04, 2010 1:42 pm

Yeah I realize this is not the most practical thing to do... I just want to see if it can be done. Eventually I plan to have a permanent proxy, but until then I want something to work with.

So setting up the remote proxy will work... next question is how to send traffic this direction.

I want to continue with the assumption that the router will be the default gateway for anyone joining the network, and that users' configurations should not have to be aware of the proxy. Could I install, say, dd-wrt on my router and use iptables to send traffic to the proxy? Maybe only selectively forwarding IP groups?


Re: Question on Squid

Post by Goatboy on Fri Jun 04, 2010 1:50 pm

I haven't gotten the chance to mess with DD-WRT (since the router I am using is not mine) but I would assume it has that capability. When you ask about selectively forwarding groups of IPs, I am guessing you want to only "monitor" certain computers? As in you have two subnets, one for your own computers (to be proxied) and one for guests/others?

I have to go for a bit, but someone should be able to pick up.


Re: Question on Squid

Post by m1k3st4rr on Fri Jun 04, 2010 2:46 pm

Bingo - just what I was looking for. Selective forwarding for known computers to the proxy (which will eventually serve as a caching proxy as well, although not practical if it's remote!), some different action for unknown computers, and bypass the proxy for gaming consoles, etc.

Thanks for the help goatboy, I feel much more confident with this idea now 8-)


Re: Question on Squid

Post by Goatboy on Fri Jun 04, 2010 3:47 pm

Here's how I would subnet it, assuming a 192.168.0.1/24 address space:

Code:
192.168.0.0       = Network address       | Going through proxy
192.168.0.1-62    = Usable addresses      | getting results cached, etc.
192.168.0.63      = Broadcast address     | (62 possible clients)

192.168.0.64      = Network address       | Gaming computers, or others
192.168.0.65-126  = Usable addresses      | which will need ports forwarded
192.168.0.127     = Broadcast address     | (62 possible clients)

192.168.0.128     = Network address       | "Other" computers, such as
192.168.0.129-254 = Usable addresses      | guests on your wireless
192.168.0.255     = Broadcast address     | (126 possible clients)


Re: Question on Squid

Post by thetan on Sun Jun 20, 2010 12:20 am

wo0t I'm back from 2 weeks of military training and I think I finally recovered from the sleep dep.

Anyways, I've set up a handful of proxies. From squid caching proxies to apache mod_proxy's.

When setting up transparent proxies, you do not need to configure any machine to use them and instead machines are forced to use them transparently without knowing, hence the usage of the word transparent. My preferred way to achieve this is to host the proxy daemon on the same machine operating as the router. This typically ain't such a big deal to me as most of the routers I operate are FreeBSD boxes with a half dozen NICs in them.

However, I've done transparent proxies before where the actual proxy machine was on a separate system than the router and the only difference is that you just have to change a redirect rule (in PF for FreeBSD, iptables for Linux) from forwarding the desired proxied traffic to 127.0.0.1 on the proxy port, to the ip/port combo of the location of the remote proxy. .... yup, that's all it takes.

Naturally you configure squid to operate transparently:
Code:
http_port 192.168.1.1:3128 transparent

^^ to your squid.conf, where 192.168.1.1 is the ip of the squid box and 3128 is the port you want squid to listen on for http requests

In Linux you'd do most of the firewall/re-routing work with iptables. The great thing about DD-WRT is it's Linux and as such it comes with and uses iptables.

One of my favorite uses for DD-WRT is that I use it as a cheap SSH tunnel into my home network from wherever I am and also if I'm on an unencrypted wifi connection somewhere, I tunnel my web traffic over encrypted SSH through my home connection for privacy. No I'm not paranoid, I like to do things like check my bank account on the road and the last thing I would ever do is send those credentials over an unencrypted, broadcasted transmission.

on a side note, /me introduces Goatboy to VLANs
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP

“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
thetan
Contributor
Posts: 657
Joined: Thu Dec 17, 2009 6:58 pm
Location: Various Bay Area Cities, California
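As an added example (not code from the thread or from any of its posters): a POSIX shell script that generates the DD-WRT iptables rules for the design Goatboy sketched and thetan described, selective redirection of port-80 traffic from the proxied /26 to Squid, a bypass for the gaming /26, and thetan's two redirect targets (127.0.0.1 on the router versus a remote ip:port). The interface name br0, the subnet assignments and the SQUID_REDIRECT chain name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules a DD-WRT router
# needs to push port-80 traffic from the "proxied" /26 to Squid, skip the
# gaming /26 and leave the guest /25 alone. LAN_IF and the subnets are
# assumptions (following Goatboy's plan); proxy ip/port follow thetan's
# http_port line. Rules are printed rather than applied so they can be
# reviewed and tested without root; pipe the output into sh on the router.
LAN_IF="br0"                   # DD-WRT's bridged LAN interface (assumed)
PROXIED_NET="192.168.0.0/26"   # hosts that must go through Squid
GAMING_NET="192.168.0.64/26"   # consoles / port-forwarded hosts: bypass

# thetan's two cases: Squid on the router itself (REDIRECT to a local port)
# or on another box (DNAT to its ip:port).
redirect_target() {
    if [ "$1" = "127.0.0.1" ]; then
        echo "REDIRECT --to-ports $2"
    else
        echo "DNAT --to-destination $1:$2"
    fi
}

build_rules() {
    proxy_ip="$1"; proxy_port="$2"
    cat <<EOF
iptables -t nat -N SQUID_REDIRECT
# the proxy's own outbound fetches must never be redirected back to it (loop guard)
iptables -t nat -A SQUID_REDIRECT -s $proxy_ip -j RETURN
# gaming block bypasses the proxy; order matters, RETURN must come first
iptables -t nat -A SQUID_REDIRECT -s $GAMING_NET -j RETURN
# selective forwarding: only the proxied /26 is sent to Squid
iptables -t nat -A SQUID_REDIRECT -s $PROXIED_NET -p tcp --dport 80 -j $(redirect_target "$proxy_ip" "$proxy_port")
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j SQUID_REDIRECT
EOF
    # Remote proxy: Squid's replies must come back through this router, or the
    # client gets a SYN-ACK from an address it never connected to and drops it.
    # Masquerading makes the router the proxy's peer, so Squid's http_access
    # ACL can (and should) allow only this router's address.
    if [ "$proxy_ip" != "127.0.0.1" ]; then
        echo "iptables -t nat -A POSTROUTING -p tcp -d $proxy_ip --dport $proxy_port -j MASQUERADE"
    fi
}

# On the DD-WRT box, as root:  build_rules 192.168.1.1 3128 | sh
```

Guests in 192.168.0.128/25 never match the redirect chain, so they go straight out, which is the "some different action for unknown computers" slot m1k3st4rr mentioned.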


