Question on Squid

[m1k3st4rr]

First post!

I am looking to set-up a transparent proxy on a home network used between myself and a few roommates... the internet seems to suggest 'squid' is a solution.

The problem is, I do not have a permanent machine to install squid on and use as the proxy server. Can I install squid on a linux-based web server and forward requests to that domain?

Are there any other solutions?

[Goatboy]

A remote local proxy. Nice.

Technically, you could do this. You'd just need to set up each computer individually to use the web server's IP as the proxy. That would significantly slow down performance though, as much as using a normal proxy would.

[m1k3st4rr]

Yeah I realize this not the most practical thing to do... I just want to see if it can be done. Eventually I plan to have a permanent proxy, but until then I want something to work with.

So setting up the remote proxy will work... next question is how to send traffic this direction.

I want to continue with the assumption that the router will be the default gateway for anyone joining the network, and that users' configurations should not have to be aware of the proxy. Could I install, say, dd-wrt on my router and use iptables to send traffic to the proxy? Maybe only selectively forwarding IP groups?

[Goatboy]

I haven't gotten the chance to mess with DD-WRT (since the router I am using is not mine) but I would assume it has that capability. When you ask about selectively forwarding groups of IPs, I am guessing you want to only "monitor" certain computers? As in you have two subnets, one for your own computers (to be proxied) and one for guests/others?

I have to go for a bit, but someone should be able to pick up.

[m1k3st4rr]

Bingo - just what I was looking for. Selective forwarding for known computers to the proxy (which will eventually serve as a caching proxy as well, although not practical if its remote!), some different action for unknown computers, and bypass the proxy for gaming consoles, etc.

Thanks for the help goatboy, I feel much more confident with this idea now

[Goatboy]

Here's how I would subnet it, assuming a 192.168.0.1/24 address space:

Code: Select all

192.168.0.0       = Network address       | Going through proxy
192.168.0.1-62    = Usable addresses      | getting results cached, etc.
192.168.0.63      = Broadcast address     | (62 possible clients)

192.168.0.64      = Network address       | Gaming computers, or others
192.168.0.65-126  = Usable addresses      | which will need ports forwarded
192.168.0.127     = Broadcast address     | (62 possible clients)

192.168.0.128     = Network address       | "Other" computers, such as
192.168.0.129-254 = Usable addresses      | guests on your wireless
192.168.0.255     = Broadcast address     | (126 possible clients)


[thetan]

wo0t i'm back from 2 weeks of military training and i think i finally recovered from the sleep dep.

Anyways, i've set up a handfull of proxies. From squid caching proxies to apache mod_proxy's.

When setting up transparent proxies, you do not need to configure any machine to use them and instead machines are forced to use them transparently without knowing, hence the usage of the word transparent. My preferred way to achieve this is to host the proxy daemon on the same machine operating as the router. This typically ain't such a big deal to me as most of the routers i operate are FreeBSD boxes with a half dozen NICs in them.

However, i've done transparent proxies before where the actual proxy machine was on a separate system then the router and the only difference is that you just have to change a redirect rule (in PF for FreeBSD, iptables for linux) from forwarding the desired proxied traffic to 127.0.0.1 on the proxy port, to the ip/port combo of the location of the remote proxy. .... yup, thats all it takes.

Naturally you configure squid to operate transparently:

Code: Select all

http_port 192.168.1.1:3128 transparent


^^ to your squid.conf, where 192.168.1.1 is the ip of the squid box and 3128 is the port you want squid to listen to for http requests

In linux you'd do most of the firewall/re-routing work with iptables. The great thing about DD-WRT is it linux and as such it comes with and uses iptables.

one of my favorite uses for DD-WRT is that i use it as a cheap SSH tunnel into my home network from wherever i am and also if i'm on an unencrypted wifi connection somewhere, i tunnel my web traffic over encrypted SSH through my home connection for privacy. No i'm not paranoid, i like to do things like check my bank account on the road and the last thing i would ever do is send those credentials over an unencrypted, broadcasted transmission.

on a side note, /me introduces Goatboy to VLANs