Squid transparent proxy, explain?
I'm looking to set up a transparent proxy, which (if I understand correctly) will allow me to monitor/control http traffic on my home LAN with the use of a log analyser.
I'm planning on following this guide. Yes... I'm cheap and don't wanna buy another NIC. My question: How does this all work? I get that http traffic goes to my server first, and then to the destination address, but how? What is stopping the other computers on my network from going straight to my router? Is my interpretation of a transparent proxy correct? My proposed setup. I know it's a broad question, but I'm just genuinely interested.
A proxy can only run transparently if the traffic passes through it en route to the net. Your diagram shows it just as another node on the network, so it cannot intercept the traffic. You'd generally make the server the router on your network, giving it two NICs, 192.168.0.254 and 192.168.1.254 for example, and force all clients to use that machine as the default gateway. Then it can easily point any port 80 and 443 traffic into squid rather than permit it out to the net.
Your link doesn't work (for me..?) so I can't see the guide you're referring to, but if you really do want it on one arm, then you can still use it as the gateway, but you'd have to ensure you masquerade all outbound traffic as it leaves the proxy server, to ensure that when the response comes back it goes back to the proxy, not your own client, as can be achieved with a formal routed network.
Thanks so much for the quick reply. That was some really great info.
So, if I set up something like THIS, then I should be able to monitor traffic? I've been reading through a LOT of guides on configuring squid, and there seems to be a heap of contradicting info. First step will be to activate DHCP on router 2, and give it the 192.168.1.0 network. From what I can gather, my config should look something like this:
Code:
# squid.conf: name the LAN and let it use the proxy
acl internal_network src 192.168.1.0/24
http_access allow internal_network
Code:
# port 80 arriving from the LAN on eth0 is handed to squid on this host
# (REDIRECT targets the local squid; a DNAT to the router's address would send it to the router instead)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
Code:
# the same for port 80 arriving on eth1
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
Where: 192.168.0.1 is my router with internet access; eth0 is the proxy's connection to router 2 (the LAN); eth1 is the proxy's connection to router 1 (the internet modem/router). Will that allow unauthenticated access through the proxy for everyone on the 192.168.1.0 network? Again, thanks to anyone who takes time to reply.
Well, physically that won't work unless you make your proxy a bridge (like a switch), as they are both on the same network.
Essentially, transparent proxies are often crap. They *sound* like a brilliantly simple and good idea, but compared to a conventional proxy they suck in so many ways. If you don't have it transparent, you would then simply block all outbound web traffic except from the proxy server. Things like authentication also get much, much more difficult when you don't know the server you need to authenticate against actually exists. I would say ditch the transparency stuff, but if not, you would need to put eth0 and eth1 on different subnets, and adjust routing accordingly. Also worth remembering there are distros all prebuilt for this if this isn't a pure learning experience, e.g. SME Server, IPCop, pfSense.
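The three setups discussed in this thread (two-NIC transparent gateway, one-arm transparent gateway with masquerading, and the conventional "block everything except the proxy" alternative from the last reply) as a rule generator. This is an added example, not code from the thread or from squid; the interface names eth0/eth1, the 192.168.1.0/24 LAN and port 3128 are assumptions taken from the poster's description and can be overridden in the environment. By default it only prints the iptables and sysctl commands so the rule set can be reviewed before being applied as root.

```bash
#!/bin/sh
# Added example (not from the thread): iptables/squid plumbing for a transparent
# or conventional squid gateway. Interface names, addresses and port are
# assumptions; override them in the environment. DRY_RUN=1 (default) prints the
# commands instead of running them.

LAN_IF="${LAN_IF:-eth0}"              # assumed: NIC the clients reach
WAN_IF="${WAN_IF:-eth1}"              # assumed: NIC facing the internet router
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: the clients' subnet
SQUID_PORT="${SQUID_PORT:-3128}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Two-NIC transparent mode. Clients use this box as their default gateway, so
# everything they send enters on LAN_IF and port 80 can be diverted to squid
# before the kernel forwards it. Port 443 is deliberately left alone: without
# SSL bumping squid cannot do anything useful with intercepted TLS.
gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# One-arm transparent mode: a single NIC on the clients' subnet. Clients still
# point their default gateway at this box, but the internet router sits on the
# same subnet and would answer the client directly, so outbound traffic is
# masqueraded on that NIC to pull replies back through the proxy. ICMP
# redirects are switched off, otherwise the kernel tells clients to bypass us.
onearm_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    run iptables -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Conventional (non-transparent) mode: clients are configured to use the proxy
# explicitly and the gateway refuses to forward direct web traffic. Squid's own
# connections originate locally (OUTPUT chain, not FORWARD), so the REJECT does
# not affect them. The REJECT must precede the general ACCEPT.
conventional_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Matching squid.conf fragment. "intercept" for the transparent modes
# (the keyword was "transparent" on squid releases before 3.1), "plain" for
# the conventional mode.
squid_conf() {
    mode="${1:-intercept}"
    if [ "$mode" = intercept ]; then
        echo "http_port $SQUID_PORT intercept"
    else
        echo "http_port $SQUID_PORT"
    fi
    cat <<EOF
acl internal_network src $LAN_NET
http_access allow internal_network
http_access deny all
access_log /var/log/squid/access.log squid
EOF
}
```

Usage: `. ./squid-rules.sh; gateway_rules; squid_conf intercept` prints the two-NIC rule set and config for review; `DRY_RUN=0 LAN_IF=eth0 WAN_IF=eth1 gateway_rules` applies it. Run `conventional_rules` and `squid_conf plain` instead to follow the last reply's advice and skip interception entirely.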