LinuxQuestions.org
Old 11-26-2009, 03:20 PM   #1
penguinboy08
LQ Newbie
 
Registered: Apr 2008
Posts: 10

Squid transparent proxy, explain?


I'm looking to set up a transparent proxy, which (if I understand correctly) will allow me to monitor/control http traffic on my home LAN with the use of a log analyser.

I'm planning on following this guide

Yes... I'm cheap and don't wanna buy another NIC.



My question: How does this all work? I get that http traffic goes to my server first, and then to the destination address, but how? What is stopping the other computers on my network from going straight to my router?

Is my interpretation of a transparent proxy correct?

My proposed setup

I know it's a broad question, but I'm just genuinely interested.
 
Old 11-26-2009, 04:00 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

A proxy can only run transparently if the traffic passes through it en route to the net. Your diagram shows it just as another node on the network, so it cannot intercept the traffic. You'd generally make the server your router on your network, giving it two NICs, 192.168.0.254 and 192.168.1.254 for example, and force all clients to use that machine as the default gateway. Then it can easily point any port 80 and 443 traffic into Squid rather than permit it out to the net.

Your link doesn't work (for me..?) so I can't see the guide you're referring to, but if you really do want it on one arm, then you can still use it as the gateway, but you'd have to ensure you masquerade all outbound traffic as it leaves the proxy server, to ensure that when the response comes back it goes back to the proxy, not your own client, as can be achieved with a formal routed network.

Last edited by acid_kewpie; 11-26-2009 at 04:02 PM.
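The arrangements described in this reply (two-NIC gateway, and the one-arm gateway with outbound masquerading) and the non-transparent alternative raised later in the thread, as an added example that is not code from the thread: a script that prints, or with "apply" runs as root, the iptables rules for each. Interface names, the 192.168.1.0/24 LAN and Squid listening on port 3128 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (or with "apply" runs, as root) the iptables
# rules for the three arrangements discussed. LAN_NET, SQUID_PORT and the interface names
# are assumptions.
set -eu
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
# Divert HTTP from LAN clients into Squid before routing (nat PREROUTING); the -s match keeps
# anything arriving from the upstream side out of the proxy.
intercept_rules() {  # $1 = LAN-facing interface
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -t nat -A PREROUTING -i $1 -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}
# routed: proxy has two NICs and is the clients' default gateway.
routed_rules() {  # $1 = LAN interface, $2 = upstream interface
    intercept_rules "$1"
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE"  # hide private client addresses
}
# one-arm: one NIC, still the clients' gateway. Forwarded traffic leaves the NIC it came in on,
# so masquerade it (the router then answers the proxy, not the client) and stop the proxy
# sending ICMP redirects that would teach clients to bypass it.
one_arm_rules() {  # $1 = the only interface
    intercept_rules "$1"
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $1 -s $LAN_NET -j MASQUERADE" \
      "sysctl -w net.ipv4.conf.all.send_redirects=0"
}
# explicit: no interception; browsers are configured with the proxy and forwarded web traffic
# from the LAN is refused. Squid's own connections are locally generated (OUTPUT chain), so a
# FORWARD reject only stops clients that try to go direct.
explicit_rules() {  # $1 = LAN interface
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -A FORWARD -i $1 -s $LAN_NET -p tcp -m multiport --dports 80,443 -j REJECT"
}
rules_for() {  # $1 = routed|one-arm|explicit, remaining args = interfaces
    mode="$1"; shift
    case "$mode" in
        routed)   routed_rules "$@" ;;
        one-arm)  one_arm_rules "$@" ;;
        explicit) explicit_rules "$@" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}
# Usage: sh proxy-rules.sh show routed eth0 eth1   |   sh proxy-rules.sh apply one-arm eth0
main() {
    action="$1"; shift
    if [ "$action" = apply ]; then rules_for "$@" | while read -r cmd; do eval "$cmd"; done
    else rules_for "$@"; fi
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it with "show" first and read the rules before applying them; "apply" assumes the nat table is otherwise empty and does not flush existing chains.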
 
Old 11-26-2009, 05:03 PM   #3
penguinboy08
LQ Newbie
 
Registered: Apr 2008
Posts: 10

Original Poster
Thanks so much for the quick reply. That was some really great info.

So, if I set up something like THIS, then I should be able to monitor traffic?

I've been reading through a LOT of guides on configuring squid, and there seems to be a heap of contradicting info.


First step will be to activate DHCP on router 2, and give it the 192.168.1.0 network.


From what I can gather, my config should look something like this:

Code:
# Listen for intercepted (transparent) traffic; 'transparent' is the Squid 2.6/3.0 keyword, 'intercept' on 3.1 and later
http_port 3128 transparent
# 'all' and 'manager' are not built in on older Squid releases, so define them
acl all src all
acl manager proto cache_object
acl internal_network src 192.168.1.0/24
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# Cache manager and PURGE only from the proxy itself
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Port restrictions go before the LAN allow rule: http_access is first match wins, so an earlier allow would bypass them
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow internal_network
http_access deny all
http_reply_access allow all
icp_access allow all
Then I should run these iptables commands:
Code:
# Intercept HTTP arriving from the LAN side (eth0) and hand it to Squid on this host;
# REDIRECT delivers to the proxy's own address, which is where Squid listens (not the router)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Traffic arriving on the router side (eth1) is not intercepted; forwarded traffic leaving
# towards router 1 is masqueraded so the replies come back to the proxy
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Where:
192.168.0.1 is my router with internet access
eth0 is the proxy's connection to router 2 (the lan)
eth1 is the proxy's connection to router 1 (the internet modem/router)


Will that allow unauthenticated access through the proxy for everyone on the 192.168.0.1.0 network?

Again, thanks to anyone who takes time to reply.
 
Old 11-27-2009, 01:44 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Well, physically that won't work unless you make your proxy a bridge (like a switch), as they are both on the same network.

Essentially, transparent proxies are often crap. They *sound* like a brilliantly simple and good idea, but compared to a conventional proxy they suck in so many ways. If you don't have it transparent, you would then simply block all outbound web traffic except from the proxy server. Things like authentication also get much, much more difficult when you don't know the server you need to authenticate against actually exists.

I would say ditch the transparency stuff, but if not, you would need to put eth0 and eth1 on different subnets, and adjust routing accordingly. Also worth remembering there are distros all prebuilt for this if this isn't a pure learning experience, e.g. SME Server, IPCop, pfSense.
 
  

