I have in my possession a small gigabit switch (no VLAN capabilities), a D-Link ADSL router (that supports telnet and runs a basic Linux firmware, as most do, it seems) and a pcduino running Ubuntu (with a single 100 Mbps LAN card and a wireless-N card).
Some clients connect to the switch via cable (if this were the only way they connected, I would simply place the pcduino between that switch and the router and route the traffic through the local squid, dansguardian, etc.), and others connect directly to the ADSL router using wifi (this is the main reason why I cannot just do the above, from what I can tell).
So basically I have a couple of options; the two that spring to mind are:
Option #1: Set the DHCP server to give my client PCs the default gateway of the pcduino (10.0.0.45) and set the pcduino's default gateway to the ADSL router (this is the simplest approach, tbh). The traffic will then flow through the device, allowing me to manipulate traffic via iptables. However, if someone has multiple subnets/VLANs/etc., this will be problematic. I suppose I could assign that single Ethernet port multiple IP addresses (just thought of this now), but it's messy.
Option #2: Use iptables (on the ADSL router, added via telnet) to push outbound traffic of specific types (e.g. HTTP, FTP, HTTPS, etc. that is going to the WAN) to the pcduino. The duino will then manipulate the traffic via squid, dansguardian, etc. (basically content filtering, etc.) and then send it back to the ADSL router. From what I have read, this does require that nothing gets changed in the web GUI of the router, otherwise it will reset the tables to default (kind of crappy), but I can't see this happening very often. If this can be eliminated, I would be very interested in knowing how.
I kind of like the second one because it doesn't require me to change the default gateway of the LAN clients. However, I think the problem that I am having (because it's not working) is that it's causing a routing loop. I use this on the router (just doing HTTP for now):
iptables -t nat -A PREROUTING -i br0 -s ! 10.0.0.45 -d ! 10.0.0.45 -p tcp --dport 80 -j DNAT --to 10.0.0.45:8888
I think it's not working because it's going from router -> duino -> router -> duino (instead of exiting at this point), so I will need to somehow say that if traffic is coming from the duino on port x, allow it to exit on the WAN (via NAT).
If I manually set my browser to 10.0.0.45:8888 (the dansguardian HTTP proxy, chained to squid), it works fine (content gets blocked, etc.). It's literally just the iptables rule (and maybe the entire routing methodology and process) that I need help/advice with. Basically, how would you do it?
Any suggestions welcome
Thanks in advance!
Jared
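As an added example (not part of the original post), here is how the router side of option #2 is usually wired up with iptables when the proxy box sits on the same LAN as the clients. It takes the values from the post (LAN bridge br0, proxy host 10.0.0.45 listening on 8888) and assumes a router LAN address of 10.0.0.1. The piece the post's single DNAT rule does not have is the matching POSTROUTING SNAT: without it the proxy answers the client directly from 10.0.0.45 instead of sending its replies back through the router, where conntrack would reverse the DNAT, so the client never sees a reply from the server address it actually connected to. Excluding the proxy host as a source is what stops its own outbound fetches from being redirected back to itself.

```sh
#!/bin/sh
# Added example (not from the original post): router-side iptables rules for
# "Option #2", redirecting LAN HTTP to a proxy box that lives on the same LAN.
# Assumed from the post: LAN bridge br0, proxy at 10.0.0.45:8888.
# Assumed here: the router's own LAN address is 10.0.0.1.
LAN_IF=${LAN_IF:-br0}
PROXY_IP=${PROXY_IP:-10.0.0.45}
ROUTER_IP=${ROUTER_IP:-10.0.0.1}
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = actually run them

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# proxy_redirect <client_dport> <proxy_port>
# Emits the pair of nat rules needed for one protocol:
#  1. PREROUTING DNAT: LAN traffic to <client_dport>, except traffic sent by the
#     proxy host itself or aimed at it, is rewritten to the proxy. Excluding the
#     proxy as source keeps its own outbound fetches from being redirected again.
#  2. POSTROUTING SNAT: packets the router hands to the proxy get the router's
#     address as source, so the proxy's replies come back via the router, where
#     conntrack reverses the DNAT, instead of going straight to the client from
#     10.0.0.45 (which the client would not match to the connection it opened).
# Note: this uses the current "! -s" negation; very old firmware iptables only
# accepts the intrapositioned form "-s ! 10.0.0.45" used in the post.
proxy_redirect() {
    dport=$1
    pport=$2
    run "$IPT" -t nat -A PREROUTING -i "$LAN_IF" ! -s "$PROXY_IP" ! -d "$PROXY_IP" \
        -p tcp --dport "$dport" -j DNAT --to-destination "$PROXY_IP:$pport"
    run "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -d "$PROXY_IP" \
        -p tcp --dport "$pport" -j SNAT --to-source "$ROUTER_IP"
}

# Hairpin forwarding (in br0, out br0) must also be allowed in the filter table;
# many router firmwares default FORWARD to ACCEPT, but an explicit rule is cheap.
allow_hairpin() {
    run "$IPT" -I FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp -d "$PROXY_IP" -j ACCEPT
}

allow_hairpin
proxy_redirect 80 8888   # plain HTTP, as in the post; add more pairs for other ports
```

Run it as-is to see the commands it would issue, then `DRY_RUN=0 sh redirect.sh` on the router to apply them. Because the router's nat table is what unwinds the DNAT, nothing on the pcduino side needs to change: dansguardian keeps listening on 8888 and squid makes its normal outbound connections, which the `! -s 10.0.0.45` match leaves alone.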