« DVD: Kick-AssTiVo HD 2 will be blank soon.... »

doing the transparent proxy thing


  12:06:00 pm, by The Dreamer   , 493 words  
Categories: Software, Computer, Networking, Cox HSI, AT&T DSL, Broadband

doing the transparent proxy thing

In the morning, I will open like 50 tabs in firefox...for the sites I check out every morning. And, going through my caching proxy helps. But, there are things that I can't get to using the proxy, so I will toggle off the use of proxy in firefox.

But, then I don't remember to switch it back on later....

Additionally, there are devices on my home network that I think could benefit from going through squid, but they don't offer easy ways to make that go.

So, the answer was to investigate transparent proxy. Which I finally got around to doing this weekend.

I added two new ports to my squid.conf

http_port coxtport transparent
http_port dsltport transparent

went with new ports for transparent separate from the existing ones, and two so that one squid cache handling either gateway....

I did a lot of googling around to figure out the iptables to add to my Sveasoft Alchemy running WRT54GS routers.

This is what I've settled on (for cox gateway):

iptables -t nat -A PREROUTING -i br0 -s ! box.lhaven.homeip.net -p tcp --dport 80 -j DNAT \
     --to box.lhaven.homeip.net:coxtport
iptables -t nat -A POSTROUTING -o br0 -s lhaven.homeip.net/24 -d box.lhaven.homeip.net -j SNAT \
     --to coxgateway
iptables -A FORWARD -s lhaven.homeip.net/24 -d box.lhaven.homeip.net -i br0 -o br0 -m state \
     --state NEW,ESTABLISHED,RELATED -p tcp --dport coxtport -j ACCEPT
iptables -A FORWARD -d lhaven.homeip.net/24 -s box.lhaven.homeip.net -i br0 -o br0 -m state \
     --state ESTABLISHED,RELATED -p tcp --sport coxtport -j ACCEPT

On the other router, changed box.lhaven.homeip.net to box2.lhaven.homeip.net, coxtport to dsltport, and coxgateway to dslgateway. coxgateway & dslgateway being the LAN IP of the respective routers. On 'box', box.lhaven.homeip.net routes to cox router, and box2.lhaven.homeip.net routes to dsl router.... With all the NAT/filtering on the internal interface, I shouldn't have to worry that the external interface is dynamic....most of the online details I had found involved used both interfaces and extra rules if the external is dynamic. Though they were written for where squid and iptables box were on different hosts...and the iptables box was a linux firewall of some sort, and not necessarily the outside router.

I had played around with an internal linux router/firewall separate from or in-addition to the alchemy routers....at various times in the past... In fact, it was 'box' that was doing that in a previous life.

I currently, have the iptables additions done manually...but if everything checks out...I'll probably add them to rc_firewall to make them permament... This probably just means I'm no closer to replacing the routers though....

Though someday I should upgrade the cox router, because it would probably be nice to be able to use wondershaper again...but can't get faster than <6Mbps down when its enabled. And, not the 12Mbps(15Mbps with PowerBoost) that it is capable of delivering.

I had thought of being funny and cross routing the transparent proxy....or some configuration that makes it favor cox for web traffic (that I could then switch to DSL when necessary), etc. But, went with simple....


Comment from: The Dreamer [Member]  

Well, looks like it isn’t going to work…too many things on my home network don’t seem to list the proxy, or the proxy doesn’t like it.

IE: 3 TiVos, 2 ReplayTVs, etc.

I didn’t plan my network based on needing to exempt ranges from a transparent proxy at some future date (now)….and, it is kind of a big deal to move things around now.

09/05/10 @ 13:45
Comment from: The Dreamer [Member]  

Silly me…while poking around, I had re-setup a local webserver so I could get tcpdump onto the router. Used to be ‘lhaven’, but when I redid it…I didn’t recreate that part. But, I still had the stuff in backup…so first I restored it there, and then remember that it would work better on a box that is running apache (so either ‘box’ or ‘orac’…I went with ‘orac’ since cp from backup was easier.)

Looked at the backup directories, and thought I should do a backup of my router configs soon.

But, in pulling out the transparent proxy stuff, I decided to tweak a little of the settings….namely one of the pings that the .profile does hadn’t worked in a long time and I never did add my new TiVo to rc_firewall.

Well, I did something wrong….and it bricked the router. Reset to factory and then restore the old backup (and it is a really old backup….ouch)

I think I have things working again….now do a backup :)

09/05/10 @ 15:18
Comment from: The Dreamer [Member]  

Guess I may be looking at the new router thing…but for both.

09/05/10 @ 17:28
Comment from: The Dreamer [Member]  

well, testing transparent proxy again, with bypasses for the DVRs…

Meanwhile, looking at a Buffalo WHR-HP-GN or two….

09/05/10 @ 20:01
Comment from: The Dreamer [Member]  

Looks like my WeatherDirect device doesn’t like the transparent proxy either….


09/08/10 @ 07:50
Now instead of subjecting some poor random forum to a long rambling thought, I will try to consolidate those things into this blog where they can be more easily ignored profess to be collected thoughts from my mind.

Latest Poopli Updaters -- http://lkc.me/poop


There are 17 years 11 months 10 hours 45 minutes and 3 seconds until the end of time.
And, it has been 7 years 1 month 28 days 3 hours 17 minutes and 53 seconds since The Doctor saved us all from the end of the World!


February 2020
Mon Tue Wed Thu Fri Sat Sun
 << <   > >>
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29  


  XML Feeds

Who's Online?

  • Guest Users: 4
This seal is issued to lawrencechen.net by StopTheHacker Inc.
Web Site Builder

hosted by
Green Web Hosting! This site hosted by DreamHost.

monitored by
Monitored by eXternalTest
SiteUptime Web Site Monitoring Service
website uptime