Issues with transparent proxying through an external box
torriem at chem.byu.edu
Fri Nov 11 19:45:05 MST 2005
On my network at home, my firewall and router is a Linksys WRT54GS
running OpenWRT. I recently set up Dansguardian and Squid on my main
workstation and then through the magic of iptables I have all traffic on
the network NATed such that port 80 has to bounce through my proxy.
On my main workstation (also the proxy) I have the following rules set
up to make sure that my own traffic is forced through the proxy even
though the firewall doesn't (out of necessity):
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 880
This effectively causes my machine to transparently proxy all HTTP traffic
through Dansguardian that's generated from my own machine. (handy
rules to know if you want to set up a single machine at home for kids or
On my router, I have the following rules:
iptables -t nat -A PREROUTING -p tcp --dport 80 -s $proxymachine -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s $mynets -j DNAT --to $proxymachine:8080
iptables -t nat -A POSTROUTING -p tcp --dport 8080 -d $proxymachine -j SNAT --to $router
This works well, and does give transparent proxying for all users on all
machines. However it has two major problems:
1. Noticeable increase in latency. Overall bandwidth is still good, but
pages that have lots of connections to other sites (ads or whatever)
load extremely slowly since opening connections is slower.
2. All logs simply show the router IP address as the source address.
Does anyone know if I can reduce the latency and get accurate logging
from this kind of setup? The CPU load on the router is pretty low
almost all the time, so that's not the cause of the problems there.
Michael Torrie <torriem at chem.byu.edu>
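The two rule sets from the post, rewritten as a small script so the whole transparent-proxy configuration can be reviewed in one place before it is loaded. This is an added example, not the poster's own script: the addresses for PROXY, ROUTER and NETS are constructed placeholders, the OUTPUT chain is assumed for the proxy-side rules (the post lists them without a chain), and DRY_RUN=1 prints the iptables commands instead of running them so the rule set can be inspected on any machine.

```shell
#!/bin/sh
# Added example: emit (or apply) the router-side and proxy-side NAT rules
# described in the post. Not part of the original message.

PROXY="${PROXY:-192.168.1.10}"    # constructed sample address of the proxy host
ROUTER="${ROUTER:-192.168.1.1}"   # constructed sample LAN address of the router
NETS="${NETS:-192.168.1.0/24}"    # constructed sample LAN range ($mynets in the post)
DRY_RUN="${DRY_RUN:-1}"           # 1 = print commands, 0 = actually call iptables

# Wrapper so the same functions serve both review and deployment.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Rules for the OpenWRT router: let the proxy's own outbound port-80
# traffic through, DNAT everyone else's port 80 to Dansguardian on the
# proxy, then SNAT to the router address so replies come back via the
# router. That SNAT is what makes every proxy log entry carry the router
# address instead of the real client address.
router_rules() {
    ipt -t nat -A PREROUTING -p tcp --dport 80 -s "$PROXY" -j ACCEPT
    ipt -t nat -A PREROUTING -p tcp --dport 80 -s "$NETS" -j DNAT --to "$PROXY:8080"
    ipt -t nat -A POSTROUTING -p tcp --dport 8080 -d "$PROXY" -j SNAT --to "$ROUTER"
}

# Rules for the proxy workstation itself: connections made by the squid
# user bypass the redirect (otherwise Squid's upstream fetches would loop
# back into the proxy); everything else locally generated is redirected.
# OUTPUT is assumed here, since locally generated packets traverse
# nat/OUTPUT rather than nat/PREROUTING.
proxy_rules() {
    ipt -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
    ipt -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
    ipt -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
    ipt -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 880
}

# Count of rules a function emits; handy for a quick sanity check.
rule_count() {
    "$1" | grep -c '^iptables'
}

# Default invocation: print both rule sets for review.
if [ "$DRY_RUN" = "1" ]; then
    echo "# router:"
    router_rules
    echo "# proxy:"
    proxy_rules
fi
```

Run it as-is to print the rules, or `DRY_RUN=0 PROXY=... ROUTER=... NETS=... sh rules.sh` on the respective box to apply them; keeping the two sets in one file makes it obvious that the SNAT on the router is the rule responsible for the second problem in the post.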