[sllug-members]: Transparent Proxy Log Files

Allen Parker infowolfe at gmail.com
Mon Nov 13 11:53:37 MST 2006 

On 11/13/06, Mike Potter <mike at mikenbob.com> wrote:
> I have been banging my head on this for a while now. I hope you can help me.
>
> I don't want to have to configure my proxy settings each time I use my laptop at
> home. I also don't want my friends and family to have to set a proxy setting
> when they come to the house. So...
>
> I have a OpenWRT router with IPTables set up to route all http traffic though
> another box running tinyproxy and dansguardian using the transparent proxy setup
> found on http://tldp.org/HOWTO/TransparentProxy-6.html.  It works...
> sometimes... but seems to be buggy. I also hate the fact that all my logs now
> show the IP Address of the router instead of the actual client.

Is there a specific reason you're using OpenWRT as the gateway for
your network? Why not plop another NIC into the box that's running
tinyproxy and use it as your router/gateway/dhcp server, etc. (ISC
dhcpd would probably make your life a whole lot easier here anyway).

> So I have a few questions for the group.
>
> 1 - Is the transparent proxy the best way to force all traffic through the
> proxy/filter or are there better ways to accomplish this task?

I assume you're talking about all web traffic, since
aim/icq/msn/yahoo/gtalk/mail won't be going through tinyproxy without
tinyproxy throwing a hissyfit. If you're talking about just things
with http/https in front of them, you should be in decent shape using
tinyproxy. Squid is pretty much your only alternative, but a much
bigger pain to setup.

> 2 - Is there any way with transparent proxy to still show the client IP Address
> in the log files?

I don't really understand what you're asking. Are you asking for a log
of every page you or your family have visited?

> 3 - I tried setting up an automatic proxy settings file, and it works...
> sometimes...

Automatic proxy configs aren't the 'preferred' way of doing things on
larger networks, and probably aren't the most reliable way to do them
inside your network either.

> 4 - Without debating if access in my home should be filtered, are there better
> ways to filter access for a family than dansguardian with multiple computers,
> and OS's? (Currently I have windoze, OS X, and Linux)

Yes. Turn off all non-essential services on your OpenWRT router, turn
into a 'dumb' bridge for wifi -> wired traffic and actually use a real
box for routing (P2 or better will work fine).

> 5 - Finally, a little off-topic, but I want to keep track (log??) other types
> off internet usage in my home like chatting or other programs. Do I need another
> proxy for other internet access that logs and gives me access control lists?
> What's the best way to go here?

As long as you remember to rotate your logs on a regular basis, a
firewall script (like http://spykes.net/?p=firewall) might be
something that you'd want to peek at. I would personally come up with
a list of allowed services that are to be accessed from your LAN,
collect their port numbers, and log the ones you're interested in with
drop rules for everything else.

> I appreciate all your help. You have all been great in the past.

HTH,
Allen Parker

More information about the sllug-members mailing list