Tinyproxy with Transparent mode - GL.iNet Help

Hi everyone,
for the last few days, for a large number of hours, I have been trying to get this concept to work:

client to router, router to internal tinyproxy, filter back to internet and client.
But for some reason, no matter what forwarding options I have enabled, it always allows internet access and disregards the proxy. When I try in the command line, I see the proxy working, but I would have to modify the client's PC in order to connect to the proxy; I want the router to do it for me.

But every time I try and follow the steps, it just allows all traffic to go through.
So the router is set to 192.168.8.1
and the clients will run on 192.168.8.xxx.
Is this where my issue is?

I've attached some photos so everyone sees where I am at. I beg for some help, I may just go nuts.

I also wanted to add this photo of tinyproxy working:

It is very bad practice to post screenshots and pictures. They don't contain all the details that config files have. So next time please avoid it unless absolutely necessary.
From what I can make out, you are matching packets with source port 80. This is the server response, not the client request.

Hi Trendy,
thanks for the heads up - much appreciated.

Would you know what steps I can take here?
If I set the browser with the proxy set to http://192.168.8.1, port 8888,
it does exactly what I need it to do, but I can't get it to do that on the router end.

You can follow the example in documentation.

Hi Trendy, thanks for being active with me on this. Would you mind looking over my setup:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

config include 'mwan3'
	option type 'script'
	option path '/var/etc/mwan3.include'
	option reload '1'

config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding 'guestzone_fwd'
	option src 'guestzone'
	option dest 'wan'

config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config rule 'glservice_rule'
	option name 'glservice'
	option dest_port '83'
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '0'

config redirect
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '192.168.8.1'
	option src 'lan'
	option src_port '80'
	option dest_port '8888'
	option src_dport '80'
	option name 'Transparent Proxy Redirect'
	option src_dip '!192.168.8.1'

config redirect
	option enabled '1'

config redirect
        option src              lan
        option proto            tcp
        option src_ip           !192.168.8.1
        option src_dport        80
        option dest_ip          192.168.1.100
        option dest_port        8888
        option target           DNAT

config redirect
        option dest             lan
        option proto            tcp
        option src_dip          192.168.8.1
        option dest_ip          192.168.1.100
        option dest_port        8888
        option target           SNAT

One more thing, use preformatted text (the </> button) to include console output. You may edit the previous post and fix the formatting.

Thanks! Didn't know that either.
Much appreciated.

By the way, I also followed these instructions, as you will notice from my firewall config file:

https://openwrt.org/docs/guide-user/services/proxy/tinyproxy

But I keep getting access to everything and I'm trying not to...

Much better now.
The example is using an external proxy at IP 192.168.1.100.
I suppose your tinyproxy is running on OpenWrt (192.168.8.1:8888), so you may want to correct that.

Hey, corrected, still an ongoing issue. I can access google.com, for example, when I shouldn't, considering I set tinyproxy with the filter and default deny enabled.
And yes, Tinyproxy is set to listen on 192.168.8.1:8888.
Here is the corrected version:

config redirect
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '192.168.8.1'
	option src 'lan'
	option src_port '80'
	option dest_port '8888'
	option src_dport '80'
	option name 'Transparent Proxy Redirect'
	option src_dip '!192.168.8.1'

config redirect
	option enabled '1'

config redirect
        option src              lan
        option proto            tcp
        option src_ip           !192.168.8.1
        option src_dport        80
        option dest_ip          192.168.8.100
        option dest_port        8888
        option target           DNAT

config redirect
        option dest             lan
        option proto            tcp
        option src_dip          192.168.8.1
        option dest_ip          192.168.8.100
        option dest_port        8888
        option target           SNAT

Again you are using 'src_port 80'. You only need the 'src_dport 80'.

Hi again,
So I cleaned it up a little, and the only thing I can't do now is access the router page at 192.168.8.1, which I sort of understand and is logical. But I can still go to any website outside of the filter list. Here is the clean-up I made:
I also removed the src_port 80 as you mentioned.
I also tried different variations with dest_ip set to 192.168.8.100 or !192.168.8.100, but the way it is right now is the only thing that has shown any change, which throws the tinyproxy error page I've been looking for.

config redirect
	option enabled '1'

config redirect
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '192.168.8.1'
	option src 'lan'
	option dest_port '8888'
	option src_dport '80'
	option name 'Transparent Proxy Redirect'
	option src_dip '!192.168.8.1'

config redirect
        option src              lan
        option proto            tcp
        option src_ip           !192.168.8.1
        option src_dport        80
        option dest_ip          192.168.8.1
        option dest_port        8888
        option target           DNAT

config redirect
        option dest             lan
        option proto            tcp
        option src_dip          192.168.8.1
        option dest_ip          192.168.8.1
        option dest_port        8888
        option target           SNAT

Here is my tinyproxy config:

config tinyproxy
	option Timeout '600'
	option DefaultErrorFile '/usr/share/tinyproxy/default.html'
	option StatFile '/usr/share/tinyproxy/stats.html'
	option LogFile '/var/log/tinyproxy.log'
	option LogLevel 'Info'
	option MaxClients '100'
	option MinSpareServers '5'
	option MaxSpareServers '20'
	option StartServers '10'
	option MaxRequestsPerChild '0'
	option ViaProxyName 'tinyproxy'
	list ConnectPort '443'
	list ConnectPort '563'
	option enabled '1'
	option Filter '/etc/luci-uploads/cbid.tinyproxy.cfg01822b.Filter'
	option FilterDefaultDeny '1'
	option FilterURLs '1'
	option User 'root'
	option Group 'root'
	list Allow '192.168.8.1/24'
	list Allow '192.168.8.1'
	list Allow '127.0.0.1'
	option Listen '192.168.8.1'
	option Port '8888'

I noticed something interesting, and I don't know if this would cause any issue, but when I restart the firewall I also find the following:

Warning: Section @redirect[0] has no target specified, defaulting to DNAT
Warning: Section @redirect[0] has no source specified
Warning: Section @redirect[0] does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[1] does not specify a destination, assuming 'lan'

Restart log:

root@GL-AR300M:~# /etc/init.d/firewall restart
Parse error (invalid character in name field) at line 179, byte 28
Error: Failed to load /etc/config/firewall
root@GL-AR300M:~# /etc/init.d/firewall restart
Parse error (invalid character in name field) at line 179, byte 28
Error: Failed to load /etc/config/firewall
root@GL-AR300M:~# /etc/init.d/firewall restart
Warning: Section @redirect[0] has no target specified, defaulting to DNAT
Warning: Section @redirect[0] has no source specified
Warning: Section @redirect[0] does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[1] does not specify a destination, assuming 'lan'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guestzone_DHCP'
   * Rule 'guestzone_DNS'
   * Redirect #0
   * Redirect #1
   * Forward 'lan' -> 'wan'
   * Forward 'guestzone' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
 * Populating IPv4 nat table
   * Redirect #0
   * Redirect #1
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guestzone_DHCP'
   * Rule 'guestzone_DNS'
   * Forward 'lan' -> 'wan'
   * Forward 'guestzone' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
uci: Entry not found
uci: Entry not found
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ipset v6.34: The set with the given name does not exist
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
   ! Failed with exit code 3
 * Running script '/usr/bin/glfw.sh'
uci: Entry not found
uci: Entry not found
 * Running script '/usr/sbin/glqos.sh'
 * Running script '/var/etc/mwan3.include'

Hello,
I'm updating my situation.

I have made some modifications and some tests which I'll post in a bit. I have noticed now that tinyproxy is working, but it only filters IPs, not websites, even though I have the filter method set up. However, tinyproxy works exactly the way I need it to if I manually configure the client PC, so right now it's as if tinyproxy with the DNAT and SNAT set only filters IPs but not domain names. Does anyone have a suggestion?

Here is my firewall setup:

config redirect
        option src 'lan'
        option proto 'tcp'
        option src_ip '192.168.8.1/24'
        option src_dport '80'
        option dest_ip '192.168.8.1'
        option dest_port '8888'
        option target 'DNAT'

config redirect
        option dest 'lan'
        option proto 'tcp'
        option src_dip '192.168.8.1'
        option dest_ip '192.168.8.1'
        option dest_port '8888'
        option target 'SNAT'

The SNAT is kind of useless and the options used are wrong.
The DNAT is matching only source IP 192.168.8.1.
Delete them both and use the redirect from the tinyproxy page.

uci set firewall.@redirect[0].name='Transparent Proxy Redirect'
uci set firewall.@redirect[0].src=lan
uci set firewall.@redirect[0].proto=tcp
uci set firewall.@redirect[0].dest_port=8888
uci set firewall.@redirect[0].src_dport=80
uci set firewall.@redirect[0].src_dip='!192.168.1.1'
uci set firewall.@redirect[0].dest_ip=192.168.1.1
uci commit firewall
service firewall restart

Everything that comes in from the lan interface to any IP except 192.168.1.1 on port 80/tcp, redirect it to 192.168.1.1 port 8888/tcp.

Hello,
thanks for staying patient with me.
Unfortunately this doesn't work either. It's just so weird. If you look at my first post, I believe the first image has that same config, and then 3 posts down I had it with the DNAT. But I tried your suggestion, removing everything else and just using that script, and it also does not work....
Can this be something to do with SSL?

If the pages you are trying to browse are https, which uses destination port 443 and not http, which uses port 80, then yes, this redirect will not work.
To make https work transparently, though, you need to have its certificate installed in every host; otherwise the browser will complain about a man-in-the-middle attack.
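As an added illustration of the two replies above (the 'src_port 80' mismatch, and why port 443 traffic is never caught by a port-80 redirect), here is a small Python model of how a fw3 'config redirect' section matches a client packet. It is not code from the thread or from OpenWrt; it only models the src, proto, src_ip, src_dip, src_port and src_dport options, and it uses this router's 192.168.8.1 in place of the documentation's 192.168.1.1. The configs and packets are constructed.

```python
import ipaddress
from collections import namedtuple

# One client-side flow as the router's nat PREROUTING chain sees it.
Packet = namedtuple("Packet", "zone proto src_ip src_port dst_ip dst_port")
def parse_redirects(text):
    """Collect each 'config redirect' section as a dict of option -> value."""
    rules = []
    for line in text.splitlines():
        words = line.replace("'", "").split()
        if words[:2] == ["config", "redirect"]:
            rules.append({})
        elif len(words) == 3 and words[0] == "option" and rules:
            rules[-1][words[1]] = words[2]
    return rules
def _ip_ok(spec, ip):
    """Optional, possibly '!'-negated address or CIDR match."""
    if spec is None:
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")
def _port_ok(spec, port):  # optional single port or 'lo-hi' range
    lo, _, hi = (spec or "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)
def redirect_target(rules, pkt):
    """(dest_ip, dest_port) from the first DNAT redirect matching pkt, else None."""
    for r in rules:
        if (r.get("target", "DNAT") == "DNAT" and r.get("src") == pkt.zone
                and pkt.proto in r.get("proto", "tcp udp").split()
                and _ip_ok(r.get("src_ip"), pkt.src_ip)
                and _ip_ok(r.get("src_dip"), pkt.dst_ip)
                and _port_ok(r.get("src_port"), pkt.src_port)
                and _port_ok(r.get("src_dport"), pkt.dst_port)):
            return r["dest_ip"], int(r.get("dest_port", pkt.dst_port))
    return None
# Constructed: the thread's first attempt ('src_port 80') and the documented rule, readdressed to 192.168.8.1.
WITH_SRC_PORT = """config redirect
    option src 'lan'
    option proto 'tcp'
    option src_port '80'
    option src_dport '80'
    option src_dip '!192.168.8.1'
    option dest_ip '192.168.8.1'
    option dest_port '8888'
"""
CORRECTED = WITH_SRC_PORT.replace("    option src_port '80'\n", "")
# Constructed flows: plain HTTP and HTTPS from a LAN host to an outside server.
HTTP = Packet("lan", "tcp", "192.168.8.50", 51234, "203.0.113.10", 80)
HTTPS = Packet("lan", "tcp", "192.168.8.50", 51235, "203.0.113.10", 443)
```

A client request carries a random high source port, so the 'src_port 80' rule never fires; the corrected rule sends the HTTP flow to 192.168.8.1:8888, leaves the HTTPS flow untouched, and still lets the router's own page at 192.168.8.1:80 through.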

Ugh.... that explains it then. I am looking for a method to use a router to lock only 2 websites to be accessible. Do you have any ideas what can be used then other than a proxy?