Hi everyone,
The last few days, for a large number of hours, I have been trying to get this concept to work:
client to router, router to internal tinyproxy, filter back to internet and client.
But for some reason, no matter what forwarding options I have enabled, it always allows internet access and disregards the proxy. When I try in the command line, I see the proxy working, but I would have to modify the client's PC in order to connect to the proxy; I want the router to do it for me.
But every time I try and follow the steps, it just allows all traffic to go through.
So the router is set to 192.168.8.1
The clients will run on 192.168.8.xxx
Is this where my issue is?
I've attached some photos so everyone sees where I am at. I beg for some help, I may just go nuts.
It is very bad practice to post screenshots and pictures. They don't contain all the details that config files have. So next time please avoid it unless absolutely necessary.
From what I can make out, you are matching packets with source port 80. This is the server response, not the client request.
Hi Trendy,
Thanks for the heads up - much appreciated.
Would you know what steps I can take here?
If I set the browser with the proxy set to http://192.168.8.1 port 8888,
it does exactly what I need it to do, but I can't get it to do that on the router end.
Much better now.
The example is using an external proxy at IP 192.168.1.100.
I suppose your tinyproxy is running on OpenWrt (192.168.8.1:8888), so you may want to correct that.
Hey, corrected, still an ongoing issue. I can access google.com, for example, when I shouldn't, considering I set tinyproxy with filter and default deny enabled.
And yes, Tinyproxy is set to listen on 192.168.8.1:8888.
Here is the corrected version:
Hi again,
So I cleaned it up a little, and the only thing I can't do now is access the router page at 192.168.8.1, which I sort of understand and is logical. But I can still go to any website outside of the filter list. Here is the cleanup I made:
I also removed the src_port 80 as you mentioned.
I also tried different variations with dest_ip set to 192.168.8.100 or !192.168.8.100, but the way it is right now is the only thing that has shown any change, which throws the tinyproxy error page I've been looking for.
config redirect
	option enabled '1'

config redirect
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '192.168.8.1'
	option src 'lan'
	option dest_port '8888'
	option src_dport '80'
	option name 'Transparent Proxy Redirect'
	option src_dip '!192.168.8.1'

config redirect
	option src 'lan'
	option proto 'tcp'
	option src_ip '!192.168.8.1'
	option src_dport '80'
	option dest_ip '192.168.8.1'
	option dest_port '8888'
	option target 'DNAT'

config redirect
	option dest 'lan'
	option proto 'tcp'
	option src_dip '192.168.8.1'
	option dest_ip '192.168.8.1'
	option dest_port '8888'
	option target 'SNAT'
I noticed something interesting, and I don't know if this would cause any issue, but when I restart the firewall I also find the following:
Warning: Section @redirect[0] has no target specified, defaulting to DNAT
Warning: Section @redirect[0] has no source specified
Warning: Section @redirect[0] does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[1] does not specify a destination, assuming 'lan'
Restart Log:
root@GL-AR300M:~# /etc/init.d/firewall restart
Parse error (invalid character in name field) at line 179, byte 28
Error: Failed to load /etc/config/firewall
root@GL-AR300M:~# /etc/init.d/firewall restart
Parse error (invalid character in name field) at line 179, byte 28
Error: Failed to load /etc/config/firewall
root@GL-AR300M:~# /etc/init.d/firewall restart
Warning: Section @redirect[0] has no target specified, defaulting to DNAT
Warning: Section @redirect[0] has no source specified
Warning: Section @redirect[0] does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[1] does not specify a destination, assuming 'lan'
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'guestzone_DHCP'
* Rule 'guestzone_DNS'
* Redirect #0
* Redirect #1
* Forward 'lan' -> 'wan'
* Forward 'guestzone' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Zone 'guestzone'
* Populating IPv4 nat table
* Redirect #0
* Redirect #1
* Zone 'lan'
* Zone 'wan'
* Zone 'guestzone'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'guestzone'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'guestzone_DHCP'
* Rule 'guestzone_DNS'
* Forward 'lan' -> 'wan'
* Forward 'guestzone' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Zone 'guestzone'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'guestzone'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
uci: Entry not found
uci: Entry not found
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ipset v6.34: The set with the given name does not exist
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
! Failed with exit code 3
* Running script '/usr/bin/glfw.sh'
uci: Entry not found
uci: Entry not found
* Running script '/usr/sbin/glqos.sh'
* Running script '/var/etc/mwan3.include'
I have made some modifications and some tests which I'll post in a bit. I have noticed now that tinyproxy is working, but it only filters IPs and not websites, even though I have the filter method set up. However, tinyproxy works exactly the way I needed if I manually configure the client PC, so right now it's as if tinyproxy with the DNAT and SNAT set only filters IPs but not domain names. Does anyone have a suggestion?
The SNAT is kinda useless and the options used are wrong.
The DNAT is matching only source IP 192.168.8.1
Delete them both and use the redirect from the tinyproxy page.
uci set firewall.@redirect[0].name='Transparent Proxy Redirect'
uci set firewall.@redirect[0].src=lan
uci set firewall.@redirect[0].proto=tcp
uci set firewall.@redirect[0].dest_port=8888
uci set firewall.@redirect[0].src_dport=80
uci set firewall.@redirect[0].src_dip='!192.168.1.1'
uci set firewall.@redirect[0].dest_ip=192.168.1.1
uci commit firewall
service firewall restart
Everything that comes in from lan interface to any IP except 192.168.1.1 port 80/tcp, redirect it to 182.168.1.1 port 8888/tcp.
Hello,
Thanks for staying patient with me.
Unfortunately this doesn't work either. It's just so weird. If you look at my first post, I believe the first image has that same config, and then 3 posts down I had it with the DNAT. But I tried your suggestion, removing everything else and just using that script, and it also does not work....
Can this be something to do with SSL?
If the pages you are trying to browse are https, which uses destination port 443, and not http, which uses port 80, then yes, this redirect will not work.
To make https work transparently, though, you need to have its certificate installed on every host; otherwise the browser will complain about a man-in-the-middle attack.
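An added illustration (not from this thread or from OpenWrt) of the two points raised above: a small Python model of how a firewall `redirect` section matches a client packet, showing that the reply's rule (`src_dport 80`, `src_dip '!router'`) catches plain HTTP to the web but leaves the router's own page and any port-443 traffic untouched, and that the original `src_port 80` rule matches nothing a client sends. The router address 192.168.8.1 and port 8888 are the thread's; the client address, remote address and rule dictionaries are constructed for the example.

```python
ROUTER = "192.168.8.1"      # the thread's router / tinyproxy address
PROXY_PORT = 8888           # the thread's tinyproxy listen port


def _match_addr(spec, addr):
    """UCI-style address match: None = any, leading '!' negates."""
    if spec is None:
        return True
    return addr != spec[1:] if spec.startswith("!") else addr == spec


def _match_port(spec, port):
    """UCI-style port match: None = any, leading '!' negates."""
    if spec is None:
        return True
    return port != int(spec[1:]) if spec.startswith("!") else port == int(spec)


def redirect_matches(rule, pkt):
    """True if a DNAT redirect would rewrite pkt = (src_ip, src_port, dst_ip, dst_port).

    Rule keys follow the UCI option names: src_ip/src_port describe the client
    side of the packet, src_dip/src_dport its original destination.
    """
    sip, sport, dip, dport = pkt
    return (_match_addr(rule.get("src_ip"), sip)
            and _match_port(rule.get("src_port"), sport)
            and _match_addr(rule.get("src_dip"), dip)
            and _match_port(rule.get("src_dport"), dport))


def final_destination(rule, pkt):
    """Where the packet goes: the proxy if the rule matched, else unchanged."""
    return (ROUTER, PROXY_PORT) if redirect_matches(rule, pkt) else pkt[2:]


# Rule from the reply, with the router address this thread actually uses:
# LAN client -> anything except the router, tcp/80 -> proxy.
WORKING_RULE = {"src_dport": "80", "src_dip": "!" + ROUTER}
# The first attempt: source port 80, which only a server's reply carries.
BROKEN_RULE = {"src_port": "80"}

# Constructed sample flows from a LAN client (203.0.113.10 is a documentation address).
HTTP_TO_WEB = ("192.168.8.100", 51000, "203.0.113.10", 80)
HTTPS_TO_WEB = ("192.168.8.100", 51001, "203.0.113.10", 443)
ROUTER_UI = ("192.168.8.100", 51002, ROUTER, 80)

if __name__ == "__main__":
    for name, pkt in [("http", HTTP_TO_WEB), ("https", HTTPS_TO_WEB), ("router ui", ROUTER_UI)]:
        print(name, "->", final_destination(WORKING_RULE, pkt))
    print("broken rule on http ->", final_destination(BROKEN_RULE, HTTP_TO_WEB))
```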
Ugh.... that explains it then. I am looking for a method to use a router to lock only 2 websites to be accessible. Do you have any ideas what can be used then, other than a proxy?