July 12th, 2005
Squid on Linksys
I’ve always run Squid on my home linux router. But I recently went through an overhaul in my home office, and tried to silence everything and anything I could since all the whirring fans were so loud I couldn’t think. During that process I replaced my linux router with a Linksys WRT54GS and loaded it with a copy of Sveasoft Alchemy-V1.0 (which I highly recommend). Since the replacement, I’ve been running without Squid – and I’ve missed it. So a couple of weeks ago I got off my ass and got it to work. This is what I did:
Assuming that you have Squid running on a linux box somewhere on your local LAN, first make sure squid.conf has the settings that let it behave as a transparent proxy. For Squid 2.5, which is what this was done with, that means the following tweaks:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
(Squid 2.6 and later dropped the httpd_accel_* directives; there the equivalent is a single http_port 3128 transparent line, and Squid 3.1 and later spell it http_port 3128 intercept.)
I know that both TiVo and ReplayTV require that their HTTP traffic not be intercepted for them to work, so we’ll have to exclude them from the caching. If you don’t have any devices that need excluding, leave out that ACCEPT rule. If you’d like to exclude more, add one ACCEPT rule per device.
SSH into your WRT54 and add the following rules to its NAT table, in this order. Note that iptables -I without a rule number inserts at the head of the chain, so each rule lands above the one entered before it: the PVR exclusion has to go in after the DNAT rule, otherwise it ends up underneath it and never matches.
> iptables -t nat -I PREROUTING -p tcp -s ! [ADDR OF PROXY] --dport 80 -i br0 -j DNAT --to-destination [ADDR OF PROXY]:3128
> iptables -t nat -I PREROUTING -s [ADDR OF PVR] -p tcp --dport 80 -j ACCEPT
> iptables -t nat -I POSTROUTING -o br0 -d [ADDR OF PROXY] -s [SUBNET] -j SNAT --to-source [ADDR OF WRT54]
The first rule redirects port-80 traffic arriving on the LAN bridge to Squid’s listening port, except traffic from the proxy itself, so Squid’s own fetches don’t get looped back into it. The second lets the PVR’s traffic through untouched. The third is needed because the proxy sits on the same LAN as the clients: without the SNAT, Squid would answer the client directly from an address the client never connected to and the TCP handshake would fail, so the router rewrites the source to its own address and Squid replies back through it. The side effect is that Squid sees every client as the router, so access.log will show [ADDR OF WRT54] rather than the real workstation addresses. (Newer iptables releases want the negation written as ! -s [ADDR OF PROXY] and warn about the -s ! form used here.)
ADDR OF PVR – address of the device that needs to be excluded
ADDR OF PROXY – address of your Squid box
ADDR OF WRT54 – address of your Linksys box, which should be the “default gateway” for all the nodes on your LAN
SUBNET – the full subnet address (ie, 192.168.1.0/24)
If all goes well you should see Squid’s access.log grow when you browse the web from one of the workstations on your LAN. If not, you can try to debug it, or just power-cycle the Linksys box: the rules only live in RAM at this point, so a reboot reverts it.
Assuming that everything does go well, commit the same three rules, in the same order, to NVRAM as a startup script. The sleep gives the firmware’s own firewall setup time to finish first, so these rules are inserted on top of it:
> nvram set rc_startup='#!/bin/ash
sleep 15
iptables -t nat -I PREROUTING -p tcp -s ! [ADDR OF PROXY] --dport 80 -i br0 -j DNAT --to-destination [ADDR OF PROXY]:3128
iptables -t nat -I PREROUTING -s [ADDR OF PVR] -p tcp --dport 80 -j ACCEPT
iptables -t nat -I POSTROUTING -o br0 -d [ADDR OF PROXY] -s [SUBNET] -j SNAT --to-source [ADDR OF WRT54]
'
> nvram commit
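As an added example covering the whole procedure above (this is not the post’s own script), here is a small sh script that generates the three rules for any number of excluded devices in the order they must be executed, models what iptables -I does to the chain so you can check the result before touching a live router, and renders the rc_startup text. The addresses in the usage line at the bottom are made up; the rule text keeps the -s ! negation form the router’s iptables understands.

```shell
#!/bin/sh
# divert.sh: build the WRT54 NAT rules that divert LAN port-80 traffic to a
# Squid box on the same LAN, and the rc_startup script that persists them.
# Added example, not the original post's script; addresses are assumptions.

# Reject anything that is not digits, dots and at most one /prefix. The
# values end up inside a single-quoted nvram string, so a stray quote or
# shell metacharacter would break out of it and run at boot.
valid_addr() {
    case $1 in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    return 0
}

# Print the rules in the order they must be *executed*. "iptables -I"
# without a rule number inserts at the head of the chain, so each rule
# lands above the one before it: the DNAT is emitted first and the per-host
# exclusions afterwards, which leaves the exclusions on top where they match.
# Usage: emit_rules PROXY ROUTER SUBNET [EXCLUDED_HOST ...]
emit_rules() {
    proxy=$1 router=$2 subnet=$3
    shift 3
    for a in "$proxy" "$router" "$subnet" "$@"; do
        valid_addr "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    # The proxy shares the LAN with the clients: without SNAT it would reply
    # to the client directly from an address the client never connected to,
    # so the router rewrites the source and Squid answers back through it.
    echo "iptables -t nat -I POSTROUTING -o br0 -s $subnet -d $proxy -j SNAT --to-source $router"
    # Everything on the bridge except the proxy itself goes to Squid.
    # "-s !" is the negation form the 2005-era router iptables accepts;
    # current releases want "! -s" instead.
    echo "iptables -t nat -I PREROUTING -i br0 -p tcp -s ! $proxy --dport 80 -j DNAT --to-destination $proxy:3128"
    for host in "$@"; do
        echo "iptables -t nat -I PREROUTING -i br0 -p tcp -s $host --dport 80 -j ACCEPT"
    done
}

# Model head insertion: read the emitted commands and print the resulting
# PREROUTING chain top to bottom, the order "iptables -t nat -L PREROUTING"
# would show. Pipe emit_rules into it to eyeball the order offline.
prerouting_order() {
    chain=''
    while IFS= read -r cmd; do
        case $cmd in
            *' -I PREROUTING '*) chain=$(printf '%s\n%s' "$cmd" "$chain") ;;
        esac
    done
    printf '%s\n' "$chain"
}

# Wrap the rules in the rc_startup script the firmware runs at boot. The
# sleep gives the firmware's own firewall setup time to finish first.
render_startup() {
    rules=$(emit_rules "$@") || return 1
    printf '#!/bin/ash\nsleep 15\n%s\n' "$rules"
}

# Usage on the router (example addresses):
#   emit_rules 192.168.1.10 192.168.1.1 192.168.1.0/24 192.168.1.50 | prerouting_order
#   nvram set rc_startup="$(render_startup 192.168.1.10 192.168.1.1 192.168.1.0/24 192.168.1.50)"
#   nvram commit
```

Run prerouting_order first: the ACCEPT lines for the excluded hosts should print above the DNAT line. If they don’t, the rules were emitted in the wrong order and the exclusions would never match on the router.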
Enjoy!
Update: For some reason, the double dashes are getting reduced to single dashes in the code snippets above. If someone knows how to get my CSS to not do that I’d appreciate any tips.