Everyone in South Africa wants to save a little more bandwidth, as low traffic caps are the rule of the day (esp if you are hanging off an expensive 3G connection).
While the "correct" thing to do is to use wpad autodetection, and thus politely request that users use your proxy, this isn't always an option:
So, here's how you do it:
aptitude install squid
), configure it to have a reasonably large storage pool, give it some sane ACLs, etc.http_port 8080 transparent
to squid.conf
(or http_port 10.1.1.1:8080 transparent
if you are using explicit http_port
options)invoke-rc.d squid reload
If you run squid on your network's default gateway, then you are done. Otherwise, if you have a separate router, you need to do the following on the router:
transprox
table to /etc/iproute2/rt_tables
, i.e. 1 transprox
The reason we use iproute
rules rather than iptables DNAT
is that you lose destination-IP information with a DNAT (like the envelope of an e-mail).
An alternative solution is to run tinyproxy on the router (with the transparent option, enabled in ubuntu but not debian), use the REDIRECT rule above on the router, to redirect to the tinyproxy, and have that upstream
to the squid. But tinyproxy requires some RAM, and on a WRT54 or the likes, you don't have any of that to spare...
Should you need to temporarily disable this for any reason:
iptables -t nat -F PREROUTING
iptables -t mangle -F PREROUTING