Force all web traffic to go through a proxy server
Q I've been running a Squid (and SquidGuard) web proxy on my Fedora box. I've set up SquidGuard blocking rules to protect my children from undesirable content. What this means is that on their (Windows XP) machine, I set the internet to route through my proxy server (192.168.100.100:8080), and all is well. What concerns me is that my eldest is becoming quite savvy and it won't take him long to realise that if he unticks the box marked Use Proxy Server and switches to a direct connection to the internet, he'll get unfiltered access. Can I force all traffic to go through my (always-on) FC6 machine - perhaps by setting up port forwarding on the router (to which only I have the password) - so all web traffic has to go through the proxy server and if he switches to a 'direct' connection he will get no internet? If so, how? I've tried redirecting port 80 and 8080 to the IP of my PC but that doesn't seem to work.
A By "the internet" I take it you mean the world wide web, which is all that Squid normally handles. However, you can force all internet traffic to go through your FC6 box, and then through SquidGuard, in three steps. First, configure your router so that it only allows your FC6 box to connect to the internet; how you do this depends on your router. The port forwarding you set up only affects incoming connections, so remove that. Secondly, you need to set your FC6 box up as a default gateway, so that all internet traffic (not just web traffic) goes through it. Edit the file /etc/sysctl.conf, as root, and change the line
net.ipv4.ip_forward = 0
to end in 1 instead of 0. Now run 'service network restart'. You should now reconfigure your children's computer to use the IP address of your FC6 box as its network gateway. Because you have disabled their access via the router, this is now the only way they can connect to the net. That still leaves the problem of your children removing any proxy setting, so now we use a feature of Squid called transparent proxying. This forces all web requests going through the machine (and you've already forced that with the previous steps) to go through Squid's proxy and hence through SquidGuard. Edit the Squid configuration file (usually /etc/squid/squid.conf) and find the line(s) starting 'http_port'. This probably reads 'http_port 8080' in your file. Change this to
http_port 80 transparent
The 80 sets it to work on the standard HTTP port. The transparent option makes Squid intercept and handle all requests, regardless of whether the browser is configured to use a proxy server or not. You should either remove the old proxy settings from the browsers or add a line to handle requests to the old 8080 port.
http_port 8080 transparent
There is an alternative way of handling this. You can leave http_port set to 8080 and use an iptables rule to redirect all port 80 requests from the addresses that you want to proxy to port 8080. This is more complex, but it gives more flexibility, such as allowing some machines to bypass the proxy altogether. There are details on this on the Squid website at www.squid-cache.org. You could also use iptables, or one of the many front-ends such as Firestarter, to block outgoing traffic to all but the common ports (such as HTTP, HTTPS, POP3, SMTP and FTP). This will prevent your children from using a remote proxy that works on another port. You could possibly do this on the router; however, implementing it on the FC6 box would allow you to block them but still have unrestricted internet access for yourself.
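The following script is an added example, not part of the original answer or of the Squid project, and it ties together the three things the answer describes: enabling forwarding, steering LAN port-80 traffic into Squid with an iptables REDIRECT rule (the rule the "alternative" method needs; on a gateway this is what actually delivers traffic addressed to remote web servers to the local Squid, so it is worth having even with 'transparent' set), and a FORWARD-chain filter that drops everything except the listed ports so a remote proxy on an unusual port is unreachable. Interface names (eth0 facing the children's PC, eth1 facing the router), the parent-machine address 192.168.100.50 and the allowed-port list are constructed assumptions; Squid is assumed to be listening with 'http_port 8080 transparent'. DNS (UDP 53) is allowed out because nothing else works without it. By default the script only prints the commands it would run; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the original answer): turns the FC6 box into a
# filtering gateway with Squid as a transparent proxy. All values below are
# assumptions for illustration; adjust them to your own network.
LAN_IF="${LAN_IF:-eth0}"                      # interface facing the children's PC
WAN_IF="${WAN_IF:-eth1}"                      # interface facing the router
PROXY_PORT="${PROXY_PORT:-8080}"              # Squid's "http_port 8080 transparent"
PARENT_IP="${PARENT_IP:-192.168.100.50}"      # constructed: a PC allowed to bypass Squid
ALLOWED_TCP="${ALLOWED_TCP:-443 25 110 21}"   # HTTPS SMTP POP3 FTP (HTTP goes via Squid)
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = execute as root

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 2 of the answer: enable IPv4 forwarding for the running kernel
# (the /etc/sysctl.conf edit makes it survive a reboot).
forwarding_cmd() {
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Redirect every HTTP request arriving from the LAN to Squid's port. REDIRECT in
# nat/PREROUTING hands the connection to the local Squid instead of forwarding
# it, so the browser's proxy checkbox no longer matters.
redirect_rule() {
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
}

# Exempt one machine from the redirect; inserted at the top so it matches first.
bypass_rule() {
    echo "iptables -t nat -I PREROUTING -i $LAN_IF -s $1 -p tcp --dport 80 -j ACCEPT"
}

# Outbound filter for traffic routed through the box: replies to existing
# connections, DNS and the listed TCP ports are allowed; everything else
# (for example a remote proxy listening on port 3128 or 8000) is dropped.
forward_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT"
    for port in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $port -j ACCEPT"
    done
}

# Hide the LAN behind the gateway's own address on the router side.
masquerade_rule() {
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

apply_all() {
    run $(forwarding_cmd)
    run $(redirect_rule)
    run $(bypass_rule "$PARENT_IP")
    forward_rules | while read -r cmd; do run $cmd; done
    run $(masquerade_rule)
}

apply_all
```

Port 80 never reaches the FORWARD chain from the LAN because the nat REDIRECT has already claimed it, so the filter does not need an HTTP entry; Squid's own outgoing connections leave from the gateway itself and are governed by the OUTPUT chain, which this script leaves at its default of ACCEPT. Passive FTP through the filter additionally needs the ip_conntrack_ftp helper module loaded.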