I decided I’d finally try to get Squid/redirect/filtering/blocking going for wireless this week. Mainly because the stepson has figured out that formatting/reinstalling an OS on his laptop is the easier way past the client-side filtering software.
So.
WRT54G – GL, actually, bought it from ncix.com, fast fast shipping, excellent price, can’t complain. Got it specifically to use aftermarket firmware without incident. Tried DD-WRT, and it hung. Used Open-WRT. Works perfectly, updated to webif2/xwrt. That was stable for a couple of months.
Squid was already installed on the server. Server has its own connection out, and the router has its own as well. (Separate PPPoE logins, through the same switch).
Played for a couple of days with iptables rules on the router. When I finally got it redirecting traffic at first, I got ‘Invalid URL’ errors. Added vhost argument. Didn’t help, got different error but at least it was getting some of the right stuff…
This link made the most sense. Gave up on iptables. Used this and this as examples. Bit of trouble when figuring out how to exempt my actual local websites (on the inside of the web/proxy server) from getting translated.
So, WRT54G:
mkdir /etc/iproute2
echo "201 proxy" > /etc/iproute2/rt_tables
ip rule add fwmark 2 table proxy
ip route add default via (squidproxyinternalipaddress) table proxy
iptables -t mangle -A PREROUTING -i vlan0 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
On the squid/server box:
iptables -t nat -A PREROUTING -s 192.168.x.x/25 -p tcp --dport 80 -j ACCEPT
(yes, I have the network split down a /24… so it’s strange).
iptables -t nat -A PREROUTING -p tcp -d ! (squidproxyinternalipaddress) --dport 80 -j REDIRECT --to-port 3128
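To check what those two rule sets actually do before trusting them with the household's traffic, here is a small model of the packet path, added as an example and not code from the post, from OpenWrt or from Squid. It evaluates the router's mangle/policy-routing rules and the Squid box's nat PREROUTING rules against a few constructed flows; the addresses (192.168.1.10 for the proxy, 192.168.1.0/25 for the exempt range) are placeholders standing in for the post's (squidproxyinternalipaddress) and 192.168.x.x/25. Two things the model makes visible: only TCP/80 is ever marked, so HTTPS and anything on other ports never reaches Squid and stays unfiltered on the router's own uplink, and the /25 exemption must stay ahead of the REDIRECT rule for local hosts to bypass the proxy. (Current iptables builds also want the negation written as `! -d addr` rather than `-d ! addr`.)

```python
"""Model of the two-box transparent-proxy path from the post.

Constructed example, not code from the post or from OpenWrt/Squid. It
evaluates the WRT54G's mangle + policy-routing rules and the Squid box's
nat PREROUTING rules against sample packets, so you can see which flows
end up in Squid and which bypass it. All addresses are placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Placeholders standing in for the post's (squidproxyinternalipaddress)
# and its -s 192.168.x.x/25 exemption.
PROXY_IP = ipaddress.ip_address("192.168.1.10")
EXEMPT_NET = ipaddress.ip_network("192.168.1.0/25")
SQUID_PORT = 3128
PROXY_MARK = 2          # fwmark 2 -> "ip rule add fwmark 2 table proxy"
LAN_IFACE = "vlan0"     # LAN side of the WRT54G


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_iface: str = LAN_IFACE


def router_mark(pkt: Packet) -> int:
    """WRT54G mangle PREROUTING: -i vlan0 -p tcp --dport 80 -j MARK --set-mark 2.
    The following '-m mark --mark 2 -j ACCEPT' only ends chain traversal."""
    if pkt.in_iface == LAN_IFACE and pkt.proto == "tcp" and pkt.dport == 80:
        return PROXY_MARK
    return 0


def router_route(pkt: Packet) -> str:
    """Policy routing: marked packets use table 'proxy' (default via the
    Squid box); everything else uses the main table (router's own PPPoE)."""
    return "squid-box" if router_mark(pkt) == PROXY_MARK else "router-uplink"


def proxy_box_nat(pkt: Packet) -> tuple:
    """Squid box nat PREROUTING, rules in the post's order:
    1. -s EXEMPT_NET -p tcp --dport 80 -j ACCEPT
    2. -p tcp ! -d PROXY_IP --dport 80 -j REDIRECT --to-port 3128
    Returns (action, destination port after NAT)."""
    if pkt.proto == "tcp" and pkt.dport == 80:
        if ipaddress.ip_address(pkt.src) in EXEMPT_NET:
            return ("ACCEPT", 80)
        if ipaddress.ip_address(pkt.dst) != PROXY_IP:
            return ("REDIRECT", SQUID_PORT)
    return ("ACCEPT", pkt.dport)


def trace(pkt: Packet) -> str:
    """Follow one packet through both boxes and name where it ends up."""
    if router_route(pkt) == "router-uplink":
        return "router uplink, unfiltered"
    action, port = proxy_box_nat(pkt)
    if action == "REDIRECT":
        return f"squid:{port}"
    if ipaddress.ip_address(pkt.dst) == PROXY_IP:
        return "local web server on squid box"
    return "squid-box uplink, unfiltered (exempt source)"


# Constructed sample flows: a wireless client, an exempt local host, a
# request to the proxy box's own web server, and an HTTPS request that
# the port-80-only rules never see.
SAMPLE_FLOWS = [
    Packet("192.168.1.200", "203.0.113.80", 80),
    Packet("192.168.1.200", "203.0.113.80", 443),
    Packet("192.168.1.20", "203.0.113.80", 80),
    Packet("192.168.1.200", str(PROXY_IP), 80),
]

if __name__ == "__main__":
    for p in SAMPLE_FLOWS:
        print(f"{p.src} -> {p.dst}:{p.dport}  =>  {trace(p)}")
```

Run it as-is to print the four traces; swap in your own proxy address and exempt range to model your network. The model deliberately mirrors rule order, so reordering the two nat rules in `proxy_box_nat` shows why the exemption has to come first.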
Seems to do the trick so far. The bad part is more web traffic goes through the one box, so the memory, which was usually below 1GB without squid and all this happening, is now at 2.5 out of 3GB. I doubt it’ll increase much though.
Interesting ethical experiment – I got SRG for the statistics, which seems to work well. Put up a password-protected page with the stats for all the visited sites. I’m thinking of setting up a separate page for weekly and one for weekend stats, and giving the household access to view the weekend ones, so that everyone can see what’s being visited. I wonder if that’ll act as a deterrent.