Bfilter, Squid and DD-WRT
Dec. 16, 2010, 02:49 AM (This post was last modified: Dec. 16, 2010 03:59 AM by bkruggel.)
Post: #1
Bfilter, Squid and DD-WRT
Hello,

my setup revolves around two DD-WRT routers (one as firewall and repeater, the other for the local network), a Debian server and multiple (moving) laptops and three workstations.
At the moment I have bfilter and squid installed on the server, and configuring a browser to use bfilter works well - I can see in the log files that requests go through bfilter and squid alright.
However, I am unable to make HTTP traffic go automatically through bfilter. As my router has routing tables (and I use these functions for the openvpn as well), that would make it easier for all laptops (which are on three different OSs). What I want to do is to have all HTTP traffic go through bfilter and squid by default, so when a laptop comes into the network, it doesn't have to bother with setting up the proxy information for all its different browsers.

I took these lines from http://www.dd-wrt.com/wiki/index.php/Squ...AN_Subnet, which basically tell iptables on the router to do what I want to do.

-----
#!/bin/sh
# Transparent proxy redirect for DD-WRT (from the wiki page linked above).
# The proxy (bfilter/squid) lives on the LAN, not on the router itself.
PROXY_IP=192.168.1.10
PROXY_PORT=8080
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

# 1. Leave LAN-to-LAN port 80 traffic alone (internal web servers, proxy fetches to local hosts).
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# 2. Redirect every other port-80 connection from the LAN to the proxy, except the
#    proxy's own outgoing connections (they would loop). "! -s" is the prefix form
#    of the wiki's older "-s !" negation; both mean "not from the proxy".
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# 3. Source-NAT the redirected connections to the router's LAN address, so the proxy's
#    replies come back via the router instead of straight to a client that never talked to it.
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
# 4. Allow the redirected traffic to be forwarded back out on the same bridge.
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
-----

But with these iptables being active, I can't make any connection: the only webpage I see is

-----
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: /

The following error was encountered:

* Unsupported Request Protocol

BFilter does not support all request methods for all access protocols.

Generated Thu, 16 Dec 2010 02:22:01 GMT by SchrottServer (BFilter/1.1.4)
-----

Is there any way to make this work?
What am I doing wrong?

Thanks,
Björn
Dec. 16, 2010, 05:06 PM (This post was last modified: Dec. 16, 2010 05:08 PM by Graycode.)
Post: #2
RE: Bfilter, Squid and DD-WRT
HTTP requests that go directly to a web server (not going to a proxy) look like this:
Code:
GET / HTTP/1.1
Host: www.example.com

For a request that IS going to a proxy, the protocol and host are given in the request line.
Code:
GET http://www.example.com/ HTTP/1.1
Host: www.example.com

By having fooled the computers into not knowing there's a proxy in the mix, their browsers are naturally sending the server format instead of the proxy format. Apparently BFilter does not support that. It sees '/' where it expects to see the 'http://' protocol and so responds with "Unsupported Request Protocol".

A solution may be to swap the order of your proxies. Instead of BFilter:8080 forwarding to Squid:3128, make Squid the primary entry point. You'll need to tell Squid to route requests through the BFilter proxy. http://wiki.squid-cache.org/Features/CacheHierarchy
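The two request-line forms described in the post above, as an added example that is not part of the thread and not code from BFilter or Squid. It parses a raw HTTP/1.x request, classifies the request target (using the RFC 7230 names: origin-form, absolute-form, authority-form, asterisk-form), and rewrites an origin-form request into the absolute form a strict proxy expects, using the Host header. That rewrite is exactly what an intercepting proxy has to do on its own, because after the DNAT on the router the only hint it has about the real destination is the client-supplied Host header. The sample requests in the test are constructed.

```python
# Added example, not code from the thread, BFilter or Squid: how a proxy sees
# the two HTTP request-line forms, and how an intercepting proxy reconstructs
# the absolute URL that a proxy-aware client would have sent.


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request head into method, target, version and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def request_form(target: str) -> str:
    """Classify the request target with the RFC 7230 section 5.3 names."""
    if target == "*":
        return "asterisk"      # OPTIONS * HTTP/1.1
    if target.startswith("/"):
        return "origin"        # GET / HTTP/1.1  (client thinks it talks to the server)
    if "://" in target:
        return "absolute"      # GET http://host/ HTTP/1.1  (client knows about the proxy)
    return "authority"         # CONNECT host:443 HTTP/1.1


def to_absolute(req: dict) -> str:
    """Return the absolute URL for an origin- or absolute-form request.

    A strict proxy only accepts the absolute form. An intercepting proxy must
    rebuild it from the Host header, because the DNAT on the router hid the
    real destination address; without a Host header the destination is unknown.
    """
    form = request_form(req["target"])
    if form == "absolute":
        return req["target"]
    if form == "origin":
        host = req["headers"].get("host")
        if not host:
            raise ValueError("origin-form request without Host header: destination unknown")
        return "http://" + host + req["target"]
    raise ValueError("cannot build an absolute URL from %s-form target %r" % (form, req["target"]))


def rewrite_to_absolute(raw: bytes) -> bytes:
    """Rewrite a raw origin-form request into absolute form, keeping headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    req = parse_request(raw)
    request_line = "%s %s %s" % (req["method"], to_absolute(req), req["version"])
    rest = head.split(b"\r\n", 1)[1] if b"\r\n" in head else b""
    return request_line.encode("iso-8859-1") + b"\r\n" + rest + sep + body


if __name__ == "__main__":
    # Constructed sample: what a browser sends when it does not know about the proxy.
    sample = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print(rewrite_to_absolute(sample).decode("iso-8859-1"))
```

Two things follow from the rewrite. First, the Host header is whatever the client chose to send, so an intercepting proxy that fetches `http://<Host><path>` is trusting the client for the destination; with the DNAT done on the router rather than on the proxy host, the proxy cannot compare Host against the address the client really connected to. Second, a request with no Host header at all (an HTTP/1.0 client, for instance) cannot be forwarded by an intercepting proxy at all, which is the failure mode the `ValueError` above models.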
Dec. 17, 2010, 12:10 AM
Post: #3
RE: Bfilter, Squid and DD-WRT
Wow - thanks a lot! I didn't have any idea...

However, I was testing bfilter today and in fact I found a website that was completely misdetected - (http://www.videotron.com) - this website does exactly what bfilter doesn't like (and me neither) - to make a horrible mess with JavaScript.
So I also tested privoxy this morning, but performance suffered significantly (the setup at the moment works significantly faster than traditional Firefox AdBlock, especially on slower machines like netbooks and tablets). The nice thing was that Privoxy has a whitelist - which BFilter obviously lacks, and NOFILTER has no effect on javascript. Disabling filters for BFilter is obviously not the purpose.

The other problem is all the different OSes here, again. I tried automatic solutions for an Ubuntu laptop with a badly configured environment and a workstation with Gnome - I configured the laptop browsers one by one to use the proxy, and for the PC I told Gnome to use the proxy. Result: the laptop works as expected (the browser uses the proxy, all the rest doesn't); on the PC browsing works, but for example empathy is broken (MSN and Yahoo can't connect).
So maybe I'll do the configuration for Macs and Linuxes like I did on the laptop, which is fully automatic (due to ifupdown and some wrapperscripts). And Windows users will have to get ProxyFoxy or something.

Anyway, thank you very much - I'll have to look at this stuff more precisely when I have time.
Dec. 17, 2010, 06:41 PM (This post was last modified: Dec. 17, 2010 07:11 PM by bkruggel.)
Post: #4
RE: Bfilter, Squid and DD-WRT
This doesn't leave me :-)

Your solution is great and simple. After 2 hours of fiddling with squidguard (until I understood that the reason it didn't work was that it simply segfaulted every time) I tried it as you said.
And, well, it simply works. No configuration or horrible wrapper scripts. Empathy doesn't decide anything anymore, so MSN and Yahoo work, https pages work, everything is great.

I still have to check the CPU load, though. I made a test yesterday with somebody else who 'surfs' the web at far higher speed than I do while somebody was streaming music from the server to the kitchen and the fan on the old iBook (the server) went on.
I am wondering if it is the filtering or the blocking that uses more cpu load? In the worst case, I could still try to remove the keyboard from the iBook...

BTW: The problem with Videotron was in the cache somewhere. When I cleared all caches (squid and local caches) and deleted cookies, it went completely away.