2

Here's my network configuration:

My network configuration http://daveden.files.wordpress.com/2013/05/network-configuration.png

The proxy server is running Ubuntu with Squid on port 3128 and DansGuardian on port 8080.

I'd like to force all clients to use the proxy server - specifically, port 8080 - for any TCP/UDP access. However, I don't want to transparently redirect.

How do I do this? Can I just drop packets if the client isn't configured to use the proxy server on port 8080?

I'd like whatever system I come up with to work on the proxy server itself as well. It's the only desktop computer in the house, so it'd be nice if I could allow people in my household to use it but still know that they're protected.

Shurmajee

2 Answers

2

You have a couple options:

  • Use something like WCCP and function transparently.
  • Be an inline proxy, as it seems you are now.
  • Use WPAD to send the devices to a box hosting your PAC file.
  • Manually specify the proxy in your clients.

However, this all depends on what you're exactly running, and if your devices support it (Can blenders handle PAC files?). If possible, I suggest using WPAD, but you should be aware of MITM vulnerabilities.

Also, to address your question about dropping TCP/UDP packets which aren't proxied, just drop everything that doesn't have a source of your proxy, at any point after the ingress interface of the proxy. Unfortunately, if you want to do this with a separate device, that device will have to reside between your proxy and modem.

You can also set your proxy up to do it by either using iptables on your proxy egress interface, or you could just not route traffic outbound for other internal devices... But the second solution would also extend past TCP/IP to include ICMP, IP Protocols, etc.

JZeolla
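The iptables option described in the answer above, as an added example that is not part of the original answer: a shell function that prints an `iptables-restore` ruleset for the inline proxy box. It also restricts the proxy's own desktop users, which goes beyond what the answer spells out. The interface names (`eth1`, `eth0`) and the account names (`proxy`, `dansguardian`) are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for an inline proxy box.
# Usage: proxy_only_rules LAN_IF WAN_IF SQUID_USER FILTER_USER
proxy_only_rules() {
    lan_if=${1:-eth1}              # assumed: interface facing the clients
    wan_if=${2:-eth0}              # assumed: interface facing the modem
    squid_user=${3:-proxy}         # assumed: account Squid runs as
    filter_user=${4:-dansguardian} # assumed: account DansGuardian runs as

    # With one shared interface the egress rules below would also cut off
    # replies to LAN clients, so refuse to generate anything.
    if [ "$lan_if" = "$wan_if" ]; then
        echo "LAN and WAN interface must differ" >&2
        return 1
    fi

    cat <<EOF
# IPv4 only; ip6tables needs equivalent rules if IPv6 is enabled.
*filter
:INPUT ACCEPT [0:0]
# Never route for LAN clients: an unconfigured client simply gets nothing.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Clients may use DansGuardian on 8080 but not talk to Squid directly.
-A INPUT -i $lan_if -p tcp --dport 3128 -j REJECT --reject-with tcp-reset
# Packets of connections that were allowed to start may continue.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Local desktop users: only DansGuardian may open connections to Squid.
-A OUTPUT -o lo -p tcp --dport 3128 -m owner ! --uid-owner $filter_user -j REJECT --reject-with tcp-reset
# Egress: only Squid's account may start outbound traffic (TCP, UDP, ICMP).
-A OUTPUT -o $wan_if -m owner --uid-owner $squid_user -j ACCEPT
-A OUTPUT -o $wan_if -j REJECT
COMMIT
EOF
}

# Print the ruleset; arguments override the assumed defaults.
proxy_only_rules "$@"
```

Check the printed rules with `iptables-restore --test` before loading them, since loading replaces the existing filter table. Other system accounts on the proxy that need direct outbound access would each need their own `--uid-owner` rule ahead of the final `REJECT`.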
1

You could redirect packets to send them to your proxy.

This method is called a transparent proxy.

You may find some cookbooks there: