Upside-Down-Ternet
With April Fool's Day coming closer, it's time for yet another Upside-Down-Ternet howto - only this time with OpenWrt redirecting to an external Squid proxy. The setup in short:
- Install Squid3, with the following settings in squid.conf:

      acl localnet src 10.0.0.0/24
      http_access allow localnet
      http_port 3128 intercept
      url_rewrite_program /usr/local/bin/flip.pl

- The /usr/local/bin/flip.pl script does the actual work and turns the images upside down. There are a lot of other scripts to choose from :-)
- Configure your local webserver so that the URL from flip.pl can be served. Also, one must take care that permissions are set correctly:

      mkdir -m2750 /var/www/ternet
      chown proxy:www-data /var/www/ternet

  This way, the Squid proxy running as user "proxy" can write to the directory while the webserver, running as user "www-data", can read from it.
- Since there's OpenWrt running on our gateway, we have all the iptables power we need to redirect traffic to our Squid proxy:
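
      SRC=10.0.0.0/24
      IFACE=br-lan
      ROUTER=10.0.0.1
      PROXY=10.0.0.20
      PROXY_PORT=3128

      # Redirect HTTP from the LAN (except the proxy's own requests) to Squid
      iptables -t nat -A prerouting_rule \
        -i $IFACE ! -s $PROXY -p tcp --dport 80 -j DNAT --to $PROXY:$PROXY_PORT
      # Rewrite the source address so the proxy's replies go back through the router
      iptables -t nat -A postrouting_rule \
        -o $IFACE -s $SRC -d $PROXY -j SNAT --to $ROUTER
      # Allow the redirected connections to be forwarded to the proxy
      iptables -A forwarding_rule \
        -i $IFACE -o $IFACE -s $SRC -d $PROXY -p tcp --dport $PROXY_PORT -j ACCEPT
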
Note: We're using the internal OpenWrt chains here, instead of the predefined PREROUTING, POSTROUTING, FORWARD chains. This way our rules actually get inserted rather than appended to any existing rules.
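
Whatever script is used as url_rewrite_program receives URLs chosen by the clients, so it should treat them as untrusted input. The following Python helper is an added example (it is not the flip.pl referenced above and not code from the original post) showing one way to do that. It assumes Squid's line-based helper protocol without concurrency and with bare-URL replies, ImageMagick's convert installed on the proxy, and a web server on the proxy host serving /var/www/ternet under the hypothetical BASE_URL.

```python
import hashlib
import os
import subprocess
import sys
import urllib.request
from urllib.parse import urlsplit

OUT_DIR = "/var/www/ternet"           # directory created in the step above
BASE_URL = "http://10.0.0.20/ternet"  # assumption: web server runs on the proxy host
MAX_BYTES = 5 * 1024 * 1024           # assumption: skip images larger than 5 MiB


def local_name(url):
    """Return a file name for the flipped copy of an http image URL, else None."""
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    wanted = url.startswith("http://") and ext in (".jpg", ".jpeg", ".png", ".gif")
    # Hash the URL so nothing the client sent ends up in a path or an argument.
    return hashlib.sha256(url.encode()).hexdigest()[:32] + ext if wanted else None


def flip(url, name):
    """Fetch url and publish a flipped copy as OUT_DIR/name; raises on failure."""
    target = os.path.join(OUT_DIR, name)
    tmp = os.path.join(OUT_DIR, f".{os.getpid()}.{name}")
    if not os.path.exists(target):
        with urllib.request.urlopen(url, timeout=5) as resp:
            data = resp.read(MAX_BYTES + 1)
        if len(data) > MAX_BYTES:
            raise ValueError("image too large")
        # Argument list, no shell; "png:-" pins ImageMagick's decoder, reads stdin.
        subprocess.run(["convert", name.rsplit(".", 1)[1] + ":-", "-flip", tmp],
                       input=data, check=True, timeout=10)
        os.replace(tmp, target)       # publish atomically for the web server
    return True


def handle(line, fetch=flip):
    """Map one Squid request line to a reply; '' leaves the URL unchanged."""
    try:
        url = line.split()[0]
        name = local_name(url)
        return f"{BASE_URL}/{name}" if name and fetch(url, name) else ""
    except Exception:                 # bad input, failed fetch or failed convert
        return ""


if __name__ == "__main__":
    for request in sys.stdin:         # Squid sends one request per line
        print(handle(request), flush=True)
```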