Upside-Down-Ternet

With April Fool's Day coming closer, it's time for yet another Upside-Down-Ternet howto - only this time with OpenWrt redirecting to an external Squid proxy. The setup in short:

  • Install Squid3, with the following settings in squid.conf:
      acl localnet src 10.0.0.0/24
      http_access allow localnet
      http_port 3128 intercept
      url_rewrite_program /usr/local/bin/flip.pl
    
  • The /usr/local/bin/flip.pl script does the actual work and turns the images upside down. There are a lot of other scripts to choose from :-)

  • Configure your local webserver, so that the URL from flip.pl can be served. Also, one must take care that permissions are set correctly:
      mkdir -m2750 /var/www/ternet
      chown proxy:www-data /var/www/ternet
    
    This way, the Squid proxy, running as user "proxy", can write to the directory, while the webserver, running as user "www-data", can read from it.

  • Since there's OpenWrt running on our gateway, we have all the iptables power we need to redirect traffic to our Squid proxy:
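    SRC=10.0.0.0/24
    IFACE=br-lan
    ROUTER=10.0.0.1
    PROXY=10.0.0.20
    PROXY_PORT=3128

    # Redirect HTTP from the LAN (except the proxy's own requests) to Squid
    iptables -t nat -A prerouting_rule \
        -i $IFACE ! -s $PROXY -p tcp --dport 80 -j DNAT --to $PROXY:$PROXY_PORT
    # Rewrite the source address so the proxy's replies return via the router
    iptables -t nat -A postrouting_rule \
        -o $IFACE -s $SRC -d $PROXY -j SNAT --to $ROUTER
    # Allow the redirected traffic to be forwarded back out of the LAN interface
    iptables -A forwarding_rule \
        -i $IFACE -o $IFACE -s $SRC -d $PROXY -p tcp --dport $PROXY_PORT -j ACCEPT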
    
    Note: We're using the internal OpenWrt chains here, instead of the predefined PREROUTING, POSTROUTING, FORWARD chains. This way our rules actually get inserted rather than appended to any existing rules.
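
The permissions step above only holds if every file the rewriter drops into /var/www/ternet stays group-readable and closed to other users. The following is an added example, not part of the original post (the function names mode_problems and audit_tree are made up for it), that audits the directory tree against the proxy:www-data, mode 2750 arrangement:

```python
# Added example (not from the original post): audit the image directory
# against the owner-writes / group-reads model set up with mkdir -m2750.
import os
import stat

def mode_problems(mode, is_dir):
    """Return deviations from mode 2750 (dirs) / group-readable files."""
    problems = []
    if mode & stat.S_IRWXO:
        problems.append("accessible to others")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if not mode & stat.S_IRGRP:
        problems.append("not group-readable")
    if is_dir and not mode & stat.S_IXGRP:
        problems.append("group cannot traverse")
    if is_dir and not mode & stat.S_ISGID:
        problems.append("setgid bit missing")
    return problems

def audit_tree(root, uid=None, gid=None):
    """Return {path: [problems]} for root and everything below it.
    uid/gid: expected numeric owner and group; None skips that check."""
    paths = [root]
    for base, dirs, files in os.walk(root):
        paths += [os.path.join(base, name) for name in dirs + files]
    findings = {}
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings[path] = ["symlink"]  # may point outside the directory
            continue
        problems = mode_problems(st.st_mode, stat.S_ISDIR(st.st_mode))
        if uid is not None and st.st_uid != uid:
            problems.append("owner is uid %d" % st.st_uid)
        if gid is not None and st.st_gid != gid:
            problems.append("group is gid %d" % st.st_gid)
        if problems:
            findings[path] = problems
    return findings

if __name__ == "__main__":
    import grp, pwd, sys
    # User, group and path are the ones used in this post.
    found = audit_tree("/var/www/ternet", pwd.getpwnam("proxy").pw_uid,
                       grp.getgrnam("www-data").gr_gid)
    for path, problems in sorted(found.items()):
        print("%s: %s" % (path, ", ".join(problems)))
    sys.exit(1 if found else 0)
```

A file reported as "not group-readable" usually means the rewriter ran with a umask such as 077, so the webserver cannot serve the flipped image.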