LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 09-17-2007, 11:48 AM   #1
agentc0re
Member
 
Registered: Apr 2007
Location: SLC, UTAH
Distribution: Slackware
Posts: 200

Rep: Reputation: 34
Implementing Dansguardian into our network


So the way I see it I have 2 options. Option one is preferable but I'm not sure exactly how to get it to work.

Option 1
Network diagram
Internet->Firewall->dansguardian->switch

The problem I am having is turning dansguardian into a basic router where if anything on port 80 comes through it will stop it and do its thing but allow anything else to go through.
I have 3 iptables entries.
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

For the test I have it set up just a little different than the diagram.
Main Switch->Dansguardian->Switch->test machine
eth0=10.30.0.6/24 - switch
eth1=10.30.0.14/14 - Internet
Maybe because of that I'm having my issues, but with that in place I can't ping the test machine from dansguardian. The test machine is set to DHCP from my network, so it appears it can't make those requests through dansguardian. By default I have the whole IPTABLES set to accept all incoming and outgoing.

Option 2
Have my firewall redirect all traffic on port 80 to my dansguardian box. Maybe that's how I am supposed to do it in the first place? To me it just seems more logical to not bounce the traffic everywhere and just have it get stopped on its way out/in.

I would prefer Option one, where it allows traffic to pass through it unless it's on port 80.

Any help on both options is most welcome. Examples and diagrams of how you implement it would be helpful as well.

Oh, I have squid set up to do transparent proxy as well.
 
Old 09-17-2007, 01:23 PM   #2
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi agent,

first, IMHO, you need some kind of transparent proxy;
by that you need to change your internal interface IP/subnet to be different from the internet one.

Quote:
For the test I have it set up just a little different than the diagram.
Main Switch->Dansguardian->Switch->test machine
eth0=10.30.0.6/24 - switch
eth1=10.30.0.14/14 - Internet
Maybe because of that I'm having my issues, but with that in place I can't ping the test machine from dansguardian. The test machine is set to DHCP from my network, so it appears it can't make those requests through dansguardian. By default I have the whole IPTABLES set to accept all incoming and outgoing.
Implementing dansguardian --> you need both iptables for traffic redirection and squid for the master web-cache.

Please check your iptables statements:
Quote:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
It should be: iptables -t nat -A PREROUTING -i $LANIF -p tcp --dport 80 -j REDIRECT --to-ports <dansguardian listening port>

dansguardian must be set to pass the traffic on to the squid listener port.

so the steps will be :
1. Client traffic to port 80 must be redirected by iptables to dansguardian on port 8080.
2. dansguardian on 8080 must pass the traffic to squid on 3128.

HTH.
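A complete rule set for the two-step redirect described above, as an added example rather than anything posted in this thread or shipped with DansGuardian. It assumes the layout rossonieri#1 recommends: the DansGuardian box routes between a client-facing LAN interface and an uplink, and the two interfaces sit on different subnets. The interface names, the LAN network, the 8080 filter port and the IPT/SYSCTL preview hooks are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for a DansGuardian box
# that routes between a LAN interface and an uplink and transparently
# redirects the LAN's port-80 traffic into DansGuardian.
# Placeholders (assumptions, adjust to your layout): LANIF, WANIF, LAN_NET,
# DG_PORT. Set IPT=echo and SYSCTL=echo to preview the commands instead
# of applying them.
LANIF="${LANIF:-eth1}"                 # interface facing the clients
WANIF="${WANIF:-eth0}"                 # interface facing the upstream firewall
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # client subnet (must differ from WANIF's)
DG_PORT="${DG_PORT:-8080}"             # DansGuardian listening (filter) port

ipt()        { "${IPT:-iptables}" "$@"; }
sysctl_set() { "${SYSCTL:-sysctl}" -w "$@"; }

proxy_rules() {
    # The box only forwards packets between its interfaces with this enabled.
    sysctl_set net.ipv4.ip_forward=1

    # Step 1: port-80 traffic arriving from the LAN is redirected to the
    # local DansGuardian port. This belongs in PREROUTING, not OUTPUT:
    # OUTPUT only sees packets generated on this machine, so a redirect
    # there never catches the clients' traffic.
    ipt -t nat -A PREROUTING -i "$LANIF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$DG_PORT"

    # REDIRECT hands the connection to the local stack, so INPUT must allow it.
    ipt -A INPUT -i "$LANIF" -p tcp --dport "$DG_PORT" -j ACCEPT

    # Everything else from the LAN is routed straight through; replies are
    # allowed back only for connections the LAN side initiated.
    ipt -A FORWARD -i "$LANIF" -o "$WANIF" -j ACCEPT
    ipt -A FORWARD -i "$WANIF" -o "$LANIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the LAN subnet behind the uplink address. Drop this rule if the
    # upstream firewall instead has a route back to LAN_NET via this box.
    ipt -t nat -A POSTROUTING -o "$WANIF" -s "$LAN_NET" -j MASQUERADE
}

# Step 2 (DansGuardian -> Squid on 3128) is not an iptables matter: it is
# set in dansguardian.conf (proxyip / proxyport), and Squid must listen in
# transparent mode on that port.

# Apply only when explicitly asked, so sourcing this file changes nothing.
if [ "${1:-}" = "apply" ]; then
    proxy_rules
fi
```

Run it as root with `sh thisfile.sh apply`; with `IPT=echo SYSCTL=echo sh thisfile.sh apply` it only prints the commands it would issue, which is a convenient way to review the rule order before touching a live box. The `-s "$LAN_NET"` matches keep the redirect and the masquerade from ever applying to traffic that did not originate on the client side.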
 
Old 09-17-2007, 02:15 PM   #3
agentc0re
Member
 
Registered: Apr 2007
Location: SLC, UTAH
Distribution: Slackware
Posts: 200

Original Poster
Rep: Reputation: 34
Quote:
Originally Posted by rossonieri#1
hi agent,

first, IMHO, you need some kind of transparent proxy;
by that you need to change your internal interface IP/subnet to be different from the internet one.
So both NICs can't be on the same subnet? Why is that? All I want is traffic to pass through it unless it's http. I do have squid set up currently to be a transparent proxy.


Quote:
Originally Posted by rossonieri#1
It should be: iptables -t nat -A PREROUTING -i $LANIF -p tcp --dport 80 -j REDIRECT --to-ports <dansguardian listening port>

dansguardian must be set to pass the traffic on to the squid listener port.

so the steps will be :
1. Client traffic to port 80 must be redirected by iptables to dansguardian on port 8080.
2. dansguardian on 8080 must pass the traffic to squid on 3128.
I thought dansguardian forwarded to 3128 on its own and that's why you have that set up in its CONF file. I'm guessing I'm mistaken?

Maybe I have the wrong idea for the endgame.
Internet->firewall(10.30.0.2)->(10.30.0.6)dansguardian(10.30.0.14)->switch
Would 10.30.0.2 and 10.30.0.6 need to become a new subnet?
If so, I'm still having trouble finding out how to forward incoming/outgoing through the two interfaces. Maybe this happens already? I've already enabled ip4_forwarding = 1.

Last edited by agentc0re; 09-17-2007 at 02:16 PM.
 
Old 09-17-2007, 03:15 PM   #4
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Some time ago there was a thread in the LQ Slackware forum where I helped someone set up a transparent proxy for (I think) a school. That thread's discussion resulted in me writing a Wiki page about setting up a combination of Dansguardian, Tinyproxy and iptables as a transparent proxy server:
http://alien.slackbook.org/dokuwiki/...lackware:proxy

Instead of tinyproxy you can use squid of course, both use the same listen port and have the same function. The Wiki story still applies in the case of squid.

Eric
 
Old 09-17-2007, 07:11 PM   #5
agentc0re
Member
 
Registered: Apr 2007
Location: SLC, UTAH
Distribution: Slackware
Posts: 200

Original Poster
Rep: Reputation: 34
Quote:
Originally Posted by Alien Bob
Some time ago there was a thread in the LQ Slackware forum where I helped someone set up a transparent proxy for (I think) a school. That thread's discussion resulted in me writing a Wiki page about setting up a combination of Dansguardian, Tinyproxy and iptables as a transparent proxy server:
http://alien.slackbook.org/dokuwiki/...lackware:proxy

Instead of tinyproxy you can use squid of course, both use the same listen port and have the same function. The Wiki story still applies in the case of squid.

Eric
Yup, I read the whole thread today. I'm not having trouble with squid or dansguardian (yet) but with setting up the box to allow the rest of the traffic to flow through it. I remember reading on there that the fellow you had helped out was having trouble doing the transparent proxy, but once he hooked it up to his work network it worked just fine. I'm already at work :P and anything behind it can't be seen from the DG box or anything past it.

As it stands right now, I have the squid and dansguardian services stopped. Nothing can be seen behind dansguardian. The test machine is set to DHCP, but isn't getting through the DG box to do so. On the DG machine the NIC into the main switch DHCPs fine, but the NIC going to the test switch doesn't DHCP. However, if I statically set that NIC it is pingable.
eth0-internet/mainswitch-10.30.0.6/24
eth1-test switch-10.30.0.14/24
Internet->Firewall->Switch
|-Dansguardian->Test Switch->Test PC
|-My PC
|-Other Servers including DHCP server
output of route -n
Code:
root@vader:/var/log# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.30.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.30.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.30.0.1       0.0.0.0         UG    1      0        0 eth0
Do I need to add a route to accomplish this?
 
Old 09-18-2007, 05:55 AM   #6
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Did you also read the Wiki article and implement the iptables rules documented there that do the actual transparent redirection?

Eric
 
Old 09-18-2007, 04:55 PM   #7
agentc0re
Member
 
Registered: Apr 2007
Location: SLC, UTAH
Distribution: Slackware
Posts: 200

Original Poster
Rep: Reputation: 34
Quote:
Originally Posted by Alien Bob
Did you also read the Wiki article and implement the iptables rules documented there that do the actual transparent redirection?

Eric
I read it this morning before I got into work and then got slammed today anyway. I understand the transparent redirect and how that happens for squid/dansguardian. There is no mention (or maybe I'm reading in the wrong place) of how the other traffic flows through; it's just assumed that it does. One thing your wiki article mentions is that this is for when the DG machine is also going to be the GATEWAY, which mine will not be. I think that changes my scenario a little more. My guess is that both interfaces have to be on different subnets, and this is where I'm going wrong. See, I'm trying to take a step back and not even figure DG/SQUID into the picture until I can get traffic flowing from the test machine to my network.

Am I right about the different subnets for both NICs? If so, then when I make this live I'm not sure how it would affect my firewall IP.
internet->(EX.IP)firewall(10.30.0.2)->(????)dansguardian(10.30.0.6)->switch

In this setup, would I have to change my firewall IP and the interface it would be connecting into DG with to a different subnet? If I did do that, wouldn't that change my gateway to the DG machine (which is what I don't want to do)?

Maybe what I don't want to happen is the only way to make it happen, and I'd have to go with my Option 2, which is to have the firewall forward all http/https traffic to the DG box?
 
Old 09-19-2007, 07:46 AM   #8
agentc0re
Member
 
Registered: Apr 2007
Location: SLC, UTAH
Distribution: Slackware
Posts: 200

Original Poster
Rep: Reputation: 34
Oh, I should also mention I used your easy firewall build script. That did not work either in allowing traffic to pass between interfaces.
 