Linux - Networking
The problem I am having is turning dansguardian into a basic router where, if anything on port 80 comes through, it will stop it and do its thing, but allow anything else to go through.
I have 3 iptables entries.
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
For the test I have it set up just a little differently than the diagram.
Main Switch->Dansguardian->Switch->test machine
eth0=10.30.0.6/24 - switch
eth1=10.30.0.14/14 - Internet
Maybe because of that I'm having my issues, but with that in place I can't ping the test machine from dansguardian. The test machine is set to DHCP from my network, so it appears it can't make those requests through dansguardian. By default I have the whole IPTABLES set to accept all incoming and outgoing.
Option 2
Have my firewall redirect all traffic on port 80 to my dansguardian box. Maybe that's how I am supposed to do it in the first place? To me it just seems more logical to not bounce the traffic everywhere and just have it get stopped on its way out/in.
I would prefer Option one, where it allows traffic to pass through it unless it's on port 80.
Any help with both options is most welcome. Examples and diagrams of how you implement it would be helpful as well.
Oh, I have squid set up to do transparent proxy as well.
First, IMHO, you need some kind of transparent proxy;
by that, you need to change your internal interface IP/subnet to be different from the internet one.
Quote:
For the test I have it set up just a little differently than the diagram.
Main Switch->Dansguardian->Switch->test machine
eth0=10.30.0.6/24 - switch
eth1=10.30.0.14/14 - Internet
Maybe because of that I'm having my issues, but with that in place I can't ping the test machine from dansguardian. The test machine is set to DHCP from my network, so it appears it can't make those requests through dansguardian. By default I have the whole IPTABLES set to accept all incoming and outgoing.
Implementing dansguardian: you need both iptables for traffic redirection and squid as the master web cache.
It should be: iptables -t nat -A PREROUTING -i $LANIF -p tcp --dport 80 -j REDIRECT --to-ports <dansguardian listening port>
dansguardian must be set up to pass the traffic to the squid listener port.
So the steps will be:
1. The client's port 80 traffic must be redirected by iptables to dansguardian on port 8080.
2. dansguardian on 8080 must pass the traffic to squid on 3128.
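As an added example (not code from any poster in this thread), here is the rule set for the two-step redirect described above, as an sh script with a dry-run mode; the interface names, the DansGuardian port 8080 and the IPT variable are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for the two-step
# transparent-proxy redirect (client -> port 80 -> DansGuardian 8080 ->
# Squid 3128). Interface names and ports are assumptions; adjust them.
WANIF="${WANIF:-eth0}"        # towards the firewall / Internet
LANIF="${LANIF:-eth1}"        # towards the client switch
DG_PORT="${DG_PORT:-8080}"    # DansGuardian filterport

# IPT is the command prefix. Set IPT="echo iptables" for a dry run that
# prints the rules instead of loading them (no root needed).
IPT="${IPT:-iptables}"

build_rules() {
  if [ "$IPT" = "iptables" ]; then
    # without this the kernel never routes packets between the two NICs
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
  fi

  $IPT -t nat -F
  $IPT -F FORWARD

  # Step 1: web traffic *forwarded* from the LAN side goes to DansGuardian.
  # It has to be PREROUTING: the nat OUTPUT chain only sees packets that
  # this host generates itself, so a REDIRECT there never catches the
  # test machine's traffic.
  $IPT -t nat -A PREROUTING -i "$LANIF" -p tcp --dport 80 \
       -j REDIRECT --to-ports "$DG_PORT"

  # Step 2 happens inside DansGuardian (its proxyport setting, 3128);
  # there is nothing to do in iptables for it.

  # Everything else from the LAN is forwarded unchanged, replies come back
  # only for connections the LAN started, and outbound traffic is
  # masqueraded behind the WAN address.
  $IPT -A FORWARD -i "$LANIF" -o "$WANIF" -j ACCEPT
  $IPT -A FORWARD -i "$WANIF" -o "$LANIF" \
       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$WANIF" -j MASQUERADE
}

# Run with "apply" (as root) to load the rules; no argument does nothing.
case "${1:-}" in
  apply) build_rules ;;
esac
```

Run `IPT="echo iptables" sh script.sh apply` first to review the exact rules before loading them.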
Quote:
Originally Posted by rossonieri#1
First, IMHO, you need some kind of transparent proxy;
by that, you need to change your internal interface IP/subnet to be different from the internet one.
So both NICs can't be on the same subnet? Why is that? All I want is traffic to pass through it unless it's HTTP. I do have squid set up currently as a transparent proxy.
Quote:
Originally Posted by rossonieri#1
It should be: iptables -t nat -A PREROUTING -i $LANIF -p tcp --dport 80 -j REDIRECT --to-ports <dansguardian listening port>
dansguardian must be set up to pass the traffic to the squid listener port.
So the steps will be:
1. The client's port 80 traffic must be redirected by iptables to dansguardian on port 8080.
2. dansguardian on 8080 must pass the traffic to squid on 3128.
I thought dansguardian forwarded to 3128 on its own and that's why you have that set up in its CONF file. I'm guessing I'm mistaken?
Maybe I have the wrong idea for the endgame.
Internet->firewall(10.30.0.2)->(10.30.0.6)dansguardian(10.30.0.14)->switch
Would 10.30.0.2 and 10.30.0.6 need to become a new subnet?
If so, I'm still having trouble finding out how to forward incoming/outgoing through the two interfaces. Maybe this happens already? I've already enabled ip4_forwarding = 1.
Some time ago there was a thread in the LQ Slackware forum where I helped someone setup a transparent proxy for (I think) a school. That thread's discussion resulted in me writing a Wiki page about setting up a combination of Dansguardian, Tinyproxy and iptables as a transparent proxy server: http://alien.slackbook.org/dokuwiki/...lackware:proxy
Instead of tinyproxy you can use squid of course, both use the same listen port and have the same function. The Wiki story still applies in the case of squid.
Eric
Yup, I read the whole thread today. I'm not having trouble with squid or dansguardian (yet) but with setting up the box to allow the rest of the traffic to flow through it. I remember reading on there that the fellow you had helped out was having trouble doing the transparent proxy, but once he hooked it up to his work network it worked just fine. I'm already at work :P and anything behind it can't be seen from the DG box or anything past it.
As it stands right now, I have the squid and dansguardian services stopped. Nothing can be seen behind dansguardian. The test machine is set to DHCP, but isn't getting through the DG box to do so. On the DG machine the NIC into the main switch DHCPs fine, but the NIC going to the test switch doesn't DHCP. However, if I statically set that NIC it is pingable.
eth0-internet/mainswitch-10.30.0.6/24
eth1-test switch-10.30.0.14/24
Internet->Firewall->Switch
|-Dansguardian->Test Switch->Test PC
|-My PC
|-Other Servers including DHCP server
Output of route -n:
Code:
root@vader:/var/log# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.30.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.30.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.30.0.1 0.0.0.0 UG 1 0 0 eth0
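The table above lists 10.30.0.0/255.255.255.0 through both eth0 and eth1, which is what the earlier subnet remark is about: with both NICs in one subnet the kernel sends everything for that network out whichever route comes first (eth0 here), so replies never reach the test switch, and DHCP broadcasts do not cross a router in any case. As an added diagnostic (not part of the thread), this sh script flags such overlaps in `route -n` output; the sample table is constructed to match the one posted:

```shell
#!/bin/sh
# Added diagnostic, not from the thread: find any destination/netmask pair
# that `route -n` shows on more than one interface. Pipe real output in
# with:  route -n | sh thisscript.sh

# Constructed sample with the same shape and values as the posted table.
SAMPLE='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.30.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.30.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.30.0.1 0.0.0.0 UG 1 0 0 eth0'

# Reads a route -n table on stdin. Prints one line per subnet seen on
# several interfaces ("10.30.0.0/255.255.255.0 eth0 eth1") and returns 1
# if any were found, 0 otherwise. The default route (0.0.0.0) is skipped.
overlapping_subnets() {
  awk 'NR > 2 && NF >= 8 && $1 != "0.0.0.0" {
         key = $1 "/" $3                      # destination/genmask
         if (!(key in ifs)) ifs[key] = $8     # first interface seen
         else if (index(ifs[key], $8) == 0)   # a second, different one
           ifs[key] = ifs[key] " " $8
       }
       END {
         bad = 0
         for (k in ifs)
           if (index(ifs[k], " ") > 0) { print k, ifs[k]; bad = 1 }
         exit bad
       }'
}

if [ -t 0 ]; then
  # no table piped in: check the constructed sample instead
  printf '%s\n' "$SAMPLE" | overlapping_subnets || echo "overlap found"
else
  overlapping_subnets
fi
```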
Did you also read the Wiki article and implement the iptables rules documented there that do the actual transparent redirection?
Eric
I read it this morning before I got into work and then got slammed today anyway. I understand the transparent redirect and how that happens for squid/dansguardian. There is no mention (or maybe I'm reading in the wrong place) of how the other traffic flows through; it's just assumed that it does. One thing your wiki article mentions is that this is for when the DG machine is also going to be the GATEWAY, which mine will not be. I think that changes my scenario a little more. My guess is that both interfaces have to be on different subnets, and this is where I'm going wrong. See, I'm trying to take a step back and not even figure DG/SQUID into the picture until I can get traffic flowing from the test machine to my network.
Am I right about the different subnet for both NICs? If so, then when I make this live I'm not sure how it would affect my firewall IP.
internet->(EX.IP)firewall(10.30.0.2)->(????)dansguardian(10.30.0.6)->switch
In this setup, would I have to change my firewall IP and the interface it would be connecting into DG with to a different subnet? If I did that, wouldn't that change my gateway to the DG machine (which is what I don't want to do)?
Maybe what I don't want to happen is the only way to make it happen, and I'd have to go with my Option 2, which is to have the firewall forward all http/https traffic to the DG box?