Linux - Networking
Hi again,
So as per my previous posts I'm trying to child friendly my Internet access. I have 1 machine doing everything (DHCP, DNS, Apache2 (wpad.dat), Samba, Dansguardian, Squid). It has two network cards eth0 and eth1 connected to a VLAN capable (layer 2) gigabit switch. eth0 and eth1 are in different vlans (but they're untagged as I don't fully understand vlans yet). IP forwarding is turned on and working. Squid is only accessible on 127.0.0.1 (verified with netstat -lnp) and dansguardian is listening on port 8080. Apache is on port 80 and successfully serves up the wpad.dat which is configured on DNS and DHCP. I have a DNS CNAME of Proxy and wpad for the server.
I want to firewall it, but it's not working yet, so that may be a bad idea.
The issue is twofold. HTTP browsing works (I'm using it at the moment) but the content filtering does not. Neither does the dansguardian log show anything...at all.
route is:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.10.254    0.0.0.0         UG    100    0        0 eth1
10.10.10.0      *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
# Generated by iptables-save v1.4.10 on Wed Oct 26 16:12:05 2011
*raw
:PREROUTING ACCEPT [1726:181974]
:OUTPUT ACCEPT [393:46805]
COMMIT
# Completed on Wed Oct 26 16:12:05 2011
# Generated by iptables-save v1.4.10 on Wed Oct 26 16:12:05 2011
*mangle
:PREROUTING ACCEPT [1726:181974]
:INPUT ACCEPT [383:32484]
:FORWARD ACCEPT [1319:147815]
:OUTPUT ACCEPT [394:47665]
:POSTROUTING ACCEPT [1720:197065]
COMMIT
# Completed on Wed Oct 26 16:12:05 2011
# Generated by iptables-save v1.4.10 on Wed Oct 26 16:12:05 2011
*filter
:INPUT ACCEPT [340:30375]
:FORWARD ACCEPT [296:40258]
:OUTPUT ACCEPT [315:38425]
-A FORWARD -i br0 -j ACCEPT
COMMIT
# Completed on Wed Oct 26 16:12:05 2011
# Generated by iptables-save v1.4.10 on Wed Oct 26 16:12:05 2011
*nat
:PREROUTING ACCEPT [105:16240]
:INPUT ACCEPT [8:644]
:OUTPUT ACCEPT [8:597]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 10.10.10.1
COMMIT
# Completed on Wed Oct 26 16:12:05 2011
I'm confused, the squid and dansguardian logs are empty (squid worked up to a couple of hours ago, dansguardian had a few pieces of info in the access.log a few days ago, but the content filtering has never worked). Please can someone answer the following for me...
1.) I understand that ip forwarding enables ip forwarding, but is this on every port and every protocol unless locked down ?
2.) If the answer to 1 is yes, then why doesn't running apache on port 80 stop internet browsing ? (I guess because it forwards all packets on port 80 that are NOT destined for that machine ?)
3.) If both of the above are valid, and you're still reading this (well done), can you tell me the ipchains rule I need to allow access to port 80 on the local machine and direct all other traffic on port 80 destined for different subnets to the dansguardian port on 8080 so it can be content filtered?
Quote:
1.) I understand that ip forwarding enables ip forwarding, but is this on every port and every protocol unless locked down ?
IP forwarding enables or disables forwarding packets through the system. It is enabled via /proc/sys/net/ipv4/ip_forward and would need to be enabled at boot time, via rc.local or the like. This happens in the Internet layer, not the Transport layer. So to answer your question, it enables forwarding for every port.
Quote:
2.) If the answer to 1 is yes, then why doesn't running apache on port 80 stop internet browsing ? (I guess because it forwards all packets on port 80 that are NOT destined for that machine ?)
Basically, yes, you are guessing correctly. If the packets aren't destined for that box, they will be sent through the box, rather than to it. If that makes sense.
Quote:
3.) If both of the above are valid, and you're still reading this (well done), can you tell me the ipchains rule I need to allow access to port 80 on the local machine and direct all other traffic on port 80 destined for different subnets to the dansguardian port on 8080 so it can be content filtered?
Ok, if you haven't manually set the client browser to use the squid server as a proxy, then squid and DansGuardian aren't being used. You can check this by checking squid's access and cache logs (/var/log/squid/*). At this point, I would try manually setting the proxy in the browser, and tail those logfiles (and the DG log), to ensure things are working as they should.
In order to set up a transparent proxy, whereby the browser configuration is bog stock and the firewall redirects the traffic unbeknownst to the client, you will need a rule similar to:
Also, ipchains is used for < 2.4 kernel versions, and iptables was introduced with the 2.6 kernel. Depending on your distro version, you may need to use iptables. For this example though, the syntax should be the same, but I have not used ipchains, so don't trust me on that.
1) Yes, ip forwarding enables ip forwarding on any protocol.
2) Yes, that's true, because it forwards all packets on port 80 that are NOT destined for that machine.
3) Sorry, I use iptables, not ipchains
# Flush all rules in the filter, nat and mangle tables (chain policies are left as they are)
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
# Create your rules
# Accept anything addressed to one of the box's own addresses (a comma-separated -d expands to one rule per address)
iptables -t filter -A INPUT -d 192.168.1.1,10.10.10.1,127.0.0.1 -j ACCEPT
# Rewrite the destination of every incoming TCP packet for port 80 (0.0.0.0/0 matches any address,
# including the box's own) so it lands on DansGuardian at 192.168.1.1:8080
iptables -t nat -A PREROUTING -d 0.0.0.0/0 -p tcp --dport 80 -j DNAT --to 192.168.1.1:8080
# Source-NAT everything leaving via eth1 to whatever address eth1 currently has
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
That worked perfectly, with no modifications. Thanks. Now I just need to figure out how to get dansguardian to allow youtube and apt to run
I never knew, or saw any examples, pointing to the use of 0.0.0.0/0 as 'everything'. That's a really useful snippet. Just to satisfy my curiosity, please can you correct me if the following is incorrect:
1.) is to accept all packets received on those ip addresses that has a destination address of the local machine.
2.) perform DNAT (to 192.168.1.1:8080) on all packets passing through with a destination port of 80 which are not going to the local machine (because of the previous rule)
3.) Don't understand. What does this do? Could it be replaced by iptables -t nat -A POSTROUTING -o eth1 -j DNAT --to ? as I've heard that DNAT is better for static IPs.
I think you misunderstand what I'm asking for, lqman got it. You are saying that I want to port forward everything from port 80 to squid, when what I actually want to do is run apache on the same machine as squid (so it can serve the wpad.dat file) and route anything destined for port 80 that ISN'T 192.168.1.1 to dansguardian on port 8080 so it can talk to squid on 127.0.0.1:3128. Thanks for trying though.
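An added example (not from anyone in this thread) of a ruleset that does exactly what the last post asks for: it goes one step beyond lqman's rules by exempting the gateway's own port 80 (Apache and wpad.dat) before redirecting everything else to DansGuardian, and it uses REDIRECT rather than a DNAT to a fixed address. It assumes the layout from the first post: LAN clients on br0 in 192.168.1.0/24, gateway address 192.168.1.1, uplink eth1, DansGuardian on 8080; the interface and address variables are the only things to adjust.

```shell
#!/bin/sh
# Added example (not from the thread): transparent-proxy rules for the layout
# described above. Assumptions: LAN clients on br0 (192.168.1.0/24), the gateway's
# LAN address is 192.168.1.1 (Apache serving wpad.dat on :80), uplink is eth1,
# DansGuardian listens on :8080 and talks to Squid on 127.0.0.1:3128 itself.
IPT=${IPT:-iptables}   # set IPT=echo to print the commands instead of applying them
LAN_IF=br0
WAN_IF=eth1
LAN_IP=192.168.1.1
LAN_NET=192.168.1.0/24
DG_PORT=8080

# Forwarding is an Internet-layer switch: on means every port and protocol.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

tp_rules() {
    $IPT -t nat -F PREROUTING

    # 1. Requests for the gateway's own web server (wpad.dat) must not be
    #    redirected: an ACCEPT here ends nat PREROUTING for that packet.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$LAN_IP" --dport 80 -j ACCEPT

    # 2. Every other port-80 request from the LAN goes to DansGuardian.
    #    REDIRECT rewrites the destination to the address of the interface the
    #    packet arrived on, so no fixed IP has to be repeated in the rule.
    #    Squid's own outbound fetches leave via OUTPUT/eth1 and never hit this chain.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$DG_PORT"

    # 3. Let the redirected connections and plain Apache traffic into the host.
    $IPT -A INPUT -i "$LAN_IF" -p tcp -m multiport --dports "80,$DG_PORT" -j ACCEPT

    # 4. Outbound NAT. MASQUERADE uses whatever address eth1 currently has; with a
    #    fixed uplink address, SNAT --to-source 10.10.10.1 (as in the dump in the
    #    first post) does the same job without that per-packet lookup.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Only apply when explicitly asked; otherwise the script just defines the functions.
if [ "${1:-}" = apply ]; then
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is off" >&2
    tp_rules
fi
```

Run as root with `apply` to install the rules, or with `IPT=echo` first to preview the exact iptables commands.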
Quote:
Originally Posted by fukawi1
Also, ipchains is used for < 2.4 kernel versions, and iptables was introduced with the 2.6 kernel. Depending on your distro version, you may need to use iptables. For this example though, the syntax should be the same, but I have not used ipchains, so don't trust me on that.
Sorry, I accidentally mentioned ipchains once and you noticed it ;-). I'm running Ubuntu 11.10 so it's iptables all the way.