LinuxQuestions.org
Old 10-27-2011, 08:43 AM   #1
simonmcnair
LQ Newbie
 
Registered: Oct 2011
Posts: 17

IP Forwarding


Hi again,
So as per my previous posts I'm trying to child-friendly my Internet access. I have 1 machine doing everything (DHCP, DNS, Apache2 (wpad.dat), Samba, Dansguardian, Squid). It has two network cards, eth0 and eth1, connected to a VLAN-capable (layer 2) gigabit switch. eth0 and eth1 are in different vlans (but they're untagged as I don't fully understand vlans yet). IP forwarding is turned on and working. Squid is only accessible on 127.0.0.1 (verified with netstat -lnp) and dansguardian is listening on port 8080. Apache is on port 80 and successfully serves up the wpad.dat which is configured in DNS and DHCP. I have DNS CNAMEs of proxy and wpad for the server.

I want to firewall it, but it's not working yet, so that may be a bad idea.

The issue is twofold. HTTP browsing works (I'm using it at the moment) but the content filtering does not. Nor does the dansguardian log show anything... at all.

route is:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.10.254    0.0.0.0         UG    100    0        0 eth1
10.10.10.0      *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br0

netstat -lnp is:
Code:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.1:445 0.0.0.0:* LISTEN 881/smbd
tcp 0 0 192.168.1.1:139 0.0.0.0:* LISTEN 881/smbd
tcp 0 0 192.168.1.1:8080 0.0.0.0:* LISTEN 4890/dansguardian
tcp 0 0 192.168.1.1:80 0.0.0.0:* LISTEN 2003/apache2
tcp 0 0 192.168.1.1:7634 0.0.0.0:* LISTEN 1825/hddtemp
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 1310/named
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN 2674/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1026/cupsd
tcp 0 0 127.0.0.1:3128 0.0.0.0:* LISTEN 7326/squid
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1948/master
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1310/named
udp 0 0 0.0.0.0:44854 0.0.0.0:* 7326/squid
udp 0 0 192.168.1.1:53 0.0.0.0:* 1310/named
udp 0 0 0.0.0.0:3130 0.0.0.0:* 7326/squid
udp 0 0 0.0.0.0:67 0.0.0.0:* 1843/dhcpd
udp 0 0 192.168.1.255:137 0.0.0.0:* 982/nmbd
udp 0 0 192.168.1.1:137 0.0.0.0:* 982/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 982/nmbd
udp 0 0 192.168.1.255:138 0.0.0.0:* 982/nmbd
udp 0 0 192.168.1.1:138 0.0.0.0:* 982/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 982/nmbd
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 1843/dhcpd

iptables is:
Code:
# Generated by iptables-save v1.4.10 on Wed Oct 26 16:12:05 2011
*raw
:PREROUTING ACCEPT [1726:181974]
:OUTPUT ACCEPT [393:46805]
COMMIT
# Completed on Wed Oct 26 16:12:05 2011
# Generated by iptables-save v1.4.10 on Wed Oct 26 16:12:05 2011
*mangle
:PREROUTING ACCEPT [1726:181974]
:INPUT ACCEPT [383:32484]
:FORWARD ACCEPT [1319:147815]
:OUTPUT ACCEPT [394:47665]
:POSTROUTING ACCEPT [1720:197065]
COMMIT
# Completed on Wed Oct 26 16:12:05 2011
# Generated by iptables-save v1.4.10 on Wed Oct 26 16:12:05 2011
*filter
:INPUT ACCEPT [340:30375]
:FORWARD ACCEPT [296:40258]
:OUTPUT ACCEPT [315:38425]
-A FORWARD -i br0 -j ACCEPT
COMMIT
# Completed on Wed Oct 26 16:12:05 2011
# Generated by iptables-save v1.4.10 on Wed Oct 26 16:12:05 2011
*nat
:PREROUTING ACCEPT [105:16240]
:INPUT ACCEPT [8:644]
:OUTPUT ACCEPT [8:597]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 10.10.10.1
COMMIT
# Completed on Wed Oct 26 16:12:05 2011

I'm confused: the squid and dansguardian logs are empty (squid worked up to a couple of hours ago, dansguardian had a few pieces of info in the access.log a few days ago, but the content filtering has never worked). Please can someone answer the following for me...

1.) I understand that ip forwarding enables ip forwarding, but is this on every port and every protocol unless locked down ?
2.) If the answer to 1 is yes, then why doesn't running apache on port 80 stop internet browsing ? (I guess because it forwards all packets on port 80 that are NOT destined for that machine ?)
3.) If both of the above are valid, and you're still reading this (well done), can you tell me the ipchains rule I need to allow access to port 80 on the local machine and direct all other traffic on port 80 destined for different subnets to the dansguardian port on 8080 so it can be content filtered?

I think this makes sense. Do you ?

TIA
Simon
 
Old 10-28-2011, 01:08 AM   #2
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Quote:
1.) I understand that ip forwarding enables ip forwarding, but is this on every port and every protocol unless locked down ?
IP forwarding enables or disables forwarding of packets through the system. It is enabled via /proc/sys/net/ipv4/ip_forward and would need to be enabled at boot time, via rc.local or the like. This happens in the Internet layer, not the Transport layer. So to answer your question, it enables forwarding for every port.

Quote:
2.) If the answer to 1 is yes, then why doesn't running apache on port 80 stop internet browsing ? (I guess because it forwards all packets on port 80 that are NOT destined for that machine ?)
Basically, yes, you are guessing correctly. If the packets aren't destined for that box, they will be sent through the box rather than to it, if that makes sense.

Quote:
3.) If both of the above are valid, and you're still reading this (well done). Can you tell me the ipchains rule I need to do to allow access to port 80 on the local machine and direct all other traffic on port 80 destined for different subnets to the dansguardian port on 8080 so it can be content filtered.
Ok, if you haven't manually set the client browser to use the squid server as a proxy, then squid and dansguardian aren't being used. You can check this by checking squid's access and cache logs (/var/log/squid/*). At this point, I would try manually setting the proxy in the browser, and tail those logfiles (and the DG log), to ensure things are working as they should.
In order to set up a transparent proxy, whereby the browser configuration is bog stock and the firewall redirects the traffic unbeknownst to the client, you will need a rule similar to:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -m comment --comment "Squid Intercept LAN" -j DNAT --to x.x.x.x:3128
Also, ipchains is used for < 2.4 kernel versions, and iptables was introduced with the 2.6 kernel. Depending on your distro version, you may need to use iptables. For this example though, the syntax should be the same, but I have not used ipchains, so don't trust me on that.
 
1 members found this post helpful.
Old 10-28-2011, 01:32 AM   #3
lqman
LQ Newbie
 
Registered: Nov 2010
Location: Surabaya, Indonesia
Distribution: debian, ubuntu, FreeBSD, Solaris
Posts: 17


1) Yes, ip forwarding enables ip forwarding on any protocol.
2) Yes, that's true, because it forwards all packets on port 80 that are NOT destined for that machine.
3) Sorry, I use iptables, not ipchains
Code:
# Flush all rules
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F

# Create your rules
# 1) accept packets addressed to any of the gateway's own addresses
iptables -t filter -A INPUT -d 192.168.1.1,10.10.10.1,127.0.0.1 -j ACCEPT
# 2) redirect every TCP port-80 packet entering the box to dansguardian on 192.168.1.1:8080
iptables -t nat -A PREROUTING -d 0.0.0.0/0 -p tcp --dport 80 -j DNAT --to 192.168.1.1:8080
# 3) rewrite the source address of everything leaving via eth1 to eth1's own address
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


try it, and give me feedback...
 
1 members found this post helpful.
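As an added example (not code from the thread), the following Python models the path a packet takes through lqman's three rules so each rule's effect can be seen: nat PREROUTING runs before the routing decision, so the filter INPUT rule does not keep the gateway's own Apache on port 80 out of the redirect, whereas a `-i br0 ! -d 192.168.1.1` match (an assumed hardening, not from the thread) does. The LAN client and web server addresses are constructed.

```python
from dataclasses import dataclass, replace

# Addresses from the thread: gateway LAN side (br0) and upstream side (eth1).
GW_LAN, GW_WAN, DG_PORT = "192.168.1.1", "10.10.10.1", 8080
LOCAL_ADDRS = {GW_LAN, GW_WAN, "127.0.0.1"}   # the -d list of rule 1

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    in_iface: str        # "br0" = LAN side, "eth1" = upstream side
    proto: str = "tcp"

def nat_prerouting(pkt, hardened):
    """Rule 2 as posted: -d 0.0.0.0/0 -p tcp --dport 80 -j DNAT --to 192.168.1.1:8080.
    hardened=True models the assumed variant '-i br0 ! -d 192.168.1.1 ...'.
    nat PREROUTING runs before the routing decision, so rule 1 (filter INPUT)
    cannot exempt the gateway's own port 80; only the match itself can."""
    if pkt.proto != "tcp" or pkt.dport != 80:
        return pkt
    if hardened and (pkt.in_iface != "br0" or pkt.dst == GW_LAN):
        return pkt
    return replace(pkt, dst=GW_LAN, dport=DG_PORT)

def routing_decision(pkt):
    """After PREROUTING the kernel picks INPUT (for this host) or FORWARD (through it)."""
    return "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"

def nat_postrouting(pkt, out_iface):
    """Rule 3: -o eth1 -j MASQUERADE rewrites the source to eth1's own address
    so replies from upstream come back to the gateway, not to the LAN client."""
    return replace(pkt, src=GW_WAN) if out_iface == "eth1" else pkt

def trace(pkt, hardened=False):
    """Walk PREROUTING -> routing decision -> INPUT, or FORWARD -> POSTROUTING (out eth1).
    Returns ('local:<port>', pkt) or ('forward:<dst>:<port>', pkt)."""
    pkt = nat_prerouting(pkt, hardened)
    if routing_decision(pkt) == "INPUT":
        return f"local:{pkt.dport}", pkt
    pkt = nat_postrouting(pkt, "eth1")
    return f"forward:{pkt.dst}:{pkt.dport}", pkt

if __name__ == "__main__":
    # Constructed sample traffic: LAN client 192.168.1.50, web server 203.0.113.10.
    samples = {"web:80": Pkt("192.168.1.50", "203.0.113.10", 80, "br0"),
               "wpad:80": Pkt("192.168.1.50", GW_LAN, 80, "br0"),
               "web:443": Pkt("192.168.1.50", "203.0.113.10", 443, "br0")}
    for name, p in samples.items():
        print(f"{name:8} posted -> {trace(p)[0]:24} hardened -> {trace(p, True)[0]}")
```

The "wpad:80" row shows the difference: with the posted rule a client fetching wpad.dat from 192.168.1.1:80 is itself sent to dansguardian on 8080, with the hardened match it reaches Apache.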
Old 10-28-2011, 11:37 AM   #4
simonmcnair
LQ Newbie
 
Registered: Oct 2011
Posts: 17

Original Poster
Lqman,

That worked perfectly, with no modifications. Thanks. Now I just need to figure out how to get dansguardian to allow youtube and apt to run.

I never knew, or saw any examples, pointing to the use of 0.0.0.0/0 as 'everything'. That's a really useful snippet. Just to satisfy my curiosity, please can you correct me if the following is incorrect:

1.) is to accept all packets received on those ip addresses that have a destination address of the local machine.
2.) perform DNAT (to 192.168.1.1:8080) on all packets passing through with a destination port of 80 which are not going to the local machine (because of the previous rule)
3.) Don't understand. What does this do? Could it be replaced by iptables -t nat -A POSTROUTING -o eth1 -j DNAT --to ? as I've heard that DNAT is better for static IPs.
 
Old 10-28-2011, 11:41 AM   #5
simonmcnair
LQ Newbie
 
Registered: Oct 2011
Posts: 17

Original Poster
Quote:
Originally Posted by fukawi1 View Post

Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -m comment --comment "Squid Intercept LAN" -j DNAT --to x.x.x.x:3128
I think you misunderstand what I'm asking for; lqman got it. You are saying that I want to port forward everything from port 80 to squid, when what I actually want to do is run apache on the same machine as squid (so it can serve the wpad.dat file) and route anything destined for port 80 that ISN'T 192.168.1.1 to dansguardian on port 8080 so it can talk to squid on 127.0.0.1:3128. Thanks for trying though.

Quote:
Originally Posted by fukawi1 View Post
Also, ipchains is used for < 2.4 kernel versions, and iptables was introduced with the 2.6 kernel. Depending on your distro version, you may need to use iptables. For this example though, the syntax should be the same, but I have not used ipchains, so don't trust me on that.
Sorry, I accidentally mentioned ipchains once and you noticed it ;-). I'm running Ubuntu 11.10 so it's iptables all the way.

cheers
Simon
 