IPTABLES, SQUID, DANSGUARDIAN and Transparent Proxy
I have a network setup using IPTABLES scripts, SQUID (proxy) and DANSGUARDIAN (filter web traffic). Everything works fine but I cannot control my users from getting around my proxy. All they do is just go into IE or Firefox and change the connection settings to automatically detect my settings and they can go to the internet and bypass my proxy and filtering and go to whatever website they want. I thought that I had everything (web browsers) going through my system transparently by adding this rule
PHP Code:
Still not a foolproof solution, but: why not change 8080 to plain old 80. That should do transparent proxying of general web traffic.
yeah, regarding the iptables rule: you need to change the 8080 to 80, as that's what most HTTP packets use (you can use an additional rule for 8080 if you wish)... you also probably wanna change the 3128 to 8080, unless you don't want them to go through dansguardian before squid...
Those are both great points. WIN32SUX, after what you had said it hit me like a ton of bricks.
PHP Code:
help!
The transparent proxying through squid is working fine. On the client machines I just set IE or Firefox to auto-pilot and everything is fine. The problem is that nothing is filtering unless I manually put in my proxy server IP and port. I want everything on auto-pilot. It appears that nothing is being filtered through DANSGUARDIAN unless I manually put the settings in. Thanks
P.S. Another point that I wanted to make was that in my setup the proxy server and Dansguardian are on the same server and the firewall is on another. I read a lot of examples and they seem to reference everything on one server.
I am going to read that and give it a shot. Many thanks win32sux, you have been a great help in the learning curve of teaching myself Linux.
I gave it a shot and the transparent proxying works fine once again. When I set everything to auto-pilot on the web browsers my clients can still go wherever they want. That article that you recommended is for transparent proxying only, not the Dansguardian/SQUID filtering. This is my office setup to give you a better picture:
Internet
  |
  |
(eth0) EXTIF  Firewall  (eth1) INTIF
  |
  |
SQUID/DANSGUARDIAN
  |
  |
LAN
  |
  |
Workstations
I want all web traffic from the LAN to automatically go through SQUID/DANSGUARDIAN and then to the internet. I want everything to be automatic. help!
of course, if you wanna do NAT also (as most people probably do), then things change... but then again, i'm not exactly sure i understand your schema properly... like, for example, the way you drew the proxy directly connected to the LAN would imply that the LAN has to go through the proxy, which would mean the proxy has two interfaces, yet you didn't mark that... this is the scenario i thought you had, as it is i think the most typical one for situations in which the squid/DG box is separate from the firewall: Code:
Code:
SQUIDBOX="192.168.3.2"
thanks for your reply. Let me try and clarify my network:
Internet
  |
  |
(eth0)  Firewall  (eth1) 192.168.3.0/27
  |
  |
switch   (All LAN traffic is using the 192.168.3.0/27 subnet)
  |
  |
LAN 192.168.3.0/27 ------- SQUID/DANSGUARDIAN Server 192.168.3.X
  |
  |
PC1 192.168.3.X - PC2 192.168.3.X - PC3 192.168.3.X
Should I create another subnet like 192.168.4.0/27 and then have my SQUID/DANSGUARDIAN server route the traffic on that subnet? I know that way the traffic will be forced to go through my SQUID/DANSGUARDIAN!
yeah, have your squid/DG box on another subnet, it's all good (make sure you set the alias properly, use SNAT with the IP specified instead of MASQUERADE, etc.)...
not sure what you mean by "have my SQUID/DANSGUARDIAN server route the traffic on that subnet", as the squid/DG box doesn't have to do any routing at all in your setup for this to work (only the firewall needs to route)... keep in mind that there is no *real* security added by having the box on a different subnet in the same zone (compared to on the same subnet in the same zone)... not sure if that's the reason you wanna use a separate subnet, though...
Internet
  |
  |
(eth0)  Firewall  (eth1) 192.168.3.0/27
  |
  |
switch
  |
  |
(eth0) 192.168.3.0/27
SQUID/DANSGUARDIAN Server (route traffic from 4.0 to 3.0 subnet)
(eth1) 192.168.4.0/27
  |
  |
PC1 192.168.4.X - PC2 192.168.4.X - PC3 192.168.4.X
thanks
As far as using the redirect, can you give me an example? I dug for some information on the web. Many thanks
Code:
SQUIDBOX="192.168.3.2"
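As an added example, not code posted by anyone in this thread, here is how the REDIRECT asked about in the last post fits the second diagram, where the Squid/DansGuardian box is the workstations' gateway. The interface names, the `IPT`/`CLIENTS`/`EXTIP` variables, eth0 = 192.168.3.2 (the SQUIDBOX value quoted above), eth1 facing 192.168.4.0/27, and DansGuardian on 8080 in front of Squid on 3128 are all assumptions.

```shell
#!/bin/sh
# Added example for the thread's second diagram; not code posted by anyone above.
# Runs on the Squid/DansGuardian box. Assumed addresses: eth0 = 192.168.3.2 on the
# firewall's LAN (the SQUIDBOX value quoted above), eth1 = gateway for the
# workstations on 192.168.4.0/27. Assumes DansGuardian listens on 8080 and passes
# requests to Squid on 3128 on this same host.
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of installing them
EXTIF="eth0"; EXTIP="192.168.3.2"
INTIF="eth1"; CLIENTS="192.168.4.0/27"
DG_PORT="8080"

squidbox_rules() {
    # The workstations use this box as their gateway, so forwarding must be on.
    [ "$IPT" = "echo" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    # A browser on "auto-detect" still sends plain HTTP to port 80. Intercept it
    # on the inside interface and hand it to DansGuardian (8080), not straight
    # to Squid (3128); that is the difference between "proxied" and "filtered".
    $IPT -t nat -A PREROUTING -i "$INTIF" -s "$CLIENTS" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$DG_PORT"

    # Should the REDIRECT rule ever be missing, port 80 must not be forwarded
    # unfiltered. This sits before the general ACCEPT so it is checked first.
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp --dport 80 -j DROP

    # Everything else from the workstations goes out via the firewall. SNAT to
    # this box's own address (not MASQUERADE, as advised above) so the firewall
    # only ever sees 192.168.3.2 and needs no route for 192.168.4.0/27.
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$CLIENTS" -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$CLIENTS" -j SNAT --to-source "$EXTIP"
}

# With no argument the script only prints what it would do; "apply" installs
# the rules (run as root on the proxy box).
case "${1:-dry-run}" in
    apply) squidbox_rules ;;
    *)     IPT=echo; squidbox_rules ;;
esac
```

Run it without arguments first and read the printed rules; the firewall itself needs no change for this layout beyond whatever it already does for 192.168.3.2.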