LinuxQuestions.org > Linux - Networking > IPTABLES, SQUID, DANSGUARDIAN and Transparent Proxy (http://www.linuxquestions.org/questions/linux-networking-3/iptables-squid-dansguardian-and-transparent-proxy-549036/)

metallica1973 04-25-2007 07:45 PM

IPTABLES, SQUID, DANSGUARDIAN and Transparent Proxy
 
I have a network setup using IPTABLES scripts, SQUID (proxy) and DANSGUARDIAN (filters web traffic). Everything works fine but I cannot keep my users from getting around my proxy. All they do is just go into IE or Firefox and change the connection settings to automatically detect my settings and they can go to the internet and bypass my proxy and filtering and go to whatever website they want. I thought that I had everything (web browsers) going through my system transparently by adding this rule

Code:

$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 8080 -j REDIRECT --to-port 192.168.3.2:3128 

SQUID

Code:

http_port 127.0.0.1:3128 

DANSGUARDIAN

Code:

# the port that DansGuardian listens to.
filterport 8080 

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport 3128 


osor 04-25-2007 08:58 PM

Still not a foolproof solution, but: why not change 8080 to plain old 80? That should do transparent proxying of general web traffic.

win32sux 04-25-2007 09:06 PM

yeah, regarding the iptables rule: you need to change the 8080 to 80, as that's what most HTTP packets use (you can use an additional rule for 8080 if you wish)... you also probably wanna change the 3128 to 8080, unless you don't want them to go through dansguardian before squid...
Quote:

Originally Posted by metallica1973
Code:

$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 8080 -j REDIRECT --to-port 192.168.3.2:3128 


one more thing: this needs to happen on your internal interface, not your external one... judging by the name "$EXTIF" it would seem you are doing this on the external...

metallica1973 04-26-2007 10:57 AM

Those are both great points. WIN32SUX, after what you said it hit me like a ton of bricks.

Code:

$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 8080 -j REDIRECT --to-port 192.168.3.2:3128 

This chain sends info inside the network! So for my clients going back out should it be something like:

Code:

$IPTABLES -A PREROUTING -t nat -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 192.168.3.2:8080 

Don't I need a POSTROUTING statement to control the outgoing requests from my users?

Code:

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -p tcp -j SNAT --to-source 192.168.3.2:8080 

What I am trying to say in this statement is: route all web traffic going to the internet from the Squid Server/DANSGUARDIAN to the internet only!

help!

metallica1973 04-26-2007 12:03 PM

The transparent proxying through squid is working fine. On the client machines I just set IE or Firefox to auto-pilot and everything is fine. The problem is that nothing is filtering unless I manually put in my proxy server IP and port. I want everything on auto-pilot. It appears that nothing is being filtered through DANSGUARDIAN unless I manually put the settings in. Thanks

P.S

Another point that I wanted to make was that in my setup the proxy server and Dansguardian are on the same server and the firewall is another. I read a lot of examples and they seem to reference everything on one server.

win32sux 04-26-2007 06:06 PM

Quote:

Originally Posted by metallica1973
Another point that I wanted to make was that in my setup the proxy server and Dansguardian are on the same server and the firewall is another. I read a lot of examples and they seem to reference everything on one server.

oh ok... well, you'll need to forget about the REDIRECT target (it's only for local ports)... you need the DNAT and SNAT ones instead: http://www.faqs.org/docs/Linux-mini/...tProxy.html#s6

metallica1973 05-09-2007 09:33 AM

I am going to read that and give it a shot. Many thanks win32sux, you have been a great help in the learning curve of teaching myself Linux.

metallica1973 05-09-2007 01:04 PM

I gave it a shot and the transparent proxying works fine once again. When I set everything to auto-pilot on the web browsers my clients can still go wherever they want. That article that you recommended is for transparent proxying only, not the Dansguardian/SQUID filtering. This is my office setup to give you a better picture:


Internet
+
+
(eth0)EXTIF
Firewall
(eth1)INTIF
+
+
SQUID/DANSGUARDIAN
+
+
LAN
+
+
Workstations

I want all webtraffic from the LAN to automatically go through SQUID/DANSGUARDIAN and then to the internet. I want everything to be automatic. help!

win32sux 05-12-2007 08:30 PM

Quote:

Originally Posted by metallica1973
I gave it a shot and the transparent proxying works fine once again. When I set everything to auto-pilot on the web browsers my clients can still go wherever they want. That article that you recommended is for transparent proxying only, not the Dansguardian/SQUID filtering.

what you want to accomplish is exactly what transparent proxying is all about... in other words, you want to make sure that all TCP port 80 packets (from the LAN clients) which would have hit the FORWARD chain on the router (outbound) get automatically/transparently sent to your proxy server...

Quote:

This is my office setup to give you a better picture:


Internet
+
+
(eth0)EXTIF
Firewall
(eth1)INTIF
+
+
SQUID/DANSGUARDIAN
+
+
LAN
+
+
Workstations
okay this isn't how i had pictured it... in this scenario (unless i'm misunderstanding your drawing), you don't need to do transparent proxying AFAICT... since LAN clients have to go through the squid/DG box, you could simply make sure the squid/DG box isn't doing any NAT, and therefore they would be forced to use DG (you'd have the port squid is listening on filtered)...

of course, if you wanna do NAT also (as most people probably do), then things change... but then again, i'm not exactly sure i understand your schema properly... like, for example, the way you drew the proxy directly connected to the LAN would imply that the LAN has to go through the proxy, which would mean the proxy has two interfaces, yet you didn't mark that...

this is the scenario i thought you had, as it is i think the most typical one for situations in which the squid/DG box is separate from the firewall:
Code:

                  (eth0)
                  FIREWALL
                  (eth1)
                      |
                      |
                      |
        +----------SWITCH----------+
        |        |        |        |
        |        |        |        |
        |        |        |        |
      PC1      PC2      Etc.    DansGuardian/Squid

Quote:

I want all webtraffic from the LAN to automatically go through SQUID/DANSGUARDIAN and then to the internet. I want everything to be automatic. help!
i hear ya, but it should work fine doing it like the link i posted, if your network is structured as the diagram i posted here... in other words, to get the setup in my diagram to work, these rules on the firewall box should do it IIRC as far as iptables on the firewall box is concerned:
Code:

SQUIDBOX="192.168.3.2"
DGPORT="8080"
LAN_IFACE="eth1"
LAN="192.168.3.0/24"

iptables -t nat -A PREROUTING -p TCP -i $LAN_IFACE -s ! $SQUIDBOX \
--dport 80 -j DNAT --to-destination ${SQUIDBOX}:${DGPORT}

iptables -A FORWARD -p TCP -i $LAN_IFACE -o $LAN_IFACE \
--dport $DGPORT -s $LAN -d $SQUIDBOX -j ACCEPT

iptables -t nat -A POSTROUTING -o $LAN_IFACE -j MASQUERADE
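
The rules above cover the hairpin case where the proxy shares the switch with the clients. As an added example that is not code from the thread, here is the same firewall-box ruleset written as a reviewable script: the DNAT rule excludes the proxy's own address so its fetches do not loop back into it, the FORWARD and POSTROUTING rules are narrowed to the one hairpinned flow instead of masquerading everything that leaves the LAN interface, and a DROP rule keeps port 80 from reaching the WAN from anything other than the proxy. Addresses, ports and interface names (192.168.3.2, 8080, eth0/eth1, 192.168.3.0/24) are taken from the thread as assumptions; the IPT=echo switch is a hypothetical dry-run convention that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: firewall-box rules for the
# topology in win32sux's diagram, where the DansGuardian/Squid host sits on
# the same switch as the clients. Set IPT=echo to print the rules instead
# of applying them. Addresses, ports and interface names are assumptions.
SQUIDBOX="${SQUIDBOX:-192.168.3.2}"   # DansGuardian/Squid host (assumed, as in the thread)
DGPORT="${DGPORT:-8080}"              # DansGuardian filterport
LAN_IFACE="${LAN_IFACE:-eth1}"
WAN_IFACE="${WAN_IFACE:-eth0}"
LAN="${LAN:-192.168.3.0/24}"

transparent_proxy_rules() {
    ipt="${IPT:-iptables}"
    # 1. Rewrite port-80 traffic from LAN clients to DansGuardian. The proxy's
    #    own outbound fetches are excluded, or they would loop back into it.
    $ipt -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp ! -s "$SQUIDBOX" \
        --dport 80 -j DNAT --to-destination "${SQUIDBOX}:${DGPORT}"
    # 2. The rewritten packet arrives on and leaves by the LAN interface
    #    (hairpin), so FORWARD must accept that specific flow.
    $ipt -A FORWARD -i "$LAN_IFACE" -o "$LAN_IFACE" -p tcp \
        -s "$LAN" -d "$SQUIDBOX" --dport "$DGPORT" -j ACCEPT
    # 3. Defence in depth: port 80 from anything but the proxy must never reach
    #    the WAN directly, even if the default FORWARD policy is later relaxed.
    $ipt -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp ! -s "$SQUIDBOX" \
        --dport 80 -j DROP
    # 4. Source-NAT only the hairpinned flow so the proxy answers the firewall,
    #    which reverses the DNAT; otherwise the proxy replies straight to the
    #    client from 192.168.3.2:8080 and the client resets the connection.
    $ipt -t nat -A POSTROUTING -o "$LAN_IFACE" -p tcp -d "$SQUIDBOX" \
        --dport "$DGPORT" -j MASQUERADE
}

case "${1:-}" in
    apply) transparent_proxy_rules ;;
    show)  IPT=echo; transparent_proxy_rules ;;
esac
```

`sh proxy-rules.sh show` prints the four rules for review; `sh proxy-rules.sh apply` loads them. Two caveats the thread touches on: because the clients and the proxy are on the same segment, the firewall never sees a client talking to the proxy directly, so Squid must keep listening on 127.0.0.1 only (as in the original http_port line) or a user could point a browser at port 3128 and skip DansGuardian; and only port 80 is intercepted, so HTTPS is not filtered by these rules. The MASQUERADE also means DansGuardian's logs record the firewall's LAN address rather than the client's.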


metallica1973 05-17-2007 02:03 PM

thanks for your reply. Let me try and clarify my network:


Internet
|
|
|
(eth0)
Firewall
(eth1) 192.168.3.0/27
|
|
|
switch (All LAN traffic is using the 192.168.3.0/27 subnet)
|
|
|
LAN 192.168.3.0/27 -------SQUID/DANSGUARDIAN Server 192.168.3.X
|
|
|
PC1- 192.168.3.X - PC2 - 192.168.3.X - PC3 192.168.3.X

Should I create another subnet like 192.168.4.0/27 and then have my SQUID/DANSGUARDIAN server route the traffic on that subnet? I know that way the traffic will be forced to go through my SQUID/DANSGUARDIAN!

win32sux 05-17-2007 03:21 PM

yeah, have your squid/DG box on another subnet, it's all good (make sure you set the alias properly, use SNAT with the IP specified instead of MASQUERADE, etc.)...

not sure what you mean by "have my SQUID/DANSGUARDIAN server route the traffic on that subnet", as the squid/DG box doesn't have to do any routing at all in your setup for this to work (only the firewall needs to route)...

keep in mind that there is no *real* security added by having the box on a different subnet in the same zone (compared to on the same subnet in the same zone)... not sure if that's the reason you wanna use a separate subnet, though...

metallica1973 05-18-2007 09:48 AM

Quote:

not sure what you mean by "have my SQUID/DANSGUARDIAN server route the traffic on that subnet", as the squid/DG box doesn't have to do any routing at all in your setup for this to work (only the firewall needs to route)...
This is the reason that I say that. Let me draw. I always seem to do better at that. Here is my proposed adjustment:

Internet
|
|
|
(eth0)
Firewall
(eth1) 192.168.3.0/27
|
|
|
switch
|
|
|
(eth0)192.168.3.0/27
SQUID/DANSGUARDIAN Server (route traffic from 4.0 to 3.0 subnet)
(eth1)192.168.4.0/27
|
|
|
PC1- 192.168.4.X - PC2 - 192.168.4.X - PC3 192.168.4.X

thanks

win32sux 05-18-2007 03:40 PM

Quote:

Originally Posted by metallica1973
Code:

Internet
|
|
|
(eth0)
Firewall
(eth1) 192.168.3.0/27
|
|
|
switch
|
|
|
(eth0)192.168.3.0/27
SQUID/DANSGUARDIAN Server (route traffic from 4.0  to 3.0 subnet)
(eth1)192.168.4.0/27
|
|
|
PC1- 192.168.4.X - PC2 - 192.168.4.X - PC3 192.168.4.X


cool, the ubiquitous REDIRECT target scenario... did you get it going yet?? i'm not sure what part you need help with anymore... :)

metallica1973 05-19-2007 02:01 PM

As far as using the redirect, can you give me an example. I dig for some information using the web. Many thanks

win32sux 05-19-2007 08:23 PM

Quote:

Originally Posted by metallica1973
As far as using the redirect, can you give me an example. I dig for some information using the web. Many thanks

it would go something like this:
Code:

SQUIDBOX="192.168.3.2"
DGPORT="8080"
WAN_IFACE="eth0"
LAN_IFACE="eth1"
LAN="192.168.3.0/27"

iptables -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d ! $SQUIDBOX \
--dport 80 -j REDIRECT --to-ports $DGPORT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p TCP -i $LAN_IFACE -s $LAN --dport $DGPORT \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -s $LAN -o $WAN_IFACE \
-m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

(this assumes FORWARD and INPUT policies are set to DROP, OUTPUT chain is properly configured, etc...)
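
The REDIRECT ruleset above is the one to use when the DansGuardian/Squid box is itself the gateway for the workstation subnet. As an added example, not part of the reply, here is a small POSIX shell audit that reads an iptables-save dump of that box and reports, per port, whether LAN traffic is redirected into DansGuardian, forwarded straight to the WAN (a bypass), or blocked. The dump embedded in the script is a constructed sample in iptables-save format, modelled on the rules in this reply with 192.168.4.0/27 as the client subnet; eth0/eth1 and 8080 are the same assumptions as in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an iptables-save dump of the
# DansGuardian/Squid gateway for web ports that leave the LAN without passing
# through DansGuardian. Interface names and port are assumptions from the thread.
LAN_IFACE="${LAN_IFACE:-eth1}"   # side facing the workstations
WAN_IFACE="${WAN_IFACE:-eth0}"   # side facing the firewall / Internet
DGPORT="${DGPORT:-8080}"         # DansGuardian filterport

# Constructed sample dump in iptables-save format, modelled on the rules above
# with 192.168.4.0/27 as the client subnet (not captured from a real host).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -d 192.168.3.2/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.4.0/27 -i eth1 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.4.0/27 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
COMMIT'

# port_redirected DUMP PORT -> exit 0 if a nat PREROUTING rule on the LAN
# interface sends tcp/PORT to the DansGuardian port.
port_redirected() {
    printf '%s\n' "$1" | awk -v ifc="$LAN_IFACE" -v p="$2" -v dg="$DGPORT" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "PREROUTING" &&
            index($0, "-i " ifc " ") && index($0, "--dport " p " ") &&
            index($0, "-j REDIRECT --to-ports " dg) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# forward_accepts_port DUMP PORT -> exit 0 if a filter FORWARD rule ACCEPTs
# LAN-to-WAN traffic either on tcp/PORT or with no port match at all.
forward_accepts_port() {
    printf '%s\n' "$1" | awk -v lan="$LAN_IFACE" -v wan="$WAN_IFACE" -v p="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" &&
            index($0, "-i " lan " ") && index($0, "-o " wan " ") && /-j ACCEPT$/ &&
            (!index($0, "--dport") || index($0, "--dport " p " ")) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_proxy_bypass DUMP [PORTS] -> one line per port; exit 1 if any port
# can reach the WAN from the LAN without being redirected into DansGuardian.
audit_proxy_bypass() {
    status=0
    for port in ${2:-80 443}; do
        if port_redirected "$1" "$port"; then
            printf 'OK: tcp/%s from %s is redirected to DansGuardian on %s\n' "$port" "$LAN_IFACE" "$DGPORT"
        elif forward_accepts_port "$1" "$port"; then
            printf 'BYPASS: tcp/%s from %s is forwarded to %s unfiltered\n' "$port" "$LAN_IFACE" "$WAN_IFACE"
            status=1
        else
            printf 'BLOCKED: tcp/%s from %s is neither redirected nor forwarded\n' "$port" "$LAN_IFACE"
        fi
    done
    return $status
}

case "${1:-}" in
    live)   audit_proxy_bypass "$(iptables-save)" ;;   # needs root
    sample) audit_proxy_bypass "$SAMPLE_DUMP" ;;
esac
```

`sh audit.sh live` audits the running box (iptables-save needs root); `sh audit.sh sample` runs against the embedded dump, which reports tcp/443 as a BYPASS: the rules redirect only port 80, while the FORWARD rule accepts any NEW LAN-to-WAN connection, so HTTPS leaves without touching DansGuardian. Tightening that FORWARD accept to the ports you actually intend to pass turns the finding into BLOCKED, and the script's exit status makes it easy to run from cron after every rule change.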

