IPTABLES, SQUID, DANSGUARDIAN and Transparent Proxy
I have a network setup using IPTABLES scripts, SQUID (proxy) and DANSGUARDIAN (filters web traffic). Everything works fine, but I cannot keep my users from getting around my proxy. All they do is go into IE or Firefox and change the connection settings to automatically detect my settings, and they can go to the internet, bypass my proxy and filtering, and go to whatever website they want. I thought that I had everything (web browsers) going through my system transparently by adding this rule
yeah, regarding the iptables rule: you need to change the 8080 to 80, as that's what most HTTP packets use (you can use an additional rule for 8080 if you wish)... you also probably wanna change the 3128 to 8080, unless you don't want them to go through dansguardian before squid...
one more thing: this needs to happen on your internal interface, not your external one... judging by the name "$EXTIF" it would seem you are doing this on the external...
The transparent proxying through squid is working fine. On the client machines I just set IE or Firefox to auto-pilot and everything is fine. The problem is that nothing is filtering unless I manually put in my proxy server IP and port. I want everything on auto-pilot. It appears that nothing is being filtered through DANSGUARDIAN unless I manually put the settings in. Thanks
P.S
Another point that I wanted to make was that in my setup the proxy server and Dansguardian are on the same server and the firewall is another. I read a lot of examples and they seem to reference everything on one server.
Last edited by metallica1973; 04-26-2007 at 12:11 PM.
Quote:
Another point that I wanted to make was that in my setup the proxy server and Dansguardian are on the same server and the firewall is another. I read a lot of examples and they seem to reference everything on one server.
I gave it a shot and the transparent proxying works fine once again. When I set everything to auto-pilot on the web browsers my clients can still go wherever they want. That article that you recommended is for transparent proxying only, not the Dansguardian/SQUID filtering. This is my office setup to give you a better picture:
Internet
+
+
(eth0)EXTIF
Firewall
(eth1)INTIF
+
+
SQUID/DANSGUARDIAN
+
+
LAN
+
+
Workstations
I want all webtraffic from the LAN to automatically go through SQUID/DANSGUARDIAN and then to the internet. I want everything to be automatic. help!
Quote:
I gave it a shot and the transparent proxying works fine once again. When I set everything to auto-pilot on the web browsers my clients can still go wherever they want. That article that you recommended is for transparent proxying only, not the Dansguardian/SQUID filtering.
what you want to accomplish is exactly what transparent proxying is all about... in other words, you want to make sure that all TCP port 80 packets (from the LAN clients) which would have hit the FORWARD chain on the router (outbound) get automatically/transparently sent to your proxy server...
Quote:
This is my office setup to give you a better picture:
Internet
+
+
(eth0)EXTIF
Firewall
(eth1)INTIF
+
+
SQUID/DANSGUARDIAN
+
+
LAN
+
+
Workstations
okay this isn't how i had pictured it... in this scenario (unless i'm misunderstanding your drawing), you don't need to do transparent proxying AFAICT... since LAN clients have to go through the squid/DG box, you could simply make sure the squid/DG box isn't doing any NAT, and therefore they would be forced to use DG (you'd have the port squid is listening on filtered)...
of course, if you wanna do NAT also (as most people probably do), then things change... but then again, i'm not exactly sure i understand your schema properly... like, for example, the way you drew the proxy directly connected to the LAN would imply that the LAN has to go through the proxy, which would mean the proxy has two interfaces, yet you didn't mark that...
this is the scenario i thought you had, as it is i think the most typical one for situations in which the squid/DG box is separate from the firewall:
Quote:
I want all webtraffic from the LAN to automatically go through SQUID/DANSGUARDIAN and then to the internet. I want everything to be automatic. help!
i hear ya, but it should work fine doing it like the link i posted, if your network is structured as the diagram i posted here... in other words, to get the setup in my diagram to work, these rules on the firewall box should do it IIRC as far as iptables on the firewall box is concerned:
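The rules the reply refers to are not preserved in the thread. The script below is an added example, not the poster's script or the reply's link: it implements the points made above (match port 80 rather than 8080, hand the traffic to DansGuardian on 8080 rather than Squid on 3128, and do it on the internal interface) for the layout the poster actually has, where the Squid/DansGuardian host sits on the same 192.168.3.0/27 subnet as the workstations. The interface names, the firewall's LAN address 192.168.3.1 and the proxy address 192.168.3.10 are assumptions. By default it only prints the rules; run it with `IPT=iptables` as root to apply them.

```shell
#!/bin/sh
# Added example, not the thread's own script: firewall-box rules that send LAN
# web traffic through a separate Squid/DansGuardian host on the same subnet.
# Dry-run by default: IPT="echo iptables" only prints the rules. Run with
# IPT=iptables (as root) to apply them on top of an existing ruleset.
IPT="${IPT:-echo iptables}"

EXTIF="${EXTIF:-eth0}"              # interface towards the Internet
INTIF="${INTIF:-eth1}"              # interface towards the LAN
INT_ADDR="${INT_ADDR:-192.168.3.1}" # assumed: firewall's address on the LAN
LAN="${LAN:-192.168.3.0/27}"        # subnet given in the thread
PROXY="${PROXY:-192.168.3.10}"      # assumed: address of the Squid/DG host
DG_PORT="${DG_PORT:-8080}"          # DansGuardian listens here, in front of Squid (3128)

firewall_rules() {
    # 1. Never redirect the proxy host's own outbound requests: they are the
    #    filtered traffic leaving for the Internet and would otherwise loop
    #    straight back into DansGuardian.
    $IPT -t nat -A PREROUTING -i "$INTIF" -s "$PROXY" -p tcp --dport 80 -j ACCEPT

    # 2. Match what clients actually send (port 80, not 8080) on the INTERNAL
    #    interface, and hand it to DansGuardian (8080), not straight to Squid (3128).
    $IPT -t nat -A PREROUTING -i "$INTIF" -s "$LAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY:$DG_PORT"

    # 3. Proxy and clients share a subnet, so the proxy would answer the client
    #    directly from its own address and the client would reset the connection.
    #    SNAT the redirected packets so the proxy replies back via the firewall.
    #    Cost: Squid's logs show the firewall, not the client, as the source.
    $IPT -t nat -A POSTROUTING -o "$INTIF" -s "$LAN" -d "$PROXY" -p tcp \
        --dport "$DG_PORT" -j SNAT --to-source "$INT_ADDR"

    # 4. Forwarding: replies to tracked connections, the hairpin to the proxy
    #    (in and out on INTIF), and the proxy's own path to the Internet.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$INTIF" -d "$PROXY" -p tcp --dport "$DG_PORT" -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$PROXY" -p tcp --dport 80 -j ACCEPT

    # 5. A browser pointed at an outside proxy on 3128/8080 must not get out
    #    either; only the Squid/DG host may reach these ports beyond the firewall.
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -p tcp \
        -m multiport --dports 80,3128,"$DG_PORT" -j DROP
}

firewall_rules
```

Because the rules are appended with `-A`, the final DROP only works if no earlier rule in the existing script already accepts everything from the LAN towards `$EXTIF`; put these rules ahead of any such general accept. DansGuardian itself still has to be pointed at Squid with `proxyip`/`proxyport` in dansguardian.conf, which is unchanged by the firewall side.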
thanks for your reply. Let me try and clarify my network:
Internet
|
|
|
(eth0)
Firewall
(eth1) 192.168.3.0/27
|
|
|
switch (All LAN traffic is using the 192.168.3.0/27 subnet)
|
|
|
LAN 192.168.3.0/27 -------SQUID/DANSGUARDIAN Server 192.168.3.X
|
|
|
PC1- 192.168.3.X - PC2 - 192.168.3.X - PC3 192.168.3.X
Should I create another subnet like 192.168.4.0/27 and then have my SQUID/DANSGUARDIAN server route the traffic on that subnet? I know that way the traffic will be forced to go through my SQUID/DANSGUARDIAN!
yeah, have your squid/DG box on another subnet, it's all good (make sure you set the alias properly, use SNAT with the IP specified instead of MASQUERADE, etc.)...
not sure what you mean by "have my SQUID/DANSGUARDIAN server route the traffic on that subnet", as the squid/DG box doesn't have to do any routing at all in your setup for this to work (only the firewall needs to route)...
keep in mind that there is no *real* security added by having the box on a different subnet in the same zone (compared to on the same subnet in the same zone)... not sure if that's the reason you wanna use a separate subnet, though...
Quote:
not sure what you mean by "have my SQUID/DANSGUARDIAN server route the traffic on that subnet", as the squid/DG box doesn't have to do any routing at all in your setup for this to work (only the firewall needs to route)...
This is the reason that I say that. Let me draw. I always seem to do better at that. Here is my proposed adjustment:
Internet
|
|
|
(eth0)
Firewall
(eth1) 192.168.3.0/27
|
|
|
switch
|
|
|
(eth0)192.168.3.0/27
SQUID/DANSGUARDIAN Server (route traffic from 4.0 to 3.0 subnet)
(eth1)192.168.4.0/27
|
|
|
PC1- 192.168.4.X - PC2 - 192.168.4.X - PC3 192.168.4.X
thanks
Last edited by metallica1973; 05-18-2007 at 09:49 AM.
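For the proposed layout above, where the Squid/DansGuardian box gets a second interface and becomes the workstations' only way to the 192.168.3.0/27 side, the rules live on that box rather than on the firewall. The script below is an added example, not the poster's configuration: it redirects port 80 arriving on eth1 to the local DansGuardian listener, forwards everything else, and uses SNAT with an explicit address instead of MASQUERADE, as the reply suggests. The proxy box's eth0 address 192.168.3.20 and the interface assignment are assumptions. Like the earlier firewall example it only prints rules unless run with `IPT=iptables`.

```shell
#!/bin/sh
# Added example, not the thread's own configuration: rules for the
# two-interface Squid/DansGuardian box in the proposed layout. Workstations sit
# on 192.168.4.0/27 behind eth1; the box reaches the firewall via eth0.
# Dry-run by default: IPT="echo iptables" prints the rules; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

OUTIF="${OUTIF:-eth0}"                # towards the firewall / 3.0 subnet
OUT_ADDR="${OUT_ADDR:-192.168.3.20}"  # assumed: this box's address on the 3.0 subnet
INIF="${INIF:-eth1}"                  # towards the workstations
CLIENTS="${CLIENTS:-192.168.4.0/27}"  # subnet proposed in the thread
DG_PORT="${DG_PORT:-8080}"            # DansGuardian, which in turn talks to Squid on 3128

inline_proxy_rules() {
    # The box is now the workstations' default gateway, so it must forward.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Port-80 requests arriving from the client side go to the local
    # DansGuardian listener. REDIRECT rewrites the destination to the address
    # of the interface the packet came in on, so no proxy IP is needed here.
    $IPT -t nat -A PREROUTING -i "$INIF" -s "$CLIENTS" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$DG_PORT"

    # Accept the redirected connections, but only from the client interface,
    # so nothing on the 3.0 side can use the filter as an open proxy.
    $IPT -A INPUT -i "$INIF" -s "$CLIENTS" -p tcp --dport "$DG_PORT" -j ACCEPT

    # Workstations must not reach proxy ports on hosts beyond this box except
    # through DansGuardian: drop those before the general forwarding rule.
    $IPT -A FORWARD -i "$INIF" -o "$OUTIF" -s "$CLIENTS" -p tcp \
        -m multiport --dports 80,3128,"$DG_PORT" -j DROP

    # Everything else from the workstations is forwarded; replies come back
    # through connection tracking.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INIF" -o "$OUTIF" -s "$CLIENTS" -j ACCEPT

    # Forwarded packets leave with this box's own static address on the 3.0
    # subnet: SNAT with the IP specified, rather than MASQUERADE.
    $IPT -t nat -A POSTROUTING -o "$OUTIF" -s "$CLIENTS" \
        -j SNAT --to-source "$OUT_ADDR"
}

inline_proxy_rules
```

With this layout the workstations have no path to the firewall that does not cross the filter box. To stop a machine plugged directly into the 3.0 switch from skipping it, the firewall should additionally accept outbound port 80 from `$OUT_ADDR` only, in the same spirit as the filtering done on the firewall in the single-subnet case.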