LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1  04-25-2007, 07:45 PM  metallica1973 (Senior Member)
IPTABLES, SQUID, DANSGUARDIAN and Transparent Proxy


I have a network set up using IPTABLES scripts, SQUID (proxy) and DANSGUARDIAN (filters web traffic). Everything works fine, but I cannot control my users from getting around my proxy. All they do is just go into IE or Firefox and change the connection settings to automatically detect my settings, and they can go to the internet, bypass my proxy and filtering, and go to whatever website they want. I thought that I had everything (web browsers) going through my system transparently by adding this rule:

Code:
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 8080 -j REDIRECT --to-port 192.168.3.2:3128 
SQUID

Code:
http_port 127.0.0.1:3128 
DANSGUARDIAN

Code:
# the port that DansGuardian listens to.
filterport 8080 

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport 3128 

Last edited by metallica1973; 04-25-2007 at 07:46 PM.
 
#2  04-25-2007, 08:58 PM  osor (HCL Maintainer)
Still not a foolproof solution, but: why not change 8080 to plain old 80? That should do transparent proxying of general web traffic.
 
#3  04-25-2007, 09:06 PM  win32sux (LQ Guru)
yeah, regarding the iptables rule: you need to change the 8080 to 80, as that's what most HTTP packets use (you can use an additional rule for 8080 if you wish)... you also probably wanna change the 3128 to 8080, unless you don't want them to go through dansguardian before squid...
Quote:
Originally Posted by metallica1973
Code:
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 8080 -j REDIRECT --to-port 192.168.3.2:3128 
one more thing: this needs to happen on your internal interface, not your external one... judging by the name "$EXTIF" it would seem you are doing this on the external...

Last edited by win32sux; 04-25-2007 at 09:22 PM.
 
#4  04-26-2007, 10:57 AM  metallica1973 (Senior Member, Original Poster)
Those are both great points. win32sux, after what you said it hit me like a ton of bricks.

Code:
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 8080 -j REDIRECT --to-port 192.168.3.2:3128 
This chain is sending info inside the network! So for my clients going back out, should it be something like:

Code:
$IPTABLES -A PREROUTING -t nat -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 192.168.3.2:8080 
Don't I need a POSTROUTING statement to control my outgoing requests from my users?

Code:
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -p tcp -j SNAT --to-source 192.168.3.2:8080 
What I am trying to say in this statement is: route all web traffic going to the internet from the Squid Server/DANSGUARDIAN to the internet only!

help!

Last edited by metallica1973; 04-26-2007 at 12:56 PM.
 
#5  04-26-2007, 12:03 PM  metallica1973 (Senior Member, Original Poster)
The transparent proxying through squid is working fine. On the client machines I just set IE or Firefox to auto-pilot and everything is fine. The problem is that nothing is filtering unless I manually put in my proxy server IP and port. I want everything on auto-pilot. It appears that nothing is being filtered through DANSGUARDIAN unless I manually put the settings in. Thanks

P.S

Another point that I wanted to make was that in my setup the proxy server and Dansguardian are on the same server, and the firewall is another. I read a lot of examples and they seem to reference everything on one server.

Last edited by metallica1973; 04-26-2007 at 12:11 PM.
 
#6  04-26-2007, 06:06 PM  win32sux (LQ Guru)
Quote:
Originally Posted by metallica1973
Another point that I wanted to make was that in my setup the proxy server and Dansguardian are on the same server, and the firewall is another. I read a lot of examples and they seem to reference everything on one server.
oh ok... well, you'll need to forget about the REDIRECT target (it's only for local ports)... you need the DNAT and SNAT ones instead: http://www.faqs.org/docs/Linux-mini/...tProxy.html#s6

Last edited by win32sux; 04-26-2007 at 06:16 PM.
 
#7  05-09-2007, 09:33 AM  metallica1973 (Senior Member, Original Poster)
I am going to read that and give it a shot. Many thanks win32sux, you have been a great help in the learning curve of teaching myself Linux.
 
#8  05-09-2007, 01:04 PM  metallica1973 (Senior Member, Original Poster)
I gave it a shot and the transparent proxying works fine once again. When I set everything to auto-pilot on the web browsers my clients can still go wherever they want. That article that you recommended is for transparent proxying only, not the Dansguardian/SQUID filtering. This is my office setup to give you a better picture:

Code:
Internet
+
+
(eth0)EXTIF
Firewall
(eth1)INTIF
+
+
SQUID/DANSGUARDIAN
+
+
LAN
+
+
Workstations

I want all web traffic from the LAN to automatically go through SQUID/DANSGUARDIAN and then to the internet. I want everything to be automatic. help!
 
#9  05-12-2007, 08:30 PM  win32sux (LQ Guru)
Quote:
Originally Posted by metallica1973
I gave it a shot and the transparent proxying works fine once again. When I set everything to auto-pilot on the web browsers my clients can still go wherever they want. That article that you recommended is for transparent proxying only, not the Dansguardian/SQUID filtering.
what you want to accomplish is exactly what transparent proxying is all about... in other words, you want to make sure that all TCP port 80 packets (from the LAN clients) which would have hit the FORWARD chain on the router (outbound) get automatically/transparently sent to your proxy server...

Quote:
This is my office setup to give you a better picture:

Code:
Internet
+
+
(eth0)EXTIF
Firewall
(eth1)INTIF
+
+
SQUID/DANSGUARDIAN
+
+
LAN
+
+
Workstations
okay this isn't how i had pictured it... in this scenario (unless i'm misunderstanding your drawing), you don't need to do transparent proxying AFAICT... since LAN clients have to go through the squid/DG box, you could simply make sure the squid/DG box isn't doing any NAT, and therefore they would be forced to use DG (you'd have the port squid is listening on filtered)...

of course, if you wanna do NAT also (as most people probably do), then things change... but then again, i'm not exactly sure i understand your schema properly... like, for example, the way you drew the proxy directly connected to the LAN would imply that the LAN has to go through the proxy, which would mean the proxy has two interfaces, yet you didn't mark that...

this is the scenario i thought you had, as it is i think the most typical one for situations in which the squid/DG box is separate from the firewall:
Code:
                   (eth0)
                  FIREWALL
                   (eth1)
                      |
                      |
                      |
        +----------SWITCH----------+
        |        |        |        |
        |        |        |        |
        |        |        |        |
       PC1      PC2      Etc.     DansGuardian/Squid
Quote:
I want all web traffic from the LAN to automatically go through SQUID/DANSGUARDIAN and then to the internet. I want everything to be automatic. help!
i hear ya, but it should work fine doing it like the link i posted, if your network is structured as the diagram i posted here... in other words, to get the setup in my diagram to work, these rules on the firewall box should do it IIRC as far as iptables on the firewall box is concerned:
Code:
SQUIDBOX="192.168.3.2"
DGPORT="8080"
LAN_IFACE="eth1"
LAN="192.168.3.0/24"

iptables -t nat -A PREROUTING -p TCP -i $LAN_IFACE -s ! $SQUIDBOX \
--dport 80 -j DNAT --to-destination ${SQUIDBOX}:${DGPORT}

iptables -A FORWARD -p TCP -i $LAN_IFACE -o $LAN_IFACE \
--dport $DGPORT -s $LAN -d $SQUIDBOX -j ACCEPT

iptables -t nat -A POSTROUTING -o $LAN_IFACE -j MASQUERADE

Last edited by win32sux; 05-12-2007 at 08:39 PM.
 
#10  05-17-2007, 02:03 PM  metallica1973 (Senior Member, Original Poster)
thanks for your reply. Let me try and clarify my network:

Code:
Internet
|
|
|
(eth0)
Firewall
(eth1) 192.168.3.0/27
|
|
|
switch (All LAN traffic is using the 192.168.3.0/27 subnet)
|
|
|
LAN 192.168.3.0/27 -------SQUID/DANSGUARDIAN Server 192.168.3.X
|
|
|
PC1- 192.168.3.X - PC2 - 192.168.3.X - PC3 192.168.3.X

Should I create another subnet like 192.168.4.0/27 and then have my SQUID/DANSGUARDIAN server route the traffic on that subnet? I know that way the traffic will be forced to go through my SQUID/DANSGUARDIAN!
 
#11  05-17-2007, 03:21 PM  win32sux (LQ Guru)
yeah, have your squid/DG box on another subnet, it's all good (make sure you set the alias properly, use SNAT with the IP specified instead of MASQUERADE, etc.)...

not sure what you mean by "have my SQUID/DANSGUARDIAN server route the traffic on that subnet", as the squid/DG box doesn't have to do any routing at all in your setup for this to work (only the firewall needs to route)...

keep in mind that there is no *real* security added by having the box on a different subnet in the same zone (compared to on the same subnet in the same zone)... not sure if that's the reason you wanna use a separate subnet, though...

Last edited by win32sux; 05-17-2007 at 03:31 PM.
 
#12  05-18-2007, 09:48 AM  metallica1973 (Senior Member, Original Poster)
Quote:
not sure what you mean by "have my SQUID/DANSGUARDIAN server route the traffic on that subnet", as the squid/DG box doesn't have to do any routing at all in your setup for this to work (only the firewall needs to route)...
This is the reason that I say that. Let me draw. I always seem to do better at that. Here is my proposed adjustment:

Code:
Internet
|
|
|
(eth0)
Firewall
(eth1) 192.168.3.0/27
|
|
|
switch
|
|
|
(eth0)192.168.3.0/27
SQUID/DANSGUARDIAN Server (route traffic from 4.0 to 3.0 subnet)
(eth1)192.168.4.0/27
|
|
|
PC1- 192.168.4.X - PC2 - 192.168.4.X - PC3 192.168.4.X

thanks

Last edited by metallica1973; 05-18-2007 at 09:49 AM.
 
#13  05-18-2007, 03:40 PM  win32sux (LQ Guru)
Quote:
Originally Posted by metallica1973
Code:
Internet
|
|
|
(eth0)
Firewall
(eth1) 192.168.3.0/27
|
|
|
switch 
|
|
|
(eth0)192.168.3.0/27
SQUID/DANSGUARDIAN Server (route traffic from 4.0  to 3.0 subnet)
(eth1)192.168.4.0/27
|
|
|
PC1- 192.168.4.X - PC2 - 192.168.4.X - PC3 192.168.4.X
cool, the ubiquitous REDIRECT target scenario... did you get it going yet?? i'm not sure what part you need help with anymore...
 
#14  05-19-2007, 02:01 PM  metallica1973 (Senior Member, Original Poster)
As far as using the redirect, can you give me an example? I dig for some information using the web. Many thanks
 
#15  05-19-2007, 08:23 PM  win32sux (LQ Guru)
Quote:
Originally Posted by metallica1973
As far as using the redirect, can you give me an example? I dig for some information using the web. Many thanks
it would go something like this:
Code:
SQUIDBOX="192.168.3.2"
DGPORT="8080"
WAN_IFACE="eth0"
LAN_IFACE="eth1"
LAN="192.168.3.0/27"

iptables -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d ! $SQUIDBOX \
--dport 80 -j REDIRECT --to-ports $DGPORT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p TCP -i $LAN_IFACE -s $LAN --dport $DGPORT \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -s $LAN -o $WAN_IFACE \
-m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
(this assumes FORWARD and INPUT policies are set to DROP, OUTPUT chain is properly configured, etc...)
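The thread ends up with two placements for the interception rule: REDIRECT on a proxy box that sits between the LAN and the firewall (post #12), and DNAT on the firewall when the proxy is a separate host on the same LAN (post #9). The script below is an added example, not code from the thread or from either poster; it emits the rules for whichever placement is selected, and also drops direct LAN access to the squid port so a client cannot point its browser past DansGuardian. All addresses, ports and interface names are assumed values borrowed from the thread's examples.

```shell
#!/bin/sh
# Constructed example, not code from the thread. Emits the iptables rules for
# the two placements discussed above: "redirect" for the two-NIC proxy box of
# post #12 (port 80 sent to the local DansGuardian port) and "dnat" for the
# firewall in post #9's diagram (proxy on a separate box on the LAN). The
# addresses, ports and interface names are assumed values from the thread.

SQUIDBOX="192.168.3.2"   # proxy box address as seen from the firewall
SQUIDPORT="3128"         # squid itself; bound to 127.0.0.1 in the thread
DGPORT="8080"            # DansGuardian, the only port clients may reach
WAN_IFACE="eth0"
LAN_IFACE="eth1"

gen_rules() {
    case "$1" in
    redirect)
        LAN="192.168.4.0/27"   # client subnet behind the proxy box
        # Port 80 arriving on the LAN NIC becomes a local port after
        # REDIRECT, so it is accepted in INPUT, not FORWARD.
        echo "iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp -s $LAN --dport 80 -j REDIRECT --to-ports $DGPORT"
        echo "iptables -A INPUT -i $LAN_IFACE -p tcp -s $LAN --dport $DGPORT -m state --state NEW -j ACCEPT"
        # A client that points its browser straight at squid would skip
        # the filter, so the squid port is dropped on the LAN side.
        echo "iptables -A INPUT -i $LAN_IFACE -p tcp --dport $SQUIDPORT -j DROP"
        ;;
    dnat)
        LAN="192.168.3.0/27"   # firewall's LAN; the proxy box lives on it too
        # REDIRECT only reaches local ports; a separate box needs DNAT,
        # and the proxy's own outbound port 80 must be left alone.
        echo "iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp ! -s $SQUIDBOX --dport 80 -j DNAT --to-destination ${SQUIDBOX}:${DGPORT}"
        echo "iptables -A FORWARD -i $LAN_IFACE -o $LAN_IFACE -p tcp -d $SQUIDBOX --dport $DGPORT -j ACCEPT"
        # Hairpin: replies must return through the firewall to be un-DNATed.
        echo "iptables -t nat -A POSTROUTING -o $LAN_IFACE -d $SQUIDBOX -p tcp --dport $DGPORT -j MASQUERADE"
        ;;
    *)
        echo "usage: gen_rules redirect|dnat" >&2
        return 1
        ;;
    esac
    # Common to both: established flows, other outbound traffic, NAT to WAN.
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN -m state --state NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE"
}

# DRY_RUN=1 prints the rules; otherwise they are executed (as root).
apply_rules() {
    if [ -n "$DRY_RUN" ]; then gen_rules "$1"; else gen_rules "$1" | sh -e; fi
}
```

As with win32sux's ruleset, this assumes INPUT and FORWARD policies of DROP and an OUTPUT chain configured separately; after applying, `iptables -t nat -L PREROUTING -n -v` should show the REDIRECT or DNAT counters climbing as clients browse with their proxy settings left on automatic.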
 