LinuxQuestions.org
Old 03-09-2006, 08:11 AM   #1
cryonics
LQ Newbie
 
Registered: Mar 2006
Posts: 12

Rep: Reputation: 0
Problem using Squid, Dansguardian and IPtables as web filtering!


Hi…

I read an article about Linux web filtering using Squid, DansGuardian and IPTables, so I tried to implement it on my single computer. I used Red Hat Enterprise Linux 4 AS, which already has squid-2.5.STABLE6-3 and iptables-1.2.11-3.1.RHEL4, so I just needed to install DansGuardian. I installed DG 2.8.0.6-1 from the rpm. The configuration is as below:

Squid Configuration
Add or edit the following in /etc/squid/squid.conf:

http_port 127.0.0.1:3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user squid
cache_effective_group squid

On the command prompt type:
groupadd -r squid
useradd -g squid -d /var/spool/squid -s /bin/false -r squid

DansGuardian Configuration
Add or edit the following in /etc/dansguardian/dansguardian.conf:

reportinglevel = 3
filterip = 127.0.0.1
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
daemonuser = 'squid'
daemongroup = 'squid'

Iptables Command
Setting up the transparent proxy using iptables (allow the user squid to access both the Internet and the Squid proxy):

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT

The next command redirects Internet traffic from all users, other than squid and any exempt users, to the filter on port 8080:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080

iptables-save > /etc/sysconfig/iptables

chkconfig iptables on
service iptables restart

chkconfig squid on
chkconfig dansguardian on

service squid restart
service dansguardian restart

MY PROBLEM:
All seems okay except for the command "service dansguardian restart", where my DG stops OK, but the start fails!! So I just started it manually using the Red Hat system-settings service tool.
After that I tried to open a web site, but my computer can't reach the internet!! A prompt pops up saying "cannot attempt to reach the connection..." or something like that! I can't browse the internet at all. My computer can reach the internet normally again after I disable (stop) iptables. But then I can reach the prohibited sites!! Can anyone help me???
 
Old 03-10-2006, 08:48 PM   #2
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 446

Rep: Reputation: 32
"iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT"

Perhaps the --uid-owner should be dansguardian or whatever user dansguardian runs as.

It might help to give the output of iptables -L to see everything. You could also activate logging of things to see what is being dropped and the particulars.
 
Old 03-11-2006, 01:05 AM   #3
cryonics
LQ Newbie
 
Registered: Mar 2006
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks for the reply....
Do I need to change these two lines too??

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT

And what about the "owner"... do I need to change it too??
How do I find out about the 'owner'??
 
Old 03-11-2006, 05:39 AM   #4
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 446

Rep: Reputation: 32
Here is an excerpt from man iptables:

"owner
This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.

--uid-owner userid
Matches if the packet was created by a process with the given effective user id."

It seems "owner" is simply naming the owner module and the uid-owner is a parameter that tells the module to check the owner userid. If it matches, the appropriate action is taken.
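As an added example (not from this thread or from the Squid/DansGuardian projects), here is a small consistency checker for the chain posted in #1 and the owner-match rules discussed above: it parses the squid.conf and dansguardian.conf snippets, then confirms that DansGuardian's proxyport is Squid's http_port, that every REDIRECT lands on the filterport, that DansGuardian's daemonuser is exempted by an owner ACCEPT rule (otherwise its own connections to Squid would be redirected straight back into the filter), and that the ACCEPT rules come before the REDIRECT rules. The configuration strings and rule list are constructed copies of what the original poster wrote.

```python
import re

# Constructed sample inputs reproducing the configuration posted in this thread.
SQUID_CONF = "http_port 127.0.0.1:3128\ncache_effective_user squid\n"
DG_CONF = ("filterip = 127.0.0.1\nfilterport = 8080\nproxyip = 127.0.0.1\n"
           "proxyport = 3128\ndaemonuser = 'squid'\ndaemongroup = 'squid'\n")
# The nat OUTPUT chain as the four posted iptables commands create it, in order.
NAT_OUTPUT_RULES = [
    "-A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT",
    "-A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT",
    "-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080",
    "-A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080",
]

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines, dropping the quotes DansGuardian puts round values."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, val = line.partition(sep)
            conf[key.strip()] = val.strip().strip("'\"")
    return conf

def check_chain(squid_conf, dg_conf, rules):
    """Return a list of problems; an empty list means the redirect chain is consistent."""
    squid, dg = parse_kv(squid_conf, " "), parse_kv(dg_conf, "=")
    problems = []
    http_port = squid.get("http_port", "")
    if dg.get("proxyport") != http_port.rsplit(":", 1)[-1]:
        problems.append("DG proxyport %s does not match squid http_port %s"
                        % (dg.get("proxyport"), http_port))
    # Users exempted from redirection by an owner-match ACCEPT rule.
    exempt = {m.group(1) for m in (re.search(r"--uid-owner (\S+).*-j ACCEPT$", r)
                                   for r in rules) if m}
    if dg.get("daemonuser") not in exempt:
        problems.append("daemonuser %r has no owner ACCEPT rule: DG's own connections to squid "
                        "would be redirected back to the filter" % dg.get("daemonuser"))
    # Every REDIRECT must send traffic to the port DansGuardian listens on.
    for r in rules:
        m = re.search(r"-j REDIRECT --to-ports (\d+)$", r)
        if m and m.group(1) != dg.get("filterport"):
            problems.append("REDIRECT to port %s but DG filterport is %s"
                            % (m.group(1), dg.get("filterport")))
    # iptables evaluates rules in order: an ACCEPT placed after a REDIRECT never fires.
    redirects = [i for i, r in enumerate(rules) if "-j REDIRECT" in r]
    accepts = [i for i, r in enumerate(rules) if "-j ACCEPT" in r]
    if redirects and accepts and max(accepts) > min(redirects):
        problems.append("owner ACCEPT rules must precede the REDIRECT rules")
    return problems

if __name__ == "__main__":
    print(check_chain(SQUID_CONF, DG_CONF, NAT_OUTPUT_RULES) or "configuration is consistent")
```

Running it against the posted values reports no problems; changing daemonuser to another account without also changing --uid-owner, or appending the ACCEPT rules after the REDIRECTs, is flagged.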
 
Old 03-11-2006, 09:31 PM   #5
cryonics
LQ Newbie
 
Registered: Mar 2006
Posts: 12

Original Poster
Rep: Reputation: 0
Below are the errors when I restart DG from the command line!! SO WHAT'S THE PROBLEM HERE?

[root@localhost ~]# service dansguardian restart
Shutting down Web Content Filter (dansguardian): [FAILED]
Starting Web Content Filter (dansguardian): [FAILED]
Error opening/creating log file. (check ownership and access rights).
I am running as squid and I am trying to open /var/log/dansguardian/access.log
 
Old 03-11-2006, 10:51 PM   #6
RobertP
Member
 
Registered: Jan 2004
Location: Manitoba, Canada
Distribution: Debian
Posts: 446

Rep: Reputation: 32
On my system dansguardian's logs are owned by user dansguardian. They are world readable, but you could read them as root, perhaps. Check /var/log/messages or daemon.log or syslog for information on why the dansguardian helper did not start.
 
Old 03-12-2006, 09:58 PM   #7
cryonics
LQ Newbie
 
Registered: Mar 2006
Posts: 12

Original Poster
Rep: Reputation: 0
Works already!!!

Thank you, RobertP...

The main problem is the file /var/log/dansguardian/access.log.

Just do the following commands:

cd /var/log/dansguardian (if it doesn't exist, then mkdir /var/log/dansguardian and then cd /var/log/dansguardian)

touch access.log (this will create the file)
chown root.root access.log (this sets owner and group)
chmod 666 access.log (this sets r/w permissions)

Then run the commands again:
service dansguardian restart
service iptables restart
service squid restart

And the filter is now available...... well done!!
 
Old 05-09-2006, 01:00 PM   #8
jocast
Member
 
Registered: May 2004
Location: Laredo
Distribution: FC3
Posts: 185

Rep: Reputation: 30
Quote:
Originally Posted by RobertP
"iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT"

Perhaps the --uid-owner should be dansguardian or whatever user dansguardian runs as.

It might help to give the output of iptables -L to see everything. You could also activate logging of things to see what is being dropped and the particulars.
So if my user and group are 'squid', the line would be
"iptables -t nat -A OUTPUT -p tcp --dport 3128 -m squid --uid-squid squid -j ACCEPT"????
 