LinuxQuestions.org
Old 12-12-2005, 01:35 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
squid (Transparent proxy) & Dansguardian


I am using SUSE 10, Squid 2.5 Stable 10, Dansguardian 2.8.0.6. I have the proxy working. It is set on port 3128 (default):

http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/cache/squid 100 16 256
#redirect_program /local/squid/bin/squidGuard -c /local/squid/bin/squidguard.conf
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.3.0/255.255.255.128
acl lan src 192.168.4.0/255.255.255.128
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow lan
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname sludge.local.net
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_host virtual

here is my dansguardian.conf:

reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
loglevel = 2
logexceptionhits = on
logfileformat = 1
filterip = 192.168.3.2
filterport = 3128
proxyip = 192.168.3.2
proxyport = 3128
accessdeniedaddress = 'http://192.168.3.2/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = 0
forcequicksearch = 0
reverseaddresslookups = off
reverseclientiplookups = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
usernameidmethodproxyauth = on
usernameidmethodident = off
preemptivebanning = on
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
nodaemon = off
nologger = off
softrestart = off

My iptables rule for redirection:

iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 3128 -j REDIRECT --to-port 8080

My question is as such:

When any of my users on my network go into their web browser settings and choose to connect directly to the internet, they can bypass my proxy settings and go to whatever website they want to! Why is that? And I would like to use SquidGuard's format of using its blacklists to filter out websites for DANSGUARDIAN. Can somebody point me in the right direction?
 
Old 12-12-2005, 03:31 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
You've got squid and dg on the wrong ports..

Put squid on port 3128.. listening only on 127.0.0.1
http_port 127.0.0.1:3128

Put dg on port 8080
filterport = 8080
talking to squid on 127.0.0.1
proxyip = 127.0.0.1

Then change REDIRECT rules in nat PREROUTING to push http traffic to 192.168.3.2:8080
Users can then set their proxy to 192.168.3.2:8080

Last edited by peter_robb; 12-12-2005 at 03:35 PM.
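As an added illustration (not code from the thread or from either project), the following checks a squid.conf / dansguardian.conf pair for the chaining peter_robb describes and builds the transparent-intercept rule for the inside interface; the config snippets are constructed in the shape of the original post, and the interface name passed to redirect_rule is assumed.

```python
import re

# Constructed snippets in the shape of the thread's files (not the poster's full configs).
SQUID_CONF_BAD = "http_port 8080\n"
SQUID_CONF_GOOD = "http_port 127.0.0.1:3128\n"
DG_CONF_BAD = "filterip = 192.168.3.2\nfilterport = 3128\nproxyip = 192.168.3.2\nproxyport = 3128\n"
DG_CONF_GOOD = "filterip = 192.168.3.2\nfilterport = 8080\nproxyip = 127.0.0.1\nproxyport = 3128\n"

def parse_squid_http_port(text):
    """Return (bind_ip, port) from Squid's http_port line; bind_ip is None when unbound."""
    m = re.search(r"^\s*http_port\s+(?:(\d+\.\d+\.\d+\.\d+):)?(\d+)", text, re.M)
    if not m:
        raise ValueError("no http_port directive found")
    return m.group(1), int(m.group(2))

def parse_dg(text):
    """Return DansGuardian 'key = value' pairs as a dict, with surrounding quotes stripped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*'?([^'#]*?)'?\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def check_chain(squid_text, dg_text):
    """Return a list of problems; an empty list means DG fronts Squid as post #2 describes."""
    bind_ip, squid_port = parse_squid_http_port(squid_text)
    dg = parse_dg(dg_text)
    filterport = int(dg.get("filterport", 0))
    proxyport = int(dg.get("proxyport", 0))
    problems = []
    if bind_ip != "127.0.0.1":
        problems.append("squid: http_port not bound to 127.0.0.1, so LAN clients can reach Squid unfiltered")
    if filterport == proxyport:
        problems.append("dansguardian: filterport equals proxyport, so DG would talk to itself")
    if proxyport != squid_port:
        problems.append("dansguardian: proxyport does not match Squid's http_port")
    if dg.get("proxyip") != "127.0.0.1":
        problems.append("dansguardian: proxyip must be 127.0.0.1 once Squid listens on loopback only")
    return problems

def redirect_rule(intif, dg_port=8080):
    """nat PREROUTING rule that pushes plain HTTP (port 80) arriving on the LAN interface into DG.
    The thread's rule matched --dport 3128, so browsers set to 'direct' never hit it."""
    return f"iptables -t nat -A PREROUTING -i {intif} -p tcp --dport 80 -j REDIRECT --to-port {dg_port}"
```

Run check_chain on the real files before reloading; a non-empty list means a browser set to "direct" still has a path around the filter.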
 
Old 12-12-2005, 05:11 PM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Is this right? $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 3128 -j REDIRECT --to-port 192.168.3.2:8080

And what about the filterip and proxyport in Dansguardian?

Last edited by metallica1973; 12-13-2005 at 11:06 AM.
 
Old 12-14-2005, 09:04 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Quote:
And what about the filterip and proxyport in Dansguardian?
They are ok in your original post. Just change what I mentioned..
Quote:
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 3128 -j REDIRECT --to-port 192.168.3.2:8080
That depends on your EXTIF. I would expect it to be the INTIF from the Lan.
If someone in the lan sent anything to port 3128 it wouldn't matter, there's nothing listening on it anyway. Squid will be on only 127.0.0.1, not the local eth, so a rule really isn't necessary..

REDIRECT is a target to pass traffic direct to 127.0.0.1.

Last edited by peter_robb; 12-14-2005 at 09:05 AM.
 
Old 12-14-2005, 11:47 AM   #5
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
here is my network:

Cable modem
#
#
#
(eth0 - dhcp)
|
|
Linux-Firewall-Router-DMZ-(eth2-192.168.2.0)-VOIPModem)
|
|
(eth1- 192.168.3.0)
|
|
Dlink wireless router(192.168.4.0)
|
|
Windows 2k wireless clients (192.168.4.0)

I have made all of those changes and all works on my 192.168.3.0 network, but I can't get my 192.168.4.0 network to work. Nothing on my 4 network will work!
 
Old 12-14-2005, 03:20 PM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Either you need to put a SNAT on the 3.0 side of the wireless router, or place a static route in the firewall to say which gateway address to use to find the 4.0 network..
 
Old 12-14-2005, 07:36 PM   #7
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I just put static routes in my Linux laptop (route add -net 192.168.3.0 netmask 255.255.255.128 dev eth0) and then I simply put 192.168.3.2:8080 in my browsers on my 192.168.4.0 CPUs. It worked.
Can you give me an example of a rule that I could put in my firewall to allow traffic from my 192.168.4.0 network to see my 192.168.3.0 network, and why did things change after what you suggested? I don't understand what happened as far as my routing!
 
Old 12-15-2005, 07:57 AM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
I'm not so sure it is working..

You may have a connection but it may also timeout or not survive a reboot..

For routing, any box needs to know what is local and what is not.
When interfaces come up, they are added to the routing tables, making their nets 'local'.
The firewall needs to know where to find the 4.0 net.
So if it's not local it will use its default gateway, the internet.
A static route can be added to say the 4.0 network can be found by using the wireless router as a gateway, eg
ip route add 192.168.4.0/24 via 192.168.3.?
(Whatever the wireless router's 3.? ip address is.)

The wireless router may have a NAT built-in which translates 4.0 to 3.?, in which case anything started in the 4.0 net will be replied to.
However, no-one still knows where to find the 4.0 net without the static route.
The static route needs to be added when eth1 on the firewall is started, and that is Suse specific, I can't help there.

If the wireless router is in bridge mode, (ie doesn't have ip numbers), it should be supplying 3.0 addresses rather than 4.0 addresses.

To see each other's networks, you will need to start a WINS server on the firewall and get each PC to register with it when they start.
WINS is a built-in feature of Samba.

Last edited by peter_robb; 12-15-2005 at 08:03 AM.
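To make the routing explanation above concrete, here is an added example (not from the thread) that does a longest-prefix-match lookup over a constructed routing table shaped like the firewall in this thread; the ISP gateway 203.0.113.1 and the wireless router's address 192.168.3.100 are placeholders, since the thread gives neither.

```python
import ipaddress

# Constructed routing table for the thread's firewall: eth0 gets a DHCP default route,
# eth1 carries 192.168.3.0/25 (the 255.255.255.128 mask used in the thread), eth2 the DMZ.
# Entries are (prefix, gateway or None when directly connected, interface).
# 203.0.113.1 is a placeholder ISP gateway; the wireless router's 3.x address is not
# given in the thread, so 192.168.3.100 below is a placeholder too.
BASE_TABLE = [
    ("0.0.0.0/0", "203.0.113.1", "eth0"),
    ("192.168.2.0/24", None, "eth2"),
    ("192.168.3.0/25", None, "eth1"),
]
# What "ip route add 192.168.4.0/24 via <wireless router>" adds to the table.
STATIC_ROUTE = ("192.168.4.0/24", "192.168.3.100", "eth1")

def lookup(table, dst):
    """Longest-prefix match: return the most specific (prefix, gateway, iface) covering dst."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, gw, iface), net.prefixlen
    return best

def next_hop(table, dst):
    """Where a packet for dst leaves the box: 'direct on <iface>' or 'via <gw> on <iface>'."""
    route = lookup(table, dst)
    if route is None:
        return "unreachable"
    prefix, gw, iface = route
    return f"direct on {iface}" if gw is None else f"via {gw} on {iface}"

if __name__ == "__main__":
    # Without the static route, anything for the 4.0 net follows the default route to the internet.
    for dst in ("192.168.3.2", "192.168.3.200", "192.168.4.10"):
        print(dst, "->", next_hop(BASE_TABLE, dst),
              "| with static route:", next_hop(BASE_TABLE + [STATIC_ROUTE], dst))
```

Note that 192.168.3.200 also goes out the default route: with a /25 on eth1, only .1 to .126 are local, which matters if the wireless router was given a higher 3.x address.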
 
Old 12-15-2005, 07:52 PM   #9
bye
LQ Newbie
 
Registered: Dec 2005
Location: peking
Posts: 6

Rep: Reputation: 0
Must the port of Apache be modified to "LISTEN 8080"?
 
  

