LinuxQuestions.org
Old 01-19-2009, 03:50 AM   #1
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Rep: Reputation: Disabled
Squid+DansGuardian not working properly. Squid blocking sites that shouldn't be


Hello all,

I have got squid working properly. I use it for internet sharing as well as content filtering. There are about 150 clients that use my squid. Some of the clients are allowed to access all the sites without filtering. The only exception is that they are not allowed porn sites.
The rest of the clients are not allowed full access. Mailing sites, pornography and some unwanted sites that could choke up the bandwidth are banned.
It is a transparent proxy and I do it this way.
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
I tried to integrate dansguardian in the existing setup and changed 3128 to 8080 in the above command, keeping other things as they are. It does work but not the way I want it to.
Clients that are allowed to browse emailing sites such as Yahoo, Rediff and Gmail are getting blocked with an error from squid if the connections are redirected to 8080, but if connections are redirected to 3128 everything works fine.

For example:

I have acl allowed_stations
acl allowed_stations src 192.168.1.71 192.168.1.71 192.168.1.57

http_access allow allowed_stations
http_access deny blocked_sites

where this acl mentions which sites are to be blocked. This contains mailing sites as well.
If I redirect it to 3128 it works properly.

But if I redirect it to 8080 allowed_stations are not able to browse banned sites. And the error is from squid not from dansguardian.

Any help will be appreciated.

Last edited by linuxlover.chaitanya; 01-20-2009 at 04:18 AM.
 
Old 01-19-2009, 05:41 AM   #2
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Original Poster
Rep: Reputation: Disabled
This is what I got while searching the web. It says I should be putting my squid in front of Dansguardian.

Quote:
That is correct. The source ip of the request to squid is localhost as it is DansGuardian making the request which is running locally on the server. There are two solutions. One is to put squid in front of DansGuardian and have DansGuardian use an upstream proxy such as the ISP's. The other is to install the patch available to make squid use the X-Forwarded-For entry from DansGuardian which would make the ACLs work again.
Now can anyone please help me understand exactly what I need to do? What does this mean?
 
Old 01-20-2009, 01:28 AM   #3
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Original Poster
Rep: Reputation: Disabled
I don't really like to bump my own thread, but if there was need of more information I would be more than willing to give it if I knew what it should be. But please help me understand the above FAQ from the dansguardian website, which I seem not to understand as well as I should.
 
Old 01-22-2009, 04:13 AM   #4
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Original Poster
Rep: Reputation: Disabled
It started working. I guess there was some problem with iptables rules. It is working but I want to tweak it more to put more security now.
 
Old 04-08-2009, 04:33 PM   #5
parmeshwary2k
LQ Newbie
 
Registered: Apr 2009
Posts: 20

Rep: Reputation: 0
Hi,

I also have the same requirement. Is it possible for both the squid ACL and the dansguardian filtering rules to work at the same time? According to me, if we redirect traffic to 8080 then dansguardian should apply, and if we redirect traffic to 3128 then the squid acl should apply. If it is possible for dansguardian and the squid acl to work at the same time, please advise me and send me all the code; this will be appreciated.

thanks
 
Old 04-09-2009, 05:26 AM   #6
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Original Poster
Rep: Reputation: Disabled
I started this thread more than a couple of months ago. And nobody has posted since then. And I resolved it myself. If you have got some issue, start your own thread rather than hijacking this oldie. And post as much information as possible when starting your thread.
 
Old 04-09-2009, 05:48 PM   #7
linx win
Member
 
Registered: Jan 2004
Posts: 390

Rep: Reputation: 31
Quote:
Originally Posted by linuxlover.chaitanya
I resolved it myself.
I suggest that you show how you solved it here so others can benefit also and do not waste time searching for info that you have. The reason for having such a great forum is to share knowledge not to blame others.
 
Old 04-10-2009, 05:45 PM   #8
parmeshwary2k
LQ Newbie
 
Registered: Apr 2009
Posts: 20

Rep: Reputation: 0
Squid(transparent)+Dansguardian

Hi Chaitanya


I have been working on squid and dans for more than 2 years but I am new to this forum. If I would be this forum I must happily help you. But I am not able to use both acls together: if I transfer traffic to 8080 then the dans acl works, and when I transfer traffic to 3128 then the squid acl works. I pass my Linux IP as the client gateway, not in the browser. I have more than 400 PCs. If you are able to use both acls together, please help me. I have already posted my own thread but the answer is not like my thought. According to your thread you have already done this, therefore I want it from your side; if you help me this will be appreciated.

Thanks
 
Old 04-11-2009, 12:53 AM   #9
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by linx win
I suggest that you show how you solved it here so others can benefit also and do not waste time searching for info that you have. The reason for having such a great forum is to share knowledge not to blame others.
I would have posted the solution if I knew the exact one. And if you read the complete thread I have mentioned this before as well that I have no idea how it started working out of the blue and that I also mentioned that probably there were issues with iptables rules which I changed to make it work.
 
Old 04-11-2009, 12:56 AM   #10
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by parmeshwary2k
Hi Chaitanya


I have been working on squid and dans for more than 2 years but I am new to this forum. If I would be this forum I must happily help you. But I am not able to use both acls together: if I transfer traffic to 8080 then the dans acl works, and when I transfer traffic to 3128 then the squid acl works. I pass my Linux IP as the client gateway, not in the browser. I have more than 400 PCs. If you are able to use both acls together, please help me. I have already posted my own thread but the answer is not like my thought. According to your thread you have already done this, therefore I want it from your side; if you help me this will be appreciated.

Thanks
It would have been better if you started your own thread but still if you could just redirect the traffic from port 80 to 8080 it should work. If your squid and dansguardian are configured properly then just this redirection should work.
 
Old 08-04-2010, 03:54 AM   #11
ssamir81@hotmail.com
LQ Newbie
 
Registered: Aug 2010
Posts: 3

Rep: Reputation: 0
ssamir

AOA

In order for Squid ACLs and dansguardian to both work at the same time, you have to do two things.

1. In dansguardian.conf set the 2 tags like this.

forwardedfor = on
usexforwardedfor = on

2. Now in squid.conf you have to use the x-forwarded option. Set the tags like this. By default these tags are commented out. Search for these tags, remove the '#' and set them like this:

follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on

And finally, when writing the ACL, see the example below:

acl my_network src 192.168.41.60
follow_x_forwarded_for allow my_network
http_access deny all

where 192.168.41.60 is the IP of my squid server, and dansguardian is on the same machine.

Last edited by ssamir81@hotmail.com; 08-04-2010 at 04:17 AM.
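
Added example (not part of the original posts and not Squid's own code): a small Python model of how Squid chooses the client address for ACLs once follow_x_forwarded_for and acl_uses_indirect_client are in use, run against the allowed_stations scenario from post #1. It assumes DansGuardian connects to Squid from 127.0.0.1, uses a hypothetical non-allowed client 192.168.1.99, and models only src matching and first-match rule order.

```python
import ipaddress

def first_match(rules, addr):
    """Squid access lists are first-match; no matching rule is modelled as deny."""
    ip = ipaddress.ip_address(addr)
    for action, net in rules:
        if ip in ipaddress.ip_network(net):
            return action == "allow"
    return False

def indirect_client(peer, xff, follow_rules):
    """Start at the TCP peer and step back through X-Forwarded-For (rightmost
    entry = most recent hop) while the address under test may be followed."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    current = peer
    while hops and first_match(follow_rules, current):
        current = hops.pop()
    return current

# Constructed values: FILTER is where DansGuardian connects from (assumed
# localhost, as in the FAQ quoted in post #2), STATION is one of post #1's
# allowed_stations, OTHER is a hypothetical client outside that list.
FILTER, STATION, OTHER = "127.0.0.1", "192.168.1.71", "192.168.1.99"
ALL = "0.0.0.0/0"

# http_access as seen by a request for a blocked_sites URL.
HTTP_ACCESS = [("allow", "192.168.1.71/32"), ("allow", "192.168.1.57/32"),
               ("deny", ALL)]

NO_FOLLOW = [("deny", ALL)]                                # header never followed
TRUST_FILTER = [("allow", FILTER + "/32"), ("deny", ALL)]  # only DansGuardian
WRONG_ORDER = [("deny", ALL), ("allow", FILTER + "/32")]   # deny all wins
TRUST_ALL = [("allow", ALL)]                               # weak: any sender believed

def allowed(peer, xff, follow_rules):
    """Does http_access pass the request, judged on the indirect client?"""
    return first_match(HTTP_ACCESS, indirect_client(peer, xff, follow_rules))

if __name__ == "__main__":
    for name, peer, xff, rules in [
        ("via filter, header ignored", FILTER, STATION, NO_FOLLOW),
        ("via filter, filter trusted", FILTER, STATION, TRUST_FILTER),
        ("via filter, deny all first", FILTER, STATION, WRONG_ORDER),
        ("direct, forged header, filter trusted", OTHER, STATION, TRUST_FILTER),
        ("direct, forged header, everyone trusted", OTHER, STATION, TRUST_ALL),
    ]:
        print(f"{name:42} -> {indirect_client(peer, xff, rules):14} "
              f"allowed={allowed(peer, xff, rules)}")
```

The last two rows show why the follow_x_forwarded_for allow rule should name only the address DansGuardian connects from and should be evaluated before deny all.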
 
Old 12-18-2010, 03:12 PM   #12
rdsingh
LQ Newbie
 
Registered: Dec 2010
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by ssamir81@hotmail.com
AOA

In order for Squid ACLs and dansguardian to both work at the same time, you have to do two things.

1. In dansguardian.conf set the 2 tags like this.

forwardedfor = on
usexforwardedfor = on

2. Now in squid.conf you have to use the x-forwarded option. Set the tags like this. By default these tags are commented out. Search for these tags, remove the '#' and set them like this:

follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on

And finally, when writing the ACL, see the example below:

acl my_network src 192.168.41.60
follow_x_forwarded_for allow my_network
http_access deny all

where 192.168.41.60 is the IP of my squid server, and dansguardian is on the same machine.

You da man!! You solved my riddle of the week. Thank you!
 
Old 12-20-2010, 12:47 AM   #13
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,628

Original Poster
Rep: Reputation: Disabled
Marking this grandma solved so that no one comes and digs it out of its grave. Let it RIP.
 
Old 11-10-2014, 11:34 AM   #14
droidshan
LQ Newbie
 
Registered: Nov 2014
Posts: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by ssamir81@hotmail.com
AOA

In order for Squid ACLs and dansguardian to both work at the same time, you have to do two things.

1. In dansguardian.conf set the 2 tags like this.

forwardedfor = on
usexforwardedfor = on

2. Now in squid.conf you have to use the x-forwarded option. Set the tags like this. By default these tags are commented out. Search for these tags, remove the '#' and set them like this:

follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on

And finally, when writing the ACL, see the example below:

acl my_network src 192.168.41.60
follow_x_forwarded_for allow my_network
http_access deny all

where 192.168.41.60 is the IP of my squid server, and dansguardian is on the same machine.
I have searched a lot of forums and not found any solution for the same question.
But even after following these steps, I can't resolve my problem, so I bumped this old post. Anyone here to help me?
 
All times are GMT -5. The time now is 04:31 AM.