Old 03-07-2018, 01:43 AM   #1
butek
LQ Newbie
 
Registered: Oct 2009
Posts: 5

Rep: Reputation: 0
Dansguardian problem


Code:
eno1: 192.168.1.2/26 - WAN
eno2: 172.23.198.1/24 LAN

Squid blocks everything. I can't see any website on the workstation.
When I forward everything to squid:
Code:
iptables -t nat -A PREROUTING -s 172.23.198.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128

then everything works well.

But when I forward everything to port 8080 (Dansguardian), then the workstation works badly.

Code:
iptables -t nat -A PREROUTING -s 172.23.198.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 8080
My firewall
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter
iptables -t filter -P FORWARD DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT


iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED


iptables -t filter -A FORWARD -s 172.23.198.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.23.198.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.23.198.0/24 -d 0/0 -j MASQUERADE

iptables -A FORWARD -s 172.23.198.0/24 -j ACCEPT

iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 3124 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 3127 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 3128 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 8080 -j REDIRECT --to-port 8080

iptables -A INPUT -i eno2 -p tcp --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 80 -j REDIRECT --to-ports 8080

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
squid.conf
Code:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl siec src 172.23.198.0/24
acl godziny_pracy time  00:01-21:30


acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localhost
http_access allow siec godziny_pracy

# And finally deny all other access to this proxy
http_access deny all

http_port 172.23.198.1:3128 transparent
dansguardian.conf
Code:
filterip =172.23.198.1
filterport = 8080
proxyip = 172.23.198.1
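
An added example, not part of the thread: a Python check that follows a LAN connection to port 80 through the three excerpts posted above (REDIRECT rule, DansGuardian listener and upstream, squid `http_port`) and lists where the hops do not line up. The function names are hypothetical and the inputs are constructed from the posted configuration.

```python
import re

# Excerpts constructed from the configuration posted in the thread.
IPTABLES = """\
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eno2 -p tcp --dport 3128 -j REDIRECT --to-port 8080
"""
DANSGUARDIAN = """\
filterip =172.23.198.1
filterport = 8080
proxyip = 172.23.198.1
"""
SQUID = "http_port 172.23.198.1:3128 transparent\n"

def redirects(script):
    """Map destination port -> local port for nat PREROUTING REDIRECT rules."""
    out = {}
    for line in script.splitlines():
        m = re.search(r"-A PREROUTING\b.*--dport (\d+).*-j REDIRECT --to-ports? (\d+)", line)
        if m and "-t nat" in line:
            out[int(m.group(1))] = int(m.group(2))
    return out

def key_values(conf):
    """Parse 'key = value' lines, tolerating uneven spacing around '='."""
    pairs = (l.split("=", 1) for l in conf.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def squid_ports(conf):
    """Return {"ip:port": [flags]} for every http_port directive."""
    rows = (l.split() for l in conf.splitlines() if l.startswith("http_port"))
    return {f[1]: f[2:] for f in rows if len(f) >= 2}

def trace(iptables, dg_conf, squid_conf, dport=80):
    """Follow a LAN connection to `dport` through each configured hop."""
    findings = []
    dg = key_values(dg_conf)
    if str(redirects(iptables).get(dport)) != dg.get("filterport"):
        findings.append(f"port {dport} is not redirected to DansGuardian's filterport")
    if "proxyport" not in dg:
        findings.append("proxyport not shown: upstream port cannot be checked")
    for addr, flags in squid_ports(squid_conf).items():
        ip, _, port = addr.rpartition(":")
        # Assumption: with no proxyport in the excerpt, treat any squid port as the upstream.
        if (ip == dg.get("proxyip") and port == dg.get("proxyport", port)
                and {"transparent", "intercept"} & set(flags)):
            findings.append(f"squid {addr} is an interception port, but DansGuardian connects "
                            "to it directly (locally generated, never passes PREROUTING)")
    return findings
```

Calling `trace(IPTABLES, DANSGUARDIAN, SQUID)` returns two findings for the posted excerpts: the missing `proxyport` line and the `transparent` flag on the port DansGuardian uses as its upstream.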
 
Old 03-15-2018, 02:01 AM   #2
bcwagne
Member
 
Registered: Feb 2008
Distribution: Debian Testing
Posts: 169

Rep: Reputation: 32
I had the runaround with Dansguardian and squid. I don’t know your application, but if you just want a Dansguardian filter and don’t need the caching capability of squid, then you might try looking at a lighter-weight proxy server. I tried a bunch of proxies and finally settled on tinyproxy. This was many years ago, however, and I haven’t needed or set up a proxy lately, so I’m sure things have changed.

Squid is powerful, but sometimes it is like using a Swiss Army knife when all you need is a screwdriver—in other words, squid tries to do too many things.

Good Luck!
 
  


All times are GMT -5.