Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I have been trying to work on a "router replacement" that will add content filtering. Basically, I want to replace a Linksys Cable/DSL router with a Linux box (currently have Fedora 2). I have everything working to a point.
To my knowledge I need the following (all of which I have): DansGuardian, Squid, iptables, dhcpd - I have also installed shorewall and webmin.
Here is the problem - whenever I add the rules to make iptables forward all traffic through port 8080 (for DG) it erases all of the rules regarding the firewall, thus (to my understanding) reducing the security of the box - right?
Without the rules added however (the nat prerouting redirect rules listed in these forums many times) traffic is not routed through dansguardian.
When I manually edited the iptables file to include the above rule it does not allow any traffic to pass through.
My basic setup is a Fedora 2 box with 2 nics - eth0 is the WAN interface, eth1 is the LAN interface. I am completely stuck and would appreciate any help that is offered. Perhaps I just need to dive further into iptables rules and learn to manually manipulate the file - but if anyone has any hints I could really use the help!
Have you added the following lines to squid.conf to run Squid as a transparent proxy? If you didn't do that, Squid cannot understand HTTP port redirection.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
If your trouble didn't get solved, try the following:
There is a simple iptables script generator at www.iptables-script.dk; you may try it instead of Shorewall. I think it is not more secure than Shorewall, but it is secure enough.
Thanks for the help - the iptables script generator seems to be on the mark except for the forwarding of all traffic from the LAN port 80 through DansGuardian on port 8080. Do I just add that rule manually? How do I make both the firewall work securely and the forwarding of all web traffic through DansGuardian? To my understanding these both have to work.
Thanks for the reminder regarding the transparent proxy rules in squid - yes I had already changed them.
The real problem is that though everything works fine with just the nat table in iptables as far as forwarding traffic through DansGuardian - I am not confident that that has sufficiently secured the WAN interface to keep the whole thing secure. Perhaps I want to combine two things that just don't go together - like peanut butter and beer.
Hey, don't knock peanut butter and beer,...
just not in the same glass...
Set your squid to listen only on 127.0.0.1 port 3128
Set DansGuardian to listen only on the LAN interface port 8080 and talk to squid on 127.0.0.1 port 3128
Set a DNAT rule for ports 80, 8080, 3128 and 443 on the LAN interface to the LAN ip port 8080
Which file are you editing the rules in?
Last edited by peter_robb; 06-17-2004 at 04:24 PM.
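The three steps in the reply above (Squid on loopback only, DansGuardian on the LAN side only, DNAT on the LAN interface) can be combined with a default-deny firewall in one script. The following is an added example, not code from the original thread or from any of the projects mentioned; it keeps the thread's eth0 = WAN / eth1 = LAN layout and the DansGuardian port 8080, and assumes a constructed LAN address of 192.168.1.1/24. It deliberately differs from the reply in one point: port 443 is forwarded directly rather than DNATed into DansGuardian, because redirecting a TLS connection into a plain HTTP listener just breaks HTTPS.

```shell
#!/bin/sh
# Added example (not from the thread): two-NIC Fedora Core 2 router that
# keeps a default-deny INPUT/FORWARD policy and still pushes LAN web traffic
# through DansGuardian on port 8080. Interface names follow the original
# post; the 192.168.1.x addresses are constructed for the example.
WAN=eth0
LAN=eth1
LAN_IP=192.168.1.1
LAN_NET=192.168.1.0/24
DG_PORT=8080

# Emit one iptables command. With DRY_RUN=1 it is printed instead of run,
# so the complete rule set can be reviewed before it touches the box.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Start clean in both the filter and nat tables, then default-deny.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback carries DansGuardian -> Squid (127.0.0.1:3128); replies to
    # connections the box or the LAN opened are allowed back in.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services LAN clients may reach on the router itself: the filter,
    # DNS and DHCP. There is intentionally no INPUT rule for $WAN, so
    # unsolicited traffic from the cable/DSL side hits the DROP policy.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$DG_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT

    # Transparent proxy: web ports arriving on the LAN interface only are
    # rewritten to DansGuardian. Binding the DNAT to -i $LAN is what stops
    # the redirect from turning the WAN interface into an open proxy.
    for p in 80 8080 3128; do
        ipt -t nat -A PREROUTING -i "$LAN" -p tcp --dport "$p" \
            -j DNAT --to-destination "$LAN_IP:$DG_PORT"
    done

    # Everything else from the LAN (including 443) is routed and masqueraded.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# "sh firewall.sh" prints the rules for review; "sh firewall.sh apply"
# (as root) installs them.
case "${1:-}" in
    apply) firewall_rules ;;
    *)     DRY_RUN=1; firewall_rules ;;
esac
```

Two configuration lines make the listeners match these rules: `http_port 127.0.0.1:3128` in squid.conf, and `filterip = 192.168.1.1` together with `filterport = 8080` in dansguardian.conf (the address being the assumed LAN IP). Because the script flushes all chains and sets the policies itself, it must be the only thing installing rules; running it alongside the FC2 iptables service or Shorewall gives exactly the "my rules got erased" effect from the first post.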
Squid is set to listen only on 127.0.0.1:3128
DansGuardian is set to listen on port 8080 (how do I make it listen only on the LAN interface?) and to talk to squid on 127.0.0.1:3128
How do I set the DNAT rule though? I don't know the syntax of the commands.
I am a newbie who knows just enough to be dangerous and to meddle in things beyond my grasp...
and by the way...I love peanut butter, I love beer they are two great tastes but they just don't taste great together.
Best to use your GUI to set the DNAT rules for the moment..
Some of these systems have some crazy syntaxes and playing with files manually can break them..
The order of the rules is very important and the GUI will set that correctly..
And if one set of rules is being chewed by Shorewall, there are probably 2 sets in existence.
One from the standard FC2 setup and one from Shorewall.
The standard ones are controlled by /etc/init.d/iptables start (or stop); chkconfig --del iptables will stop them starting automatically.