LinuxQuestions.org
Old 06-16-2004, 10:58 PM   #1
jwgeurk
LQ Newbie
 
Registered: Jun 2004
Distribution: fedora 2
DansGuardian, Squid, and Firewall rules


Hello all and thanks in advance...

I have been trying to work on a "router replacement" that will add content filtering. Basically, I want to replace a Linksys Cable/DSL router with a Linux box (currently have Fedora 2). I have everything working to a point.

To my knowledge I need the following (all of which I have): DansGuardian, Squid, iptables, dhcpd - I have also installed shorewall and webmin.

Here is the problem - whenever I add the rules to make iptables forward all traffic through port 8080 (for DG) it erases all of the rules regarding the firewall, thus (to my understanding) reducing the security of the box - right?

Without the rules added however (the nat prerouting redirect rules listed in these forums many times) traffic is not routed through dansguardian.

When I manually edited the iptables file to include the above rule it does not allow any traffic to pass through.

My basic setup is a Fedora 2 box with 2 nics - eth0 is the WAN interface, eth1 is the LAN interface. I am completely stuck and would appreciate any help that is offered. Perhaps I just need to dive further into iptables rules and learn to manually manipulate the file - but if anyone has any hints I could really use the help!
 
Old 06-17-2004, 12:49 PM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Have you added the following lines in squid.conf to run squid as a transparent proxy? If you didn't do that, squid cannot understand http port redirection.

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


If your trouble didn't get solved, try the following:

There is a simple iptables script generator at www.iptables-script.dk; you may try it instead of shorewall. I think it is not more secure than shorewall, but it is secure enough.

I hope these help you.
 
Old 06-17-2004, 02:49 PM   #3
jwgeurk
LQ Newbie
 
Registered: Jun 2004
Distribution: fedora 2
Original Poster
maxut,

Thanks for the help - the iptables script generator seems to be on the mark except for the forwarding of all traffic from the LAN port 80 through DansGuardian on port 8080. Do I just add that rule manually? How do I make both the firewall work securely and the forwarding of all web traffic through DansGuardian? To my understanding these both have to work.

Thanks for the reminder regarding the transparent proxy rules in squid - yes I had already changed them.

The real problem is that though everything works fine with just the nat table in iptables as far as forwarding traffic through DansGuardian - I am not confident that that has sufficiently secured the WAN interface to keep the whole thing secure. Perhaps I want to combine two things that just don't go together - like peanut butter and beer.

Thanks again
 
Old 06-17-2004, 05:22 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Hey, don't knock peanut butter and beer,...
just not in the same glass...

Set your squid to listen only on 127.0.0.1 port 3128
Set DansGuardian to listen only on the LAN interface port 8080 and talk to squid on 127.0.0.1 port 3128
Set a DNAT rule for ports 80, 8080, 3128 and 443 on the LAN interface to the LAN ip port 8080

Which file are you editing the rules in?

Last edited by peter_robb; 06-17-2004 at 05:24 PM.
 
Old 06-17-2004, 05:41 PM   #5
jwgeurk
LQ Newbie
 
Registered: Jun 2004
Distribution: fedora 2
Original Poster
Squid is set to listen only on 127.0.0.1:3128
DansGuardian is set to listen on port 8080 (how do I make it listen only on the LAN interface?) and to talk to squid on 127.0.0.1:3128
How do I set the DNAT rule though? I don't know the syntax of the commands.

I am a newbie who knows just enough to be dangerous and to meddle in things beyond my grasp...

and by the way... I love peanut butter, I love beer; they are two great tastes, but they just don't taste great together.

Thanks!
 
Old 06-17-2004, 07:09 PM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
In dansguardian.conf..

filterip=x.x.x.x

Best to use your GUI to set the DNAT rules for the moment..
Some of these systems have some crazy syntaxes and playing with files manually can break them..
The order of the rules is very important and the GUI will set that correctly..

And if one set of rules is being chewed by Shorewall, there are probably 2 sets in existence.
One from the standard FC2 setup and one from Shorewall

The standard ones are controlled by /etc/init.d/iptables start (or stop)
chkconfig --del iptables will stop them automatically starting.
 
Old 06-17-2004, 11:49 PM   #7
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Set up your firewall script

Add the redirect rules from the command line using iptables -I

then run this..

service iptables save
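The layout peter_robb describes (squid on 127.0.0.1:3128, DansGuardian on the LAN address port 8080, DNAT on the LAN side) together with DavidPhillips's "insert with -I, then service iptables save" as one script. This is an added example, not code posted in the thread; the interface names follow the original post, and the LAN address 192.168.1.1 is a constructed value.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed layout as described above:
# eth0 = WAN, eth1 = LAN, squid bound to 127.0.0.1:3128, DansGuardian bound to
# the LAN address (filterip in dansguardian.conf) on port 8080.
# The LAN address below is a constructed value; adjust it to your box.
WAN_IF=eth0
LAN_IF=eth1
LAN_IP=192.168.1.1
DG_PORT=8080
IPT=${IPT:-iptables}   # set IPT=echo to print the rules without applying them

# nat/PREROUTING: web traffic arriving from the LAN is sent to DansGuardian.
# Port 443 is included as in the thread; DansGuardian's HTTP listener cannot
# complete a TLS handshake, so this blocks direct HTTPS rather than filtering it.
# Squid's own outbound requests leave via OUTPUT, not PREROUTING, so no loop.
redirect_rules() {
  for port in 80 8080 3128 443; do
    $IPT -t nat -I PREROUTING -i "$LAN_IF" -p tcp --dport "$port" \
         -j DNAT --to-destination "$LAN_IP:$DG_PORT"
  done
}

# filter/INPUT: only the LAN may reach DansGuardian; the WAN never reaches the
# proxy ports. Rules are inserted with -I so they go in front of whatever the
# existing firewall script (or Shorewall) put there instead of replacing it.
filter_rules() {
  $IPT -I INPUT -i "$LAN_IF" -p tcp --dport "$DG_PORT" -j ACCEPT
  for port in 3128 "$DG_PORT"; do
    $IPT -I INPUT -i "$WAN_IF" -p tcp --dport "$port" -j DROP
  done
}

# Run as "sh dg-redirect.sh apply" on the gateway; "service iptables save"
# writes the resulting rule set to /etc/sysconfig/iptables so it survives a
# restart of the iptables service, as suggested in the thread.
if [ "${1:-}" = apply ]; then
  redirect_rules
  filter_rules
  service iptables save
fi
```

Running it with IPT=echo first (no apply argument needed for that) shows the exact rules before anything touches the live tables.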
 
Old 06-18-2004, 03:26 AM   #8
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
jwgeurk
You are right, you must add redirect or other commands in the script manually.

First remove shorewall and delete the iptables save file (rm /etc/sysconfig/iptables), then
/etc/init.d/iptables restart, then run the script.
 