Networking with Dansguardian...please help!

Louie55 · 08-25-2004, 07:29 PM

I am building a Redhat 9 box to use as an internet filter with Dansguardian. I need my network to go in this order.

DSL Modem----------->RH9 Box---------->Wireless Router---------) ) ) ) Wireless Network

I have 2 network cards installed in the box. Right now, The filter is working ok if I am sitting on the RH9 box. But I cannot get it to work when I use a different computer connected to the internet through the RH9 box. The RH9 Box can get to the internet fine through eth1 and I am connecting it to my network on eth0. My question is, how do I setup my network cards? eth1 is setup to use DHCP and right now is getting a 10.0.0.13/24 address. Does eth0 need to be setup on the same 10.0.0.0/24 network? Or does it have to be on a different network? Please explain how I should address everything. thanks.

Louie

Robert0380 · 08-26-2004, 04:19 AM

i have **NO** clue what dansguardian is so i'll give you my script i made that sets up a gateway without any additional software and should work on any Linux system with iptables:

For this example, eth0 will be 192.168.0.1 and all computer on that side should be 192.168.0.2 to 192.168.0.254 i.e. 192.168.0.0/24. I run the IFCONFIG for you in this script also so when you get this edited to your liking, just call it from /etc/rc.local and it will set everything up on boot.

example rc.local if the path of the script is /ect/gateway.sh

Code:

sh /etc/gateway.sh

that's it

Also, there are examples at the bottom if you want to allow services like SMTP, SSH, HTTP....etc on the gateway box. Just uncomment the line with the IPTABLES rule an re-run the script as root.

Code:

#!/bin/bash

IPTABLES="/sbin/iptables"
NET_IFACE="eth1"    ######  change this to whatever NIC goes out to the interet #######
LAN_IFACE="eth0"    ######  change this to whatever NIC is on the LAN (non-internet side) #######
IFCONFIG="/sbin/ifconfig"
GATEWAY_IP="192.168.0.1"   
NETMASK="255.255.255.0"  
BCAST="192.168.0.255"      
LAN="192.168.0.0/24"       ##

### Make sure ip_forward is on ###
echo "1" > /proc/sys/net/ipv4/ip_forward

### Setup the LAN interface ####
$IFCONFIG $LAN_IFACE $GATEWAY_IP netmask $NETMASK broadcast $BCAST
$IFCONFIG $LAN_IFACE up

#### Flush tables ###
$IPTABLES -F
$IPTABLES -t nat -F

#### Security stuff #####
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Allow forwarding to LAN ###
echo "Turning on forwarding to LAN"
$IPTABLES -A FORWARD -s $LAN -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### Allow INPUT from LAN ####
echo "Allowing INPUT from LAN"
$IPTABLES -A INPUT -s $LAN -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT ## Allow iput from self


###  MAQUERADE ###
echo "MAQUERADEing"
$IPTABLES -A POSTROUTING -t nat -o $NET_IFACE -j MASQUERADE


### NOTES ####
# this makes your box pretty secure but u cant
# run any servers from it, uncomment the rules below to
# open up certain ports

## Open up SSH port#
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

## HTTP port (web server) ##
#$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

## Email server port ##
#$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT

again, i dont know what the hell that guadian software is so i make no mention of it here.

Louie55 · 08-26-2004, 10:22 AM

Thanks for the info and the script! Dansguardian is an Open Source Internet filter. http://dansguardian.org For those of you who do know what dansguardian is, I am also having trouble making it a transparent proxy using iptables firewall. I've read the HOWTO's and I don't know if it's working right. Is there any way to test if I did it right?

Louie

Louie55 · 08-26-2004, 11:17 AM

Robert0380....Thank you so much for the script! It now works perfectly! I just added a few lines to it to redirect port 80 requests to port 8080 to make it a transparent proxy. Thanks again.

Louie