LinuxQuestions.org
Old 06-26-2004, 04:51 PM   #1
kscott121
Member
 
Registered: Jul 2003
Location: NC
Distribution: Fedora,Mepis,Debian
Posts: 84

Rep: Reputation: 15
transparent proxy on a single machine


I am trying to build a single machine that performs web filtering (using DansGuardian) for several users.
The box (Morphix/Debian system) will be behind a cable router and has five users (kids). I have DansGuardian and Squid running correctly in normal proxy mode. The next step is to make the proxy transparent so that users cannot bypass the DansGuardian/Squid path simply by telling their browser to connect directly (i.e. without using the proxy).
I have looked around and see instructions on this at several places (mostly for non-single-machine implementations) and know I need a line something like:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8181

where 8181 is where DansGuardian is listening.

I also need to configure Squid with (I think):

http_port 3128 # where squid is listening
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_single_host off

The question is, on a single machine, will this work? The part I can't figure out is what happens when Squid finally wants to send out the actual request to the internet: isn't that a port 80 request that the above iptables rule will redirect back to DansGuardian?
Is this the best strategy, or is some other approach better?
Thanks in advance,
Ken S.
 
Old 06-27-2004, 01:30 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
You have to redirect all requests to port 80 to port 3128, and the destination address has to be changed to the IP of the interface that Squid is running on.
 
Old 06-27-2004, 08:37 PM   #3
kscott121
Member
 
Registered: Jul 2003
Location: NC
Distribution: Fedora,Mepis,Debian
Posts: 84

Original Poster
Rep: Reputation: 15
Finally figured out an elegant and easy solution (thanks to Dimitar Katerinski helping via the netfilter@list.netfilter.org mailing list).

1) Keep the normal settings for Squid (no transparent proxy needed since users are internal to the same machine).
2) Set up two iptables rules to only let Squid reach port 80 and only let DansGuardian reach port 3128 (where Squid is listening).

# allow only squid to be able to connect to port 80
iptables -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset

# allow only DG to be able to connect to 3128.
iptables -A OUTPUT -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j REJECT --reject-with tcp-reset

These rules force the users to put the proper proxy info into their browsers in order to connect to the internet.
Works great!
Other boxes on the local LAN can also access DansGuardian web filtering using the same proxy address [ http://this_box_lan_ip_addr:8181 ] (although there is nothing forcing other boxes through this path). The above iptables rules only require that local users on this machine use DansGuardian.
Cheers!
Ken
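The owner match in the two rules above only sees packets generated on the box itself (it is valid in the OUTPUT chain, not in PREROUTING), which is exactly why it enforces the DansGuardian -> Squid path for local users and not for other LAN hosts. A small audit script to confirm the chain still encodes that policy after a reboot or a firewall edit, added here as an example and not part of the thread or of either project; the `iptables -S OUTPUT` sample and the uid-to-name table are constructed, and iptables prints resolved numeric uids rather than the names given on the command line:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `iptables -S OUTPUT` output, modelled on the two rules in
# the thread; not captured from the poster's box. iptables prints numeric uids.
SAMPLE_OUTPUT_CHAIN = """\
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner 13 -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner ! --uid-owner 1001 -j REJECT --reject-with tcp-reset
"""
# Constructed uid -> name table standing in for /etc/passwd on that box.
UID_NAMES = {"13": "squid", "1001": "dansguardian"}
# Policy from the thread: only squid may reach 80, only dansguardian may reach 3128.
EXPECTED = {80: "squid", 3128: "dansguardian"}

RULE_RE = re.compile(
    r"^-A OUTPUT .*?-p tcp .*?--dport (?P<port>\d+) .*?"
    r"-m owner (?P<neg>! )?--uid-owner (?P<uid>\S+) .*?-j (?P<target>REJECT|DROP)"
)

def parse_owner_rules(chain_text: str) -> Dict[int, Tuple[str, bool]]:
    """Map dport -> (owner, negated?) for every owner-match REJECT/DROP rule."""
    found: Dict[int, Tuple[str, bool]] = {}
    for line in chain_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            owner = UID_NAMES.get(m["uid"], m["uid"])
            found[int(m["port"])] = (owner, m["neg"] is not None)
    return found

def audit(chain_text: str, expected: Dict[int, str]) -> List[str]:
    """One finding per port whose local-user restriction is missing or wrong."""
    rules = parse_owner_rules(chain_text)
    findings = []
    for port, allowed in expected.items():
        if port not in rules:
            findings.append(f"port {port}: no owner-match rule, any local user can connect")
        elif not rules[port][1]:
            findings.append(f"port {port}: rule rejects {rules[port][0]} itself, not everyone else")
        elif rules[port][0] != allowed:
            findings.append(f"port {port}: only {rules[port][0]} is allowed, expected {allowed}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_OUTPUT_CHAIN, EXPECTED)) or "OK: local users must go via dansguardian -> squid")
```

On a live box, feed it the output of `iptables -S OUTPUT` and replace the constructed uid table with a lookup in the `pwd` module. Rules are matched by port only, so a later ACCEPT inserted ahead of the REJECT in the chain would still need a manual look.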