LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-21-2007, 09:44 AM   #1
jlw253
LQ Newbie
 
Registered: Jul 2007
Posts: 4

Question iptables dansguardian and squid - dropping URL


I have used iptables, dansguardian and squid for quite some time to both firewall my home network and to provide some level of intelligent web filtering.

What I have just begun to try to do is configure iptables to force all outgoing web requests through dansguardian. Heretofore, direct connections would simply go out to port 80 without filtering, but specific browsers could be set to proxy through ADA:8080 (ADA is the name of my iptables/dansguardian/squid box).

I've done loads of reading and have experimented to various degrees of success for several hours.

What I have now still allows PCs with explicit ADA:8080 as their browser's proxy to get out through the proxy to the web. However, PCs simply making requests directly to port 80 are not able to make it past squid.

With a direct-connection PC, requests to pages that dansguardian has blocked will be blocked as expected. No problem there. Normally when dansguardian determines that a request should be allowed, it forwards the request over to squid and then squid makes the request on behalf of the requestor.

What I see is that when I'm using the direct connection with iptables rerouting the request to ADA_IP:8080 (dansguardian), when dansguardian passes the request over to squid the request URI is gone. What should be "parseHttpRequest: URI is 'http://www.lycos.com/'" is coming in to squid as "parseHttpRequest: URI is '/'". This obviously gives squid fits and results in "clientReadRequest: FD 15 (192.168.XYZ.XYZ:46825) Invalid Request" errors.

Interestingly enough, the request header appears intact. It's just the URI that comes through as missing.

I've obviously increased the logging level of squid to be able to see these requests and failures come through in my /var/log/squid/cache.log file, but I haven't been able to figure out how to raise my dansguardian logging high enough to see what's coming in and out of dansguardian at a low enough level to continue troubleshooting from here.

From all the other posts and how-to's, I'm certain this is a common configuration but for some reason just can't get it to work properly.

Configs follow:

IPTABLES (1.3.6.0debian1-5)
---------------------------
ADA_IP="192.168.ABC.123"
iptables -t nat -A PREROUTING -i $INTERNAL -p tcp --dport 80 -j DNAT --to-destination $ADA_IP:8080
iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 80 -j REDIRECT --to-port 8080

SQUID (2.6.13-2)
----------------
Default configs. Includes:

#Default:
http_port 3128
debug_options ALL,9

DANSGUARDIAN (2.8.0.6-antivirus-6.4.4.1-4)
------------------------------------------
Default configs. Includes:

loglevel = 3
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128


Any help would be greatly appreciated at this point ...
 
Old 07-21-2007, 05:41 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by jlw253
ADA_IP="192.168.ABC.123"
iptables -t nat -A PREROUTING -i $INTERNAL -p tcp --dport 80 -j DNAT --to-destination $ADA_IP:8080
iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 80 -j REDIRECT --to-port 8080
Shouldn't these be the other way around? Like, outgoing (LAN to WAN) HTTP connections get redirected to the DG on your gateway (DG/Squid/IPtables) box, while incoming (WAN to gateway box) HTTP connections get forwarded to a web server on your LAN? On a two-interface setup, such as the one I get the impression you have, one common setup (aside from external port forwarding) looks something like:

#1 - Get Squid to listen only on localhost.
#2 - Get DansGuardian to listen only on $INTERNAL.
#3 - Get DansGuardian to communicate upstream via Squid on localhost.
#4 - Get Netfilter/IPtables to block direct connections to Squid, and redirect outgoing (LAN to WAN) HTTP connections to DG.

It seems you've gotten #1-3 knocked out, but are having issues with #4.

Here's an example, pulled from an old script of mine which ran on a setup much like yours:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -P PREROUTING ACCEPT

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p TCP -i $INTERNAL --dport 8080 -s 192.168.1.0/24 \
-m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p TCP -i $INTERNAL --dport 80 \
-j REDIRECT --to-port 8080
In this example, users will be transparently proxied to DG. But they can also configure their browsers to use the DG box as a proxy. What they *can't* do is get forwarded straight out to the Internet, they will go through DG in one way or another. It sounds like you want to make an exception here, in the sense that you want to specify some IP addresses which should in fact get forwarded through without any proxying involved. I've done this on separate interfaces, but never on the same one. That said, I would imagine it would go like this (differences between this example and the one above are in bold):
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -P PREROUTING ACCEPT

iptables -t nat -P POSTROUTING ACCEPT

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p TCP -i $INTERNAL --dport 8080 -s 192.168.1.0/24 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p TCP -i $INTERNAL -o $EXTERNAL \
--dport 80 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p TCP -i $INTERNAL --dport 80 \
-m iprange ! --src-range 192.168.1.65-192.168.1.79 \
-j REDIRECT --to-port 8080

iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
Adding rules to forward port 80 on the WAN side to a web server on the LAN side would go like (assuming 192.168.1.145 is the IP of the web server on the LAN and that it is listening on port 7777):
Code:
iptables -t nat -A PREROUTING -p TCP -i $EXTERNAL --dport 80 \
-j DNAT --to-destination 192.168.1.145:7777

iptables -A FORWARD -p TCP -i $EXTERNAL -o $INTERNAL --dport 7777 \
-d 192.168.1.145 -m state --state NEW -j ACCEPT

Last edited by win32sux; 07-21-2007 at 07:14 PM. Reason: Typo.
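The rule set in the second example above makes two separate decisions for each outbound connection: nat/PREROUTING decides whether a port-80 SYN from the LAN is REDIRECTed to DansGuardian or left alone (the "! --src-range" exception), and then either filter/INPUT (for redirected packets, which are now addressed to the gateway itself) or filter/FORWARD (for bypassed packets) decides whether it is accepted at all. The following Python model is an added example written for this thread, not code from the post or from any of the projects involved; it assumes the interface names eth1/eth0 for $INTERNAL/$EXTERNAL and uses the post's own LAN subnet and bypass range. The packets fed through it are constructed. It goes slightly beyond the post by showing what happens to a host on the internal interface whose address is outside the LAN subnet, and to a non-port-80 connection.

```python
import ipaddress

# Assumed interface names; the post uses the shell variables $INTERNAL and $EXTERNAL.
INTERNAL = "eth1"
EXTERNAL = "eth0"
LAN = ipaddress.ip_network("192.168.1.0/24")
# Hosts that must go out unproxied: the "-m iprange ! --src-range" exception in the post.
BYPASS_LO = ipaddress.ip_address("192.168.1.65")
BYPASS_HI = ipaddress.ip_address("192.168.1.79")
DG_PORT = 8080          # DansGuardian's filterport

def make_syn(src, dport=80, in_if=INTERNAL, out_if=EXTERNAL):
    """A constructed TCP SYN (conntrack state NEW) as the gateway sees it."""
    return {"proto": "tcp", "src": ipaddress.ip_address(src), "dport": dport,
            "in": in_if, "out": out_if, "state": "NEW"}

def nat_prerouting(pkt):
    """nat PREROUTING, policy ACCEPT. Port-80 SYNs arriving on $INTERNAL are
    REDIRECTed to DansGuardian unless the source lies inside the bypass range."""
    if (pkt["in"] == INTERNAL and pkt["proto"] == "tcp" and pkt["dport"] == 80
            and not (BYPASS_LO <= pkt["src"] <= BYPASS_HI)):
        return {**pkt, "dport": DG_PORT, "redirected": True}
    return {**pkt, "redirected": False}

def filter_input(pkt):
    """filter INPUT, policy DROP. Besides lo and RELATED,ESTABLISHED, only NEW
    connections to 8080 arriving on $INTERNAL from the LAN subnet are accepted."""
    if pkt["in"] == "lo" or pkt["state"] in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if (pkt["proto"] == "tcp" and pkt["in"] == INTERNAL and pkt["dport"] == DG_PORT
            and pkt["src"] in LAN and pkt["state"] == "NEW"):
        return "ACCEPT"
    return "DROP"

def filter_forward(pkt):
    """filter FORWARD, policy DROP. Only NEW LAN->WAN port-80 flows (plus
    RELATED,ESTABLISHED) are forwarded; MASQUERADE in POSTROUTING then
    rewrites the source address of whatever made it through."""
    if pkt["state"] in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if (pkt["proto"] == "tcp" and pkt["in"] == INTERNAL and pkt["out"] == EXTERNAL
            and pkt["dport"] == 80 and pkt["state"] == "NEW"):
        return "ACCEPT"
    return "DROP"

def fate(src, dport=80, in_if=INTERNAL):
    """Run one SYN through the chains in netfilter order and say where it ends up.
    A REDIRECTed packet is delivered locally, so INPUT judges it; anything else
    is routed, so FORWARD judges it."""
    pkt = nat_prerouting(make_syn(src, dport, in_if))
    if pkt["redirected"]:
        return "dansguardian" if filter_input(pkt) == "ACCEPT" else "dropped-by-INPUT"
    return "direct" if filter_forward(pkt) == "ACCEPT" else "dropped-by-FORWARD"

if __name__ == "__main__":
    for host in ("192.168.1.10", "192.168.1.70", "192.168.1.80", "10.0.0.5"):
        print(host, "->", fate(host))
    print("192.168.1.10:443 ->", fate("192.168.1.10", dport=443))
```

Two results are worth noticing. A machine plugged into the internal interface with an address outside 192.168.1.0/24 is still redirected by PREROUTING but then refused by INPUT, so it gets no web access at all rather than an unfiltered path. And port 443 is neither redirected nor forwarded by this rule set, which is consistent with the post, where only HTTP is being discussed.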
 
Old 07-21-2007, 07:30 PM   #3
jlw253
LQ Newbie
 
Registered: Jul 2007
Posts: 4

Original Poster
Cleaner iptables but still empty URI when redirected

Yes. The second iptables line (from $EXTERNAL) was backwards but wasn't the real issue as the previous line actually caught the traffic I was interested in and did the forcing over to dg on the way out.

You have pointed me in a good direction for my next iptables (discriminating between internal IPs that should be forced through DG and those that should not.)

I've reduced the relevant section of iptables to:

iptables -t nat -A PREROUTING -i $INTERNAL -p tcp --dport 80 -j REDIRECT --to-port 8080

Works fine. All "direct" traffic is forced through dg and then over to squid. Item #4 is checked off the list.

There's an implicit #5 where dg and squid communicate properly. This works no problem for me when browsers use an explicit proxy and point requests right at dg (ADA_IP:8080). It doesn't work (everything except iptables is EXACTLY the same) and the URI passed from dg to squid is empty. I end up with a squid error instead of the page I'd requested.

With the iptables REDIRECT in place, if I point a PC out through dg directly it works fine. If I make no changes on the server and only change the PC to route "direct", so that iptables redirects to DG, I get the squid error.

I don't think this is an issue with the iptables setup, as the redirect is working and the request that goes from dg to squid has the proper HTTP request header, just an empty URI.

Any way to increase the dansguardian logging to see what's really happening?

Thanks again - Jackson
 
Old 07-21-2007, 08:10 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Not sure how to increase DG's logging beyond 3.

BTW: Are you sure you have Squid in transparent mode?

For Squid 2.5 it's like:
Code:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
On Squid 2.6 I think it's like:
Code:
http_port 127.0.0.1:3128 transparent

Last edited by win32sux; 07-21-2007 at 08:25 PM.
 
Old 07-21-2007, 11:01 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

I just tried an experiment: I set up a Squid box, configured iptables for transparent proxying, but did *not* set the "transparent" option in squid.conf, and the result was symptoms just like what you describe.
Code:
2007/07/21 22:55:33| parseHttpRequest: Client HTTP version 1.1.
2007/07/21 22:55:33| parseHttpRequest: Method is 'GET'
2007/07/21 22:55:33| parseHttpRequest: URI is '/'
2007/07/21 22:55:33| parseHttpRequest: req_hdr = {Host: www.wikipedia.org
2007/07/21 22:55:33| parseHttpRequest: end = {}
2007/07/21 22:55:33| parseHttpRequest: prefix_sz = 417, req_line_sz = 16
2007/07/21 22:55:33| parseHttpRequest: Request Header is
2007/07/21 22:55:33| parseHttpRequest: Client HTTP version 1.1.
2007/07/21 22:55:33| parseHttpRequest: Method is 'GET'
2007/07/21 22:55:33| parseHttpRequest: URI is '/favicon.ico'
2007/07/21 22:55:33| parseHttpRequest: req_hdr = {Host: www.wikipedia.org
2007/07/21 22:55:33| parseHttpRequest: end = {}
2007/07/21 22:55:33| parseHttpRequest: prefix_sz = 348, req_line_sz = 27
2007/07/21 22:55:33| parseHttpRequest: Request Header is
Setting "transparent" in squid.conf fixes the problem on my test box, so I think it'll fix it for you also.

The Squid error page I would get read:
Quote:
The following error was encountered:

* Invalid Request

Some aspect of the HTTP Request is invalid. Possible problems:

* Missing or unknown request method
* Missing URL
* Missing HTTP Identifier (HTTP/1.0)
* Request is too large
* Content-Length missing for POST or PUT requests
* Illegal character in hostname; underscores are not allowed
I'm posting it for Google's spiders.

Last edited by win32sux; 07-21-2007 at 11:03 PM.
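The log above shows exactly why the "transparent" option matters. A browser that knows it is talking to a proxy sends an absolute request line ("GET http://www.lycos.com/ HTTP/1.1"), so the proxy gets the full URL for free. A browser whose connection has been silently REDIRECTed by iptables believes it is talking to the origin server and sends the origin form ("GET / HTTP/1.1") with the host name only in the Host header; a proxy that has not been told it is transparent sees the URI '/' and rejects the request as "Missing URL", while in transparent mode it rebuilds the URL from the Host header. The parser below is an added illustration of that reconstruction, written for this thread; it is not Squid's code and does not claim to mirror Squid's internals. The two sample requests are constructed to match the URIs quoted in the thread.

```python
from urllib.parse import urlsplit

class InvalidRequest(ValueError):
    """The condition Squid reports as 'clientReadRequest: ... Invalid Request'."""

def parse_request(raw: bytes, transparent: bool) -> dict:
    """Parse a raw HTTP request head and return the absolute URL the proxy
    should fetch. In transparent mode an origin-form target is completed from
    the Host header; otherwise it is rejected, which is the thread's failure."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    fields = lines[0].split(" ")
    if len(fields) != 3:
        raise InvalidRequest("Missing or unknown request method")
    method, target, version = fields
    if not version.startswith("HTTP/"):
        raise InvalidRequest("Missing HTTP Identifier (HTTP/1.0)")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise InvalidRequest("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()

    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        url = target                      # absolute form: explicit proxy setting
    elif target.startswith("/"):          # origin form: client thinks we are the server
        if not transparent:
            raise InvalidRequest("Missing URL")
        host = headers.get("host")
        if not host:                      # HTTP/1.0 clients may omit Host entirely
            raise InvalidRequest("Missing URL (no Host header to rebuild it from)")
        url = "http://%s%s" % (host, target)
    else:
        raise InvalidRequest("Missing URL")
    return {"method": method, "url": url, "version": version, "headers": headers}

def uri_seen_by_proxy(raw: bytes, transparent: bool) -> str:
    """Convenience wrapper: the URL the proxy would fetch, or the error text."""
    try:
        return parse_request(raw, transparent)["url"]
    except InvalidRequest as exc:
        return "Invalid Request: %s" % exc

# Constructed samples: the same kind of page fetch via an explicit proxy setting
# and via an iptables REDIRECT of a "direct" connection.
EXPLICIT = b"GET http://www.lycos.com/ HTTP/1.1\r\nHost: www.lycos.com\r\n\r\n"
REDIRECTED = b"GET /favicon.ico HTTP/1.1\r\nHost: www.wikipedia.org\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("explicit", EXPLICIT), ("redirected", REDIRECTED)):
        for mode in (False, True):
            print("%-10s transparent=%-5s -> %s" % (label, mode, uri_seen_by_proxy(raw, mode)))
```

Note that the explicit-proxy request is accepted in both modes, which matches the observation in post #3 that browsers pointed straight at ADA_IP:8080 kept working while only the redirected ones failed.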
 
Old 07-22-2007, 03:29 PM   #6
jlw253
LQ Newbie
 
Registered: Jul 2007
Posts: 4

Original Poster
That's it

Though I'm sure I'd tried "transparent" earlier in the process, it likely got wrapped up and undeservingly dismissed along the way.

Adding "transparent" following the http_port option did the trick.

My version of squid (2.6.13-2) complained about the httpd_accel attributes, though. Research indicates that those options have changed considerably for Squid 3 and I guess it's possible that they've changed somewhere between 2.5 and 2.6 (which I'm using.)

Suffice it to say, though, all I needed was the "transparent" option.

Thanks for your detailed help. Hopefully someone with the same problem can find this thread helpful in the future.

- Jackson
 
  

