LinuxQuestions.org - Linux - Security
iptables nat on raspbian pi with squid and dansguardian (https://www.linuxquestions.org/questions/linux-security-4/iptables-nat-on-raspbian-pi-with-squid-and-dansguardian-4175547163/)

Blue_Ice 07-03-2015 01:41 PM

iptables nat on raspbian pi with squid and dansguardian
 
I am a bit stuck on the configuration of iptables. I am trying to filter the traffic on port 80, which should go through Squid and Dansguardian. The server I am using is set up with Raspbian and iptables is configured as a NAT.

I have added 2 rules for Squid and Dansguardian. But when I enable them, they do not give me the wanted result. Actually I cannot load any page on port 80. When I disable these rules, the normal rules apply for port 80 and I am able to load pages. However now they are not filtered.

Code:

*mangle
:PREROUTING ACCEPT [106:9308]
:INPUT ACCEPT [53:3362]
:FORWARD ACCEPT [49:5746]
:OUTPUT ACCEPT [55:7996]
:POSTROUTING ACCEPT [100:13318]
COMMIT
*nat
:PREROUTING ACCEPT [17:1474]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [0:0]

# Beginning of the rules causing the issue
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -o eth0 -p tcp -m owner ! --uid-owner 13 -m tcp --dport 80 -j REDIRECT --to-ports 8080
# End of the rules causing the issue

-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [15:1154]
:FORWARD DROP [4:424]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT

Can someone help me to solve this? It is probably something very simple, but I am not able to find the solution.

TIA

lazydog 07-03-2015 05:50 PM

Are your Squid and Dansguardian services on the same box as the firewall or on another one?

Blue_Ice 07-03-2015 07:36 PM

Everything is on the same box. Is that even possible?

salasi 07-04-2015 02:27 PM

i) Yes, possible, but possibly slow.
ii) I don't know anything about Dansguardian, but have a link:
Link

I think that you need to tell us more about how the system is structured; what happens to eth0 and eth1, for example, and what is set as the 'listen on' port for squid (and probably stuff about dansguardian, but, as I implied earlier, I don't even know what questions to ask).

I think that there is also a potential problem with the handling of port 53, but that isn't this problem.

Blue_Ice 07-04-2015 06:10 PM

I already found it myself, although triggered by your replies...
I was missing the following line:
Code:

-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
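
A check for the gap hit in this thread, added here as an example and not code from the thread: it reads an iptables-save dump and reports every nat REDIRECT target port that the filter INPUT chain does not accept, which is exactly the rule that was missing above. The function name and the two sample rulesets are constructed for this example.

```sh
# Lint an iptables-save dump for the gap in this thread: nat REDIRECT rewrites
# --dport 80 to 8080, so the packet reaches filter INPUT with dport 8080 and,
# under ':INPUT DROP', dies unless INPUT accepts that port. The awk script
# collects '--to-ports N' from REDIRECT rules in *nat and '--dport N' from
# accepting INPUT rules in *filter, then reports any unmatched port.
# Limitation: single ports only (no port ranges, no multiport --dports).
# Usage: iptables-save | check_redirect_ports      (or pass a dump file path)
check_redirect_ports() {
    awk '
        /^\*/ { table = substr($0, 2) }                  # *nat, *filter, ...
        table == "nat" && /-j REDIRECT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--to-ports") redirected[$(i + 1)] = $0
        }
        table == "filter" && /^-A INPUT / && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport") accepted[$(i + 1)] = 1
        }
        END {
            missing = 0
            for (p in redirected)
                if (!(p in accepted)) {
                    printf "MISSING: \"%s\" -> port %s, but no filter INPUT rule accepts --dport %s\n", redirected[p], p, p
                    missing++
                }
            if (missing == 0) print "OK: every REDIRECT target port is accepted by filter INPUT"
            exit missing                                 # exit status = number of gaps
        }
    ' "${1:--}"
}

# Constructed samples (not the poster's full dump): the nat REDIRECT from the
# thread with a filter INPUT that only accepts port 80, then the same ruleset
# with the line the poster found was missing.
SAMPLE_BROKEN='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT'
SAMPLE_FIXED="${SAMPLE_BROKEN%COMMIT}-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
COMMIT"

printf '%s\n' "$SAMPLE_BROKEN" | check_redirect_ports || echo "lint exit status: $?"   # MISSING ..., status 1
printf '%s\n' "$SAMPLE_FIXED"  | check_redirect_ports                                  # OK ..., status 0
```

Run it against the live box with `iptables-save | sh -c '. ./check.sh; check_redirect_ports'` after saving the function to a file; a non-zero exit status means a redirected port has no INPUT accept rule.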

