LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Prevent user bypassing DansGuardian (https://www.linuxquestions.org/questions/linux-security-4/prevent-user-bypassing-dansguardian-805869/)

Aatifali 05-04-2010 11:26 AM
Prevent user bypassing DansGuardian
 
I need urgent help
Configuration are follows
Proxy = Squid 3.1 running on port 8080 (Transparent)
(without http_port virtual etc. its running fine)
http_port 127.0.0.1:8080
If required I will post my configuration files as well

Filtering = Dansguardian 2.10 running on port 3128

LAN IP's = 192.168.0.0/255.255.0.0
eth0 = 192.168.0.47/255.255.0.0 LAN Interface
eth0:1 = 192.168.0.61/255.255.0.0 (Virtually External Interface)

As we have no dual interfaces on single machine, we have only gateway/firewall address with DNS

IP Forwarding
Enable IP forwarding by modifying the value of net.ipv4.ip_forward = 1 in /etc/sysctl.conf
because our LAN users need to access mail servers out side our LAN

Redirecting Port 80 traffic to 3128 through IP tables
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 8080 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -d 192.168.0.61 -p tcp --dport 80 -j REDIRECT --to-port 3128

Every thing working perfect filtering with Dansguardian and other things by enforcing proxy address in browser
When I configured browser with no proxy, and configure (192.168.0.47) as a gateway. Users are able to access those site which are restricted

One more thing sometimes its working with the above settings sometimes not. Means sometime it filter the browsing sometime it doesn't.

Could any one help me, it's the first time that I have raised a question on linuxquestion.org, because I have to resolve this issues on urgent basis.

Thanks in advance

TB0ne 05-04-2010 12:51 PM
Quote:
Originally Posted by Aatifali (Post 3957008)
I need urgent help
Configuration are follows
Proxy = Squid 3.1 running on port 8080 (Transparent)
(without http_port virtual etc. its running fine)
http_port 127.0.0.1:8080
If required I will post my configuration files as well

Filtering = Dansguardian 2.10 running on port 3128

LAN IP's = 192.168.0.0/255.255.0.0
eth0 = 192.168.0.47/255.255.0.0 LAN Interface
eth0:1 = 192.168.0.61/255.255.0.0 (Virtually External Interface)

As we have no dual interfaces on single machine, we have only gateway/firewall address with DNS

IP Forwarding
Enable IP forwarding by modifying the value of net.ipv4.ip_forward = 1 in /etc/sysctl.conf
because our LAN users need to access mail servers out side our LAN

Redirecting Port 80 traffic to 3128 through IP tables
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 8080 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -d 192.168.0.61 -p tcp --dport 80 -j REDIRECT --to-port 3128

Every thing working perfect filtering with Dansguardian and other things by enforcing proxy address in browser
When I configured browser with no proxy, and configure (192.168.0.47) as a gateway. Users are able to access those site which are restricted

One more thing sometimes its working with the above settings sometimes not. Means sometime it filter the browsing sometime it doesn't.

Could any one help me, it's the first time that I have raised a question on linuxquestion.org, because I have to resolve this issues on urgent basis.

Thanks in advance
First, this is not 'urgent' for anyone here. We volunteer our time, so if you need **URGENT** support, use a distro that you pay for, and they'll be there for you.

And if I'm understanding what you wrote...your proxy is working fine...except when you bypass it? Yep...that sounds about right. If you don't want people to get out, block any other path.

orgcandman 05-04-2010 03:30 PM
Your network currently looks like:

Code:
Sys.  Sys.  Sys.  Proxy  Gateway
  []    []    []    []    []
[    ] [    ] [    ] [    ] [    ]
  |______|______|______|_____|

Figure 1: All systems on either the same segments, or multiple switched segments.
A solution could be:

Code:
Sys.  Sys.  Sys.  Proxy  Gateway
  []    []    []    []    []
[    ] [    ] [    ] [    ] [    ]
  |______|______|____|  |_____|

Figure 2: Two segments are coming from Proxy and are used to provide an exclusive tunnel.
It is left as an exercise to the reader to come up with other ways of making this work, or implement this at will.

Aatifali 05-05-2010 02:55 AM
Dear All,
Thanks for your help and assistance, Next time I will be careful about “URGENT”
The scenario here is

I need to provide internet access to our users transparently as they don't need to know about the proxy address. We have a router in place, through which I am accessing internet. Now I need to provide filtered internet to all of our users in the following way

[Internet]

| [Router/Gateway]
|
| [Squid/Dansguardian]
|
| [Client PCs]


PCs PCs PCs Proxy(Squid+Dansguardian) Gateway(Router)
[] [] [] [] []
[ ] [ ] [ ] [ ] [ ]
|______|_________|________________|___________________|


All are well connected with switches on a same segment.
Client PC's only has the access on Squid machine to get the internet. I want to do some magic with IP tables that the web traffic goes through DansGuardian---> Squid for filtration purpose. Remaining POP and SMTP traffic route through gateway without any interception.

Hope above will clear the situation and requirements

Once again thanks in advance

Aatifali 05-06-2010 08:10 AM
Thanks guys
I think i was unable to demonstrate my problem, But finally I got the solution


http://ubuntuforums.org/archive/index.php/t-479407.html


All times are GMT -5. The time now is 12:09 PM.