Help needed with Squid and Dansguardian on Fedora 12
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Help needed with Squid and Dansguardian on Fedora 12
I've been pulling my hair out and can't figure out what's wrong. I have dhcp, squid, and dansguardian all running on my server, but when I point a client to it for a proxy (192.168.1.15:8080) and try to get to a website, nothing happens and the connection times out. When I don't bother with the proxy, the client has no trouble getting to the internet.
I've verified I can ping the server and gateway from both machines. And the services are running, no errors noted in the logs.
Do I need to do any iptables or selinux changes?
My network is very basic, several clients on the same network as the server, connected to a verizon gateway. Local addresses are 192.168.1.x. The server is 192.168.1.15, gateway is 192.168.1.1.
Any help for what to do or where to look appreciated.
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.1.0/32 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localdomain src 192.168.1.15
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
My dansguardian.conf is all defaults at this point.
I have no idea how to do this, I've been reading various threads and websites, which all have various instructions for making a transparent proxy server, but I'm not sure this is what I want. I only have one ethernet card in the server, my plan is to give all clients addresses above 192.168.1.100 and then have the gateway filter any direct access from those IP's. So if a client doesn't go through the proxy, it won't get to the internet.
Help needed, I'm a bit clueless here.
Here is the output of iptables -L:
Quote:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
you are aware that fedora 12 is past it's END OF LIFE
there has been no support since Dec. 2 2010 ,and there will never be any .
NO bug fixes,NO security updates ,NO new software , NO nothing .
are you saying that iptables has changed dramatically and I shouldn't bother trying to make this work?
I don't think this is so much a problem with fedora 12 as that I need some help understanding how to modify iptables to make it work.
Let me know if I am wrong on this. I don't really relish the though of rebuilding my linux server at this point... everything works and has for a long time... just trying to add some functionality.
no iptables has not changed much
HOWEVER there will NEVER be any security fixes to the End Of Life fedora 12
NO NEW third party bugfixes or up to date rpms for it.
NO newer version of Dansguardian & Squid UNLESS you build ALL the dependencies from source FIRST , then them from source.
NO new version of ClamAV unless you build it from source ( no new rpm)
How is your network connections? Can you show it with a crude diagram here? And you need two ethernet cards for proxy to be running. One card should be connected to the internet and the other to the internal network on which the squid service should listen. Is this how your network is designed?
And you can think of having it to be transparent later when you have your proxy running fine. Let the clients get to the internet through proxy. Then worry about making it transparent.
So I went ahead and upgraded to Fedora 14 (hopefully that will stop the peanut gallery from complaining ;-)
As previously noted, though, nothing has changed, output from iptables -L is still the same, same issue going on.
My network config is very simple. I have a bunch of clients all connected directly through the router to the internet. The Linux box is NOT the router.
My intention is to have those clients needing direct internet access assigned static IP's on my network, while all other addresses will be filtered by the router to disallow direct access to the internet. They will be forced to go through a proxy.
I know it's probably not the most secure system in the world, but for my purposes, it will work just fine.
So network traffic will flow from the client computers into eth0 on the Linux server to access the proxy, then out through eth0 on the Linux server to the Internet, with a similar return path.
Question is, how do I set up iptables to accept traffic from the clients and forward the valid traffic on?
Your linux server can either listen on eth0 for client requests or connect to internet. How can you connect a single interface to both the connections? Am I still confused? Why dont you draw a small network diagram and show us how you want your network to be and where you want your proxy to be connected?
My network, there is only a single network card on the linux server.
router <-->
|<--> Linux Server (eth0)
|<--> client 1
|<--> client 2
|<--> ...
|<--> client n
Why can the traffic not flow from client to server, be filtered by the proxy, and then back out through the server?
There's no physical reason this won't work, will the software reject this configuration for some reason?
(ETA, sorry, couldn't get the forum tools to display the ASCII network diagram very well. Suffice it to say, All machines (including the Linux server) are connected directly to the same router.)
Just a minute. You need two interfaces for your proxy to work as the way you want. Right now your linux system is connected to the internet the same way your other clients are. And they are directly connected to the internet. What you should do is add one more interface that will face internet. And let eth0 face the clients. And run squid service listening on eth0.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.