LinuxQuestions.org
Old 04-15-2006, 01:13 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
proxy/dansguardian trouble


This is my network:

Firewall
|
|
|
PROXY(Squid/Dansguardian)
|
|
|
workstation-------(Thunderbird)

I use Squid for a proxy and Dansguardian for filtering. When I try to set up POP3 using Thunderbird it does not work. I have set up the proxy settings in Thunderbird and also cleared the settings in Thunderbird and it still does not work. I ran a traceroute and it stops at my proxy. I can ping the MTA/SMTP server from my proxy so I know it is my proxy. I looked at the filter rules in Dansguardian and I do not see anything unusual. I don't think that I understand this correctly, but I thought that using a proxy (I have all my internet traffic going through port 3128) only affects websites that want to be accessed. I have even whitelisted the mail domain in Dansguardian, for example mail.verizon.net, and still I cannot get to the domain.

Last edited by metallica1973; 04-17-2006 at 09:37 AM.
 
Old 04-17-2006, 01:11 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Dansguardian is an HTTP content filter. Why do you think that it is related to the routing of POP3 packets? You need to enable IP forwarding to make the box actually route traffic.
 
Old 04-17-2006, 09:43 AM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
But isn't my proxy server already routing traffic? Any of my workstations on my network can go to the internet through my proxy. Let me clarify myself. I can ping mail.verizon.net from my proxy but I cannot ping that same mail.verizon.net from behind my proxy from any workstation, so therefore I cannot use my POP3 using Thunderbird.

Firewall
|
|
|
PROXY(Squid/Dansguardian)
(mail.verizon.net can be pinged from here)
|
|
|
workstation-------(Thunderbird)
(mail.verizon.net cannot be pinged from this point)
 
Old 04-17-2006, 09:52 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
An HTTP proxy does not route a single thing. That's what a proxy is there for: to not need to route traffic. With a proxy, you ask the proxy server to go away and get a webpage for you. Without a proxy it is you that goes out onto the web to get the HTTP data. If your proxy server was doing routing then you would be able to ping from behind it, not just on it. That's the first thing you'd do to test whether you're routing or not: can I ping google.com?

So you need to enable IP forwarding and masquerading on your proxy machine to let it act as a router too.
 
Old 04-17-2006, 10:55 AM   #5
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
So what I have to do is enable iptables and add:

ECHO 1 > /PROC/SYS/IPV4/IP_FORWARD
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

Would that be sufficient, or is there a preferred method? Thanks.
 
Old 04-17-2006, 12:14 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
That would work if 1) it was in the right case and 2) you realise that $EXTIF is a variable for the script this was copied from, and would be replaced by your external NIC alias if you just use those commands directly.

I would personally recommend using a firewall tool like Firestarter, which as well as giving you a decent firewall config will enable tweaks like this for erm.. "free" as it were.
 
Old 04-18-2006, 12:10 AM   #7
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I'll give it a shot. Thanks
 
Old 04-20-2006, 11:36 PM   #8
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I made some adjustments and it worked like a charm.

Last edited by metallica1973; 04-21-2006 at 12:27 AM.
 
Old 04-21-2006, 12:23 AM   #9
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
You were right, acid_kewpie, it was the routing. This is what I did to resolve the issue, for future readers:

1 - Redesigned my network and realized that routers cannot route in the same subnet (Lesson Learned). Ex 192.168.3.0 <<--->> 192.168.3.0

2 - After I designed my new network I used nmap, traceroute and ping to troubleshoot any issues that I was having with routing and security.

3 - Designed a very basic firewall script to route to my different subnets for my Proxy/Router.

4 - I had to make some minor adjustments to my squid.conf (Squid) and dansguardian (content filter) to get them to point to the correct interfaces and/or IP address.

5 - Finally I was able to use POP3 (110) and SMTP (25), and was able to use Thunderbird and other services outside of my network.

6 - After several hours of a tedious but meaningful learning experience I bought a huge bottle of wine and gladly celebrated! Cheers!!!!!

Here is the end result from a not routing network to a routing OneHop network:

Firewall
(192.168.3.0)
|
|
(192.168.3.0)
PROXY(Squid/Dansguardian)
(192.168.3.0)
(mail.verizon.net can be pinged from here)
|
|---------------------Wireless AP-----Laptops - Thunderbird
| (mail.verizon.net cannot be pinged from this point)
(192.168.3.0)
workstation-------(Thunderbird)
(mail.verizon.net cannot be pinged from this point)

New Network

Filtering Firewall
(192.168.2.0)
|
|
(192.168.3.0)
PROXY/Router-no filtering(Squid/Dansguardian)
(192.168.4.0)
(successful reply from mail.verizon.net)
|
|---------------------Wireless AP-----Laptops - Thunderbird
| (successful reply from mail.verizon.net)
(192.168.4.0)
workstations-------(Thunderbird)
(successful reply from mail.verizon.net )

Last edited by metallica1973; 04-21-2006 at 05:48 PM.
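
The forwarding and masquerading commands from post #5, with the case and path corrected and combined with a default-deny FORWARD chain for the mail ports named in post #9. This is an added example, not the poster's firewall script (which the thread does not show); the interface names `eth0`/`eth1` and the `/24` mask are assumptions.

```shell
#!/bin/sh
# Added example. Prints (does not run) the commands; review, then run as root.
# Interface names and the /24 mask are assumptions, not from the thread.

render_router_rules() {
    extif=$1; lanif=$2; lan=$3
    # The output is meant to be executed as root, so reject anything that is
    # not a plain interface name or an IPv4 CIDR.
    for ifc in "$extif" "$lanif"; do
        case $ifc in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: '$ifc'" >&2; return 1 ;;
        esac
    done
    [ "$extif" != "$lanif" ] || { echo "EXTIF and LANIF must differ" >&2; return 1; }
    case $lan in
        *[!0-9./]*|*/*/*) echo "bad LAN CIDR: '$lan'" >&2; return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "bad LAN CIDR: '$lan'" >&2; return 1 ;;
    esac

    # Default-deny forwarding first, so the box never routes unfiltered.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only POP3 (110) and SMTP (25) from the LAN are forwarded; web traffic
    # still has to go through Squid/Dansguardian on the box itself.
    for port in 110 25; do
        echo "iptables -A FORWARD -i $lanif -o $extif -s $lan -p tcp --dport $port -j ACCEPT"
    done
    # Lets workstations ping out, the routing test used in the thread.
    echo "iptables -A FORWARD -i $lanif -o $extif -s $lan -p icmp --icmp-type echo-request -j ACCEPT"
    # \$EXTIF from the post is replaced by the real external interface.
    echo "iptables -t nat -A POSTROUTING -o $extif -s $lan -j MASQUERADE"
    # Correct case and full path; enabled last, once the filter is in place.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Constructed sample values: eth0 faces the firewall, eth1 the workstations.
render_router_rules eth0 eth1 192.168.4.0/24
```

DNS lookups for the mail host are assumed to be answered by the proxy box or another resolver on the LAN; if they are not, port 53 has to be allowed through FORWARD as well.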
 