LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 05-30-2006, 02:23 PM   #46
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559


Well then I'd like to see the output of
Code:
iptables -t nat -L -n --line-numbers
which will show the current NAT firewall ruleset.

Something must be wrong in the firewall rules, in that case. Also, please post your current output of
Code:
cat /etc/rc.d/rc.firewall | grep -v "^$" | grep -v "^#"
with transparent proxying enabled but nonfunctional - maybe there is another script or application that messes with the firewall?

Eric
 
Old 05-30-2006, 06:31 PM   #47
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
I will post the results of those commands after dinner. Eric, I really appreciate all that you have done for me and my school. This whole project has taught me quite a bit about networking that I never knew. Once we conquer the transparent proxy problem, then we should have a VERY SWEET content filter!
 
Old 05-30-2006, 07:08 PM   #48
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

I enjoyed this thread a lot - it finally gave me a much needed push to build the required packages and implement a transparent proxy for my son's PC in the LAN :-)
Also, I see that Slackware Dansguardian users might soon find their way to my package: http://dansguardian.org/downloads/2/Alpha/slackware.txt

Now, it is time to sleep.

Eric
 
Old 05-30-2006, 09:45 PM   #49
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Here is the output of "iptables -t nat -L -n --line-numbers"

Code:
root@scs:~# iptables -t nat -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Problem #1....rc.firewall was NOT loading on startup. I believe I have fixed that. The NEW output is...
Code:
root@scs:/etc/rc.d# iptables -t nat -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 redir ports 8080

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Something tells me we're not SUPPOSED to have so many zeros in there.

Here is the output for "cat /etc/rc.d/rc.firewall | grep -v "^$" | grep -v "^#""

Code:
SYSCTL="/sbin/sysctl -w"
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
INET_IFACE="eth0"
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.2.1"
LOCAL_NET="192.168.2.0/24"
LOCAL_BCAST="192.168.2.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"
if [ "$1" = "save" ]
then
        echo -n "Saving firewall to /etc/sysconfig/iptables ... "
        $IPTS > /etc/sysconfig/iptables
        echo "done"
        exit 0
elif [ "$1" = "restore" ]
then
        echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
        $IPTR < /etc/sysconfig/iptables
        echo "done"
        exit 0
fi
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi
echo "Flushing Tables ..."
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
        echo "Firewall completely flushed!  Now running with no firewall."
        exit 0
fi
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
SYSCTL="/sbin/sysctl -w"
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
INET_IFACE="eth0"
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.2.1"
LOCAL_NET="192.168.2.0/24"
LOCAL_BCAST="192.168.2.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"
if [ "$1" = "save" ]
then
        echo -n "Saving firewall to /etc/sysconfig/iptables ... "
        $IPTS > /etc/sysconfig/iptables
        echo "done"
        exit 0
elif [ "$1" = "restore" ]
then
        echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
        $IPTR < /etc/sysconfig/iptables
        echo "done"
        exit 0
fi
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi
echo "Flushing Tables ..."
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
        echo "Firewall completely flushed!  Now running with no firewall."
        exit 0
fi
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
    --log-prefix "Illegal source: "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.2.1"
LOCAL_NET="192.168.2.0/24"
LOCAL_BCAST="192.168.2.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"
if [ "$1" = "save" ]
then
        echo -n "Saving firewall to /etc/sysconfig/iptables ... "
        $IPTS > /etc/sysconfig/iptables
        echo "done"
        exit 0
elif [ "$1" = "restore" ]
then
        echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
        $IPTR < /etc/sysconfig/iptables
        echo "done"
        exit 0
fi
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi
echo "Flushing Tables ..."
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
        echo "Firewall completely flushed!  Now running with no firewall."
        exit 0
fi
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
    --log-prefix "Illegal source: "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
     -j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
$IPT -A tcp_inbound -p TCP -j RETURN
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
echo "Process INPUT chain ..."
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
     -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "INPUT packet died: "
echo "Process FORWARD chain ..."
$IPT -A FORWARD -p ALL -j bad_packets
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FORWARD packet died: "
echo "Process OUTPUT chain ..."
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "OUTPUT packet died: "
echo "Load rules for nat table ..."
$IPT -t nat -A PREROUTING -p tcp --destination-port 80 \
     -j REDIRECT --to-ports 8080
$IPT -t nat -A PREROUTING -p tcp --destination-port 443 \
     -j REDIRECT --to-ports 8080
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
echo "Load rules for mangle table ..."
 
Old 05-31-2006, 03:46 AM   #50
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Quote:
Originally Posted by tubatodd
# iptables -t nat -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 8080

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Something tells me we're not SUPPOSED to have so many zeros in there.
This looks better. The fact that the rc.firewall did not load was of course not helping :-)

But with these NAT rules, are you still not able to transparently browse using Dansguardian?

Did you remember to remove the proxy settings in your browser every time you tested if the transparent proxy works?

By the way, the rc.firewall script you pasted in that last post, was so completely screwed up that I hope this was the result of incorrect multiple copy/pastes into the "new post" window... because parts of the script keep repeating themselves and what you posted would not work by my estimate.

Eric
 
Old 05-31-2006, 01:18 PM   #51
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Quote:
Originally Posted by Alien Bob
But with these NAT rules, are you still not able to transparently browse using Dansguardian?
NO

Quote:
Did you remember to remove the proxy settings in your browser every time you tested if the transparent proxy works?
YES

Quote:
By the way, the rc.firewall script you pasted in that last post, was so completely screwed up that I hope this was the result of incorrect multiple copy/pastes into the "new post" window... because parts of the script keep repeating themselves and what you posted would not work by my estimate.
I don't know what happened to my rc.firewall, but you were right, it had duplicate entries. Now I fixed the problem by using your firewall generator, made sure to use the proper internal network settings AND enabled a transparent proxy, transparent proxy with ip forwarding and ip forwarding by itself. I tried them all (3 different rc.firewall files tested separately)...no luck.

Any ideas?
 
Old 05-31-2006, 01:24 PM   #52
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Well... post your current rc.firewall? So far, you've had a zillion firewall scripts and none were really OK.
Plus, when it is active, also again post the output of
Code:
iptables -t nat -L -n --line-numbers
Eric
 
Old 05-31-2006, 01:50 PM   #53
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Now I am getting frustrated (as if I wasn't already frustrated). Here's the deal. I used your firewall generator. I said that the WAN was eth0 and the internal network was eth1 192.168.2.1 and made sure each of the other options regarding eth1 started with 192.168.2.<whatever>. Then I selected the transparent proxy option ONLY (no ip forwarding) and put 8080 in the "Redirect" field as the help instructions suggested. Finally, I saved the output file in my /etc/rc.d folder as rc.firewall. Finally, I made sure that rc.firewall is executable (which it is). My /etc/rc.d/rc.M file contains the following lines at the end of the file in order to guarantee that the rc.firewall will execute:

rc.M
Code:
...
# Start the FIREWALL....DON'T FORGET THE FIREWALL!!
if [ -x /etc/rc.d/rc.firewall ]; then
  . /etc/rc.d/rc.firewall start
fi

# Start the local setup procedure.
# Since tinyproxy and dansguardian are BOTH loaded from this file
# AND since the firewall MUST be loaded BEFORE tinyproxy and dansguardian
# are loaded, you will notice rc.local is LAST
if [ -x /etc/rc.d/rc.local ]; then
  . /etc/rc.d/rc.local
fi
...
Next I rebooted my system.

Here are the results of the "iptables -t nat -L -n --line-numbers"

Code:
root@scs:~# iptables -t nat -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
GARBAGE! I know it is my fault.
 
Old 05-31-2006, 02:27 PM   #54
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

I could think of no better way than screenshotting the EFG screen just before it generates the firewall script: http://sox.homeip.net/firewall.jpg

Do you use those same settings?

Eric
 
Old 05-31-2006, 03:02 PM   #55
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Quote:
Originally Posted by Alien Bob
I could think of no better way than screenshotting the EFG screen just before it generates the firewall script: http://sox.homeip.net/firewall.jpg

Do you use those same settings?

Eric
Yes, those are my settings.

So, you said that YOU managed to get tinyproxy and dansguardian working together AND using a transparent proxy?

BTW, I did try your rc.transparent file from page 3 of this thread. I changed a couple lines to reflect MY internal network (192.168.2.1).

here is what I executed...

killall dansguardian
killall tinyproxy
rc.firewall stop
rc.transparent start
tinyproxy
dansguardian

iptables -t nat -L -n --line-numbers generated some output, BUT the transparent proxy did NOT work.

Last edited by tubatodd; 05-31-2006 at 03:08 PM.
 
Old 05-31-2006, 03:35 PM   #56
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
In case I fouled up my WinXP settings, here are some screenshots of my XP network settings

http://img180.imageshack.us/img180/2453/xpip29da.jpg
http://img171.imageshack.us/img171/781/xpip11qc.jpg
 
Old 05-31-2006, 04:15 PM   #57
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Your XP settings look OK.
What does "iptables -t nat -L -n --line-numbers" show you now?
Is there anything being logged in /var/log/tinyproxy.log and /var/log/dansguardian/access.log while you are trying?

Eric
 
Old 05-31-2006, 04:32 PM   #58
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

I just saw you wrote this sequence of commands:
Quote:
killall dansguardian
killall tinyproxy
rc.firewall stop
rc.transparent start
tinyproxy
dansguardian
Now, that would be weird since rc.firewall is not restarted... I'd have thought you should run something like
Code:
/etc/rc.d/dansguardian stop
killall tinyproxy
rc.firewall stop
rc.firewall start
rc.transparent start
tinyproxy
/etc/rc.d/dansguardian start
Unless you changed that rc.transparent script so that it also does all the stuff that the generated rc.firewall does (especially the final masquerading rule "$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE" from rc.firewall which was no part of my original rc.transparent).
It gets kind of messy now with all the altered scripts...

Eric
 
Old 05-31-2006, 09:02 PM   #59
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Believe it or not...I fixed something. Apparently, the rc.firewall that your generator generates declares some variables for iptables. The only problem was that it was looking for iptables in /sbin/ instead of /usr/sbin. I don't know if that is an oddity of my machine, but iptables is in /usr/sbin on my machine. In any event, I tried it again.

With the newly corrected rc.firewall loading FIRST, then tinyproxy, THEN dansguardian, I get the following output

Code:
root@scs:/etc/rc.d# iptables -t nat -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
With rc.ip_forward added to the mix I get the following output

Code:
root@scs:/etc/rc.d# iptables -t nat -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
My tinyproxy.log and dansguardian log files are huge. They are in fact keeping track of my progress. When I attempt transparent proxying, neither dansguardian nor tinyproxy produces any output. If I FORCE my browser to use the proxy it logs.

Here is the output of access.log from Dansguardian. My wife visited one OK site and 2 banned sites.

Code:
2006.5.31 19:58:24 - 192.168.2.7 http://www.google.com  GET 3189 0  1 200 text/html - 
2006.5.31 19:58:28 - 192.168.2.7 http://www.runescape.com *DENIED* Banned site: runescape.com GET 0 0 Banned Sites 1 403 text/html - 
2006.5.31 19:58:45 - 192.168.2.7 http://www.myspace.com/kellyflute *DENIED* Banned site: myspace.com GET 0 0 Banned Sites 1 403 text/html -
OK weird...tinyproxy is NOT recording a new tinyproxy.log file for the new access requests.
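Since the access.log format above is the evidence being read by eye in this thread, here is a small added example (not a script from the thread or from DansGuardian) that summarises such a log per client: how many requests each client got through, how many were denied, and how many distinct clients the proxy has logged at all. A client count of zero while browsing is exactly the transparent-proxy symptom described above. The sample lines are constructed after the three posted ones, with a second client added; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a DansGuardian access.log per
# client, so "does the proxy see this client at all?" and "what is it blocking?"
# can be answered from the log rather than by reading it line by line.
# Field layout of the posted lines (whitespace separated):
#   $1 date  $2 time  $3 -  $4 client IP  $5 URL  $6 method, or *DENIED* on a block

# Constructed sample, shaped after the lines posted above (second client added).
SAMPLE_LOG='2006.5.31 19:58:24 - 192.168.2.7 http://www.google.com  GET 3189 0  1 200 text/html -
2006.5.31 19:58:28 - 192.168.2.7 http://www.runescape.com *DENIED* Banned site: runescape.com GET 0 0 Banned Sites 1 403 text/html -
2006.5.31 19:58:45 - 192.168.2.7 http://www.myspace.com/kellyflute *DENIED* Banned site: myspace.com GET 0 0 Banned Sites 1 403 text/html -
2006.5.31 19:59:02 - 192.168.2.9 http://www.example.org  GET 512 0  1 200 text/html -'

# summarise_log <access.log  -> one line per client: IP allowed=N denied=N
summarise_log() {
    awk '
        NF < 6 { next }                       # blank or truncated line
        { seen[$4] = 1
          if ($6 == "*DENIED*") denied[$4]++; else allowed[$4]++ }
        END {
            for (c in seen)
                printf "%s allowed=%d denied=%d\n", c, allowed[c] + 0, denied[c] + 0
        }
    ' | sort
}

# denied_count CLIENT <access.log  -> number of *DENIED* entries for that client
denied_count() {
    awk -v c="$1" '$4 == c && $6 == "*DENIED*" { n++ } END { print n + 0 }'
}

# clients_seen <access.log  -> number of distinct clients the proxy has logged.
# 0 while a LAN host is browsing means the traffic never reached the proxy.
clients_seen() {
    awk 'NF >= 6 { seen[$4] = 1 } END { n = 0; for (c in seen) n++; print n }'
}

# Dry run on the sample; on the gateway use:  summarise_log < /var/log/dansguardian/access.log
printf '%s\n' "$SAMPLE_LOG" | summarise_log
```

The per-client split matters for the problem in this thread: a forced-proxy test and a transparent test from the same PC show up as the same client IP, so comparing the count before and after a transparent attempt tells you whether the redirect delivered anything to the proxy.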
 
Old 06-01-2006, 01:35 AM   #60
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Yeah, the generator you used (I haven't read the rest of the thread) was probably focused on Red Hat based systems, which have iptables in /sbin, while Slackware has iptables in /usr/sbin - no big deal... I'll try and read the complete thread to see if there's anything I can contribute...
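The two checks below are an added example, not a script from this thread or from the firewall generator. They automate what posts #53 and #59 show: a generated rc.firewall whose IPT variable points at /sbin/iptables on a box where the binary lives in /usr/sbin fails quietly, and the nat table stays empty. find_tool looks the binary up by trying candidate directories and then $PATH instead of hard-coding one path, and nat_redirect_ok parses the output of "iptables -t nat -L -n --line-numbers" to confirm that the PREROUTING REDIRECT for port 80 is really installed. The sample listing inside the script is constructed after the one posted in #59; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the firewall generator.
# find_tool: locate a binary by trying candidate directories, then $PATH,
# so a script never runs with IPT pointing at a path that does not exist.
# nat_redirect_ok: parse "iptables -t nat -L -n --line-numbers" output and
# succeed only if nat PREROUTING redirects tcp dpt:80 to the given port.

# find_tool NAME DIR...  -> prints the first executable DIR/NAME, else the
# $PATH hit; returns 1 if NAME is not installed anywhere we looked.
find_tool() {
    name=$1
    shift
    for d in "$@"; do
        if [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    p=$(command -v "$name" 2>/dev/null) || p=
    if [ -n "$p" ]; then
        printf '%s\n' "$p"
        return 0
    fi
    return 1
}

# nat_redirect_ok PORT  <listing  -> exit 0 only if the PREROUTING chain
# holds a rule "REDIRECT tcp ... dpt:80 redir ports PORT".
nat_redirect_ok() {
    awk -v want="$1" '
        /^Chain / { chain = $2; next }
        chain == "PREROUTING" && $2 == "REDIRECT" && $3 == "tcp" &&
            / dpt:80 / && $NF == want { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed listing, shaped like the one posted in #59. Note that -L -n
# without -v prints no in/out interface columns, so this cannot tell whether
# the REDIRECT is limited to the LAN interface; add -v when that matters.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

# Dry run against the sample. On a real gateway (as root) replace the printf with:
#   IPT=$(find_tool iptables /sbin /usr/sbin) || { echo "iptables not found" >&2; exit 1; }
#   "$IPT" -t nat -L -n --line-numbers | nat_redirect_ok 8080
if printf '%s\n' "$SAMPLE_NAT" | nat_redirect_ok 8080; then
    echo "sample: REDIRECT to 8080 is present"
else
    echo "sample: no REDIRECT rule - rc.firewall probably never ran"
fi
```

Running the real check right after boot, before starting tinyproxy and dansguardian, separates "the firewall never loaded" from "the proxy is not answering", which is the distinction this thread spent several posts on.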
 
  

