Slackware This Forum is for the discussion of Slackware Linux.

06-01-2006, 06:50 PM, #76
Member | Registered: Jun 2003 | Location: Birmingham, Alabama (USA) | Distribution: Slackware | Posts: 351 | Original Poster
Code:
    root@scs:/etc/dhcpc# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
I have NO IDEA what happened with that gateway thing. I do NOT remember ever changing that. I checked all the way back through this thread and NO ONE told me to do that. I have no idea how I ended up with 192.168.1.254; let me change that back to gateway="".

06-01-2006, 06:54 PM, #77
Member | Registered: Jun 2003 | Location: Birmingham, Alabama (USA) | Distribution: Slackware | Posts: 351 | Original Poster
Quote:
    Quote:
        IPADDR[lo]="127.0.0.1"
        NETMASK[lo]="255.0.0.0"
    This should never be needed! I hope you did not edit your /etc/rc.d/rc.inet1 file?
Again I have NO IDEA where those lines came from. Again, they were never discussed in this thread before. I suppose I should delete them or comment them out...correct?

06-01-2006, 07:06 PM, #78
Member | Registered: Jun 2003 | Location: Birmingham, Alabama (USA) | Distribution: Slackware | Posts: 351 | Original Poster
OK, I removed those 127.0.0.1 lines and restored gateway="" and rebooted. Still, no transparent proxy.
This was run AFTER changing to gateway=""
Code:
    root@scs:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
Same result. I did some investigating by accessing my dsl modem. According to my dsl modem "192.168.1.254" is the DSL modem's local ip address.
Here is some useful information I found in one of the "Expert" tabs:
Code:
    IP Interfaces
    Address        Netmask          Name
    192.168.1.254  255.255.255.0    eth0
    <ip address>   255.255.255.255  ppp1
Notice that the IP address and Netmask from my ISP contains the weird netmask of "255.255.255.255"
Now through my DSL modem I can change some things with regard to DHCP. It has options to change the modem's ip address (from 192.168.1.254 to whatever), subnet mask and start and stop addresses. One thing that is VERY interesting is that the DHCP of my modem starts addresses at 192.168.1.1 and ENDS at 192.168.1.253 which leaves out 254 and 255. I don't know if that may be helpful, but I thought you might want to know.
Here is some more info:
Code:
    IP Passthrough/DMZ Configuration
    Please share which device will share your public IP address.
    If "User Configured PC" is selected, a local PC must be manually configured to use the public IP address.
    WAN IP Address : <ip address removed for security reasons>
    Options: User Configured PC
    192.168.1.96
    IP Passthrough is currently disabled.
Does IP Passthrough mean "transparent proxy" or am I getting terminology confused? I hope this might help.
Last edited by tubatodd; 06-01-2006 at 07:45 PM.

06-02-2006, 03:40 AM, #79
Slackware Contributor | Registered: Sep 2005 | Location: Eindhoven, The Netherlands | Distribution: Slackware | Posts: 8,559
Well, I guess you filled the GATEWAY parameter at some point in time with the value you saw on your box. It does not really matter then if you set it or not (the value is correct anyway) but letting it be set by the DHCP client is cleaner.
Also the two lines with the XXXXXX[lo]="yyyy" variables are indeed not needed and can be deleted.
Quote:
    Originally Posted by tubatodd
    Here is some useful information I found in one of the "Expert" tabs:
    Code:
        IP Interfaces
        Address        Netmask          Name
        192.168.1.254  255.255.255.0    eth0
        <ip address>   255.255.255.255  ppp1
    Notice that the IP address and Netmask from my ISP contains the weird netmask of "255.255.255.255"
Actually, for a ppp address, the netmask of 255.255.255.255 is correct.
Quote:
    Here is some more info:
    Code:
        IP Passthrough/DMZ Configuration
        Please share which device will share your public IP address.
        If "User Configured PC" is selected, a local PC must be manually configured to use the public IP address.
        WAN IP Address : <ip address removed for security reasons>
        Options: User Configured PC
        192.168.1.96
        IP Passthrough is currently disabled.
    Does IP Passthrough mean "transparent proxy" or am I getting terminology confused? I hope this might help.
You should disable or remove any configuration which has anything to do with the 192.168.1.96 address of your server. DMZ, autoforward, passthrough, whatever - it all adds to the confusion.
If you cannot convince your DHCP server to supply a netmask of 255.255.255.0 to the server, then you will have to set up the server for a static IP address/netmask/gateway.
It would be nice if you can reconfigure your router to not use the complete range from 1-254 but instead leave a few addresses out that you can use for static assignment (like, give the DHCP server the range 192.168.1.1-192.168.1.100 to use - you will probably never have 100 PCs in your house anyway).
Then, make sure you pick an IP address that the DHCP server no longer uses, or if you cannot change the IP address range, try to pick an address the DHCP server probably will not use, for instance 192.168.1.111.
Then, modify /etc/rc.d/rc.inet1.conf for the eth0 interface and fill in the GATEWAY variable:
Code:
    # Config information for eth0:
    IPADDR[0]="192.168.1.111"
    NETMASK[0]="255.255.255.0"
    USE_DHCP[0]=""
    DHCP_HOSTNAME[0]=""
    GATEWAY="192.168.1.254"
Then, restart the eth0 interface or reboot the server:
Code:
    /etc/rc.d/rc.inet1 eth0_restart
NOTE: if you decide to use another IP address for the server's external address, don't forget to change the address in the tinyproxy.conf as well or the mix-up will even get bigger.
Maybe this will help.
Eric

06-02-2006, 01:54 PM, #80
Member | Registered: Jun 2003 | Location: Birmingham, Alabama (USA) | Distribution: Slackware | Posts: 351 | Original Poster
I told my DSL modem to limit the range from 1-100. Here is my current ip setup.
Code:
    root@scs:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:04:5A:77:38:D8
              inet addr:192.168.1.111  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1570 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1693 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:899905 (878.8 KiB)  TX bytes:244072 (238.3 KiB)
              Interrupt:6 Base address:0x9400

    eth1      Link encap:Ethernet  HWaddr 00:04:5A:77:38:DC
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:593 errors:0 dropped:0 overruns:0 frame:0
              TX packets:706 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:104222 (101.7 KiB)  TX bytes:412553 (402.8 KiB)
              Interrupt:9 Base address:0x9000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:2734 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2734 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:584258 (570.5 KiB)  TX bytes:584258 (570.5 KiB)
The network is functioning with the change of ip addresses...HOWEVER...no transparent proxy. I read your note about tinyproxy, but I don't see what I need to change in my tinyproxy.conf.
Code:
    root@scs:~# cat /etc/rc.d/rc.firewall | grep -v "^$" | grep -v "^#"
    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -A PREROUTING -t nat -p tcp -s 192.168.2.1 --destination-port 80 -j RETURN
    iptables -A PREROUTING -t nat -p tcp -s 192.168.2.1 --destination-port 443 -j RETURN
    iptables -A PREROUTING -t nat -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
    iptables -A PREROUTING -t nat -p tcp --destination-port 443 -j REDIRECT --to-ports 8080
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    root@scs:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.1.254   0.0.0.0         UG    1      0        0 eth0
Here is my tinyproxy.conf. What needs to be changed?
Code:
    root@scs:~# cat /etc/tinyproxy/tinyproxy.conf | grep -v "^$" | grep -v "^#"
    User nobody
    Group nobody
    Port 3128
    Listen 127.0.0.1
    Bind 192.168.1.96
    Timeout 600
    DefaultErrorFile "/usr/share/tinyproxy/default.html"
    StatFile "/usr/share/tinyproxy/stats.html"
    Logfile "/var/log/tinyproxy.log"
    LogLevel Info
    PidFile "/var/run/tinyproxy.pid"
    MaxClients 100
    MinSpareServers 5
    MaxSpareServers 20
    StartServers 10
    MaxRequestsPerChild 0
    Allow 127.0.0.1
    Allow 192.168.1.0/24
    Allow 192.168.2.0/24
    ViaProxyName "tinyproxy"
    ConnectPort 443
    ConnectPort 563
Any ideas?

06-02-2006, 02:21 PM, #81
Slackware Contributor | Registered: Sep 2005 | Location: Eindhoven, The Netherlands | Distribution: Slackware | Posts: 8,559
This line in tinyproxy.conf:
    Bind 192.168.1.96
needs to match the external IP address of your firewall, i.e. it should be
Eric

06-02-2006, 02:45 PM, #82
Member | Registered: Jun 2003 | Location: Birmingham, Alabama (USA) | Distribution: Slackware | Posts: 351 | Original Poster
OK, I changed it to "Bind 192.168.1.111"; still no transparent proxy. My question is...why are we not binding to 192.168.1.254...the gateway?

06-02-2006, 03:47 PM, #83
Slackware Contributor | Registered: Sep 2005 | Location: Eindhoven, The Netherlands | Distribution: Slackware | Posts: 8,559
Because the tinyproxy.conf has this to say right before the "Bind" line:
Quote:
    # Bind: This allows you to specify which interface will be used for
    # outgoing connections. This is useful for multi-home'd machines where
    # you want all traffic to appear outgoing from one particular interface.
On my server, this works.
Eric
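The checks Eric has walked through in the last few replies (a static address that sits outside the modem's DHCP pool, a Bind address that actually exists on the box, REDIRECT rules that only catch traffic from the filtered side) can be automated. The Python script below is an added example, not code from the thread or from tinyproxy; its sample inputs are constructed from the route -n, ifconfig, rc.firewall and tinyproxy.conf output tubatodd posted in #80, and the function names and finding texts are mine. It also flags one thing the thread does not touch: a REDIRECT of port 443 to an HTTP proxy port cannot work, because the client sends TLS rather than an HTTP request to the proxy.

```python
"""Added example (not code from the thread or from tinyproxy): cross-check the
routing table, interface addresses, rc.firewall and tinyproxy.conf of a two-NIC
transparent-proxy box. Samples are constructed from tubatodd's posted output."""
import ipaddress
import re

# Constructed sample: `route -n` as posted (default route via the DSL modem).
ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    1      0        0 eth0
"""
# Constructed sample: the address lines of `ifconfig` as posted.
IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:04:5A:77:38:D8
          inet addr:192.168.1.111  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:04:5A:77:38:DC
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
"""
# Constructed sample: the nat rules from rc.firewall as posted.
FIREWALL = [
    "iptables -A PREROUTING -t nat -p tcp -s 192.168.2.1 --destination-port 80 -j RETURN",
    "iptables -A PREROUTING -t nat -p tcp --destination-port 80 -j REDIRECT --to-ports 8080",
    "iptables -A PREROUTING -t nat -p tcp --destination-port 443 -j REDIRECT --to-ports 8080",
    "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
]
# Constructed sample: tinyproxy.conf as posted in #80, Bind still on the old address.
TINYPROXY = "Port 3128\nListen 127.0.0.1\nBind 192.168.1.96\nAllow 192.168.2.0/24\n"
DHCP_POOL = ("192.168.1.1", "192.168.1.100")   # the range the modem was limited to


def parse_ifconfig(text):
    """Map interface name -> IPv4 address from classic (net-tools) ifconfig output."""
    addrs, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+)\s", line)   # interface header lines start in column 0
        if head:
            current = head.group(1)
        inet = re.search(r"inet addr:(\S+)", line)
        if inet and current:
            addrs[current] = inet.group(1)
    return addrs


def parse_default_gateway(text):
    """Return (gateway, interface) of the 0.0.0.0 route, or None if there is none."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[0] == "0.0.0.0" and "G" in cols[3]:
            return cols[1], cols[7]
    return None


def parse_tinyproxy(text):
    """Directive -> list of values (tinyproxy allows repeated Allow/ConnectPort lines)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key, []).append(value.strip().strip('"'))
    return conf


def parse_rule(rule):
    """Turn one iptables command line into {option: argument}."""
    toks = rule.split()
    return {t: toks[i + 1] for i, t in enumerate(toks[:-1])
            if t.startswith("-") and not toks[i + 1].startswith("-")}


def check_gateway(route_text, ifconfig_text, rules, tinyproxy_text, lan_iface, dhcp_pool):
    """Return a list of findings; an empty list means the pieces agree with each other."""
    findings = []
    addrs = parse_ifconfig(ifconfig_text)
    conf = parse_tinyproxy(tinyproxy_text)
    gw = parse_default_gateway(route_text)
    if gw is None:
        findings.append("no default route: forwarded client traffic has nowhere to go")
    else:
        # The static external address must sit outside the modem's DHCP pool (post #79).
        ext = addrs[gw[1]]
        low, high = (int(ipaddress.ip_address(a)) for a in dhcp_pool)
        if low <= int(ipaddress.ip_address(ext)) <= high:
            findings.append(f"{ext} lies inside the DHCP pool {dhcp_pool[0]}-{dhcp_pool[1]}")
    # Bind is the source address for outgoing connections, so it must exist locally (post #81).
    for bind in conf.get("Bind", []):
        if bind not in addrs.values():
            findings.append(f"tinyproxy Bind {bind} is not assigned to any local interface "
                            f"(have {sorted(addrs.values())})")
    for rule in rules:
        opts = parse_rule(rule)
        if opts.get("-j") != "REDIRECT":
            continue
        port = opts.get("--destination-port") or opts.get("--dport")
        if opts.get("-i") != lan_iface:
            findings.append(f"REDIRECT of port {port} lacks -i {lan_iface}; it also catches "
                            "traffic arriving on the other interfaces")
        if port == "443":
            findings.append("REDIRECT of port 443 to an HTTP proxy port cannot work: the client "
                            "sends TLS, not an HTTP request, so the proxy cannot parse it")
    return findings
```

With the posted configuration, `check_gateway(ROUTE_N, IFCONFIG, FIREWALL, TINYPROXY, "eth1", DHCP_POOL)` reports the stale Bind 192.168.1.96, the two REDIRECT rules that lack `-i eth1`, and the port 443 redirect; after Bind is changed to 192.168.1.111 only the rule findings remain. Narrowing the REDIRECT rules with `-i eth1` also keeps hosts on the 192.168.1.0/24 side from being silently pushed through the filter should they ever route via this box.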

06-02-2006, 03:51 PM, #84
Member | Registered: Jun 2003 | Location: Birmingham, Alabama (USA) | Distribution: Slackware | Posts: 351 | Original Poster
I think I am officially done with this project. I'm gonna give this machine back to the media director who gave it to me. It works...sorta. He may get it on the school network and be happy configuring each machine. Thanks again for all of your help Eric. I wouldn't have gotten this far without help from the Netherlands. Thanks!

06-02-2006, 05:49 PM, #85
Slackware Contributor | Registered: Sep 2005 | Location: Eindhoven, The Netherlands | Distribution: Slackware | Posts: 8,559
Good luck with it tubatodd. I had fun and learnt some new things about proxying, too.
Cheers, Eric

06-06-2006, 05:37 PM, #86
Member | Registered: Jun 2003 | Location: Birmingham, Alabama (USA) | Distribution: Slackware | Posts: 351 | Original Poster
WOOOO HOOOO!!!! UPDATE:
I installed the content filter machine at the school and showed it to our media director. He was impressed. We had to change a couple of settings for the school network (the eth1 HAD to be 192.168.1.1) but other than that...it was a success. When we installed it on the school's network it FILTERED. The transparent proxying that we battled with WORKS. Now all of the machines on the school's network (including the one I am typing on right NOW) are using filtering in order to access the internet. Thanks a 10^6 for all of your help Eric. I highly recommend you create a page on your website for tinyproxy and dansguardian like you had mentioned. I think it may be a wealth of knowledge!!!
**EDIT**
New assignment:
My media director wants to know if there is a way to set up the filter machine in such a way that we can access it from any machine on the network. We would like to do a "remote desktop" kind of thing from a Windows machine on the network. The idea is that we would like to be able to update the bannedsiteslist in dansguardian and run other maintenance commands (i.e. swaret, reboot, etc.) from a remote machine. I have NO IDEA how to set this up. I suspect this is a VNC task, which I know nothing about.
Last edited by tubatodd; 06-06-2006 at 06:51 PM.

06-06-2006, 07:21 PM, #87
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
just configure the sshd daemon on the box and then from windows use putty to connect... it's kinda weird to be running a GUI on a server...

06-07-2006, 04:45 AM, #88
Slackware Contributor | Registered: Sep 2005 | Location: Eindhoven, The Netherlands | Distribution: Slackware | Posts: 8,559
Tubatodd, this is good news!
I guess there is something completely whacko in your home network setup which prevented transparent proxying from working...
What win32sux said is valid of course - you would not want to steal away precious CPU cycles by running a GUI on your server. But there might still be cases where you do have the need of a GUI, especially when there is no alternative, or in cases you are not too familiar with commandline equivalents of GUI based programs.
VNC is what I would use in such a case. Actually that is what I use on some of my servers. I do combine it with a light-weight Window Manager - you should think about using XFCE or fluxbox, and stay away from Gnome or KDE. There is no harm in installing the KDE libraries and programs, but I would advise to stay away from running KDE based programs in your VNC session (any KDE program starting will cause a cascade of other core KDE background programs to be started as well).
So, this is what you should do:
- install VNC (any flavour would do, I have a package for RealVNC at http://www.slackware.com/~alien/slackbuilds/vnc/)
- login under your own non-root account and run "vncserver" from the commandline. This will set up your VNC password (vncserver will ask for it) and generate the ~/.vnc/xstartup file. It will also tell you at which display port it will be listening (by default this will be :1 if there are no other VNC servers running).
- try running vncviewer from a client machine, pointing it to <your.server.name>:1 and look if you can connect (if you have a firewall blocking port 5901 then you'd have to open that port first). Also look if you're happy with the default Window Manager (RealVNC starts twm by default).
- close the vncviewer and kill the running vncserver like this: "vncserver -kill :1"
- now, edit ~/.vnc/xstartup after your own taste.
My xstartup file looks like this:
Code:
    $ cat ~/.vnc/xstartup
    #!/bin/sh
    [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
    xsetroot -solid grey
    vncconfig -iconic &
    gkrellm &
    xscreensaver -no-splash &
    xscreensaver-command -lock &
    exec /usr/bin/startxfce4
Which starts XFCE as the Window Manager, and locks the screen immediately (this might work only after you've manually configured your screensaver first).
Now, after this was setup, you're ready to use VNC. From a client, "ssh" to the server and run "vncserver". Then, you can logout from your ssh session, and use the vncviewer to connect to the VNC session on your server.
I would advise not to run a VNC session as root. You can do any root business after running "sudo -i" in an X-term. I have documented how you can still run X programs after becoming root using "su" or "sudo" here: http://www.slackware.com/~alien/doku...kernelbuilding
The beauty of VNC is that you can close the vncviewer at any time, and the VNC server session will just continue. You can re-connect a vncviewer to this session at any later time.
For secure VNC connections you could look into tightvnc, or use ssh to "tunnel" your vncviewer traffic from client to server. People with a little knowledge can extract anything you type from a VNC connection if it is not secured (this includes passwords) if they can sniff your network.
Using SSH for securely connecting to VNC: first login to your server using the following ssh command with the "-L" option which creates a tunnel:
Code:
    ssh -L 5901:127.0.0.1:5901 youruser@yourserver
Traffic directed at your client's local port 5901 (this is equivalent to VNC display port :1) will be tunneled to the other side of the ssh connection (aka your server) and delivered at IP address/port 127.0.0.1:5901, the port where the VNC server will be listening.
You take advantage of this encrypted tunnel by running:
Code:
    vncviewer localhost:1
The vncviewer will connect to the vncserver and all traffic will be ssh-encrypted. This way, you will not need to open up a port for the vncserver in your firewall, which adds another layer of security of course.
Hope this helps-
Cheers, Eric
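As an added example, not part of Eric's post, here is the tunnel procedure above wrapped in a small Python script: it derives the port from the display number (5900+N, so :1 is 5901), starts ssh -L with the local end bound to 127.0.0.1, waits until the forwarded port actually answers, and only then runs vncviewer against the loopback address. The user and host names are placeholders, and it assumes ssh and a RealVNC-style vncviewer on PATH; the function names are mine.

```python
"""Added example (not from the thread): bring up an ssh -L tunnel to a VNC
display and run vncviewer through it. Host/user names are placeholders."""
import socket
import subprocess
import time

VNC_BASE_PORT = 5900   # display :N listens on TCP 5900+N


def display_to_port(display):
    """VNC display ":1" (or 1) -> TCP port 5901."""
    n = int(str(display).lstrip(":"))
    if n < 0:
        raise ValueError("display number must not be negative")
    return VNC_BASE_PORT + n


def tunnel_command(user, server, display, ssh_port=22):
    """ssh command whose -L binds the local end on loopback only and targets the
    server's loopback, so the VNC port never needs to be opened in the firewall."""
    port = display_to_port(display)
    return ["ssh", "-N", "-p", str(ssh_port),
            "-L", f"127.0.0.1:{port}:127.0.0.1:{port}", f"{user}@{server}"]


def port_accepts(host, port, timeout=0.5):
    """True if a TCP connect to host:port succeeds (something is listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_tunnel(port, deadline=10.0):
    """Poll the local forwarded port until ssh has it listening, or give up."""
    end = time.monotonic() + deadline
    while time.monotonic() < end:
        if port_accepts("127.0.0.1", port):
            return True
        time.sleep(0.25)
    return False


def connect(user, server, display=":1"):
    """Start the tunnel, wait for it, run vncviewer over it, then tear it down."""
    port = display_to_port(display)
    if port_accepts("127.0.0.1", port):
        raise RuntimeError(f"local port {port} is already in use; is a tunnel or a local Xvnc running?")
    tunnel = subprocess.Popen(tunnel_command(user, server, display))
    try:
        if not wait_for_tunnel(port):
            raise RuntimeError("ssh tunnel did not come up")
        # Same as "vncviewer localhost:1", but pinned to the address the tunnel is bound on.
        subprocess.run(["vncviewer", f"127.0.0.1:{port - VNC_BASE_PORT}"], check=False)
    finally:
        tunnel.terminate()
        tunnel.wait()


if __name__ == "__main__":
    connect("youruser", "yourserver", ":1")   # placeholders, as in the thread
```

Binding the local end explicitly to 127.0.0.1 matters on a shared client machine: it guarantees the forwarded VNC port is not reachable by other hosts even if the ssh client's GatewayPorts setting were ever changed, and pairing it with "vncserver -localhost" on the server side (supported by RealVNC and TightVNC) leaves the tunnel as the only way in.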

06-07-2006, 04:48 AM, #89
Slackware Contributor | Registered: Sep 2005 | Location: Eindhoven, The Netherlands | Distribution: Slackware | Posts: 8,559
And by the way, if you really like this thread, you can rate it using the thread tools at the upper right, so that others will be informed about its quality before reading it :-)
Eric

06-07-2006, 10:05 AM, #90
Member | Registered: Jun 2003 | Location: Birmingham, Alabama (USA) | Distribution: Slackware | Posts: 351 | Original Poster
A "desktop" is NOT a requirement. What we want to be able to do is access the filter remotely and be able to change a few files through the command line. I use pico for all of my text editing and I can run swaret and reboot from the command line. I taught my media director a few Linux commands (enough so he can edit the "bannedsiteslist" file) and change/view directories. So, the only "remote functions" we truly need to do are CLI based. Would you still suggest VNC?
All times are GMT -5.