LinuxQuestions.org
Slackware: This Forum is for the discussion of Slackware Linux.
Old 06-01-2006, 06:50 PM   #76
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30

Code:
root@scs:/etc/dhcpc# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
I have NO IDEA what happened with that gateway thing. I do NOT remember ever changing that. I checked all the way back through this thread and NO ONE told me to do that. I have no idea how I ended up with 192.168.1.254 let me change that back to gateway=""
 
Old 06-01-2006, 06:54 PM   #77
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
Quote:
Quote:
IPADDR[lo]="127.0.0.1"
NETMASK[lo]="255.0.0.0"

This should never be needed! I hope you did not edit your /etc/rc.d/rc.inet1 file?
Again I have NO IDEA where those lines came from. Again, they were never discussed in this thread before. I suppose I should delete them or comment them out...correct?
 
Old 06-01-2006, 07:06 PM   #78
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
OK, I removed those 127.0.0.1 lines and restored gateway="" and rebooted. Still, no transparent proxy.

This was run AFTER changing to gateway=""
Code:
root@scs:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
Same result. I did some investigating by accessing my dsl modem. According to my dsl modem "192.168.1.254" is the DSL modem's local ip address.

Here is some useful information I found in one of the "Expert" tabs

Code:
  IP Interfaces

   
Address               Netmask      Name
192.168.1.254      255.255.255.0   eth0
<ip address>      255.255.255.255  ppp1
Notice that the IP address and Netmask from my ISP contains the weird netmask of "255.255.255.255"

Now through my DSL modem I can change some things with regard to DHCP. It has options to change the modem's ip address (from 192.168.1.254 to whatever), subnet mask and start and stop addresses. One thing that is VERY interesting is that the DHCP of my modem starts addresses at 192.168.1.1 and ENDS at 192.168.1.253 which leaves out 254 and 255. I don't know if that may be helpful, but I thought you might want to know.

Here is some more info
Code:
IP Passthrough/DMZ Configuration

   
Please share which device will share your public IP address.

  If "User Configured PC" is selected, a local PC must be manually configured to use the public IP address.

  WAN IP Address :  <ip address removed for security reasons>

  Options: User Configured PC
           192.168.1.96 

  IP Passthrough is currently disabled.
Does IP Passthrough mean "transparent proxy" or am I getting terminology confused? I hope this might help.

Last edited by tubatodd; 06-01-2006 at 07:45 PM.
 
Old 06-02-2006, 03:40 AM   #79
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116
Well, I guess you filled the GATEWAY parameter at some point in time with the value you saw on your box. It does not really matter then if you set it or not (the value is correct anyway) but letting it be set by the DHCP client is cleaner.
Also the two lines with the XXXXXX[lo]="yyyy" variables are indeed not needed and can be deleted.

Quote:
Originally Posted by tubatodd
Here is some useful information I found in one of the "Expert" tabs

Code:
IP Interfaces
Address               Netmask      Name
192.168.1.254      255.255.255.0   eth0
<ip address>      255.255.255.255  ppp1
Notice that the IP address and Netmask from my ISP contains the weird netmask of "255.255.255.255"
Actually, for a ppp address, the netmask of 255.255.255.255 is correct.
Quote:
Here is some more info
Code:
IP Passthrough/DMZ Configuration
Please share which device will share your public IP address.

  If "User Configured PC" is selected, a local PC must be manually configured to use the public IP address.

  WAN IP Address :  <ip address removed for security reasons>

  Options: User Configured PC
           192.168.1.96 

  IP Passthrough is currently disabled.
Does IP Passthrough mean "transparent proxy" or am I getting terminology confused? I hope this might help.
You should disable or remove any configuration which has anything to do with the 192.168.1.96 address of your server. DMZ, autoforward, passthrough, whatever - it all adds to the confusion.
If you can not convince your DHCP server to supply a netmask of 255.255.255.0 to the server, then you will have to set up the server for a static IP address/netmask/gateway.
It would be nice if you can reconfigure your router to not use the complete range from 1-254 but instead leave a few addresses out that you can use for static assignment (like, give the DHCP Server the range 192.168.1.1-192.168.1.100 to use - you will probably never have 100 PCs in your house anyway).
Then, make sure you pick an IP address that the DHCP server no longer uses, or if you cannot change the IP address range try to pick an address the DHCP server probably will not use, for instance 192.168.1.111.

Then, modify /etc/rc.d/rc.inet1.conf for the eth0 interface and fill in the GATEWAY variable:
Code:
# Config information for eth0:
IPADDR[0]="192.168.1.111"
NETMASK[0]="255.255.255.0"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""

GATEWAY="192.168.1.254"
Then, restart the eth0 interface or reboot the server:
Code:
/etc/rc.d/rc.inet1 eth0_restart
NOTE: if you decide to use another IP address for the server's external address, don't forget to change the address in the tinyproxy.conf as well or the mix-up will even get bigger.

Maybe this will help.

Eric
 
Old 06-02-2006, 01:54 PM   #80
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
I told my DSL modem to limit the range from 1-100. Here is my current ip setup.

Code:
root@scs:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:04:5A:77:38:D8
          inet addr:192.168.1.111  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1570 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1693 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:899905 (878.8 KiB)  TX bytes:244072 (238.3 KiB)
          Interrupt:6 Base address:0x9400

eth1      Link encap:Ethernet  HWaddr 00:04:5A:77:38:DC
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:593 errors:0 dropped:0 overruns:0 frame:0
          TX packets:706 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:104222 (101.7 KiB)  TX bytes:412553 (402.8 KiB)
          Interrupt:9 Base address:0x9000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2734 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2734 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:584258 (570.5 KiB)  TX bytes:584258 (570.5 KiB)
The network is functioning with the change of ip addresses...HOWEVER...no transparent proxy. I read your note about tinyproxy, but I don't see what I need to change in my tinyproxy.conf.

Code:
root@scs:~# cat /etc/rc.d/rc.firewall | grep -v "^$" | grep -v "^#"
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A PREROUTING -t nat -p tcp -s 192.168.2.1 --destination-port 80 -j RETURN
iptables -A PREROUTING -t nat -p tcp -s 192.168.2.1 --destination-port 443 -j RETURN
iptables -A PREROUTING -t nat -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
iptables -A PREROUTING -t nat -p tcp --destination-port 443 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@scs:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    1      0        0 eth0
Here is my tinyproxy.conf What needs to be changed?

Code:
root@scs:~# cat /etc/tinyproxy/tinyproxy.conf | grep -v "^$" | grep -v "^#"
User nobody
Group nobody
Port 3128
Listen 127.0.0.1
Bind 192.168.1.96
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy.log"
LogLevel Info
PidFile "/var/run/tinyproxy.pid"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
Allow 192.168.1.0/24
Allow 192.168.2.0/24
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563
Any ideas?
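An added example, not from the thread and not part of tinyproxy or dansguardian, that audits the rc.firewall rules posted above for the transparent-proxy pitfalls this thread keeps circling: a REDIRECT that is not limited to the LAN interface, a listener on the target port that is not bound where redirected packets actually arrive, a RETURN keyed on the box's own address (which never traverses PREROUTING), and port 443 pushed into an HTTP proxy port. RC_FIREWALL is tubatodd's posted ruleset and LOCAL_ADDRS comes from the posted ifconfig; LISTENERS is a constructed assumption (dansguardian, mentioned later in the thread, is assumed on 8080, tinyproxy on 3128/127.0.0.1 as in the posted tinyproxy.conf), and the HARDENED ruleset is mine, shown beside the original for comparison.

```python
"""Audit a transparent-proxy iptables ruleset for common misconfigurations.

Added example, not from the thread, tinyproxy or dansguardian. RC_FIREWALL
holds the rules tubatodd posted; LOCAL_ADDRS comes from the posted ifconfig;
LISTENERS is a constructed assumption (dansguardian assumed on 8080,
tinyproxy on 3128/127.0.0.1 as in the posted tinyproxy.conf).
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

RC_FIREWALL = """\
iptables -A PREROUTING -t nat -p tcp -s 192.168.2.1 --destination-port 80 -j RETURN
iptables -A PREROUTING -t nat -p tcp -s 192.168.2.1 --destination-port 443 -j RETURN
iptables -A PREROUTING -t nat -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
iptables -A PREROUTING -t nat -p tcp --destination-port 443 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
"""

# Hardened variant (mine): redirect only what arrives on the LAN side, leave TLS alone.
HARDENED = """\
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
"""

LOCAL_ADDRS = {"eth0": "192.168.1.111", "eth1": "192.168.2.1", "lo": "127.0.0.1"}
LISTENERS = {8080: "0.0.0.0", 3128: "127.0.0.1"}  # constructed assumption


@dataclass
class Rule:
    table: str = "filter"
    chain: str = ""
    proto: Optional[str] = None
    src: Optional[str] = None
    in_iface: Optional[str] = None
    dport: Optional[int] = None
    target: Optional[str] = None
    to_ports: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse one 'iptables ...' command line into a Rule (options in any order)."""
    toks = shlex.split(line)
    rule = Rule()
    i = 1  # skip the 'iptables' word itself
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "-t":
            rule.table = arg
        elif opt == "-A":
            rule.chain = arg
        elif opt == "-p":
            rule.proto = arg
        elif opt == "-s":
            rule.src = arg
        elif opt == "-i":
            rule.in_iface = arg
        elif opt in ("--dport", "--destination-port"):
            rule.dport = int(arg)
        elif opt == "-j":
            rule.target = arg
        elif opt == "--to-ports":
            rule.to_ports = int(arg.split("-")[0])  # first port of a range
        else:
            i += 1  # unknown option or flag: step over it one token at a time
            continue
        i += 2
    return rule


def audit(rules_text: str, listeners: Dict[int, str],
          local_addrs: Dict[str, str], lan_iface: str = "eth1") -> List[str]:
    """Return one finding per transparent-proxy pitfall in the nat PREROUTING rules."""
    findings = []
    for line in rules_text.splitlines():
        if not line.strip():
            continue
        r = parse_rule(line)
        if r.table != "nat" or r.chain != "PREROUTING":
            continue
        # Locally generated packets go through nat OUTPUT, never PREROUTING,
        # so a RETURN keyed on the box's own address exempts nothing real.
        if r.target == "RETURN" and r.src in local_addrs.values():
            findings.append(f"RETURN for local source {r.src} matches no locally generated traffic")
        if r.target != "REDIRECT":
            continue
        if r.in_iface is None:
            findings.append(f"REDIRECT dport {r.dport} has no -i {lan_iface}; it also rewrites traffic arriving on the WAN side")
        # REDIRECT rewrites the destination to the primary address of the
        # arrival interface, so the listener must be bound there or to 0.0.0.0.
        arrival = local_addrs.get(r.in_iface or lan_iface)
        bind = listeners.get(r.to_ports)
        if bind is None:
            findings.append(f"REDIRECT to port {r.to_ports}: nothing listens there")
        elif bind not in ("0.0.0.0", arrival):
            findings.append(f"REDIRECT to port {r.to_ports}: listener bound to {bind}, redirected packets arrive at {arrival}")
        if r.dport == 443:
            findings.append("REDIRECT of port 443 into an HTTP proxy port breaks TLS; leave 443 alone or configure clients explicitly")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", RC_FIREWALL), ("hardened", HARDENED)):
        print(f"== {name} ==")
        for f in audit(text, LISTENERS, LOCAL_ADDRS):
            print(" -", f)
```

The two semantics the audit relies on are worth keeping in mind when debugging a setup like this: REDIRECT changes the destination to the primary address of the interface the packet came in on (192.168.2.1 for clients on eth1), so a daemon that only does `Listen 127.0.0.1` will never see redirected connections; and the proxy's own outbound requests leave through the nat OUTPUT chain, so they are not looped back by PREROUTING rules in the first place.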
 
Old 06-02-2006, 02:21 PM   #81
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116
This line in tinyproxy.conf:

Bind 192.168.1.96

needs to match the external IP address of your firewall, i.e. it should be
Code:
Bind 192.168.1.111
Eric
 
Old 06-02-2006, 02:45 PM   #82
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
OK, I changed Bind to 192.168.1.111, still no transparent proxy. My question is...why are we not binding to 192.168.1.254...the gateway?
 
Old 06-02-2006, 03:47 PM   #83
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116
Because the tinyproxy.conf has this to say right before the "Bind" line
Quote:
# Bind: This allows you to specify which interface will be used for
# outgoing connections. This is useful for multi-home'd machines where
# you want all traffic to appear outgoing from one particular interface.
On my server, this works.

Eric
 
Old 06-02-2006, 03:51 PM   #84
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
I think I am officially done with this project. I'm gonna give this machine back to the media director who gave it to me. It works...sorta. He may get it on the school network and be happy configuring each machine. Thanks again for all of your help Eric. I wouldn't have gotten this far without help from the Netherlands. Thanks!
 
Old 06-02-2006, 05:49 PM   #85
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116
Good luck with it tubatodd. I had fun and learnt some new things about proxying, too.

Cheers, Eric
 
Old 06-06-2006, 05:37 PM   #86
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
WOOOO HOOOO!!!! UPDATE:

I installed the content filter machine at the school and showed it to our media director. He was impressed. We had to change a couple settings for the school network (the eth1 HAD to be 192.168.1.1) but other than that...it was a success. When we installed it on the school's network it FILTERED. The transparent proxying that we battled with WORKS. Now all of the machines on the school's network (including the one I am typing on right NOW) are using filtering in order to access the internet. Thanks a 10^6 for all of your help Eric. I highly recommend you create a page on your website for tinyproxy and dansguardian like you had mentioned. I think it may be a wealth of knowledge!!!

**EDIT**
New assignment:

My media director wants to know if there is a way to set up the filter machine in such a way that we can access it from any machine on the network. We would like to do a "remote desktop" kind of thing from a Windows machine on the network. The idea is that we would like to be able to update the bannedsiteslist in dansguardian and run other maintenance commands (i.e. swaret, reboot, etc) from a remote machine. I have NO IDEA how to set this up. I suspect this is a VNC task, which I know nothing about.

Last edited by tubatodd; 06-06-2006 at 06:51 PM.
 
Old 06-06-2006, 07:21 PM   #87
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
just configure the sshd daemon on the box and then from windows use putty to connect... it's kinda weird to be running a GUI on a server...
 
Old 06-07-2006, 04:45 AM   #88
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116
Tubatodd, this is good news!
I guess there is something completely whacko in your home network setup which prevented transparent proxying from working...

What win32sux said is valid of course - you would not want to steal away precious CPU cycles by running a GUI on your server. But there might still be cases where you do have the need of a GUI, especially when there is no alternative, or in cases you are not too familiar with commandline equivalents of GUI based programs.
VNC is what I would use in such a case. Actually that is what I use on some of my servers. I do combine it with a light-weight Window Manager - you should think about using XFCE or fluxbox, and stay away from Gnome or KDE. There is no harm in installing the KDE libraries and programs, but I would advise to stay away from running KDE based programs in your VNC session (any KDE program starting will cause a cascade of other core KDE background programs to be started as well).

So, this is what you should do:
  • install VNC (any flavour would do, I have a package for RealVNC at http://www.slackware.com/~alien/slackbuilds/vnc/)
  • login under your own non-root account and run "vncserver" from the commandline. This will set up your VNC password (vncserver will ask for it) and generate the ~/.vnc/xstartup file. It will also tell you at which display port it will be listening (by default this will be :1 if there are no other VNC servers running).
  • try running vncviewer from a client machine, pointing it to <your.server.name>:1 and look if you can connect (if you have a firewall blocking port 5901 then you'd have to open that port first). Also look if you're happy with the default Window Manager (RealVNC starts twm by default).
  • close the vncviewer and kill the running vncserver like this: "vncserver -kill :1"
  • now, edit ~/.vnc/xstartup after your own taste.
My xstartup file looks like this:
Code:
$ cat ~/.vnc/xstartup
#!/bin/sh

[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
gkrellm &
xscreensaver -no-splash &
xscreensaver-command -lock &
exec /usr/bin/startxfce4
Which starts XFCE as the Window Manager, and locks the screen immediately (this might work only after you've manually configured your screensaver first).

Now, after this is set up, you're ready to use VNC. From a client, "ssh" to the server and run "vncserver". Then, you can logout from your ssh session, and use the vncviewer to connect to the VNC session on your server.
I would advise not to run a VNC session as root. You can do any root business after running "sudo -i" in a X-term. I have documented how you can still run X programs after becoming root using "su" or "sudo" here: http://www.slackware.com/~alien/doku...kernelbuilding

The beauty of VNC is that you can close the vncviewer at any time, and the VNC server session will just continue. You can re-connect a vncviewer to this session at any later time.

For secure VNC connections you could look into tightvnc, or use ssh to "tunnel" your vncviewer traffic from client to server. People with a little knowledge can extract anything you type from a VNC connection if it is not secured (this includes passwords) if they can sniff your network.

Using SSH for securely connecting to VNC: first log in to your server using the following ssh command with the "-L" option which creates a tunnel:
Code:
ssh -L 5901:127.0.0.1:5901 youruser@yourserver
Traffic directed at your client's local port 5901 (this is equivalent to vnc display port :1) will be tunneled to the other side of the ssh connection (aka your server) and delivered at IP address/port 127.0.0.1:5901, the port where the VNC server will be listening.
You take advantage of this encrypted tunnel by running:
Code:
vncviewer localhost:1
The vncviewer will connect to the vncserver and all traffic will be ssh-encrypted. This way, you will not need to open up a port for the vncserver in your firewall, which adds another layer of security of course.

Hope this helps-

Cheers, Eric
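An added example, not from the thread and not part of any VNC package, that turns Eric's tunnel advice into a check you can run on the server: it parses a `netstat -ltn` listing, reports VNC (5900+N) and Xvnc X11 (6000+N) sockets that are bound to anything other than loopback (those are reachable without the tunnel), and builds the matching `ssh -L` command for a display number. NETSTAT_SAMPLE is a constructed listing, and `youruser`/`yourserver` are the placeholders from Eric's post; the `-localhost` option mentioned in the note below is an assumption about the reader's vncserver build.

```python
"""Report VNC sockets reachable off-box and build the ssh -L tunnel command.

Added example, not from the thread or from any VNC package. NETSTAT_SAMPLE is
a constructed 'netstat -ltn' listing; user and host names are placeholders.
"""
from typing import List, Tuple

LOOPBACK = ("127.0.0.1", "::1")

# Constructed listing: display :1 bound to all addresses (the risky case),
# display :2 bound to loopback only, plus sshd and tinyproxy for context.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5902          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN
"""


def vnc_port(display: int) -> int:
    """VNC display :N listens on TCP 5900+N, so :1 is 5901."""
    return 5900 + display


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every LISTEN line of a netstat -ltn dump."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue  # header lines and non-listening sockets
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        out.append((addr, int(port)))
    return out


def exposed_vnc_sockets(listeners: List[Tuple[str, int]]) -> List[Tuple[int, int, str]]:
    """(display, port, kind) for VNC and Xvnc X11 sockets not bound to loopback.

    Xvnc also serves X clients on 6000+N; an exposed X11 socket is as much
    of a problem as the VNC one, so both ranges are reported.
    """
    found = []
    for addr, port in listeners:
        if addr in LOOPBACK:
            continue
        if 5900 <= port < 6000:
            found.append((port - 5900, port, "vnc"))
        elif 6000 <= port < 6100:
            found.append((port - 6000, port, "x11"))
    return found


def tunnel_command(display: int, user: str, host: str) -> str:
    """The ssh -L invocation from the thread for an arbitrary display number."""
    port = vnc_port(display)
    return f"ssh -L {port}:127.0.0.1:{port} {user}@{host}"


if __name__ == "__main__":
    for display, port, kind in exposed_vnc_sockets(parse_listeners(NETSTAT_SAMPLE)):
        print(f"display :{display} {kind} socket on port {port} is reachable without the tunnel")
    print(tunnel_command(1, "youruser", "yourserver"))
    print("then, on the client: vncviewer localhost:1")
```

Run it on the real `netstat -ltn` output of the server instead of the constructed sample; if any VNC display shows up as reachable, the tunnel is protecting nothing, because a client can simply connect to port 5901 directly. Most vncserver scripts accept a `-localhost` switch (an assumption for your particular build; check `vncserver -help`) that binds the display to 127.0.0.1 only, which makes the ssh tunnel the only way in and is what Eric's "you will not need to open up a port for the vncserver in your firewall" relies on.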
 
Old 06-07-2006, 04:48 AM   #89
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116
And by the way, if you really like this thread, you can rate it using the thread tools at the upper right, so that others will be informed about its quality before reading it :-)

Eric
 
Old 06-07-2006, 10:05 AM   #90
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
A "desktop" is NOT a requirement. What we want to be able to do is access the filter remotely and be able to change a few files through the command line. I use pico for all of my text editing and I can run swaret and reboot from command line. I taught my media director a few linux commands (enough so he can edit the "bannedsiteslist" file) and change/view directories. So, the only "remote functions" we truly need to do is CLI based. Would you still suggest VNC?
 
  


All times are GMT -5.