tcygne wrote:
> How are Squid and DansGuardian chained together? how does that fit with
> the firewall interception rules?
>
> I'm not sure what you are asking. The proxy/filter doesn't seem to have any
> firewall installed. The traffic is rerouted to the filter by the ddwrt
> router box at (192.168.1.1) using the following commands.
>
Ah, okay. You sound a little confused about your own network structure
but managed to answer my question anyway :) well done.
What you have is this:
Client->WRT->DansGuardian->Squid->WRT->Internet
(and back)
The WRT iptables is the firewall (even though it's on a different box).
> #!/bin/sh
> PROXY_IP=192.168.1.2
> PROXY_PORT=8080
> LAN_IP=`nvram get lan_ipaddr`
> LAN_NET=$LAN_IP/`nvram get lan_netmask`
> iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
... passes packets between internal machines without involving the proxy
box.
> iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
... passes all other port 80 to the proxy, except stuff from the proxy
box itself. Specifically to DG on the proxy box.
> iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
... SNATs everything from the local network (to the proxy box) to some IP
belonging to the WRT.
I assume (and hope) that is mapping internal IPs to some globally
routable IP, not just making all traffic seem to come from 192.168.1.1.
> iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
... lets stuff going to DG on the proxy box through.
> iptables -t nat -I PREROUTING -i br0 -s 192.168.1.5 -j ACCEPT
I'm a little suspicious about that "iptables -t nat -I PREROUTING -i br0 -s 192.168.1.5 -j ACCEPT".
>
> the final command allows 192.168.1.5 to bypass the filter. This would be the
> only device from which apt-get and spybot updates work. (Nevermind how
... the proxy box also is in that state.
> one device can do both of those things) It looks like all traffic is
> rerouted to port 8080 (dansguardian answers) so maybe it isn't hitting squid
> at all. And this isn't a squid issue. ;-( I'm not real slick with iptables,
> but maybe the router box is dropping all non port 80 traffic except for
> device 192.168.1.5? More than likely apt and spybot use https, so what would
> be the iptables rule to allow all traffic on port 443 to bypass the filter?
>
It should already be bypassing the filter. Only port-80 is handled
specially. At most you may need:
iptables -I FORWARD -i br0 -p tcp -s $LAN_NET --dport 443 -j ACCEPT
Regarding the HTTP breakage, try adding
iptables -t nat -I POSTROUTING -j MASQUERADE
... if that does not fix the proxy access out again then look at
DansGuardian and see if its passing stuff to Squid.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE24
  Current Beta Squid 3.1.0.16

Received on Tue Feb 16 2010 - 04:46:14 MST
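The posted rule set, replayed as an added example that is not part of the original post, of DD-WRT or of Squid/DansGuardian: a small Python model of the nat PREROUTING and POSTROUTING chains exactly as the script builds them (honouring that -A appends and -I inserts at the head, so the 192.168.1.5 exemption ends up first), run against constructed TCP SYNs. The client 192.168.1.10, the second LAN host 192.168.1.20 and the Internet host 198.51.100.7 are assumed addresses. It shows which flows get DNATed to DansGuardian on 192.168.1.2:8080, that the 192.168.1.5 exemption and the proxy box's own traffic skip it, that port 443 is never touched by these rules, and why the SNAT to the WRT's LAN address matters when client and proxy share the same br0 segment. The filter FORWARD rule is not modelled.

```python
"""Model of the DD-WRT nat chains posted in this thread (constructed example).

It does not call iptables; it replays the posted rules against hand-made
packets so the effect of each rule, and of -A versus -I ordering, is visible.
"""
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # `nvram get lan_ipaddr`/lan_netmask
LAN_IP = ip_address("192.168.1.1")       # the WRT itself
PROXY_IP = ip_address("192.168.1.2")     # DansGuardian + Squid box
PROXY_PORT = 8080                        # DansGuardian listens here
UNFILTERED = ip_address("192.168.1.5")   # host exempted by the last rule


def build_chain(ops):
    """Replay a list of ("-A"|"-I", rule) calls to get the final chain order."""
    chain = []
    for how, rule in ops:
        if how == "-A":
            chain.append(rule)        # -A appends to the end
        else:
            chain.insert(0, rule)     # -I with no index inserts at the head
    return chain


# A rule is (match predicate, (target, argument)). All modelled packets are
# TCP, so the "-p tcp" part of every rule is implicitly satisfied.
NAT_PREROUTING = build_chain([
    ("-A", (lambda p: p["src"] in LAN_NET and p["dst"] in LAN_NET
            and p["dport"] == 80, ("ACCEPT", None))),
    ("-A", (lambda p: p["src"] != PROXY_IP and p["dport"] == 80,
            ("DNAT", (PROXY_IP, PROXY_PORT)))),
    ("-I", (lambda p: p["src"] == UNFILTERED, ("ACCEPT", None))),
])

NAT_POSTROUTING = build_chain([
    ("-I", (lambda p: p["src"] in LAN_NET and p["dst"] == PROXY_IP,
            ("SNAT", LAN_IP))),
])


def run_chain(chain, pkt):
    """First matching rule wins. ACCEPT leaves the packet as is; DNAT/SNAT
    rewrite it. The nat chains' policy is ACCEPT, so no match means no change."""
    for match, (target, arg) in chain:
        if not match(pkt):
            continue
        if target == "DNAT":
            return dict(pkt, dst=arg[0], dport=arg[1], dnat=True)
        if target == "SNAT":
            return dict(pkt, src=arg, snat=True)
        return pkt                    # ACCEPT
    return pkt


def route(src, dst, dport, prerouting=NAT_PREROUTING,
          postrouting=NAT_POSTROUTING):
    """Push one SYN arriving on br0 through nat PREROUTING then POSTROUTING."""
    pkt = {"src": ip_address(src), "dst": ip_address(dst), "dport": dport,
           "dnat": False, "snat": False}
    pkt = run_chain(prerouting, pkt)
    pkt = run_chain(postrouting, pkt)
    return pkt


def goes_through_filter(pkt):
    """True when the SYN was redirected to DansGuardian."""
    return pkt["dnat"]


def hairpin_ok(pkt):
    """Client and proxy sit on the same br0 segment. A DNATed SYN that is not
    also SNATed makes the proxy answer the client directly from
    192.168.1.2:8080; the WRT never sees that reply to undo the DNAT, so the
    client gets a SYN-ACK from the wrong address and resets the connection."""
    return (not pkt["dnat"]) or pkt["snat"]


if __name__ == "__main__":
    cases = [("192.168.1.10", "198.51.100.7", 80),    # normal client, HTTP
             ("192.168.1.10", "198.51.100.7", 443),   # normal client, HTTPS
             ("192.168.1.10", "192.168.1.20", 80),    # LAN-to-LAN HTTP
             ("192.168.1.5", "198.51.100.7", 80),     # exempted host
             ("192.168.1.2", "198.51.100.7", 80)]     # the proxy box itself
    for src, dst, dport in cases:
        p = route(src, dst, dport)
        print(f"{src:>13} -> {dst}:{dport:<4} "
              f"{'filtered via' if goes_through_filter(p) else 'direct   '} "
              f"{p['src']} -> {p['dst']}:{p['dport']}")
```

Running it prints one line per constructed flow; only the first one ends up at 192.168.1.2:8080 with its source rewritten to 192.168.1.1, which is exactly the flow the SNAT rule exists for. Calling `route(..., postrouting=[])` shows the broken hairpin case.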
This archive was generated by hypermail 2.2.0 : Tue Feb 16 2010 - 12:00:05 MST