Re: [squid-users] Re: Squid with Dansguardian is killing apt-get and Spybot updates

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 16 Feb 2010 17:46:06 +1300

tcygne wrote:
> How are Squid and DansGuardian chained together? how does that fit with
> the firewall interception rules?
>
> I'm not sure what you are asking. The proxy/filter doesn't seem to have any
> firewall installed. The traffic is rerouted to the filter by the ddwrt
> router box at (192.168.1.1) using the following commands.
>

Ah, okay. You sound a little confused about your own network structure
but managed to answer my question anyway :) well done.

What you have is this:

  Client->WRT->DansGuardian->Squid->WRT->Internet
(and back)

The WRT iptables is the firewall (even though it's on a different box).

> #!/bin/sh
> PROXY_IP=192.168.1.2
> PROXY_PORT=8080
> LAN_IP=`nvram get lan_ipaddr`
> LAN_NET=$LAN_IP/`nvram get lan_netmask`
> iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT

... passes packets between internal machines without involving the proxy
box.

> iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT

... passes all other port 80 to the proxy, except stuff from the proxy
box itself. Specifically to DG on the proxy box.

> iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP

... SNATs everything from the local network to some IP belonging to the
WRT.
  I assume (and hope) that is mapping internal IPs to some globally
routable IP, not just making all traffic seem to be coming from 192.168.1.1.

> iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT

... lets stuff going to DG on the proxy box through.

> iptables -t nat -I PREROUTING -i br0 -s 192.168.1.5 -j ACCEPT

I'm a little suspicious about that "iptables -t nat -I PREROUTING -i br0
-s 192.168.1.5 -j ACCEPT"

>
> the final command allows 192.168.1.5 to bypass the filter. This would be the
> only device in which apt-get and spybot updates work from. (Nevermind how

... the proxy box also is in that state.

> one device can do both of those things) It looks like all traffic is
> rerouted to port 8080 (dansguardian answers) so maybe it isn't hitting squid
> at all. And this isn't a squid issue. ;-( I'm not real slick with iptables,
> but maybe the router box is dropping all non port 80 traffic except for
> device 192.168.1.5? More than likely apt and spybot use https, so what would
> be the iptables rule to allow all traffic on port 443 to bypass the filter?
>

It should already be bypassing the filter. Only port 80 is handled
specially. At most you may need:
  iptables -I FORWARD -i br0 -p tcp -s $LAN_NET --dport 443 -j ACCEPT

Regarding the HTTP breakage, try adding
   iptables -t nat -I POSTROUTING -j MASQUERADE

... if that does not fix the proxy access out again then look at
DansGuardian and see if it's passing stuff to Squid.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE24
   Current Beta Squid 3.1.0.16
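Because the quoted script mixes `-A` (append) with `-I` (insert at the top), the order the kernel evaluates the rules in is not the order the lines appear in; this added shell example (not from the thread or either poster) replays the commands to show the resulting per-chain order. The addresses and the /24 netmask substituted for the nvram variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: resolve the final order of one
# iptables chain from a script that mixes -A (append at the end) and
# -I (insert at position 1). The match order, not the script order,
# decides which traffic bypasses the proxy.
# Sample commands are the quoted ddwrt script plus the two lines Amos
# suggested; the values are constructed assumptions: PROXY_IP=192.168.1.2,
# PROXY_PORT=8080, LAN_IP=192.168.1.1 and LAN_NET=192.168.1.0/24.
WRT_RULES='iptables -t nat -A PREROUTING -i br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! 192.168.1.2 -p tcp --dport 80 -j DNAT --to 192.168.1.2:8080
iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.2 -p tcp -j SNAT --to 192.168.1.1
iptables -I FORWARD -i br0 -o br0 -s 192.168.1.0/24 -d 192.168.1.2 -p tcp --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.5 -j ACCEPT
iptables -I FORWARD -i br0 -p tcp -s 192.168.1.0/24 --dport 443 -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE'

# chain_order TABLE CHAIN  < commands
# Prints "N: command" in the order the kernel would evaluate the rules.
# Commands without -t belong to the filter table.
chain_order() {
    awk -v table="$1" -v chain="$2" '
        /^iptables / {
            t = "filter"; c = ""; op = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-t") t = $(i + 1)
                else if ($i == "-A" || $i == "-I") { op = $i; c = $(i + 1) }
            }
            if (t != table || c != chain) next
            if (op == "-A") {
                rules[++n] = $0
            } else {                      # -I without a position: becomes rule 1
                for (j = n; j >= 1; j--) rules[j + 1] = rules[j]
                rules[1] = $0; n++
            }
        }
        END { for (j = 1; j <= n; j++) print j ": " rules[j] }'
}

# Number of rules the chain ends up with (for scripted checks).
chain_count() {
    chain_order "$1" "$2" | awk 'END { print NR }'
}

# The 192.168.1.5 ACCEPT was inserted last but is evaluated first, so that
# host skips the DNAT for every protocol; MASQUERADE, also inserted with -I,
# sits ahead of the SNAT rule in POSTROUTING.
for c in "nat PREROUTING" "nat POSTROUTING" "filter FORWARD"; do
    echo "== $c =="
    printf '%s\n' "$WRT_RULES" | chain_order $c   # unquoted: splits into TABLE CHAIN
done
```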
Received on Tue Feb 16 2010 - 04:46:14 MST