Join Date: Oct 2008
Netgear DG834GT - Transparent proxy using Squid and DG
Hope someone can help me with this problem.
I have Squid and DansGuardian working correctly, having altered the router's iptables rules to direct traffic on port 80 to DansGuardian on port 8080 and from there to Squid on port 3128.
Whenever a client uses the internet via the transparent proxy, I only get listed items saying they are coming from the router and not the IP address of the client machine.
This is causing a problem not just with logging but also with the exceptioniplist for DansGuardian. Since all clients appear to come from the router itself, I cannot add exception IP addresses to bypass DansGuardian.
If I change the client to use the proxy directly, the logging is correct, as is the exceptioniplist config.
Here is what I have, config-wise:-
/usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! 192.168.0.50 -p tcp --dport 80 -j DNAT --to 192.168.0.50:8080
/usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.50 -j SNAT --to 192.168.0.1
/usr/sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.50 -i br0 -o br0 -p tcp --dport 8080 -j ACCEPT
Squid 2.7 config:-
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl router src 192.168.0.1
acl squid-server src 192.168.0.50
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow router
follow_x_forwarded_for allow squid-server
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
http_port 192.168.0.50:3128 transparent
hierarchy_stoplist cgi-bin ?
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh %mt
access_log /usr/local/squid/var/logs/access.log common
debug_options ALL,9
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /usr/local/squid/var/cache
DansGuardian config:-
reportinglevel = 3
languagedir = '/usr/local/share/dansguardian/languages'
language = 'ukenglish'
loglevel = 2
logexceptionhits = 2
logfileformat = 1
filterip =
filterport = 8080
proxyip = 192.168.0.50
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/local/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/usr/local/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/usr/local/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/usr/local/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/default.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = on
usexforwardedfor = on
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 10
minchildren = 2
minsparechildren = 1
preforkchildren = 2
maxsparechildren = 5
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
softrestart = off
Join Date: Oct 2008
You are rewriting the source IP of all requests to the router IP. I don't understand why you are doing this.
If you have the Squid box, DansGuardian and iptables on the same machine, then do it this way, assuming internal interface eth0:
your rules ----------
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
your rules --------------
Intercept each request that comes over protocol TCP and is marked for destination port 3128 (Squid box).
This way your source IP will not be stripped, will be available in the log, and your ACLs will work.
If you have the Squid box on a different IP, then the following will do:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination squidboxip:3128
You have to remove the source NAT rule, as it is the one that is stripping your client IPs.
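A small model of the two rule sets in this thread, added here as an illustration and not code from either poster: it walks one client request through the original PREROUTING DNAT plus POSTROUTING SNAT and through the DNAT-only version, and shows which source address the proxy box ends up seeing. The client and web-server addresses are constructed; the router and proxy addresses are the thread's.

```python
"""Model the address rewriting done by the thread's iptables NAT rules.

Added illustration, not code from the thread. Router/proxy addresses
come from the thread; the client and the web server are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

ROUTER = ipaddress.ip_address("192.168.0.1")
PROXY = ipaddress.ip_address("192.168.0.50")
LAN = ipaddress.ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def dnat_to_proxy(pkt: Packet, port: int = 8080) -> Packet:
    """PREROUTING: -s ! 192.168.0.50 -p tcp --dport 80 -j DNAT --to 192.168.0.50:port"""
    if pkt.src != PROXY and pkt.dport == 80:
        return replace(pkt, dst=PROXY, dport=port)
    return pkt


def snat_to_router(pkt: Packet) -> Packet:
    """POSTROUTING: -s 192.168.0.0/24 -d 192.168.0.50 -j SNAT --to 192.168.0.1"""
    if pkt.src in LAN and pkt.dst == PROXY:
        return replace(pkt, src=ROUTER)
    return pkt


def original_rules(pkt: Packet) -> Packet:
    """The first post's rule set: DNAT, then the SNAT that masks the client."""
    return snat_to_router(dnat_to_proxy(pkt))


def suggested_rules(pkt: Packet) -> Packet:
    """The reply's rule set for a separate proxy host: DNAT only, no SNAT."""
    return dnat_to_proxy(pkt)


def source_seen_by_proxy(chain, client: str = "192.168.0.20") -> str:
    """Return the source address the proxy (and so Squid/DansGuardian) logs
    for a constructed web request from `client` to 203.0.113.10:80."""
    pkt = Packet(ipaddress.ip_address(client), 54321,
                 ipaddress.ip_address("203.0.113.10"), 80)
    return str(chain(pkt).src)
```

The SNAT exists so that the proxy's replies return through the router, where conntrack undoes the DNAT; with it removed, the client address survives only if the proxy's return traffic is still routed via the router, which is what the REDIRECT-on-the-same-box variant in the reply gets for free.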
Join Date: Oct 2008
Thanks for the reply.
The Squid and DansGuardian servers are on a different machine, 192.168.0.50.
Hence, iptables -t nat -A PREROUTING -i br0 -s ! 192.168.0.50 -p tcp --dport 80 -j DNAT --to 192.168.0.50:8080
Now, having this rule alone doesn't appear to work.
What I tried from the mentioned URL was also suggested here:- Transparent Proxy - DD-WRT Wiki
What now?