    Netgear DG834GT - Transparent proxy using Squid and DG

    Hi All,

    Hope someone can help me with this problem.

    I have squid and dansguardian working correctly, having altered the router's iptables rules to direct traffic on port 80 to dansguardian on port 8080, and from there to squid on port 3128.

    Whenever a client uses the internet via the transparent proxy, the log entries show the requests as coming from the router rather than from the IP address of the client machine.
    This causes a problem not just with logging but also with the exceptioniplist for dansguardian: since every client appears to come from the router itself, I cannot add exception IP addresses to bypass dansguardian.

    If I configure the client to use the proxy directly, the logging is correct, as is the exceptioniplist config.

    Here is what I have, config-wise:

    /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! -p tcp --dport 80 -j DNAT --to
    /usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s -d -j SNAT --to
    /usr/sbin/iptables -A FORWARD -s -d -i br0 -o br0 -p tcp --dport 8080 -j ACCEPT
    This config was taken from the "Transparent Proxy to a Remote Box" section of the Transparent Proxy with Linux and Squid mini-HOWTO.

    SQUID 2.7 Config:-
    acl all src all
    acl manager proto cache_object
    acl localhost src
    acl to_localhost dst
    acl localnet src # RFC1918 possible internal network
    acl router src
    acl squid-server src
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet
    http_access deny all
    icp_access allow localnet
    icp_access deny all
    follow_x_forwarded_for allow localhost
    follow_x_forwarded_for allow router
    follow_x_forwarded_for allow squid-server
    acl_uses_indirect_client on
    delay_pool_uses_indirect_client on
    log_uses_indirect_client on
    http_port transparent
    hierarchy_stoplist cgi-bin ?
    logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh %mt
    access_log /usr/local/squid/var/logs/access.log common
    debug_options ALL,9
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320
    acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
    upgrade_http0.9 deny shoutcast
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    coredump_dir /usr/local/squid/var/cache
    Dansguardian 2.10 :-
    reportinglevel = 3
    languagedir = '/usr/local/share/dansguardian/languages'
    language = 'ukenglish'
    loglevel = 2
    logexceptionhits = 2
    logfileformat = 1
    filterip =
    filterport = 8080
    proxyip =
    proxyport = 3128
    accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/'
    nonstandarddelimiter = on
    usecustombannedimage = on
    custombannedimagefile = '/usr/local/share/dansguardian/transparent1x1.gif'
    filtergroups = 1
    filtergroupslist = '/usr/local/etc/dansguardian/lists/filtergroupslist'
    bannediplist = '/usr/local/etc/dansguardian/lists/bannediplist'
    exceptioniplist = '/usr/local/etc/dansguardian/lists/exceptioniplist'
    showweightedfound = on
    weightedphrasemode = 2
    urlcachenumber = 1000
    urlcacheage = 900
    scancleancache = on
    phrasefiltermode = 2
    preservecase = 0
    hexdecodecontent = off
    forcequicksearch = off
    reverseaddresslookups = off
    reverseclientiplookups = off
    logclienthostnames = off
    createlistcachefiles = on
    maxuploadsize = -1
    maxcontentfiltersize = 256
    maxcontentramcachescansize = 2000
    maxcontentfilecachescansize = 20000
    filecachedir = '/tmp'
    deletedownloadedtempfiles = on
    initialtrickledelay = 20
    trickledelay = 10
    downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/fancy.conf'
    downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/default.conf'
    contentscannertimeout = 60
    contentscanexceptions = off
    recheckreplacedurls = off
    forwardedfor = on 
    usexforwardedfor = on
    logconnectionhandlingerrors = on
    logchildprocesshandling = off
    maxchildren = 10
    minchildren = 2 
    minsparechildren = 1
    preforkchildren = 2
    maxsparechildren = 5
    maxagechildren = 500
    maxips = 0
    ipcfilename = '/tmp/.dguardianipc'
    urlipcfilename = '/tmp/.dguardianurlipc'
    ipipcfilename = '/tmp/.dguardianipipc'
    nodaemon = off
    nologger = off
    logadblocks = off
    loguseragent = off
    softrestart = off
    I hope this is a simple fix, but I have searched and searched and cannot seem to find an answer.


    You are rewriting the source IP of all requests to the router IP; I don't understand why you are doing this.
    If you have the squid box, dansguardian and iptables on the same machine, then do it this way (assuming the internal interface is eth0):
    your rules ----------
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    your rules --------------
    This intercepts each TCP request and redirects it to destination port 3128 (the squid box).
    This way your source IP will not be stripped; it will be available in the log and your ACLs will work.
    If the squid box is on a different IP, then the following will do:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination squidboxip:3128
    You have to remove the source NAT rule, as it is the one that is stripping your client IPs. Note that once the SNAT rule is gone, the squid box's replies to the client must still route back through the router (which is what the SNAT rule in the HOWTO was forcing); otherwise the client receives a reply from an address it never connected to and rejects it.

    Thanks for the reply.

    The squid and dansguardian servers are on a different machine from the router.
    Hence, iptables -t nat -A PREROUTING -i br0 -s ! -p tcp --dport 80 -j DNAT --to

    Having this rule alone (without the SNAT rule) doesn't appear to work.

    What I tried from the URL I mentioned was also suggested here: Transparent Proxy - DD-WRT Wiki

    What now?


