Find the answer to your Linux question:
Results 1 to 3 of 3
Hi All, Hope someone can help me with this problem. I have squid and dansguardian working correctly having altered the routers IPTABLES rules to direct traffic on port 80 to ...
  1. 10-24-2008 #1
    g1ngerninja
    g1ngerninja is offline
    Just Joined!
    Join Date
    Oct 2008
    Posts
    2

    Netgear DG834GT - Transparent proxy using Squid and DG

    Hi All,

    Hope someone can help me with this problem.

    I have squid and dansguardian working correctly having altered the routers IPTABLES rules to direct traffic on port 80 to dansguardian port 8080 and then from there to squid on port 3128.

    Whenever a client uses the internet via the transparent proxy I only get listed items saying they are coming from the router and not the IP address of the client machine.
    This is causing a problem not just with logging but also with the exceptioniplist for dansguardian. Since it's only listing all clients appearing to come from the router itself I can not add in exception IP addresses to bypass dansguardian.

    If I change the client to use the proxy directly the logging is correct as is the exceptioniplist config.

    Here is what I have config wise :-

    IPTABLES :-
    Code:
    /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! 192.168.0.50 -p tcp --dport 80 -j DNAT --to 192.168.0.50:8080
/usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.50 -j SNAT --to 192.168.0.1
/usr/sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.50 -i br0 -o br0 -p tcp --dport 8080 -j ACCEPT
    This config was taken from Transparent Proxy with Linux and Squid mini-HOWTO: Transparent Proxy to a Remote Box

    SQUID 2.7 Config:-
    Code:
    acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl router src 192.168.0.1
acl squid-server src 192.168.0.50
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow router
follow_x_forwarded_for allow squid-server
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
http_port 192.168.0.50:3128 transparent
hierarchy_stoplist cgi-bin ?
logformat common &#37;>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh %mt
access_log /usr/local/squid/var/logs/access.log common
debug_options ALL,9
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /usr/local/squid/var/cache
    Dansguardian 2.10 :-
    Code:
    reportinglevel = 3
languagedir = '/usr/local/share/dansguardian/languages'
language = 'ukenglish'
loglevel = 2
logexceptionhits = 2
logfileformat = 1
filterip =
filterport = 8080
proxyip = 192.168.0.50
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/local/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/usr/local/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/usr/local/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/usr/local/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/default.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = on 
usexforwardedfor = on
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 10
minchildren = 2 
minsparechildren = 1
preforkchildren = 2
maxsparechildren = 5
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
softrestart = off
    I hope this is a simple fix, but I have searched and searched and can not seem to find an answer.

    Thanks
    g1ngerninja
    Reply With Quote Reply With Quote
  2. 10-25-2008 #2
    hexcode
    hexcode is offline
    Just Joined!
    Join Date
    Oct 2008
    Posts
    21
    you are rewriting source ip of all requests to router ip. i dont understand why are you doing this.
    if you have squid box, dansguardian and iptables on same machine, the do it this way assuming internal interface eth0
    your rules ----------
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    your rules --------------
    explanation
    intercept each request which comes over protocol tcp and marked for destination port 3128 (squid box)
    this way your source ip will not be stripped and will be available in log and your acl's will work
    if you have squidbox on different ip then the following will do
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination squidboxip:3128
    you have to remove the source nat rule as it is the one that is stripping your client ips
    Reply With Quote Reply With Quote
  3. 10-25-2008 #3
    g1ngerninja
    g1ngerninja is offline
    Just Joined!
    Join Date
    Oct 2008
    Posts
    2
    hexcode,

    Thanks for the reply.

    The squid and dansguardian servers are on a different machine 192.168.0.50.
    Hence, iptables -t nat -A PREROUTING -i br0 -s ! 192.168.0.50 -p tcp --dport 80 -j DNAT --to 192.168.0.50:8080

    Now having this rule alone doesn't appear to work.

    What I tried from the mentioned url was also suggested here :- Transparent Proxy - DD-WRT Wiki

    What now ?

    Thanks
    g1ngerninja
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules

...