  1. #1
    Just Joined!
    Join Date
    Oct 2004
    Posts
    4

    Setting up Squid/Dansguardian - I keep getting "Access Denied."


    OK, I am trying to set up a simple unit to cache/save bandwidth and filter the kid's internet. I'm using Fedora. I downloaded the Squid source, compiled, make, installed. I changed the folder owner of the log/cache folders, and set the cache_effective_user. I set my http_access list to:

    Code:
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    # Deny requests to unknown ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    http_access deny to_localhost
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    # Example rule allowing access from your local networks. Adapt
    # to list your (internal) IP networks from where browsing should
    # be allowed
    acl cortiaus src 192.168.0.0/24
    http_access allow cortiaus
    
    # And finally deny all other access to this proxy
    http_access deny all
    Kind of a mix of my stuff and the default setting (still getting familiar with this). I installed Dansguardian and set it up. The guide I was following told me to set this iptables thing:

    Code:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080
    According to the guide, I would point my computers at port 3128, and it would automatically forward them to 8080. So I go to a test machine, and set up the proxy. I point it to the IP. If I point it at port 3128, the internet runs fine but it doesn't block any pages (I have played with Dansguardian before and I know for sure it is configured correctly). If I point it at port 8080, I get this:

    Code:
    ERROR
    The requested URL could not be retrieved
    
    While trying to retrieve the URL: http://www.hardocp.com/
    
    The following error was encountered:
    
        * Access Denied.
    
          Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect. 
    
    Your cache administrator is webmaster.
    Generated Tue, 09 May 2006 21:50:44 GMT by localhost.localdomain (squid/2.5.STABLE13)
    It says it's coming from Squid, but isn't port 8080 the one that Dansguardian listens on? What's up here guys? I'm new to all this, and am still wet around the ears with Linux, but I'm starting to get the hang of it. Any help?

  2. #2
    Just Joined!
    Join Date
    Jun 2006
    Posts
    1

    iptables rule for squid/dansguardian transparent proxy

    Hi - you've probably already resolved your issue by now, but by changing a couple of settings you can use the squid/firewall machine as a transparent proxy, and you won't need to set a proxy server in your client machines' browsers.
    The iptables rule looks like:

    Code:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    and you would set "proxyport = 3128" and "proxyip = your.internal.ip.address" in your /etc/dansguardian/dansguardian.conf.
    You'll probably also need to set the following to "on" in your squid.conf:

    Code:
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    Although those may just be necessary for me, as I also serve webpages from apache on this host as well.

    Now if you want to bypass dansguardian, you can set the proxy server in your client browser to your squid host's internal ip address, port 3128.

  3. #3
    Just Joined!
    Join Date
    Dec 2007
    Posts
    2
    Thanks Milkman_dan -

    In my case with Red Hat 8, Squid-2.6 and configured as a transparent router / bridge aka 'brouter', the Access Denied message was fixed by changing proxyip from 127.0.0.1 to what my bridge was set to; 192.168.1.117 in my case.

    Other show stoppers along the way, I recall, were:
    - enable IP forwarding in /proc/sys/net/bridge
    - run iptables as you show
    - run ebtables (optional? .. per freshmeat.net: Tutorials - Configuring a Transparent Proxy/Webcache in a Bridge using Squid and ebtables )
    - kill the dhclient process on your linux box or it will reassign the IP address of your bridge interface (and to some the NICs as well).... which would no doubt muck up the proxyip setting.

    IMPORTANT: If you are using Squid 2.6 and newer, the tags:

    Code:
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    don't work!
    Instead, you need this directive:

    Code:
    http_port 3128 transparent
    in the squid configuration file.
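
Added example, not part of any post in this thread: a small evaluator for the http_access list from post #1, showing one reading consistent with the fix in post #3. Squid decides on the source address of the connection it receives, so a request relayed by DansGuardian with proxyip 127.0.0.1 arrives from 127.0.0.1 and falls through to "deny all". The definitions of "all" and "localhost", the values in OTHER_ACLS, and the addresses 192.168.0.25 and 192.168.0.1 are assumptions made for the example.

```python
import ipaddress

# "cortiaus" is from post #1; "all" and "localhost" are assumed to be the
# stock Squid definitions, which the post does not show.
SRC_ACLS = {"all": "0.0.0.0/0", "localhost": "127.0.0.1/32",
            "cortiaus": "192.168.0.0/24"}

# Non-source ACLs, fixed to the values they take for an ordinary
# GET http://example.com/ (port 80, not CONNECT, not cachemgr). Assumption.
OTHER_ACLS = {"manager": False, "Safe_ports": True, "SSL_ports": False,
              "CONNECT": False, "to_localhost": False}

# http_access lines exactly as posted in #1, in order.
POSTED_RULES = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow cortiaus
http_access deny all
"""

def acl_matches(name, client_ip):
    """True if the (possibly !negated) ACL matches this request."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name in SRC_ACLS:
        net = ipaddress.ip_network(SRC_ACLS[name])
        hit = ipaddress.ip_address(client_ip) in net
    else:
        hit = OTHER_ACLS[name]
    return hit != negate

def decide(rules, client_ip):
    """The first line whose ACLs all match decides (AND within a line)."""
    last = "allow"  # with no rules at all, the fall-through below denies
    for line in rules.strip().splitlines():
        _, action, *acls = line.split()
        if all(acl_matches(a, client_ip) for a in acls):
            return action, line.strip()
        last = action
    # Squid applies the opposite of the last rule when nothing matched.
    return ("allow" if last == "deny" else "deny"), "(no rule matched)"

if __name__ == "__main__":
    # Source addresses as Squid sees them; the LAN addresses are constructed.
    for label, ip in [("browser -> 3128", "192.168.0.25"),
                      ("DansGuardian, proxyip = 127.0.0.1", "127.0.0.1"),
                      ("DansGuardian, proxyip = 192.168.0.1", "192.168.0.1")]:
        print(f"{label:38} {decide(POSTED_RULES, ip)}")
```

The same evaluation shows why pointing a browser straight at port 3128 skips filtering: any address in 192.168.0.0/24 is allowed by Squid itself. Narrowing the allow rule to the address DansGuardian connects from closes that path.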
