Gentoo Forums
Getting Dansguardian work with squid and iptables
elmar283
Guru
Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands

PostPosted: Sat Oct 26, 2013 7:39 pm    Post subject: Getting Dansguardian work with squid and iptables Reply with quote

I'm trying to get Dansguardian to work with squid and iptables.

I have had squid and iptables configured for a while and this is working fine.
Basically my setup is:
I have a Gentoo Linux server on a FIT PC-2. It has a wlan and an Ethernet network interface.
Network interface wlp3s0 is connected through wlan to the internal network 192.168.178.0. # WORKING
Network interface enp2s0 is an Ethernet interface that is connected to a wireless access-point # WORKING
All the computers in my house connect to this wireless access-point. # WORKING
All internet requests are transferred through the FIT PC-2 without any configuration on the other computers.

This is my old http configuration:
all http from port 80 is redirected to port 3128 (iptables rule: iptables -t nat -A PREROUTING -i enp2s0 -p tcp --dport 80 -j REDIRECT --to-port 3128) #WORKING
Squid intercepts this traffic (http_port 3128 intercept) #WORKING

What I want to do is instead of redirecting to port 3128 to redirect to port 8080 like this:
Code:

iptables -t nat -A PREROUTING -i enp2s0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Dansguardian intercepts the traffic from port 8080 and sends it to port 3128.
The problem is that when I do that, squid denies this:
Code:

Error message from squid:

ERROR
The requested URL could not be retrieved

De volgende fout is opgetreden tijdens het ophalen van URL: http://www.nrc.nl/

    Toegang niet toegestaan.

U heeft geen toegang tot de URL die u probeerde op te vragen van deze server. Neem contact op met uw service provider als u denkt dat dit niet klopt.

De beheerder van deze cache is <removed>.

Gegenereerd Sat, 26 Oct 2013 19:35:02 GMT door ZaphodBeeblebrox (squid/3.2.13)


What must I do to make squid accept dansguardian?

Here are some config files:
Code:

ZaphodBeeblebrox ~ # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination   
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere   


Code:

elmarotter@ZaphodBeeblebrox ~ $ sed -e 's/#.*//' -e '/^$/ d' /etc/squid/squid.conf
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl CONNECT method CONNECT
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 8080
acl CONNECT method CONNECT
acl DansGuardian src 192.168.0.1
acl ALL src all
http_access allow manager localhost
http_access allow localnet
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access deny !Safe_ports
http_access allow DansGuardian
http_access deny to_localhost
http_access deny all
http_port 3128 intercept
cache_dir ufs /var/cache/squid 100 16 256
cache_mem 256 MB
cache_dir ufs /usr/tmp/squid/cache 50000 64 512
coredump_dir /usr/tmp/squid/cache
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
refresh_pattern .      0   20%   4320
cache_effective_user squid
cache_effective_group squid


Code:

elmarotter@ZaphodBeeblebrox ~ $ sed -e 's/#.*//' -e '/^$/ d' /etc/dansguardian/dansguardian.conf
reportinglevel = 3
languagedir = '/usr/share/dansguardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = 2
logfileformat = 1
loglocation = '/var/log/dansguardian/access.log'
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'http://elmarotter.eu/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 1
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
daemonuser = 'clamav'
daemongroup = 'clamav'
softrestart = off
mailer = '/usr/sbin/sendmail -t'
originalip = off


Code:

elmarotter@ZaphodBeeblebrox ~ $ sed -e 's/#.*//' -e '/^$/ d' /etc/dansguardian/dansguardianf1.conf
groupmode = 1
groupname = 'group_one'
bannedphraselist = '/etc/dansguardian/lists/bannedphraselist'
weightedphraselist = '/etc/dansguardian/lists/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/lists/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelist'
greysitelist = '/etc/dansguardian/lists/greysitelist'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist'
bannedurllist = '/etc/dansguardian/lists/bannedurllist'
greyurllist = '/etc/dansguardian/lists/greyurllist'
exceptionurllist = '/etc/dansguardian/lists/exceptionurllist'
exceptionregexpurllist = '/etc/dansguardian/lists/exceptionregexpurllist'
bannedregexpurllist = '/etc/dansguardian/lists/bannedregexpurllist'
picsfile = '/etc/dansguardian/lists/pics'
contentregexplist = '/etc/dansguardian/lists/contentregexplist'
urlregexplist = '/etc/dansguardian/lists/urlregexplist'
blockdownloads = off
exceptionextensionlist = '/etc/dansguardian/lists/exceptionextensionlist'
exceptionmimetypelist = '/etc/dansguardian/lists/exceptionmimetypelist'
bannedextensionlist = '/etc/dansguardian/lists/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/lists/bannedmimetypelist'
exceptionfilesitelist = '/etc/dansguardian/lists/exceptionfilesitelist'
exceptionfileurllist = '/etc/dansguardian/lists/exceptionfileurllist'
headerregexplist = '/etc/dansguardian/lists/headerregexplist'
bannedregexpheaderlist = '/etc/dansguardian/lists/bannedregexpheaderlist'
naughtynesslimit = 50
categorydisplaythreshold = 0
embeddedurlweight = 0
enablepics = off
bypass = 0
bypasskey = ''
infectionbypass = 0
infectionbypasskey = ''
infectionbypasserrorsonly = on
disablecontentscan = off
deepurlanalysis = off
usesmtp = off
mailfrom = ''
avadmin = ''
contentadmin = ''
avsubject = 'dansguardian virus block'
contentsubject = 'dansguardian violation'
notifyav = off
notifycontent = off
thresholdbyuser = off
violations = 0
threshold = 0


Code:

elmarotter@ZaphodBeeblebrox ~ $ ifconfig
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::201:c0ff:fe09:bd9a  prefixlen 64  scopeid 0x20<link>
        ether 00:01:c0:09:bd:9a  txqueuelen 1000  (Ethernet)
        RX packets 2017928  bytes 1461779926 (1.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1385694  bytes 1150461380 (1.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 38769  bytes 18607657 (17.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38769  bytes 18607657 (17.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.178.21  netmask 255.255.255.0  broadcast 192.168.178.255
        inet6 fe80::20d:f0ff:fe7d:ed98  prefixlen 64  scopeid 0x20<link>
        inet6 2001:981:88b0:1:20d:f0ff:fe7d:ed98  prefixlen 64  scopeid 0x0<global>
        ether 00:0d:f0:7d:ed:98  txqueuelen 1000  (Ethernet)
        RX packets 5233510  bytes 1673947926 (1.5 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5695352  bytes 3096026591 (2.8 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
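The post ends with the configuration and no reply. As an added illustration (not part of the post, and not code from the Squid or DansGuardian projects), the script below is a minimal first-match evaluator for the `http_access` lines of the posted squid.conf. It models only the ACL types that config uses (`src`, `port`, `method`) plus Squid's built-in `all` and `localhost`; the URL-based built-ins `manager` and `to_localhost` are treated as never matching, which is a simplification. The request sources are constructed: a LAN client at 192.168.0.50, and 127.0.0.1, which is where a request forwarded by DansGuardian would arrive from if `proxyip = 127.0.0.1` means it connects to squid over loopback (an assumption the post does not confirm). The second config string, with the `DansGuardian` ACL widened to 127.0.0.1, is likewise a constructed variant, not a fix stated on the page.

```python
"""First-match evaluator for Squid http_access rules (added example, not
code from the forum post, Squid or DansGuardian). It covers only the ACL
types that appear in the posted squid.conf: src, port and method."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str      # client address as Squid sees it on the accepted socket
    port: int     # destination port of the requested URL
    method: str   # HTTP method, e.g. GET or CONNECT


# Relevant lines copied from the posted squid.conf, order preserved.
POSTED_CONF = """
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl CONNECT method CONNECT
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 8080
acl DansGuardian src 192.168.0.1
acl ALL src all
http_access allow manager localhost
http_access allow localnet
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access deny !Safe_ports
http_access allow DansGuardian
http_access deny to_localhost
http_access deny all
"""

# Constructed variant (an assumption, not a confirmed fix): the DansGuardian
# ACL widened to the loopback address a local daemon would connect from.
LOOPBACK_VARIANT = POSTED_CONF.replace("acl DansGuardian src 192.168.0.1",
                                       "acl DansGuardian src 127.0.0.1")

LOCALHOST_NET = ipaddress.ip_network("127.0.0.0/8")  # Squid's built-in 'localhost'


def parse_config(text):
    """Return (acls, rules). acls maps name -> [(type, value)];
    rules is the ordered list of (action, [(negated, acl_name), ...])."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, typ, *values = parts[1:]
            acls.setdefault(name, []).extend((typ, v) for v in values)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    """True if the named ACL matches the request. Built-in 'all' always
    matches and 'localhost' matches loopback sources; URL-based built-ins
    such as 'manager' and 'to_localhost' are not modelled and never match."""
    if name == "all":
        return True
    if name == "localhost":
        return ipaddress.ip_address(req.src) in LOCALHOST_NET
    for typ, value in acls.get(name, []):
        if typ == "src":
            if value == "all":
                return True
            if ipaddress.ip_address(req.src) in ipaddress.ip_network(value, strict=False):
                return True
        elif typ == "port":
            lo, _, hi = value.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        elif typ == "method" and value.upper() == req.method.upper():
            return True
    return False


def decide(conf_text, req):
    """Walk the http_access lines in order and return (action, line_index) of
    the first line whose terms all match, or ('deny', -1) if none does."""
    acls, rules = parse_config(conf_text)
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action, i
    return "deny", -1


if __name__ == "__main__":
    lan = Request("192.168.0.50", 80, "GET")
    via_dg = Request("127.0.0.1", 80, "GET")
    print("LAN client, posted config:      ", decide(POSTED_CONF, lan))
    print("loopback source, posted config: ", decide(POSTED_CONF, via_dg))
    print("loopback source, widened ACL:   ", decide(LOOPBACK_VARIANT, via_dg))
```

Run as-is, it reports that the LAN client is admitted by `allow localnet` (rule index 1), while a request from 127.0.0.1 falls through every line to `deny all` (index 7), because neither `localnet` (192.168.0.0/24) nor `DansGuardian` (192.168.0.1) covers the loopback address; with the widened ACL the same request is admitted at `allow DansGuardian` (index 5). ACLs are only one part of the picture: a port declared with `intercept` expects NAT-redirected connections, and a filtering daemon that connects to Squid directly is normally given a plain `http_port` of its own, separate from the intercept port.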