I did not take the time to really digest your post or rules (my apologies -
just very busy) but that is the first thing that came to mind. I've not used
DansGuardian but I do know that my transparent proxies failed until I realized
I had not allowed internal traffic passing on interface lo. I suppose if you do
a simple ifconfig or ip link ls you'll see if your system uses lo or lo0.
Good luck - John

On Thu, 2005-03-31 at 17:54 -0500, mark@xxxxxxxxxxxxxxxxxx wrote:
> John -
>
> Thanks for your reply - most definitely not silly, or off the cuff. I am a
> complete iptables newbie, so I will listen to anything.
>
> Actually, that is a part that I didn't change from the script that I am,
> well, borrowing. Might that be the reason that dansguardian hangs when I
> start it up? It did seem to me that it was not able to 'listen to itself',
> so to speak.
>
> Thanks again!
>
> Mark Ehle
> Computer Support Librarian
> Willard Public Library
> Battle Creek, Michigan
>
> Quoting "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx>:
> > This may be a silly, off the cuff reply, but, in your rules allowing
> > traffic within the gateway, do you want interface lo0 as you have
> > written or lo?
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@xxxxxxxxxxxxxxxxxxx
> >
> > If you would like to participate in the development of an open source
> > enterprise class network security management system, please visit
> > http://iscs.sourceforge.net
> >
> >
> > On Thu, 2005-03-31 at 15:37 -0500, mark@xxxxxxxxxxxxxxxxxx wrote:
> > > Hello -
> > >
> > > I am a complete iptables newbie who is trying to re-write a wireless
> > > hotspot script that I found on the net to control internet access for
> > > our library patrons.
> > >
> > > I found the script at:
> > >
> > > http://www.feedface.com/folkert/study/hotspot/src/firewall.sh.txt
> > >
> > > I am trying to re-write it so that I can use squid and dansguardian to
> > > proxy and filter the web. I need it to transparently proxy. I have a
> > > system set up now that uses squid to grant or deny access, but it can
> > > only block web access; my need is for a firewall that can block all
> > > network access so that a given PC can't chat or play online games as
> > > well as surf the net after time has run out.
> > >
> > > The script, as far as I have gotten, works well. When I fire it up, my
> > > test PC can't go anywhere except the sign up page (which it is
> > > redirected to no matter what), and when I add the PC to the access list
> > > (by typing firewall.sh add <ip> <mac>), that PC is able to surf.
> > >
> > > My problem comes in when I try to do the transparent proxy part. When I
> > > try to add the rule:
> > >
> > > iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
> > >
> > > to the script, it does not work, and dansguardian will not even start. I
> > > have played around with various permutations of this rule, and have
> > > gotten nowhere.
> > >
> > > Can anybody help?
> > >
> > > Thanks -
> > >
> > > Mark Ehle
> > > =======
> > > Following is the script (firewall.sh) as far as I have it:
> > >
> > > #!/bin/bash
> > >
> > > ###############################################################################
> > > # name: firewall.sh
> > > # author: Mark Ehle
> > > # date: 03-30-05
> > > # with much thanks given to Folkert Saathoff at http://www.feedface.com/folkert
> > > ###############################################################################
> > >
> > > #===========================
> > > # variables
> > > #===========================
> > >
> > > # command-line arguments
> > > COMMAND=$0
> > > ACTION=$1
> > > IP=$2
> > > MAC=$3
> > >
> > > # program locations
> > > IPTABLES=/sbin/iptables
> > > MODPROBE=/sbin/modprobe
> > > DEPMOD=/sbin/depmod
> > >
> > > # Local Network variables
> > > LAN_GW="10.0.0.1"
> > > LAN_NET="10.0.0.0/8"
> > > LAN_INT="eth1"
> > >
> > > # External network variables
> > > EXT_INT_IP="<insert external interface ip here>"
> > > EXT_INT="eth0"
> > >
> > > #Name Server IP
> > > NS="insert Name server ip here"
> > >
> > > #===========================
> > > # subroutines
> > > #===========================
> > > load_modules() {
> > >     $DEPMOD -a
> > >     # the module list must not be quoted as one word, otherwise modprobe
> > >     # is handed a single argument containing the whole list
> > >     for module in ip_conntrack ip_tables iptable_filter iptable_mangle \
> > >         iptable_nat ipt_LOG ipt_limit ipt_MASQUERADE; do
> > >         $MODPROBE $module
> > >     done
> > >     return
> > > }
> > >
> > > start_ip_forwarding() {
> > >     echo 1 > /proc/sys/net/ipv4/ip_forward
> > >     return
> > > }
> > >
> > > show_usage()
> > > {
> > >     echo "usage:"
> > >     echo "$COMMAND reset"
> > >     echo "$COMMAND add IP MAC"
> > >     echo "$COMMAND del IP MAC"
> > >     exit 1;
> > > }
> > >
> > > fferror()
> > > {
> > >     echo "^_^'"
> > >     echo "error setting netfilter: $ACTION"
> > >     exit 1
> > > }
> > >
> > > flush_tables() {
> > >     for TABLE in filter nat mangle; do
> > >         for SWITCH in F X Z; do
> > >             $IPTABLES -t $TABLE -$SWITCH
> > >         done
> > >     done
> > >     return
> > > }
> > >
> > > create_new_chains() {
> > >     #filter chain for accepting authenticated clients
> > >     $IPTABLES -t filter -N fclient
> > >     #filter chain for not rerouting authenticated clients
> > >     $IPTABLES -t nat -N dclient
> > >     #filter chain for routing from authenticated clients
> > >     $IPTABLES -t nat -N sclient
> > >
> > >     #default filter policy is DROP
> > >     $IPTABLES -t filter -P INPUT DROP
> > >     $IPTABLES -t filter -P OUTPUT DROP
> > >     $IPTABLES -t filter -P FORWARD DROP
> > >
> > >     return
> > > }
> > >
> > > reset_firewall() {
> > >
> > >     load_modules
> > >     start_ip_forwarding
> > >     flush_tables
> > >     create_new_chains
> > >
> > >     #allow all local traffic
> > >     $IPTABLES -t filter -A INPUT -i lo0 -j ACCEPT
> > >     $IPTABLES -t filter -A OUTPUT -o lo0 -j ACCEPT
> > >
> > >     #allow all icmp traffic self<->lan
> > >     $IPTABLES -t filter -A INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p icmp -j ACCEPT
> > >     $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p icmp -j ACCEPT
> > >
> > >     #allow all icmp traffic self<->inet
> > >     $IPTABLES -t filter -A INPUT -i $EXT_INT -d $EXT_INT_IP -p icmp -j ACCEPT
> > >     $IPTABLES -t filter -A OUTPUT -o $EXT_INT -s $EXT_INT_IP -p icmp -j ACCEPT
> > >
> > >     #allow dhcp traffic self<->lan
> > >     $IPTABLES -t filter -A INPUT -i $LAN_INT -s 0.0.0.0/0 -d 255.255.255.255 -p udp --dport 67:68 -j ACCEPT
> > >     $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p udp --sport 67:68 -j ACCEPT
> > >
> > >     #allow all web traffic self<->lan
> > >     for PORT in 80 443; do
> > >         $IPTABLES -t filter -A INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p tcp --dport $PORT -j ACCEPT
> > >         $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p tcp --sport $PORT -j ACCEPT
> > >     done
> > >
> > >     #allow all ssh and smb traffic to/from self
> > >     for PORT in 22 139; do
> > >         $IPTABLES -t filter -A INPUT -p tcp --dport $PORT -j ACCEPT
> > >         $IPTABLES -t filter -A OUTPUT -p tcp --sport $PORT -j ACCEPT
> > >     done
> > >
> > >     # allow dns
> > >     $IPTABLES -t filter -A OUTPUT -o $EXT_INT -s $EXT_INT_IP -d $NS -p udp --dport 53 -j ACCEPT
> > >     $IPTABLES -t filter -A INPUT -i $EXT_INT -s $NS -d $EXT_INT_IP -p udp --sport 53 -j ACCEPT
> > >     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -d $NS -p udp --dport 53 -j ACCEPT
> > >     $IPTABLES -t filter -A FORWARD -i $EXT_INT -o $LAN_INT -s $NS -d $LAN_NET -p udp --sport 53 -j ACCEPT
> > >
> > >     #enable source network address translation for dns
> > >     $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -p udp --dport 53 -d $NS -o $EXT_INT -j SNAT --to $EXT_INT_IP
> > >
> > >     #check for allowed clients -> inet
> > >     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -j fclient
> > >     #reject all other clients
> > >     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -j REJECT --reject-with icmp-net-prohibited
> > >
> > >     #allow established connections lan<->inet
> > >     $IPTABLES -t filter -A FORWARD -i $EXT_INT -o $LAN_INT -d $LAN_NET -m state --state ESTABLISHED -j ACCEPT
> > >
> > >     #snat traffic from authenticated clients
> > >     $IPTABLES -t nat -A POSTROUTING -s $LAN_NET ! -d $LAN_NET -j sclient
> > >
> > >     #do not dnat traffic from authenticated clients
> > >     $IPTABLES -t nat -A PREROUTING -i $LAN_INT ! -d $LAN_GW -j dclient
> > >
> > >     #enable dnat to self for all web traffic
> > >     for PORT in 80 443; do
> > >         $IPTABLES -t nat -A PREROUTING -i $LAN_INT ! -d $LAN_GW -p tcp --dport $PORT -j DNAT --to $LAN_GW
> > >     done
> > >
> > >     #add default REJECT rule (just more polite than DROP)
> > >     for CHAIN in INPUT OUTPUT FORWARD; do
> > >         $IPTABLES -t filter -A $CHAIN -j REJECT;
> > >     done
> > >     return
> > >
> > > }
> > >
> > > add_usage() {
> > >     echo "usage:"
> > >     echo "$COMMAND add IP MAC"
> > >     exit 1;
> > > }
> > >
> > > run_add() {
> > >     # both arguments are required (the helper called here must be the
> > >     # add_usage function defined above, not an undefined name)
> > >     [ -n "$IP" ] || add_usage; [ -n "$MAC" ] || add_usage
> > >     #add client
> > >     $IPTABLES -t filter -A fclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
> > >     $IPTABLES -t nat -A dclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
> > >     $IPTABLES -t nat -A sclient -s $IP ! -d $LAN_NET -j SNAT --to $EXT_INT_IP || fferror $?
> > >     echo "added Client: IP $IP MAC $MAC";
> > >     return
> > > }
> > >
> > > del_usage() {
> > >     echo "usage:"
> > >     echo "$COMMAND del IP MAC"
> > >     exit 1;
> > > }
> > >
> > > run_del() {
> > >     [ -n "$IP" ] || del_usage; [ -n "$MAC" ] || del_usage
> > >     #delete client
> > >     $IPTABLES -t filter -D fclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
> > >     $IPTABLES -t nat -D dclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
> > >     $IPTABLES -t nat -D sclient -s $IP ! -d $LAN_NET -j SNAT --to $EXT_INT_IP || fferror $?
> > >     echo "removed Client: IP $IP MAC $MAC";
> > >     return
> > > }
> > >
> > > #===========================
> > > # Main
> > > #===========================
> > >
> > > case "$ACTION" in
> > >     reset ) reset_firewall;;
> > >     add ) run_add;;
> > >     del ) run_del;;
> > >     * ) show_usage;;
> > > esac
> > >
> > > exit
> >
> >
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
Financially sustainable open source development
http://www.opensourcedevel.com
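The following is an added example, not code from the thread or from the firewall.sh authors. It shows the rule set a transparent filtering proxy on the gateway needs in addition to John's loopback point: because the posted script sets a default DROP policy on INPUT and OUTPUT, a REDIRECT to port 8080 also needs the redirected packets accepted on the proxy port, and the proxy's own fetches need to leave on the external interface, which the script only permits for DNS. It assumes the script's LAN values (eth1, 10.0.0.0/8, 10.0.0.1), the proxy port 8080 from Mark's rule, a constructed external address 203.0.113.2 as a placeholder, and a hypothetical DRY_RUN switch so the rules can be listed without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): transparent-proxy rules for a gateway
# whose filter table defaults to DROP, as in the posted firewall.sh.
# Assumed values below are placeholders; the external IP is a constructed
# documentation-range address, not a real host.

LAN_INT="${LAN_INT:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/8}"
LAN_GW="${LAN_GW:-10.0.0.1}"
EXT_INT="${EXT_INT:-eth0}"
EXT_INT_IP="${EXT_INT_IP:-203.0.113.2}"   # constructed placeholder
PROXY_PORT="${PROXY_PORT:-8080}"         # port from the REDIRECT rule in the thread
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Hypothetical helper: with DRY_RUN set, print the command instead of running it,
# so the rule set can be reviewed on a machine without netfilter privileges.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

proxy_rules() {
    # 1. Loopback: the proxy and the content filter talk to each other over
    #    127.0.0.1, and on Linux the loopback interface is named lo, not lo0.
    run "$IPTABLES" -t filter -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -t filter -A OUTPUT -o lo -j ACCEPT

    # 2. Redirect client port-80 traffic that is not addressed to the gateway
    #    itself to the local proxy port; PREROUTING runs before the routing
    #    decision, so the packet is then delivered to the gateway.
    run "$IPTABLES" -t nat -A PREROUTING -i "$LAN_INT" -s "$LAN_NET" ! -d "$LAN_GW" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"

    # 3. After REDIRECT the packet traverses INPUT with dport 8080, which a
    #    default-DROP INPUT chain that only accepts 80/443 will discard.
    run "$IPTABLES" -t filter -A INPUT -i "$LAN_INT" -s "$LAN_NET" -p tcp \
        --dport "$PROXY_PORT" -j ACCEPT
    run "$IPTABLES" -t filter -A OUTPUT -o "$LAN_INT" -d "$LAN_NET" -p tcp \
        --sport "$PROXY_PORT" -m state --state ESTABLISHED -j ACCEPT

    # 4. The proxy fetches pages itself, so the gateway's outbound web traffic
    #    and its replies must pass OUTPUT/INPUT on the external interface.
    run "$IPTABLES" -t filter -A OUTPUT -o "$EXT_INT" -s "$EXT_INT_IP" -p tcp \
        -m multiport --dports 80,443 -j ACCEPT
    run "$IPTABLES" -t filter -A INPUT -i "$EXT_INT" -d "$EXT_INT_IP" -p tcp \
        -m state --state ESTABLISHED -j ACCEPT
}

# Self-check entry point: "./proxy-rules.sh show" prints the seven commands.
if [ "${1:-}" = "show" ]; then
    DRY_RUN=1
    proxy_rules
fi
```

Running the script with `show` lists the rules in order; running `proxy_rules` without DRY_RUN applies them with the configured iptables binary. The rules are appended, so they belong before the script's final catch-all REJECT rules, or the REJECT will win.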