John - I made that change (lo0 -> lo), and while I can't test it fully as I'm at home and can only ssh into the proxy, dansguardian does now load correctly. I will know more when I get to work tomorrow, but it looks like a step in the right direction. I'm surprised that iptables did not complain.

Thanks! You da man!

Mark

Quoting "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx>:

> I did not take the time to really digest your post or rules (my
> apologies - just very busy) but that is the first thing that came to
> mind. I've not used DansGuardian but I do know that my transparent
> proxies failed until I realized I had not allowed internal traffic
> passing on interface lo. I suppose if you do a simple ifconfig or ip
> link ls you'll see if your system uses lo or lo0. Good luck - John
>
> On Thu, 2005-03-31 at 17:54 -0500, mark@xxxxxxxxxxxxxxxxxx wrote:
> > John -
> >
> > Thanks for your reply - most definitely not silly, or off the cuff. I am a
> > complete iptables newbie, so I will listen to anything.
> >
> > Actually, that is a part that I didn't change from the script that I am, well,
> > borrowing. Might that be the reason that dansguardian hangs when I start it up?
> > It did seem to me that it was not able to 'listen to itself', so to speak.
> >
> > Thanks again!
> >
> > Mark Ehle
> > Computer Support Librarian
> > Willard Public Library
> > Battle Creek, Michigan
> >
> > Quoting "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx>:
> > > This may be a silly, off the cuff reply, but, in your rules allowing
> > > traffic within the gateway, do you want interface lo0 as you have
> > > written or lo?
> > > --
> > > John A. Sullivan III
> > > Open Source Development Corporation
> > > +1 207-985-7880
> > > jsullivan@xxxxxxxxxxxxxxxxxxx
> > >
> > > If you would like to participate in the development of an open source
> > > enterprise class network security management system, please visit
> > > http://iscs.sourceforge.net
> > >
> > > On Thu, 2005-03-31 at 15:37 -0500, mark@xxxxxxxxxxxxxxxxxx wrote:
> > > > Hello -
> > > >
> > > > I am a complete iptables newbie who is trying to re-write a wireless hotspot
> > > > script that I found on the net to control internet access for our library
> > > > patrons.
> > > >
> > > > I found the script at:
> > > >
> > > > http://www.feedface.com/folkert/study/hotspot/src/firewall.sh.txt
> > > >
> > > > I am trying to re-write it so that I can use squid and dansguardian to
> > > > proxy and filter the web. I need it to transparently proxy. I have a
> > > > system set up now that uses squid to grant or deny access, but it can
> > > > only block web access; my need is for a firewall that can block all
> > > > network access so that a given PC can't chat or play online games as
> > > > well as surf the net after time has run out.
> > > >
> > > > The script, as far as I have gotten, works well. When I fire it up, my
> > > > test PC can't go anywhere except the sign up page (which it is
> > > > redirected to no matter what), and when I add the PC to the access list
> > > > (by typing firewall.sh add <ip> <mac>), that PC is able to surf.
> > > >
> > > > My problem comes in when I try to do the transparent proxy part. When I
> > > > try to add the rule:
> > > >
> > > > iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
> > > >
> > > > to the script, it does not work, and dansguardian will not even start. I
> > > > have played around with various permutations of this rule, and have
> > > > gotten nowhere.
> > > >
> > > > Can anybody help?
> > > >
> > > > Thanks -
> > > >
> > > > Mark Ehle
> > > > =======
> > > > Following is the script (firewall.sh) as far as I have it:
> > > >
> > > > #!/bin/bash
> > > >
> > > > ###############################################################################
> > > > # name: firewall.sh
> > > > # author: Mark Ehle
> > > > # date: 03-30-05
> > > > # with much thanks given to Folkert Saathoff at http://www.feedface.com/folkert
> > > > ###############################################################################
> > > >
> > > > #===========================
> > > > # variables
> > > > #===========================
> > > >
> > > > # command-line arguments
> > > > COMMAND=$0
> > > > ACTION=$1
> > > > IP=$2
> > > > MAC=$3
> > > >
> > > > # program locations
> > > > IPTABLES=/sbin/iptables
> > > > MODPROBE=/sbin/modprobe
> > > > DEPMOD=/sbin/depmod
> > > >
> > > > # Local Network variables
> > > > LAN_GW="10.0.0.1"
> > > > LAN_NET="10.0.0.0/8"
> > > > LAN_INT="eth1"
> > > >
> > > > # External network variables
> > > > EXT_INT_IP="<insert external interface ip here>"
> > > > EXT_INT="eth0"
> > > >
> > > > #Name Server IP
> > > > NS="insert Name server ip here"
> > > >
> > > > #===========================
> > > > # subroutines
> > > > #===========================
> > > > load_modules() {
> > > >     $DEPMOD -a
> > > >     # module names left unquoted so the loop sees one name per iteration
> > > >     for module in ip_conntrack ip_tables iptable_filter iptable_mangle \
> > > >                   iptable_nat ipt_LOG ipt_limit ipt_MASQUERADE; do
> > > >         $MODPROBE $module
> > > >     done
> > > >     return
> > > > }
> > > >
> > > > start_ip_forwarding() {
> > > >     echo 1 > /proc/sys/net/ipv4/ip_forward
> > > >     return
> > > > }
> > > >
> > > > show_usage()
> > > > {
> > > >     echo "usage:"
> > > >     echo "$COMMAND reset"
> > > >     echo "$COMMAND add IP MAC"
> > > >     echo "$COMMAND del IP MAC"
> > > >     exit 1;
> > > > }
> > > >
> > > > fferror()
> > > > {
> > > >     echo "^_^'"
> > > >     echo "error setting netfilter: $ACTION"
> > > >     exit 1
> > > > }
> > > >
> > > > flush_tables() {
> > > >     for TABLE in filter nat mangle; do
> > > >         for SWITCH in F X Z; do
> > > >             $IPTABLES -t $TABLE -$SWITCH
> > > >         done
> > > >     done
> > > >     return
> > > > }
> > > >
> > > > create_new_chains() {
> > > >     #filter chain for accepting authenticated clients
> > > >     $IPTABLES -t filter -N fclient
> > > >     #filter chain for not rerouting authenticated clients
> > > >     $IPTABLES -t nat -N dclient
> > > >     #filter chain for routing from authenticated clients
> > > >     $IPTABLES -t nat -N sclient
> > > >
> > > >     #default filter policy is DROP
> > > >     $IPTABLES -t filter -P INPUT DROP
> > > >     $IPTABLES -t filter -P OUTPUT DROP
> > > >     $IPTABLES -t filter -P FORWARD DROP
> > > >
> > > >     return
> > > > }
> > > >
> > > > reset_firewall() {
> > > >
> > > >     load_modules
> > > >     start_ip_forwarding
> > > >     flush_tables
> > > >     create_new_chains
> > > >
> > > >     #allow all local traffic
> > > >     $IPTABLES -t filter -A INPUT -i lo0 -j ACCEPT
> > > >     $IPTABLES -t filter -A OUTPUT -o lo0 -j ACCEPT
> > > >
> > > >     #allow all icmp traffic self<->lan
> > > >     $IPTABLES -t filter -A INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p icmp -j ACCEPT
> > > >     $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p icmp -j ACCEPT
> > > >
> > > >     #allow all icmp traffic self<->inet
> > > >     $IPTABLES -t filter -A INPUT -i $EXT_INT -d $EXT_INT_IP -p icmp -j ACCEPT
> > > >     $IPTABLES -t filter -A OUTPUT -o $EXT_INT -s $EXT_INT_IP -p icmp -j ACCEPT
> > > >
> > > >     #allow dhcp traffic self<->lan
> > > >     $IPTABLES -t filter -A INPUT -i $LAN_INT -s 0.0.0.0/0 -d 255.255.255.255 -p udp --dport 67:68 -j ACCEPT
> > > >     $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p udp --sport 67:68 -j ACCEPT
> > > >
> > > >     #allow all web traffic self<->lan
> > > >     for PORT in 80 443; do
> > > >         $IPTABLES -t filter -A INPUT -i $LAN_INT -s $LAN_NET -d $LAN_GW -p tcp --dport $PORT -j ACCEPT
> > > >         $IPTABLES -t filter -A OUTPUT -o $LAN_INT -s $LAN_GW -d $LAN_NET -p tcp --sport $PORT -j ACCEPT
> > > >     done
> > > >
> > > >     #allow all ssh and smb traffic to/from self
> > > >     for PORT in 22 139; do
> > > >         $IPTABLES -t filter -A INPUT -p tcp --dport $PORT -j ACCEPT
> > > >         $IPTABLES -t filter -A OUTPUT -p tcp --sport $PORT -j ACCEPT
> > > >     done
> > > >
> > > >     # allow dns
> > > >     $IPTABLES -t filter -A OUTPUT -o $EXT_INT -s $EXT_INT_IP -d $NS -p udp --dport 53 -j ACCEPT
> > > >     $IPTABLES -t filter -A INPUT -i $EXT_INT -s $NS -d $EXT_INT_IP -p udp --sport 53 -j ACCEPT
> > > >     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -d $NS -p udp --dport 53 -j ACCEPT
> > > >     $IPTABLES -t filter -A FORWARD -i $EXT_INT -o $LAN_INT -s $NS -d $LAN_NET -p udp --sport 53 -j ACCEPT
> > > >
> > > >     #enable source network address translation for dns
> > > >     $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -p udp --dport 53 -d $NS -o $EXT_INT -j SNAT --to $EXT_INT_IP
> > > >
> > > >     #check for allowed clients -> inet
> > > >     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -j fclient
> > > >     #reject all other clients
> > > >     $IPTABLES -t filter -A FORWARD -i $LAN_INT -o $EXT_INT -s $LAN_NET -j REJECT --reject-with icmp-net-prohibited
> > > >
> > > >     #allow established connections lan<->inet
> > > >     $IPTABLES -t filter -A FORWARD -i $EXT_INT -o $LAN_INT -d $LAN_NET -m state --state ESTABLISHED -j ACCEPT
> > > >
> > > >     #snat traffic from authenticated clients
> > > >     $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -d ! $LAN_NET -j sclient
> > > >
> > > >     #do not dnat traffic from authenticated clients
> > > >     $IPTABLES -t nat -A PREROUTING -i $LAN_INT -d ! $LAN_GW -j dclient
> > > >
> > > >     #enable dnat to self for all web traffic
> > > >     for PORT in 80 443; do
> > > >         $IPTABLES -t nat -A PREROUTING -i $LAN_INT -d ! $LAN_GW -p tcp --dport $PORT -j DNAT --to $LAN_GW
> > > >     done
> > > >
> > > >     #add default REJECT rule (just more polite than DROP)
> > > >     for CHAIN in INPUT OUTPUT FORWARD; do
> > > >         $IPTABLES -t filter -A $CHAIN -j REJECT;
> > > >     done
> > > >     return
> > > >
> > > > }
> > > >
> > > > add_usage() {
> > > >     echo "usage:"
> > > >     echo "$COMMAND add IP MAC"
> > > >     exit 1;
> > > > }
> > > >
> > > > run_add() {
> > > >     [ "ff"$IP != "ff" ] || add_usage; [ "ff"$MAC != "ff" ] || add_usage
> > > >     #add client
> > > >
> > > >     $IPTABLES -t filter -A fclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
> > > >     $IPTABLES -t nat -A dclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
> > > >     $IPTABLES -t nat -A sclient -s $IP -d ! $LAN_NET -j SNAT --to $EXT_INT_IP || fferror $?
> > > >     echo "added Client: IP $IP MAC $MAC";
> > > >     return
> > > > }
> > > >
> > > > del_usage() {
> > > >     echo "usage:"
> > > >     echo "$COMMAND del IP MAC"
> > > >     exit 1;
> > > > }
> > > >
> > > > run_del() {
> > > >     [ "ff"$IP != "ff" ] || del_usage; [ "ff"$MAC != "ff" ] || del_usage
> > > >     #delete client
> > > >     $IPTABLES -t filter -D fclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
> > > >     $IPTABLES -t nat -D dclient -s $IP -m mac --mac-source $MAC -j ACCEPT || fferror $?
> > > >     $IPTABLES -t nat -D sclient -s $IP -d ! $LAN_NET -j SNAT --to $EXT_INT_IP || fferror $?
> > > >     echo "removed Client: IP $IP MAC $MAC";
> > > >     return
> > > > }
> > > >
> > > > #===========================
> > > > # Main
> > > > #===========================
> > > >
> > > > case "$ACTION" in
> > > >     reset ) reset_firewall;;
> > > >     add ) run_add;;
> > > >     del ) run_del;;
> > > >     * ) show_usage;;
> > > > esac
> > > >
> > > > exit
> > > >
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@xxxxxxxxxxxxxxxxxxx
>
> Financially sustainable open source development
> http://www.opensourcedevel.com
>
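The rules the transparent-proxy step needs on top of firewall.sh, written here as an added example rather than code from the thread: it uses the script's lo fix, and it puts the REDIRECT where an authenticated client's traffic can still reach it. Interface names, addresses and the port numbers (8080 for dansguardian) are assumptions mirroring the script, and the iptables binary is replaced by a function that prints each rule so the set can be reviewed offline.

```shell
#!/bin/sh
# Added example, not from the thread: the rules the transparent-proxy
# step needs on top of firewall.sh, emitted in dry-run form so they can
# be reviewed before touching a live gateway. Addresses/interfaces are
# assumptions mirroring the script; 8080 is the dansguardian port.
LAN_NET="10.0.0.0/8"; LAN_INT="eth1"
EXT_INT="eth0"; EXT_INT_IP="192.0.2.10"   # constructed placeholder
PROXY_PORT=8080

# Stand-in for /sbin/iptables: print the rule instead of applying it.
iptables_dryrun() { echo "iptables $*"; }
IPTABLES=iptables_dryrun

# Use the loopback name the kernel really has (Linux: lo, not lo0) so
# the loopback rule never references a non-existent interface.
loopback_name() {
    for cand in lo lo0; do
        [ -d "/sys/class/net/$cand" ] && { echo "$cand"; return 0; }
    done
    echo lo   # fallback when /sys is unavailable
}

# Gateway-side rules the proxy step adds; the rest of firewall.sh stays.
proxy_rules() {
    LO=$(loopback_name)
    # dansguardian hands requests to squid over loopback; with a default
    # DROP policy that traffic must be allowed explicitly.
    $IPTABLES -t filter -A INPUT -i "$LO" -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o "$LO" -j ACCEPT
    # After REDIRECT the client's port-80 packet is addressed to the
    # gateway itself, so INPUT must accept it on the proxy port.
    $IPTABLES -t filter -A INPUT -i "$LAN_INT" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o "$LAN_INT" -d "$LAN_NET" -p tcp --sport "$PROXY_PORT" -j ACCEPT
    # squid fetches pages itself: outbound 80/443 plus the replies back.
    for PORT in 80 443; do
        $IPTABLES -t filter -A OUTPUT -o "$EXT_INT" -s "$EXT_INT_IP" -p tcp --dport "$PORT" -j ACCEPT
    done
    $IPTABLES -t filter -A INPUT -i "$EXT_INT" -d "$EXT_INT_IP" -m state --state ESTABLISHED -j ACCEPT
}

# Per-client rule, inserted at the top of the script's dclient chain:
# dclient's ACCEPT ends nat/PREROUTING, so a REDIRECT appended after the
# dclient jump would never see an authenticated client's traffic.
redirect_client() {   # $1 = client IP, $2 = client MAC
    $IPTABLES -t nat -I dclient 1 -s "$1" -m mac --mac-source "$2" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}
```

Unauthenticated clients are untouched by this: they never enter dclient, so the script's DNAT to the sign-up page still applies to them.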