tcygne wrote:
How are Squid and DansGuardian chained together? How does that fit with
the firewall interception rules?
I'm not sure what you are asking. The proxy/filter doesn't seem to have any
firewall installed. The traffic is rerouted to the filter by the ddwrt
router box at (192.168.1.1) using the following commands.
Ah, okay. You sound a little confused about your own network structure
but managed to answer my question anyway :) well done.
What you have is this:
Client->WRT->DansGuardian->Squid->WRT->Internet
(and back)
The WRT iptables is the firewall (even though it's on a different box).
#!/bin/sh
PROXY_IP=192.168.1.2
PROXY_PORT=8080
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
... passes packets between internal machines without involving the proxy
box.
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
... passes all other port 80 to the proxy, except stuff from the proxy
box itself. Specifically to DG on the proxy box.
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
... SNATs everything from the local network to some IP belonging to the
WRT.
I assume (and hope) that is making internal IPs to some globally
routable IP. Not just making all traffic seem to be coming from 192.168.1.1.
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
... lets stuff going to DG on the proxy box through.
iptables -t nat -I PREROUTING -i br0 -s 192.168.1.5 -j ACCEPT
I'm a little suspicious about that "iptables -t nat -I PREROUTING -i br0 -s 192.168.1.5 -j ACCEPT"
the final command allows 192.168.1.5 to bypass the filter. This would be the
only device from which apt-get and spybot updates work. (Never mind how one
device can do both of those things.)
... the proxy box also is in that state.
It looks like all traffic is rerouted to port 8080 (dansguardian answers) so
maybe it isn't hitting squid at all. And this isn't a squid issue. ;-( I'm not
real slick with iptables, but maybe the router box is dropping all non port 80
traffic except for device 192.168.1.5? More than likely apt and spybot use
https, so what would be the iptables rule to allow all traffic on port 443 to
bypass the filter?
It should already be bypassing the filter. Only port 80 is handled
specially. At most you may need:
iptables -I FORWARD -i br0 -p tcp -s $LAN_NET --dport 443 -j ACCEPT
Regarding the HTTP breakage, try adding
iptables -t nat -I POSTROUTING -j MASQUERADE
... if that does not fix the proxy access out again then look at
DansGuardian and see if it's passing stuff to Squid.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE24
Current Beta Squid 3.1.0.16
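The first-match behaviour Amos walks through above (the `-I` bypass rule landing at the top, the `-s ! $PROXY_IP` loop guard, and port 443 never being redirected), as an added example that is not from the thread: a small Python model of the quoted nat PREROUTING chain. The rule values come from the quoted script; LAN_NET (192.168.1.0/24) and the packet addresses are constructed stand-ins for the `nvram` values and real clients.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values from the quoted script; LAN_NET is an assumed 192.168.1.0/24 standing
# in for `nvram get lan_ipaddr` / `lan_netmask` on the 192.168.1.1 router.
PROXY_IP, PROXY_PORT, LAN_NET = "192.168.1.2", 8080, "192.168.1.0/24"

@dataclass
class Rule:
    """One nat PREROUTING rule, with only the match fields the script uses."""
    target: str
    src: Optional[str] = None      # -s <host or CIDR>
    src_negated: bool = False      # -s ! <host>
    dst: Optional[str] = None      # -d <CIDR>
    dport: Optional[int] = None    # -p tcp --dport N
    to: Optional[str] = None       # --to for DNAT

def _in(addr: str, spec: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    # A negated -s matches exactly when the plain -s would not.
    if rule.src is not None and _in(src, rule.src) == rule.src_negated:
        return False
    if rule.dst is not None and not _in(dst, rule.dst):
        return False
    return rule.dport is None or rule.dport == dport

def build_chain() -> list:
    """Replay the script in order: -A appends, -I inserts at the top."""
    chain = []
    chain.append(Rule("ACCEPT", src=LAN_NET, dst=LAN_NET, dport=80))     # -A
    chain.append(Rule("DNAT", src=PROXY_IP, src_negated=True, dport=80,
                      to=f"{PROXY_IP}:{PROXY_PORT}"))                  # -A
    chain.insert(0, Rule("ACCEPT", src="192.168.1.5"))                  # -I, no --dport
    return chain

def prerouting(src: str, dst: str, dport: int) -> str:
    """First matching rule decides; the chain's default policy is ACCEPT."""
    for rule in build_chain():
        if matches(rule, src, dst, dport):
            return f"DNAT {rule.to}" if rule.target == "DNAT" else "ACCEPT"
    return "ACCEPT (policy)"

if __name__ == "__main__":
    # Constructed packets: LAN client, bypass host, proxy's own fetch, LAN-to-LAN.
    for pkt in [("192.168.1.50", "203.0.113.10", 80), ("192.168.1.50", "203.0.113.10", 443),
                ("192.168.1.5", "203.0.113.10", 80), ("192.168.1.2", "203.0.113.10", 80),
                ("192.168.1.50", "192.168.1.7", 80)]:
        print(pkt, "->", prerouting(*pkt))
```

Because the 192.168.1.5 rule has no `--dport` and sits first, it short-circuits every port for that host, while the proxy box escapes the DNAT only through the negated `-s`, which is what keeps the proxy's own upstream fetches out of the loop.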