[Server-devel] .6 release and Dansguardian

Devon Connolly devcon at gmail.com
Sat Oct 17 09:46:12 EDT 2009


Ok.  So I'll give you guys an overview of applicable config files to see if we can't spot the problem.  I will only list applicable entries.  First, the basic setup:

2 NICS, onboard and USB.  USB nic is eth0 with fixed IP 192.168.1.1.  eth1 is bonded to create lanbond0 on 172.168.0.1

I still don't see why all traffic passing through lanbond0 is using squid and then bypassing dansguardian.

iptables-xs.in:
_______________________________________________________________________________

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
@@SQUID@@
-A POSTROUTING -o @@WAN@@ -j MASQUERADE
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8887
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8887
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
________________________________________________________________________________

dansguardian.conf
________________________________________________________________________________

filterip =
filterport = 8887
proxyip = 172.18.0.1
proxyport = 3128
daemonuser = 'squid'
daemongroup = 'squid'

_______________________________________________________________________________

squid-xs.conf
_______________________________________________________________________________

cache_effective_user squid
cache_effective_group squid

_______________________________________________________________________________

# nmap -T4 172.18.0.1
_______________________________________________________________________________


Not shown: 1703 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.1 (protocol 2.0)
53/tcp   open  domain
|  zone-transfer:
|  notredame.sn.        SOA      localhost. root.notredame.sn.
|  notredame.sn.        NS       localhost.
|  escuela.notredame.sn.        CNAME
|  library.notredame.sn.        A        172.18.0.1
|  ntp.notredame.sn.    A        172.18.0.1
|  presence.notredame.sn.       A        172.18.0.1
|  school.notredame.sn. A        172.18.0.1
|  schoolserver.notredame.sn.   A        172.18.0.1
|  conference.schoolserver.notredame.sn.        A        172.18.0.1
|  schoolserver1.notredame.sn.  A        172.18.1.1
|  schoolserver2.notredame.sn.  A        172.18.1.2
|  schoolserver3.notredame.sn.  A        172.18.1.3
|  schoolserver4.notredame.sn.  A        172.18.1.4
|  schoolserver5.notredame.sn.  A        172.18.1.5
|  schoolserver6.notredame.sn.  A        172.18.1.6
|  schoolserver7.notredame.sn.  A        172.18.1.7
|  schoolserver8.notredame.sn.  A        172.18.1.8
|  schule.notredame.sn. CNAME
|  time.notredame.sn.   A        172.18.0.1
|  www.notredame.sn.    A        172.18.0.1
|  xs.notredame.sn.     A        172.18.0.1
|_ notredame.sn.        SOA      localhost. root.notredame.sn.
80/tcp   open  http-proxy  DansGuardian HTTP proxy
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: NOTREDAME)
191/tcp  open  prospero?
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: NOTREDAME)
873/tcp  open  rsync        (protocol version 30)
3128/tcp open  http-proxy  DansGuardian HTTP proxy
3306/tcp open  mysql       MySQL (unauthorized)
8080/tcp open  http        Python SimpleXMLRPCServer (BaseHTTP 0.3; Python 2.5.1)
8887/tcp open  http-proxy  DansGuardian HTTP proxy
_____________________________________________________________________________________

What else is applicable?


On Sat, 17 Oct 2009 08:08:47 -0000, Martin Langhoff <martin.langhoff at gmail.com> wrote:

> On Sat, Oct 17, 2009 at 2:15 AM, Devon Connolly <devcon at gmail.com> wrote:
>> Right, I appended the aforementioned entries to "iptables-xs.in" so that the resulting iptables-xs file reflected the modifications, but the rules still did not take effect.
>
> And you did "/etc/init.d/iptables restart" to make it take effect...
> right? I notice I forgot to mention that key step :-)
>
> (And Jerry's suggested change is also needed.)
>
> cheers,
>
>
>
> m


-- 

Devon Connolly
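An added check, not part of this thread or of the XS scripts: it audits an iptables-save style nat table for transparent-proxy coverage. The nat OUTPUT chain only sees packets the server itself generates; packets arriving from LAN hosts and being forwarded traverse nat PREROUTING, so a filter reached only via OUTPUT rules never sees LAN browsing. The sample ruleset is constructed from the iptables-xs.in listing above, with eth0 assumed as the WAN side in place of the @@WAN@@ marker.

```shell
#!/bin/sh
# Added example: audit a nat ruleset (iptables-save format) for transparent-proxy coverage.
# Constructed sample copied from the iptables-xs.in listing above; the @@SQUID@@ marker is
# dropped and @@WAN@@ is assumed to be eth0. In real use, pipe in `iptables-save -t nat`.
XS_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8887
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8887
COMMIT'

# redirect_chains PORT TOPORT < ruleset
# Prints, one per line, the nat chains holding a rule that REDIRECTs tcp/PORT to TOPORT.
redirect_chains() {
  awk -v port="$1" -v to="$2" '
    $1 == "-A" && /-p tcp/ && /-j REDIRECT/ {
      dport = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "--to-ports") target = $(i + 1)
      }
      if (dport == port && target == to) print $2
    }' | sort -u
}

# lan_filtered PORT TOPORT < ruleset
# Succeeds only if forwarded (LAN-originated) tcp/PORT traffic is redirected to TOPORT.
# That requires a PREROUTING rule: OUTPUT-chain rules only catch the server's own traffic,
# so OUTPUT-only coverage is reported as a gap.
lan_filtered() {
  redirect_chains "$1" "$2" | grep -qx PREROUTING
}

# Stand-alone usage: report port-80 coverage of the sample ruleset.
if printf '%s\n' "$XS_NAT" | lan_filtered 80 8887; then
  echo "LAN port-80 traffic is redirected to the filter on 8887"
else
  chains=$(printf '%s\n' "$XS_NAT" | redirect_chains 80 8887 | tr '\n' ' ')
  echo "only locally generated port-80 traffic is redirected (chains: $chains)"
fi
```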
