[Server-devel] .6 release and Dansguardian
Jerry Vonau
jvonau at shaw.ca
Sat Oct 17 13:07:08 EDT 2009
On Sat, 2009-10-17 at 13:46 +0000, Devon Connolly wrote:
> Ok. So I'll give you guys an overview of applicable config files to see
> if we can't spot the problem. I will only list applicable entries.
> First, the basic setup:
>
> 2 NICS, onboard and USB. USB nic is eth0 with fixed IP 192.168.1.1. eth1
> is bonded to create lanbond0 on 172.168.0.1
>
> I still don't see why all traffic passing through lanbond0 is using squid
> and then bypassing dansguardian.
>
Most of the installs I have seen, and that I build, use dansguardian on
top squid. The traffic flow is redirect www to dansguardian first, then
forwards to squid, then the output redirect rules are unneeded. Looks
like you have it squid -> dansquardian, based on the stock REDIRECT rule
in gen-iptables which is '-A PREROUTING -i %s -p tcp --dport 80 -j
REDIRECT --to-ports 3128 for the "bond" interfaces, not saying that is
wrong, just different from what I do. Any advantage to running this
layout?
> iptables-xs.in:
> _______________________________________________________________________________
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> @@SQUID@@
> -A POSTROUTING -o @@WAN@@ -j MASQUERADE
> -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8887
> -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8887
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> ________________________________________________________________________________
>
> dansguardian.conf
> ________________________________________________________________________________
>
> filterip =
> filterport = 8887
> proxyip = 172.18.0.1
> proxyport = 3128
> daemonuser = 'squid'
> daemongroup = 'squid'
>
> ___
What is the output of "iptables -t nat -L -v"
Jerry
More information about the Server-devel
mailing list