[Server-devel] .6 release and Dansguardian

Devon Connolly devcon at gmail.com
Sat Oct 17 13:48:13 EDT 2009 

>  What is the output of "iptables -t nat -L -v"
>

I can't cite any explicit benefits as this is my first XS install and my  
first time using Dansguardian.  I'm still getting used to iptables and the  
wonderful science of redirecting packets.  Google led me to believe this  
is the best way to do it so folks have no chance of circumventing DG.


# sudo iptables -t nat -L -v
========================================

Chain PREROUTING (policy ACCEPT 1643 packets, 150K bytes)
  pkts bytes target     prot opt in     out     source                
destination
  2562  138K REDIRECT   tcp  --  lanbond0 any     anywhere              
anywhere            tcp dpt:http redir ports 3128
     0     0 REDIRECT   tcp  --  mshbond0 any     anywhere              
anywhere            tcp dpt:http redir ports 3128
     0     0 REDIRECT   tcp  --  mshbond1 any     anywhere              
anywhere            tcp dpt:http redir ports 3128
     0     0 REDIRECT   tcp  --  mshbond2 any     anywhere              
anywhere            tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT 10613 packets, 544K bytes)
  pkts bytes target     prot opt in     out     source                
destination
  4233  282K MASQUERADE  all  --  any    eth0    anywhere              
anywhere

Chain OUTPUT (policy ACCEPT 12189 packets, 670K bytes)
  pkts bytes target     prot opt in     out     source                
destination
  2037  122K ACCEPT     tcp  --  any    any     anywhere              
anywhere            tcp dpt:http owner UID match squid
   119  7140 ACCEPT     tcp  --  any    any     anywhere              
anywhere            tcp dpt:squid owner UID match squid
    96  5688 REDIRECT   tcp  --  any    any     anywhere              
anywhere            tcp dpt:http redir ports 8887
    17   940 REDIRECT   tcp  --  any    any     anywhere              
anywhere            tcp dpt:squid redir ports 8887

=======================================

As you can see, everything 'should' be being redirected from squid to  
dansguardian.  Before the upgrade, this worked flawlessly, so something  
got mixed up with the new configs.  It seems to be ignoring the last rule  
in the OUTPUT chain.  Again, squid access.log reports normal activity, but  
dansguardian access.log isn't touched.

This is why I love gentoo cause you know everything that goes into your  
build, so troubleshooting is a snap.  These highly customized builds that  
run off an array of scripts can be tough to navigate unless you are very  
familiar how everything works.

More information about the Server-devel mailing list