[Server-devel] .6 release and Dansguardian

Jerry Vonau jvonau at shaw.ca
Sat Oct 17 14:55:47 EDT 2009


On Sat, 2009-10-17 at 17:48 +0000, Devon Connolly wrote:
> >  What is the output of "iptables -t nat -L -v"
> >
> 
> I can't cite any explicit benefits as this is my first XS install and my  
> first time using Dansguardian.  I'm still getting used to iptables and the  
> wonderful science of redirecting packets.  Google led me to believe this  
> is the best way to do it so folks have no chance of circumventing DG.
> 

Best is to have squid listen on 127.0.0.1 only, can't access squid
through the "bond" interfaces, then have DG use proxyip = 127.0.0.1.
The gen-iptables file would need to be edited to match the port for DG.

However, squid is configured to listen on all the msh/lanbond ip
addresses by default and I can see the need for not playing around too
much with the config files, but this would be just to edit the
http_port.


> 
> # sudo iptables -t nat -L -v
> ========================================
> 
> Chain PREROUTING (policy ACCEPT 1643 packets, 150K bytes)
>  pkts bytes target     prot opt in       out   source    destination
>  2562  138K REDIRECT   tcp  --  lanbond0 any   anywhere  anywhere     tcp dpt:http redir ports 3128
>     0     0 REDIRECT   tcp  --  mshbond0 any   anywhere  anywhere     tcp dpt:http redir ports 3128
>     0     0 REDIRECT   tcp  --  mshbond1 any   anywhere  anywhere     tcp dpt:http redir ports 3128
>     0     0 REDIRECT   tcp  --  mshbond2 any   anywhere  anywhere     tcp dpt:http redir ports 3128
> 
> Chain POSTROUTING (policy ACCEPT 10613 packets, 544K bytes)
>  pkts bytes target     prot opt in       out   source    destination
>  4233  282K MASQUERADE all  --  any      eth0  anywhere  anywhere
> 
> Chain OUTPUT (policy ACCEPT 12189 packets, 670K bytes)
>  pkts bytes target     prot opt in       out   source    destination
>  2037  122K ACCEPT     tcp  --  any      any   anywhere  anywhere     tcp dpt:http owner UID match squid
>   119  7140 ACCEPT     tcp  --  any      any   anywhere  anywhere     tcp dpt:squid owner UID match squid
>    96  5688 REDIRECT   tcp  --  any      any   anywhere  anywhere     tcp dpt:http redir ports 8887
>    17   940 REDIRECT   tcp  --  any      any   anywhere  anywhere     tcp dpt:squid redir ports 8887
> 
> =======================================
> 
> As you can see, everything 'should' be being redirected from squid to  
> dansguardian.  Before the upgrade, this worked flawlessly, so something  
> got mixed up with the new configs.  It seems to be ignoring the last rule  
> in the OUTPUT chain.  Again, squid access.log reports normal activity, but  
> dansguardian access.log isn't touched.
> 
That's strange, kernel issue maybe, can't recall, the counter is clearly
hit...
 

> This is why I love gentoo cause you know everything that goes into your  
> build, so troubleshooting is a snap.  These highly customized builds that  
> run off an array of scripts can be tough to navigate unless you are very  
> familiar with how everything works.
> 
You could disable service iptables and run your own firewall script to
help in the debugging.

Jerry
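Added example, not code from this thread or from the XS project: a small Python parser for the `iptables -t nat -L -v` listing quoted above. It pulls the hit counter out of each REDIRECT rule so you can see which redirections are actually carrying packets and which have never fired, which is the check Jerry is making by eye. The function names and the shortened sample listing are my own construction.

```python
import re

# Constructed sample: a shortened copy of the "iptables -t nat -L -v" listing
# quoted in this thread, with the e-mail line wrapping undone.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 1643 packets, 150K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2562  138K REDIRECT   tcp  --  lanbond0 any     anywhere             anywhere            tcp dpt:http redir ports 3128
    0     0 REDIRECT   tcp  --  mshbond0 any     anywhere             anywhere            tcp dpt:http redir ports 3128

Chain OUTPUT (policy ACCEPT 12189 packets, 670K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2037  122K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http owner UID match squid
   96  5688 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:http redir ports 8887
"""

SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def counter(field):
    # iptables -v prints large counters with a K/M/G suffix (powers of 1000)
    return int(field[:-1]) * SUFFIX[field[-1]] if field[-1] in SUFFIX else int(field)

def parse_nat_listing(text):
    """Parse 'iptables -t nat -L -v' output into one dict per rule."""
    rules, chain = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "Chain":
            chain = parts[1]
            continue
        if len(parts) < 9 or parts[0] == "pkts":
            continue  # blank line, column header, or a row we do not recognise
        extra = " ".join(parts[9:])  # match options after the address columns
        dpt = re.search(r"dpt:(\S+)", extra)
        redir = re.search(r"redir ports (\d+)", extra)
        rules.append({"chain": chain, "pkts": counter(parts[0]),
                      "target": parts[2], "in": parts[5], "out": parts[6],
                      "dpt": dpt.group(1) if dpt else None,
                      "redir": int(redir.group(1)) if redir else None})
    return rules

def redirect_hits(rules, port):
    """Packets the NAT table has redirected to the given local port."""
    return sum(r["pkts"] for r in rules
               if r["target"] == "REDIRECT" and r["redir"] == port)

def unhit_redirects(rules):
    """REDIRECT rules whose counter is still zero: (chain, in-interface, port)."""
    return [(r["chain"], r["in"], r["redir"])
            for r in rules if r["target"] == "REDIRECT" and r["pkts"] == 0]
```

Run it against a fresh `iptables -t nat -L -v` capture; a REDIRECT to the DG port that stays at zero while the squid-owned ACCEPT counters climb points at the rule order or the UID match rather than at DG itself.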
