Firewall rules for openWRT/dd-wrt when using dansguardian/squid
Sorry if this duplicates another message, I just get a digest of the list traffic, so I'm often behind.

I run Dansguardian (on port 8080) and Squid (on port 3128) on 10.0.1.50, and my dd-wrt router is 10.0.1.1 (connected to the internet via cablemodem). These are the rules I use on 10.0.1.1:

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -d 10.0.1.1 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! 10.0.1.50 -p tcp --dport 80 -j DNAT --to 10.0.1.50:8080
iptables -t nat -A POSTROUTING -o br0 -s 10.0.1.0/24 -d 10.0.1.50 -j SNAT --to 10.0.1.1
iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.50 -i br0 -p tcp --dport 8080 -j ACCEPT

It grabs all outbound port 80 (web) traffic and diverts it to dansguardian, which uses squid as a caching proxy (see the tutorials for setting up squid as a transparent proxy - otherwise you get very weird errors when trying to access the internet). I believe br0 is the LAN side.

I hope that helps.

Note: be sure to verify that your proxy port is not open on the WAN side. Filtered or not, someone could use your connection for something you wouldn't like.

Jeremy

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
Re: Linux Router Caching Proxy Content Filter?
Kimball Larsen wrote:
> Howdy smart people!
>
> I've got a new Ubuntu Jaunty box (named "Silver") with 2 nics -
> 192.168.0.4 and 192.168.0.5. My home gateway is 192.168.0.1.
>
> I'd like to set up the jaunty box to be the new gateway for all my in-house
> traffic, such that all clients would connect like this:
>
> Client -> 192.168.0.5 -> Firewall/Content Filter -> 192.168.0.4 ->
> 192.168.0.1 -> DSL Modem -> Internets.
>
> 192.168.0.1 is a WRT54G running OpenWRT with a firewall that I put
> together myself. (dangerous, in my experience).
>
> Here is what I need some help with:
>
> a) Change the firewall on 192.168.0.1 to *only* allow traffic on all
> ports from 192.168.0.4. Refuse to even accept connections from the
> lan side from anything else.
>
> b) Set up silver to act as a router for the rest of the network, so
> that all the clients use 0.5 as their gateway, and silver internally
> routes everything from 0.5 to 0.4, which in turn uses 0.1 as its
> gateway.
>
> c) Set up DansGuardian or somesuch in conjunction with squid or
> whatever is the best for DG to allow for content filtering of all web
> and IM traffic.
>
> I've got a house full of kids that are getting old enough that the
> sesame street and PBS sites are not keeping up with them anymore, but
> I don't want to have to make huge whitelists of sites they can visit
> on every computer in the house. I'd rather centralize the whole
> affair as above, but I've never done the whole DansGuardian thing
> before. Tips? Pointers? Someone want to do this for me?

Hrm. This seems a little complex to me. Doing what is basically a double NAT is probably overkill for this. You can probably do what you are wanting with about 2 iptables rules and no additional nic in 'Silver.'

Basically, all you need to do is add a rule to your OpenWRT box so that anything coming in from the LAN interface, and not from 'Silver', gets redirected to 'Silver' on whatever port you have the proxy running on.
Doing this is actually not too far off from how the infamous 'Upside-Down-Ternet' works. [1] (It was fun to do this to roommates for April Fools' Day.) You basically would need the second iptables command listed, but with the -s changed to something like '-s ! 192.168.0.4' and the --to-destination changed to 192.168.0.4. You might want to add a '-i br0' (or whatever your LAN interface is) to the rule so that it only matches traffic coming from the internal LAN side of the router.

The second rule would be something that drops all traffic from source addresses that aren't 192.168.0.4.

IIRC, OpenWRT does some funky things with its table layout for iptables. So you might have to do some hunting for where this will need to go.

I would recommend against doing a default deny on outgoing traffic. But I still believe that not everything should have to go through a web page. Doing the deny will block lots of things that might be perfectly fine, such as non-web based email. And if you are behind this and want to do something like ssh to a server off your network, you will have to add rules allowing it. Things just get to be a pain.

Also, doing this deny with only the one redirect from above, you will also lock out https access to web sites. You can do a similar rule for https to the one you do for http. But redirecting https through your proxy using this method will be a little painful. You should get a lot of certificate errors because you are basically doing a man in the middle on the SSL connections.

Hopefully that gives you some helpful info.

mike

[1] http://www.ex-parrot.com/pete/upside-down-ternet.html
Re: A little OT - looking for help designing electronics of embedded linux device
Jeff wrote:
> Peter (and everyone),
>
>> Did you get any traction on this?
>
> I did find an answer just yesterday (from a different source though).
> Thanks to everyone on the list though, the suggestions were great!

Out of curiosity, what did you decide to do? Did you go the GPS route, the from-scratch route, or use some other kind of RF module?

Shane
Re: A little OT - looking for help designing electronics of embedded linux device
Peter (and everyone),

> Did you get any traction on this?

I did find an answer just yesterday (from a different source though). Thanks to everyone on the list though, the suggestions were great!

Jeff
Re: tar: Removing leading `/' from member names
On Tue, Jul 21, 2009 at 11:20, Corey Edwards wrote:
> Just remove the leading / yourself. -C / will change directories before
> tar starts reading files, so this will clear up your warning:
>
> tar -czf webstoresDoc.tgz -C / home/www/docroot/webstores

That looks like it fixed it. Thanks.

--
Alan
Re: tar: Removing leading `/' from member names
On Tue, Jul 21, 2009 at 09:19, Stuart Jansen wrote:
> Use -P instead of -C /

That's dangerous. When extracting data it will automatically overwrite the actual path instead of relative to the directory you are in.

--
Alan
Re: tar: Removing leading `/' from member names
Alan Young wrote:
> I've got a cron job running a backup every night. It's a shell script
> that looks like this:
>
> -
> #!/bin/bash
>
> cd /backup
>
> tar -czf webstoresDoc.tgz -C / /home/www/docroot/webstores
> -
>
> It works fine, but I keep getting the following email from the cron process:
>
> -
> tar: Removing leading `/' from member names
> tar: Removing leading `/' from member names

Just remove the leading / yourself. -C / will change directories before tar starts reading files, so this will clear up your warning:

tar -czf webstoresDoc.tgz -C / home/www/docroot/webstores

Corey
Re: Linux Router Caching Proxy Content Filter?
Michael,

On Jul 21, 2009, at 9:21 AM, Michael Torrie wrote:
> Kimball Larsen wrote:
>> 192.168.0.1 is a WRT54G running OpenWRT with a firewall that I put
>> together myself. (dangerous, in my experience).
>
> Oh, why is this?

Because I don't speak firewall very well, and (as Hans can attest) frequently get it wrong. ;-)

>> a) Change the firewall on 192.168.0.1 to *only* allow traffic on all
>> ports from 192.168.0.4. Refuse to even accept connections from the
>> lan side from anything else.
>
> I'm sure you could do this with iptables and static routes, but it seems to
> be pointless to me. If you're hell-bent on doing this, just put your lan
> and silver on a different subnet and then standard routing applies,
> although this seems overly convoluted.

Here is a diagram of what I have settled on for the physical connections:

http://www.kimballlarsen.com/plug/homeNetwork.png

I want to keep the OpenWRT box there because it already handles all the port forwarding and nat for traffic to Silver (web, mail, dns, etc), and I'd prefer to have something between the internet and a physical ethernet connection to silver. Call me paranoid.

I also want to have 2 separate subnets so that when I have house guests with some technical ability they can't just change their gateway IP and circumvent the filter.

The idea here, then, is to set up Silver to act as a router/gateway between 192.168.0.x and 192.168.1.x. Silver's eth0 will be 192.168.0.1, eth1 will be 192.168.1.2.

Also, I want to set up content filtering for whatever a careful parent should be filtering for their house (web, im (if possible), mail? Others?)

Now, though our approaches do differ a bit, I would be interested in seeing whatever portions of your configurations you are willing to share.

Thanks!

-- Kimball
Re: Linux Router Caching Proxy Content Filter?
Kimball Larsen wrote:
> 192.168.0.1 is a WRT54G running OpenWRT with a firewall that I put
> together myself. (dangerous, in my experience).

Oh, why is this?

> a) Change the firewall on 192.168.0.1 to *only* allow traffic on all
> ports from 192.168.0.4. Refuse to even accept connections from the
> lan side from anything else.

I'm sure you could do this with iptables and static routes, but it seems to be pointless to me. If you're hell-bent on doing this, just put your lan and silver on a different subnet and then standard routing applies, although this seems overly convoluted.

> b) Set up silver to act as a router for the rest of the network, so
> that all the clients use 0.5 as their gateway, and silver internally
> routes everything from 0.5 to 0.4, which in turn uses 0.1 as its
> gateway.
>
> c) Set up DansGuardian or somesuch in conjunction with squid or
> whatever is the best for DG to allow for content filtering of all web
> and IM traffic.

I don't know of any way to filter IM traffic with DG. But for web, here's what I do:

- on my openwrt router I run tinyproxy and set it to use DG on silver as the upstream proxy
- set openwrt to redirect all http traffic that's not from silver to the local tinyproxy
- set openwrt to allow http traffic from silver only
- on silver, I use iptables rules to allow outbound HTTP traffic from the dansguardian user only, and transparently redirect all other local traffic to DG, so that silver itself is also filtered even though it's the trusted host.

I can post iptables rules if you want, both for openwrt and silver. In any event maintaining the openwrt firewall would seem to be the best bet rather than mucking with 2 layers of routing. As I have demonstrated you can still use silver as a filter computer.
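The rule sets this thread talks about, collected into one script as an added example (it is not code from any message here). The router half follows Jeremy's dd-wrt rules with Mike's adaptation to Kimball's addresses (exclude 192.168.0.4 from the redirect, match only the LAN interface) and adds the WAN-side block Jeremy's note asks for; it does not use Michael's tinyproxy hop. The filter-host half is Michael's scheme: only the proxy user may open port-80 connections, and everything else on the host is redirected to DG. The script only prints iptables-restore input. The interface names br0 and vlan1, the ports, and the proxy account name are assumptions to adjust before loading; if Squid rather than DansGuardian makes the upstream fetch, PROXY_USER must be Squid's account.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables-restore input for the
# router (OpenWRT/dd-wrt) and for the filter host ("silver"). Interface
# names, ports and the proxy account below are assumptions.
set -eu

LAN_IF=${LAN_IF:-br0}                   # LAN bridge (per the thread)
WAN_IF=${WAN_IF:-vlan1}                 # assumed WAN interface on a WRT54G
ROUTER=${ROUTER:-192.168.0.1}
SILVER=${SILVER:-192.168.0.4}           # the filter host from the thread
LAN_NET=${LAN_NET:-192.168.0.0/24}
DG_PORT=${DG_PORT:-8080}                # DansGuardian listen port
SQUID_PORT=${SQUID_PORT:-3128}
PROXY_USER=${PROXY_USER:-dansguardian}  # account allowed to speak HTTP upstream

# Router rules. NOTE: plain "iptables-restore" replaces each table listed
# here; on a router with an existing firewall load with "iptables-restore -n"
# or merge these lines into the existing script.
router_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Leave HTTP aimed at the router itself (its admin page) alone.
-A PREROUTING -i $LAN_IF -d $ROUTER -p tcp --dport 80 -j ACCEPT
# All other port-80 traffic from the LAN, except from the filter host,
# goes to DansGuardian ("! -s" is the current syntax for the old "-s !").
-A PREROUTING -i $LAN_IF ! -s $SILVER -p tcp --dport 80 -j DNAT --to-destination $SILVER:$DG_PORT
# The proxy sits on the same LAN as the clients, so its replies would go
# straight back to the client and never be un-NATed (the "very weird
# errors"). SNAT to the router so the return path comes back through it.
# Limited to the proxy port so the filter host still sees real client
# addresses for everything else.
-A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SILVER -p tcp --dport $DG_PORT -j SNAT --to-source $ROUTER
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Jeremy's caveat: the proxy ports must not be reachable from the WAN side.
-A INPUT -i $WAN_IF -p tcp -m multiport --dports $DG_PORT,$SQUID_PORT -j DROP
-A FORWARD -i $WAN_IF -p tcp -m multiport --dports $DG_PORT,$SQUID_PORT -j DROP
# Let the redirected LAN connections reach the filter host.
-A FORWARD -i $LAN_IF -s $LAN_NET -d $SILVER -p tcp --dport $DG_PORT -j ACCEPT
COMMIT
EOF
}

# Filter-host rules (Michael's scheme). Locally generated HTTP from anyone
# but the proxy account is redirected to the local DansGuardian, and the
# filter table rejects any port-80 connection that is not the proxy's.
filter_host_rules() {
    cat <<EOF
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j RETURN
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $DG_PORT
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

case "${1:-all}" in
    router) router_rules ;;
    silver) filter_host_rules ;;
    *)  echo "# --- router (OpenWRT/dd-wrt) ---"; router_rules
        echo "# --- filter host (silver) ---";  filter_host_rules ;;
esac
```

Run it with no argument to see both halves; "sh proxy-rules.sh router | iptables-restore -n" loads just the router half without flushing the chains already there. After loading, the check Jeremy asks for is a port-80/8080/3128 connection attempt from outside the WAN interface, which should get nothing back.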
Re: tar: Removing leading `/' from member names
On Tue, 2009-07-21 at 09:03 -0600, Alan Young wrote:
> tar: Removing leading `/' from member names

Use -P instead of -C /

tar -czf webstoresDoc.tgz -P /home/www/docroot/webstores

--
"XML is like violence: if it doesn't solve your problem, you aren't using enough of it." - Chris Maden
tar: Removing leading `/' from member names
I've got a cron job running a backup every night. It's a shell script that looks like this:

-
#!/bin/bash

cd /backup

tar -czf webstoresDoc.tgz -C / /home/www/docroot/webstores
-

It works fine, but I keep getting the following email from the cron process:

-
tar: Removing leading `/' from member names
tar: Removing leading `/' from member names
-

Originally, the '-C /' wasn't there, but after some googling I found this switch which is supposed to--among other things--get rid of this warning. I've tried 'czf' instead of '-czf' and '-C' instead of '-C /' in all the combinations I can think of.

I'd prefer to avoid piping STDERR to /dev/null because I want to be notified if something goes wrong, but I don't want my inbox cluttered with useless messages either.

Any pointers?

--
Alan
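A runnable reproduction of the three variants in this thread, added here as an example rather than anything that was posted: it builds a constructed stand-in for /home/www/docroot/webstores under a private temp directory, shows why the original "-C / /home/..." still warns (the path argument is still absolute, so the -C changes nothing about the stored names), why Corey's "-C / home/..." does not, and what Alan means by -P being dangerous at extraction time. Assumes GNU tar; every path it writes to is inside the temp directory.

```shell
#!/bin/sh
# Added example, not from any message in the thread. Reproduces the three tar
# invocations discussed (absolute path after "-C", relative path after "-C",
# and "-P") against a constructed directory tree under a private temp dir,
# so nothing outside that directory is touched. Assumes GNU tar.
set -u

WORK=$(mktemp -d)
ROOT="$WORK/root"                    # constructed stand-in for "/"
SITE="home/www/docroot/webstores"    # the thread's path, made relative
mkdir -p "$ROOT/$SITE" "$WORK/scratch"
printf 'hello\n' > "$ROOT/$SITE/index.html"

# Stuart's variant, created once up front: -P keeps absolute member names.
# No warning, but the archive now records "/tmp/.../webstores/..." verbatim.
tar -cPf "$WORK/abs.tar" "$ROOT/$SITE"

# Case 1: the original cron command. -C does change directory, but the
# member argument is still an absolute path, so tar strips the "/" and
# complains; the -C has no effect on the stored names.
first_member_original() {
    tar -cf "$WORK/orig.tar" -C "$ROOT" "$ROOT/$SITE" 2>"$WORK/orig.err"
    tar -tf "$WORK/orig.tar" | head -n 1
}
warnings_original() { grep -ci 'removing leading' "$WORK/orig.err" || true; }

# Case 2: Corey's fix. Change directory with -C, then name the path relative
# to it. Member names are relative and there is nothing to warn about.
first_member_relative() {
    tar -cf "$WORK/rel.tar" -C "$ROOT" "$SITE" 2>"$WORK/rel.err"
    tar -tf "$WORK/rel.tar" | head -n 1
}
warnings_relative() { grep -ci 'removing leading' "$WORK/rel.err" || true; }

# Case 3a: extracting the -P archive WITHOUT -P. tar strips the leading "/"
# again and unpacks under the target directory; the live file is untouched.
extract_without_P() {
    printf 'changed\n' > "$ROOT/$SITE/index.html"   # simulate later edits
    tar -xf "$WORK/abs.tar" -C "$WORK/scratch" 2>/dev/null
    cat "$ROOT/$SITE/index.html"                    # still "changed"
}

# Case 3b: extracting WITH -P. tar writes to the absolute path stored in the
# archive and overwrites the live file no matter where you run it from.
# This is Alan's objection.
extract_with_P() {
    printf 'changed\n' > "$ROOT/$SITE/index.html"
    ( cd "$WORK/scratch" && tar -xPf "$WORK/abs.tar" )
    cat "$ROOT/$SITE/index.html"                    # back to "hello"
}

echo "original : $(first_member_original)  warnings=$(warnings_original)"
echo "relative : $(first_member_relative)  warnings=$(warnings_relative)"
echo "extract without -P, live file says: $(extract_without_P)"
echo "extract with    -P, live file says: $(extract_with_P)"
# $WORK is left in place on purpose so the three archives can be inspected.
```

The practical reading for a backup job: keep the relative form so the archive restores wherever it is unpacked, and treat an archive with absolute names as something that must only ever be extracted with a deliberate, reviewed -P.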
Re: Linux Router Caching Proxy Content Filter?
On Jul 20, 2009, at 9:32 PM, Kimball Larsen wrote:
> Howdy smart people!
>
> I've got a new Ubuntu Jaunty box (named "Silver") with 2 nics -
> 192.168.0.4 and 192.168.0.5. My home gateway is 192.168.0.1.
>
> I'd like to set up the jaunty box to be the new gateway for all my in-house
> traffic, such that all clients would connect like this:
>
> Client -> 192.168.0.5 -> Firewall/Content Filter -> 192.168.0.4 ->
> 192.168.0.1 -> DSL Modem -> Internets.
>
> 192.168.0.1 is a WRT54G running OpenWRT with a firewall that I put
> together myself. (dangerous, in my experience).
>

Why not remove the WRT54g entirely and use .0.4 as your router? That's what I did at my parents' house. I also put a dhcp server on it so it could divvy out ip addresses. I have squid guard running as a transparent proxy to filter the traffic. After I did that I disabled the dhcp server on the wireless router and then plugged it onto the network (I simply ignored the Internet port on it). Might not be the best in the world but it works very well.

The other option is, on the OpenWRT box, set up squid on it and then filter all traffic against your .0.4 filter. Debian.org has a really nice tutorial about setting up squid as a transparent proxy. It even helps out with the iptables rules, which in my opinion were the hardest part of the setup.

> Here is what I need some help with:
>
> a) Change the firewall on 192.168.0.1 to *only* allow traffic on all
> ports from 192.168.0.4. Refuse to even accept connections from the
> lan side from anything else.
>
> b) Set up silver to act as a router for the rest of the network, so
> that all the clients use 0.5 as their gateway, and silver internally
> routes everything from 0.5 to 0.4, which in turn uses 0.1 as its
> gateway.
>
> c) Set up DansGuardian or somesuch in conjunction with squid or
> whatever is the best for DG to allow for content filtering of all web
> and IM traffic.
>

Never needed to filter IM traffic before, I should play with that.
> I've got a house full of kids that are getting old enough that the
> sesame street and PBS sites are not keeping up with them anymore, but
> I don't want to have to make huge whitelists of sites they can visit
> on every computer in the house. I'd rather centralize the whole
> affair as above, but I've never done the whole DansGuardian thing
> before. Tips? Pointers? Someone want to do this for me?
>

I don't have access to the configs right now but I can get them for you later tonight.

Good luck.

--Dallin Jones
m...@dallinjones.com

> Oh, one last thought:
> Silver runs a bunch of other services for me that I *really* don't
> want to interrupt with the firewall config on it:
> Websites (http://www.kimballlarsen.com, http://www.hugegrocersavings.com, http://www.coinforge.com, etc, etc)
> Email for all the above sites
> DNS for all my domains
> Etc.
> All this traffic goes through 0.4 already, as I just installed the 0.5
> interface this evening.
>
> Thanks!
>
> -- Kimball