Re: [Server-devel] .6 release and Dansguardian
On Sat, Oct 17, 2009 at 2:15 AM, Devon Connolly dev...@gmail.com wrote:
> Right, I appended the aforementioned entries to iptables-xs.in so that the
> resulting iptables-xs file reflected the modifications, but the rules still
> did not take effect.

And you did /etc/init.d/iptables restart to make it take effect... right? I notice I forgot to mention that key step :-)

(And Jerry's suggested change is also needed.)

cheers,

m
-- 
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff
 - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff
___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
Re: [Server-devel] .6 release and Dansguardian
Check on both the suggestions above. I had already added the entries to that portion of the file and I restarted iptables. The result is a working dansguardian when sshing into the server and opening lynx in a term. However, none of the traffic coming from computers on the LAN is being directed to Dansguardian. Today, I will try to retrace my steps more carefully and post a more detailed summary.

On Sat, 17 Oct 2009 08:08:47 -, Martin Langhoff martin.langh...@gmail.com wrote:
> On Sat, Oct 17, 2009 at 2:15 AM, Devon Connolly dev...@gmail.com wrote:
> > Right, I appended the aforementioned entries to iptables-xs.in so that the
> > resulting iptables-xs file reflected the modifications, but the rules still
> > did not take effect.
>
> And you did /etc/init.d/iptables restart to make it take effect... right? I
> notice I forgot to mention that key step :-)
>
> (And Jerry's suggested change is also needed.)
>
> cheers,
>
> m

-- 
Devon Connolly
Re: [Server-devel] .6 release and Dansguardian
Ok. So I'll give you guys an overview of applicable config files to see if we can't spot the problem. I will only list applicable entries.

First, the basic setup: 2 NICs, onboard and USB. The USB NIC is eth0 with fixed IP 192.168.1.1. eth1 is bonded to create lanbond0 on 172.168.0.1. I still don't see why all traffic passing through lanbond0 is using squid and then bypassing dansguardian.

iptables-xs.in:
___
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
@@SQUID@@
-A POSTROUTING -o @@WAN@@ -j MASQUERADE
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8887
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8887
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

dansguardian.conf
filterip =
filterport = 8887
proxyip = 172.18.0.1
proxyport = 3128
daemonuser = 'squid'
daemongroup = 'squid'
___

squid-xs.conf
___
cache_effective_user squid
cache_effective_group squid
___

# nmap -T4 172.18.0.1
___
Not shown: 1703 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.1 (protocol 2.0)
53/tcp   open  domain
| zone-transfer:
| notredame.sn.                          SOA    localhost. root.notredame.sn.
| notredame.sn.                          NS     localhost.
| escuela.notredame.sn.                  CNAME
| library.notredame.sn.                  A      172.18.0.1
| ntp.notredame.sn.                      A      172.18.0.1
| presence.notredame.sn.                 A      172.18.0.1
| school.notredame.sn.                   A      172.18.0.1
| schoolserver.notredame.sn.             A      172.18.0.1
| conference.schoolserver.notredame.sn.  A      172.18.0.1
| schoolserver1.notredame.sn.            A      172.18.1.1
| schoolserver2.notredame.sn.            A      172.18.1.2
| schoolserver3.notredame.sn.            A      172.18.1.3
| schoolserver4.notredame.sn.            A      172.18.1.4
| schoolserver5.notredame.sn.            A      172.18.1.5
| schoolserver6.notredame.sn.            A      172.18.1.6
| schoolserver7.notredame.sn.            A      172.18.1.7
| schoolserver8.notredame.sn.            A      172.18.1.8
| schule.notredame.sn.                   CNAME
| time.notredame.sn.                     A      172.18.0.1
| www.notredame.sn.                      A      172.18.0.1
| xs.notredame.sn.                       A      172.18.0.1
|_notredame.sn.                          SOA    localhost. root.notredame.sn.
80/tcp   open  http-proxy  DansGuardian HTTP proxy
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: NOTREDAME)
191/tcp  open  prospero?
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: NOTREDAME)
873/tcp  open  rsync       (protocol version 30)
3128/tcp open  http-proxy  DansGuardian HTTP proxy
3306/tcp open  mysql       MySQL (unauthorized)
8080/tcp open  http        Python SimpleXMLRPCServer (BaseHTTP 0.3; Python 2.5.1)
8887/tcp open  http-proxy  DansGuardian HTTP proxy
___

What else is applicable?

On Sat, 17 Oct 2009 08:08:47 -, Martin Langhoff martin.langh...@gmail.com wrote:
> On Sat, Oct 17, 2009 at 2:15 AM, Devon Connolly dev...@gmail.com wrote:
> > Right, I appended the aforementioned entries to iptables-xs.in so that the
> > resulting iptables-xs file reflected the modifications, but the rules still
> > did not take effect.
>
> And you did /etc/init.d/iptables restart to make it take effect... right? I
> notice I forgot to mention that key step :-)
>
> (And Jerry's suggested change is also needed.)
>
> cheers,
>
> m

-- 
Devon Connolly
Re: [Server-devel] .6 release and Dansguardian
On Sat, 2009-10-17 at 13:46 +, Devon Connolly wrote:
> Ok. So I'll give you guys an overview of applicable config files to see if
> we can't spot the problem. I will only list applicable entries.
>
> First, the basic setup: 2 NICs, onboard and USB. The USB NIC is eth0 with
> fixed IP 192.168.1.1. eth1 is bonded to create lanbond0 on 172.168.0.1. I
> still don't see why all traffic passing through lanbond0 is using squid and
> then bypassing dansguardian.

Most of the installs I have seen, and that I build, use dansguardian on top of squid. The traffic flow is: redirect www to dansguardian first, which then forwards to squid; then the output redirect rules are unneeded.

Looks like you have it squid -> dansguardian, based on the stock REDIRECT rule in gen-iptables, which is '-A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports 3128' for the bond interfaces. Not saying that is wrong, just different from what I do. Any advantage to running this layout?

> iptables-xs.in:
> ___
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> @@SQUID@@
> -A POSTROUTING -o @@WAN@@ -j MASQUERADE
> -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8887
> -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8887
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
>
> dansguardian.conf
> filterip =
> filterport = 8887
> proxyip = 172.18.0.1
> proxyport = 3128
> daemonuser = 'squid'
> daemongroup = 'squid'
> ___

What is the output of iptables -t nat -L -v

Jerry
Re: [Server-devel] .6 release and Dansguardian
> What is the output of iptables -t nat -L -v

I can't cite any explicit benefits as this is my first XS install and my first time using Dansguardian. I'm still getting used to iptables and the wonderful science of redirecting packets. Google led me to believe this is the best way to do it so folks have no chance of circumventing DG.

# sudo iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 1643 packets, 150K bytes)
 pkts bytes target     prot opt in       out     source     destination
 2562  138K REDIRECT   tcp  --  lanbond0 any     anywhere   anywhere    tcp dpt:http redir ports 3128
    0     0 REDIRECT   tcp  --  mshbond0 any     anywhere   anywhere    tcp dpt:http redir ports 3128
    0     0 REDIRECT   tcp  --  mshbond1 any     anywhere   anywhere    tcp dpt:http redir ports 3128
    0     0 REDIRECT   tcp  --  mshbond2 any     anywhere   anywhere    tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT 10613 packets, 544K bytes)
 pkts bytes target     prot opt in       out     source     destination
 4233  282K MASQUERADE all  --  any      eth0    anywhere   anywhere

Chain OUTPUT (policy ACCEPT 12189 packets, 670K bytes)
 pkts bytes target     prot opt in       out     source     destination
 2037  122K ACCEPT     tcp  --  any      any     anywhere   anywhere    tcp dpt:http owner UID match squid
  119  7140 ACCEPT     tcp  --  any      any     anywhere   anywhere    tcp dpt:squid owner UID match squid
   96  5688 REDIRECT   tcp  --  any      any     anywhere   anywhere    tcp dpt:http redir ports 8887
   17   940 REDIRECT   tcp  --  any      any     anywhere   anywhere    tcp dpt:squid redir ports 8887
===

As you can see, everything 'should' be being redirected from squid to dansguardian. Before the upgrade, this worked flawlessly, so something got mixed up with the new configs. It seems to be ignoring the last rule in the OUTPUT chain. Again, squid access.log reports normal activity, but dansguardian access.log isn't touched.

This is why I love gentoo, because you know everything that goes into your build, so troubleshooting is a snap. These highly customized builds that run off an array of scripts can be tough to navigate unless you are very familiar with how everything works.
Re: [Server-devel] .6 release and Dansguardian
On Sat, 2009-10-17 at 17:48 +, Devon Connolly wrote:
> > What is the output of iptables -t nat -L -v
>
> I can't cite any explicit benefits as this is my first XS install and my
> first time using Dansguardian. I'm still getting used to iptables and the
> wonderful science of redirecting packets. Google led me to believe this is
> the best way to do it so folks have no chance of circumventing DG.

Best is to have squid listen on 127.0.0.1 only, so squid can't be accessed through the bond interfaces, then have DG use proxyip = 127.0.0.1. The gen-iptables file would need to be edited to match the port for DG. However, squid is configured to listen on all the msh/lanbond IP addresses by default, and I can see the need for not playing around too much with the config files, but this would be just to edit the http_port.

> # sudo iptables -t nat -L -v
> Chain PREROUTING (policy ACCEPT 1643 packets, 150K bytes)
>  pkts bytes target     prot opt in       out     source     destination
>  2562  138K REDIRECT   tcp  --  lanbond0 any     anywhere   anywhere    tcp dpt:http redir ports 3128
>     0     0 REDIRECT   tcp  --  mshbond0 any     anywhere   anywhere    tcp dpt:http redir ports 3128
>     0     0 REDIRECT   tcp  --  mshbond1 any     anywhere   anywhere    tcp dpt:http redir ports 3128
>     0     0 REDIRECT   tcp  --  mshbond2 any     anywhere   anywhere    tcp dpt:http redir ports 3128
>
> Chain POSTROUTING (policy ACCEPT 10613 packets, 544K bytes)
>  pkts bytes target     prot opt in       out     source     destination
>  4233  282K MASQUERADE all  --  any      eth0    anywhere   anywhere
>
> Chain OUTPUT (policy ACCEPT 12189 packets, 670K bytes)
>  pkts bytes target     prot opt in       out     source     destination
>  2037  122K ACCEPT     tcp  --  any      any     anywhere   anywhere    tcp dpt:http owner UID match squid
>   119  7140 ACCEPT     tcp  --  any      any     anywhere   anywhere    tcp dpt:squid owner UID match squid
>    96  5688 REDIRECT   tcp  --  any      any     anywhere   anywhere    tcp dpt:http redir ports 8887
>    17   940 REDIRECT   tcp  --  any      any     anywhere   anywhere    tcp dpt:squid redir ports 8887
> ===
>
> As you can see, everything 'should' be being redirected from squid to
> dansguardian. Before the upgrade, this worked flawlessly, so something got
> mixed up with the new configs. It seems to be ignoring the last rule in the
> OUTPUT chain. Again, squid access.log reports normal activity, but
> dansguardian access.log isn't touched.

That's strange, kernel issue maybe, can't recall; the counter is clearly hit...

> This is why I love gentoo, because you know everything that goes into your
> build, so troubleshooting is a snap. These highly customized builds that run
> off an array of scripts can be tough to navigate unless you are very
> familiar with how everything works.

You could disable service iptables and run your own firewall script to help in the debugging.

Jerry
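Added example, not code from the thread or from the XS olpc-scripts: a shell audit of an `iptables -t nat -L -v` dump like Devon's, flagging LAN-side PREROUTING redirects that land on squid instead of DansGuardian, plus a generator for the DG-first layout Jerry describes. The sample dump lines are constructed from Devon's paste; the ports (8887, 3128) and interface names are the thread's; the note on which packets the nat OUTPUT chain sees is my own explanation of the symptom.

```shell
#!/bin/bash
# Added example (not from the thread): audit an `iptables -t nat -L -v` dump
# for the squid-first layout, and print the DG-first layout Jerry recommends.
# Ports are the thread's own: DansGuardian 8887, squid 3128.
DG_PORT=8887
SQUID_PORT=3128

# Constructed sample: the relevant rules from Devon's dump, same column layout.
sample_dump() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 1643 packets, 150K bytes)
 pkts bytes target     prot opt in       out     source     destination
 2562  138K REDIRECT   tcp  --  lanbond0 any     anywhere   anywhere    tcp dpt:http redir ports 3128
    0     0 REDIRECT   tcp  --  mshbond0 any     anywhere   anywhere    tcp dpt:http redir ports 3128
Chain OUTPUT (policy ACCEPT 12189 packets, 670K bytes)
 pkts bytes target     prot opt in       out     source     destination
   96  5688 REDIRECT   tcp  --  any      any     anywhere   anywhere    tcp dpt:http redir ports 8887
EOF
}

# Exit 0 when every bond-interface PREROUTING REDIRECT lands on the DG port,
# 1 when one lands on squid. Only PREROUTING matters for LAN clients: the nat
# OUTPUT chain sees locally generated packets only (e.g. lynx on the server),
# so OUTPUT redirects make DG work from the server but not from the LAN.
check_nat_dump() {      # reads the dump from the file given as $1, else stdin
    awk -v dg="$DG_PORT" -v sq="$SQUID_PORT" '
        /^Chain / { chain = $2; next }
        chain == "PREROUTING" && $3 == "REDIRECT" && $6 ~ /bond/ {
            if ($NF == sq) { print $6 ": port 80 -> squid:" sq " (bypasses DG)"; bad = 1 }
            else if ($NF == dg) print $6 ": port 80 -> dansguardian:" dg " (ok)"
        }
        END { exit bad ? 1 : 0 }' "$@"
}

# Print an iptables-restore nat table for the DG-first flow: LAN port 80 goes
# to DG on $DG_PORT, and DG forwards to squid, which (per Jerry) listens on
# 127.0.0.1 only, so no OUTPUT-chain redirects are needed.
# Args: WAN interface, then one or more LAN/bond interfaces.
render_nat_rules() {
    local wan=$1; shift
    echo '*nat'
    for lan in "$@"; do
        echo "-A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports $DG_PORT"
    done
    echo "-A POSTROUTING -o $wan -j MASQUERADE"
    echo 'COMMIT'
}
```

Run `iptables -t nat -L -v | check_nat_dump` on the server to audit the live table; `render_nat_rules eth0 lanbond0 mshbond0 mshbond1 mshbond2` prints the replacement nat section for iptables-xs.in.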
Re: [Server-devel] .6 release and Dansguardian
On Fri, Oct 16, 2009 at 4:08 PM, Devon Connolly dev...@gmail.com wrote:
> I'm not sure what I am overlooking but was anything changed in .6 that could
> be breaking my Dansguardian install? My iptables are set up as before adding
> the following entries:

Hi!

Yes, there has been a change in iptables, to better support use of other devices as the WAN port (wlan0, ppp0, etc). You now want to look at /etc/sysconfig/olpc-scripts/iptables-xs.in -- note the trailing '.in' -- this gets processed by /etc/sysconfig/olpc-scripts/gen-iptables to generate /etc/sysconfig/olpc-scripts/iptables-xs

hth,

m
Re: [Server-devel] .6 release and Dansguardian
Right, I appended the aforementioned entries to iptables-xs.in so that the resulting iptables-xs file reflected the modifications, but the rules still did not take effect. Dansguardian only seems to be working locally (on the server) but not on any computers in the LAN. If said entries are not appended to iptables-xs.in, Dansguardian does not work on the server or the LAN. I have yet to figure out why the port forwarding rules are not working LAN-side. So why are requests passing through port 3128 not being redirected to port 8887? Something else seems to be amiss, as the rules have been applied to iptables.

On Fri, 16 Oct 2009 18:01:25 -, Martin Langhoff martin.langh...@gmail.com wrote:
> On Fri, Oct 16, 2009 at 4:08 PM, Devon Connolly dev...@gmail.com wrote:
> > I'm not sure what I am overlooking but was anything changed in .6 that
> > could be breaking my Dansguardian install? My iptables are set up as
> > before adding the following entries:
>
> Hi!
>
> Yes, there has been a change in iptables, to better support use of other
> devices as the WAN port (wlan0, ppp0, etc). You now want to look at
> /etc/sysconfig/olpc-scripts/iptables-xs.in -- note the trailing '.in' --
> this gets processed by /etc/sysconfig/olpc-scripts/gen-iptables to generate
> /etc/sysconfig/olpc-scripts/iptables-xs
>
> hth,
>
> m

-- 
Devon Connolly