27th August 2009, 09:44 AM #1
Filtering wireless with Dansguardian (ruckus and dlink)
Hi All,
I am looking for a solution that will allow me to filter our wireless internet connection using our dansguardian filter. I have all of our students' browsers normally pointing to http://192.168.0.252:8080, which is the proxy server, but at the moment anyone with a wireless-enabled device that can access the wifi is pointed straight at our gateway, bypassing the proxy.
I have 4 Ruckus APs controlled by Zone director 1000 with the latest firmware and 4 dlink APs unmanaged. If there is an easy solution to get the Ruckus LAN working I can always move the Dlinks onto another SSID with a different pass and just use them for specific projects. Anyone any suggestions?
Cheers
John
27th August 2009, 09:52 AM #2 
Originally Posted by
Shorty
Hi All,
I am looking for a solution that will allow me to filter our wireless internet connection using our dansguardian filter. I have all of our students' browsers normally pointing to http://192.168.0.252:8080, which is the proxy server, but at the moment anyone with a wireless-enabled device that can access the wifi is pointed straight at our gateway, bypassing the proxy.
I have 4 Ruckus APs controlled by Zone director 1000 with the latest firmware and 4 dlink APs unmanaged. If there is an easy solution to get the Ruckus LAN working I can always move the Dlinks onto another SSID with a different pass and just use them for specific projects. Anyone any suggestions?
Cheers
John
I have passed this to our technical team John,
-
-
27th August 2009, 10:10 AM #3
-
-
27th August 2009, 10:14 AM #4
Take your Linux box and make it the gateway.
copy the following to the file /etc/rc.d/rc.local/iptables-config
And this script on Debian based systems:
/etc/rc.local/iptables-config
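------------------------------------------------------------------
#!/bin/bash
# flush the filter table, and the nat table so re-running does not stack duplicate REDIRECT rules
iptables -F
iptables -t nat -F
# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
# nothing is routed through the box; HTTP from clients is handled by the redirect below
iptables -P FORWARD DROP
# allow loopback and replies to connections that are already open
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# to allow incoming SSH and Proxy
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# port 3128 is accepted from the local host only; 8080 (the filter) is open to clients
iptables -A INPUT -m state --state NEW -p tcp -m tcp -s 127.0.0.1 --dport 3128 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 8080 -j ACCEPT
# transparently send HTTP arriving on eth0 to the filter on port 8080
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# drop everything else
iptables -A INPUT -i eth+ -p udp -j DROP
iptables -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP
----------------------------------------------------------------------------------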
chmod +x /etc/rc.d/rc.local/iptables-config - makes the iptables-config script executable
And this on Debian based systems:
chmod +x /etc/rc.local/iptables-config - makes the iptables-config script executable
Now everything that goes to access the internet gets all cleaned up,
and that's transparent proxying.
You might want to install antivirus as well.
Google DG with AV; if you're using Ubuntu, apt-get install dansguardian-av and make sure you set it to install all deps.
More help http://www.thedailyadmin.com/2009/04...hine-with.html
Last edited by Cools; 27th August 2009 at 10:25 AM.
-
Thanks to Cools from:
Shorty (28th August 2009)
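A way to check that the ruleset from the post above actually closes the bypass, written as an added example and not part of the original post: it parses `iptables-save` output and reports whether port 80 is redirected to the filter and whether any FORWARD path lets clients route around it. The sample dump is constructed, and `parse`, `opt` and `audit` are illustrative names.

```python
import shlex

# Constructed sample: roughly what `iptables-save` prints once the script
# from the post has been applied (not captured from a real host).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

def parse(dump):
    """Split an iptables-save dump into chain policies and rule token lists."""
    policies, rules, table = {}, {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":"):          # chain policy, e.g. :FORWARD DROP [0:0]
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):        # appended rule
            tokens = shlex.split(line)
            rules.setdefault((table, tokens[1]), []).append(tokens[2:])
    return policies, rules

def opt(tokens, flag):
    """Return the value that follows a flag such as --dport, or None."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def audit(dump, proxy_port="8080"):
    """Report whether HTTP is redirected to the filter and what could bypass it."""
    policies, rules = parse(dump)
    redirected = any(
        opt(r, "-j") == "REDIRECT" and opt(r, "--dport") == "80"
        and opt(r, "--to-ports") == proxy_port
        for r in rules.get(("nat", "PREROUTING"), []))
    bypass = [" ".join(r) for r in rules.get(("filter", "FORWARD"), [])
              if opt(r, "-j") == "ACCEPT"]
    if policies.get(("filter", "FORWARD")) != "DROP":
        bypass.append("FORWARD policy is not DROP")
    return {"http_redirected": redirected, "bypass_paths": bypass}
```

On a live gateway the same function can be fed the text of `iptables-save` run as root; negated matches (`!`) are not interpreted by this sketch.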
-
27th August 2009, 12:02 PM #5
Hi Shorty,
You can get the wireless clients to go through your proxy by creating a Layer4 ACL on the ZoneDirector and applying that ACL to the SSID clients connect to.
Note you will need version 8 in order to complete.
Simply create an ACL allowing access to your proxy server on its specific port.
Add other Allow / Deny Rules below it.
Then edit the WLAN and apply the Layer4 rule to it in advanced options.
Kind Regards
Stuart
-
Thanks to StuartWhite from:
Shorty (28th August 2009)
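The rule ordering Stuart describes, modelled as a first-match evaluator (an added example, not part of the original post and not ZoneDirector configuration syntax). First-match evaluation, the DNS and DHCP rules and all function names are assumptions; only the proxy address and port come from the thread.

```python
from ipaddress import ip_address, ip_network

# Hypothetical rule table in the order the post describes: proxy allow first,
# other allows below it, deny last. Only the proxy address comes from the thread.
RULES = [
    # (action, destination network, protocol, destination port; None = any)
    ("allow", "192.168.0.252/32", "tcp", 8080),  # the DansGuardian proxy
    ("allow", "192.168.0.0/24", "udp", 53),      # DNS on the LAN (assumed)
    ("allow", "0.0.0.0/0", "udp", 67),           # DHCP (assumed)
    ("deny", "0.0.0.0/0", "any", None),          # everything else, direct web included
]

def evaluate(rules, dst, proto, port, default="deny"):
    """Return (action, rule index) for the first rule that matches the packet."""
    for i, (action, net, rproto, rport) in enumerate(rules):
        if (ip_address(dst) in ip_network(net)
                and rproto in ("any", proto)
                and rport in (None, port)):
            return action, i
    return default, None

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (ip_network(b[1]).subnet_of(ip_network(a[1]))
            and a[2] in ("any", b[2])
            and a[3] in (None, b[3]))

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, rule in enumerate(rules)
            if any(covers(earlier, rule) for earlier in rules[:j])]
```

With the deny rule moved to the top, `shadowed` flags every rule below it, which is the misordering to look for when the proxy itself becomes unreachable from the WLAN.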
-
27th August 2009, 12:08 PM #6
Cheers Guys all good stuff :-)
I will have a look at playing with both options when I get back to it
Thanks
John
-
-
28th August 2009, 02:25 PM #7
Hi Cools,
I am struggling to implement your suggestion; I am falling at the first hurdle. The Linux version that DG is running on is CentOS Linux 4.4. I have found the file iptables in /etc/rc.d/init.d and the iptables-config file in /etc/sysconfig; is it this that I need to edit?
Cheers
John
-
-
28th August 2009, 02:35 PM #8
I would venture to suggest that Stuart's solution is the better one - ideally you want your wireless users having the same or similar filtering to "regular" users - so perhaps hacking up a dg install for them might not be a great route, especially if you aren't fully comfortable with its operation.
-
-
28th August 2009, 02:43 PM #9
Simplicity in this scenario will be bliss. Make use of the ZD's Layer3-4 ACL.
-
-
28th August 2009, 03:39 PM #10
Hi Stuart, not having a good day, struggling with the Zone Director ACL as well. I was going for Cools' option first as it allowed me to integrate the old APs. But when I had a look at Zone Director I couldn't see the obvious route to forward everything to http://192.168.0.251:8080. Going to have another look now ;-)
-
-
28th August 2009, 04:07 PM #11 
Originally Posted by
Shorty
Hi Stuart, not having a good day, struggling with the Zone Director ACL as well. I was going for Cools' option first as it allowed me to integrate the old APs. But when I had a look at Zone Director I couldn't see the obvious route to forward everything to http://192.168.0.251:8080. Going to have another look now ;-)
What version of code are you running?
It will be under "Configure -> Access Control"
-
-
28th August 2009, 04:11 PM #12
You will need to be running V8
-
-
28th August 2009, 04:59 PM #13
Yeah I am running V8.
I have configured the gateway to 192.168.0.252
and in the ACL settings I have setup the following as a start.

I have then edited the advanced options of the WLAN to set the L4 ACL as Dans.
Any suggestions ?
Cheers
john
-
-
28th August 2009, 05:13 PM #14
Mm, re-looking at this I can see that what I am doing must be incorrect, as I am filtering anything that goes to 8080 and denying all others, but obviously this isn't the aim.
-
-
28th August 2009, 07:27 PM #15
Hi Guys,
I'm trying to do the exact same thing with our Wireless LAN (Ruckus, running the latest firmware) and giving students that access the Guest SSID access to our Internet via a proxy server. I can't get my head around how to do it. Also, would the students using their own laptops need to go in and enter a proxy server under their Internet Options to get out onto the internet, or can the Ruckus kit push this setting out so when they connect to the Guest SSID with a Guest Pass the internet will just "Work"?
Thanks,
Matt
-