  1. #1
    ahuxham
    Join Date: Apr 2008

    Dansguardian Routing Query

    Round 2:

    After finally getting dansguardian to process URLs and activate, I've now stumbled into another fiasco, with it disabling all internet when I had the iptables rule.

    Code:
    # dansguardian.conf - Network Settings
    # ??
    filterip = 127.0.0.1
    # DG Port
    filterport = 8080
    # Squid Loopback
    proxyip = 127.0.0.1
    # Squid Port
    proxyport = 3128
    Now that means that it listens on 8080, accepts URL and then tells Squid to deal with the query. I thought using the following iptables command, I could force all incoming 3128 traffic onto port 8080 where DG would do its thing, and then re-route through localhost (Squid) and back out. Is there maybe an infinite loopback occurring here?

    Squid is set to allow localhost

    Code:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080
    Last edited by ahuxham; 24th June 2008 at 03:45 PM.

  2. #2


    Join Date: Dec 2005
    Location: In the server room, with the lead pipe.
    Reading your other post, are you attempting to reverse proxy Internet based requests through dansguardian and then squid and then to an internal webserver?

    Layout: INTERNET (port) > SQUID (8080>3128) > LAN

    All incoming traffic redirected to 8080 for Dans Guardian, then onto Squid and the lan, via IPtables, however dansguardian will not start, or well it's starting
    Or using it as a filtering proxy for internal requests to the Internet?

    I assume, with your current settings, a client connects to server:3128, they're redirected to server:8080 and nothing happens after that?

    Your filterip is set to 127.0.0.1 and port 8080 - you're redirecting requests (if I remember my iptables) from requestedip:3128 to requestedip:8080, so your clients will never access dansguardian as dansguardian is only listening on the server loopback. I'm not sure if specifying 127.0.0.1:8080 would redirect internally and do what you want.

    Compared to my dansguardian.conf:

    Code:
    # IP clients access
    filterip = 10.X.Y.Z
    # the port that DansGuardian listens on.
    filterport = 8080
    # the ip of the squid proxy
    proxyip = 127.0.0.1
    # the port DansGuardian connects to proxy on
    proxyport = 3128
    and in /etc/squid/squid.conf

    Code:
    http_port 10.X.Y.Z:3128
    http_port 127.0.0.1:3128
    NB: We use Squid ACLs to allow direct squid access for certain boxes and some apps that don't play nicely with proxies (WSUS, for example).

  3. #3
    ahuxham
    Hi Pete,

    Reverse proxy sure, but not into an internal server.

    Clients connect to 192.168.0.xx on port 3128 which in turn I want to redirect into Dansguardian, which in turn goes back out to the internet.

    I'm pretty competent with Google, and iptables and routing etc, but this has me stumped, too many variables in the mix: iptables, dansguardian, squid conf files.

    Any help would be greatly appreciated

  4. #4


    Do clients need to connect to :3128 or can you set them to request :8080 instead? I ask because normally clients would connect to server:8080 and Dansguardian would redirect the request to Squid on 127.0.0.1:3128, negating the need for IPTables.

  5. #5
    ahuxham
    I see what you did there, and I doubt there's any problem routing that way. I can point my clients to ip_addr:8080 which DG will route into squid. Now what's to stop someone missing DG and going straight into squid?

  6. #6


    If nothing needs to connect to squid directly - i.e. all traffic should go through dansguardian, set squid to just listen on the loopback.

    In /etc/squid/squid.conf

    Code:
    http_port 127.0.0.1:3128
    If some things (patch servers etc) still need to access squid directly and don't require access to dansguardian then you'd need to use:

    Code:
    http_port 127.0.0.1:3128
    http_port 10.X.X.X:3128
    and set up squid acls or firewall rules (or a combination of the two) to allow just the direct access you need. Depending on what you need one may be better than the other, squid acls tend to be a bit more flexible.


  8. #7
    ahuxham
    Thanks for the help Pete!
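
Added example, not part of the thread: a shell audit of the two issues discussed above, DansGuardian bound only to the loopback (post #2) and Squid reachable without passing through DansGuardian (posts #5 and #6). The sample configs, the address 10.0.0.5 and all function names are constructed for illustration.

```shell
#!/bin/sh
# List Squid's listening sockets; a bare port means all interfaces.
squid_listeners() {
    awk '$1 == "http_port" { print ($2 ~ /:/ ? $2 : "0.0.0.0:" $2) }' "$1"
}

# Read one "key = value" setting from dansguardian.conf (last one wins).
dg_setting() {
    awk -F'=' -v k="$2" '{ key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; sub(/#.*/, "", v); gsub(/[ \t]/, "", v); out = v }
        END { print out }' "$1"
}

# usage: audit_chain squid.conf dansguardian.conf
# Prints one finding per line; no output means the chain looks consistent.
audit_chain() {
    fip=$(dg_setting "$2" filterip)
    up="$(dg_setting "$2" proxyip):$(dg_setting "$2" proxyport)"
    port=${up##*:}
    case $fip in   # loopback-only filter: LAN clients get connection refused
        127.*) echo "UNREACHABLE dansguardian listens on $fip only" ;;
    esac
    squid_listeners "$1" | awk -v up="$up" -v port="$port" '
        $0 == up || $0 == "0.0.0.0:" port { found = 1 }
        # Non-loopback listener: clients can skip the filter unless a
        # Squid ACL or firewall rule restricts who may connect.
        $0 !~ /^127\./ { print "REVIEW squid reachable directly on " $0 }
        END { if (!found) print "MISMATCH squid is not listening on " up }'
}

# Constructed sample configs: "before" mirrors the first post, "after"
# the layout suggested in the replies (10.0.0.5 is a made-up LAN address).
write_samples() {
    printf 'http_port 3128\n' > "$1/squid-before.conf"
    printf 'filterip = 127.0.0.1\nfilterport = 8080\n' > "$1/dg-before.conf"
    printf 'proxyip = 127.0.0.1\nproxyport = 3128\n' >> "$1/dg-before.conf"
    printf 'http_port 127.0.0.1:3128\n' > "$1/squid-after.conf"
    printf 'filterip = 10.0.0.5\nfilterport = 8080\n' > "$1/dg-after.conf"
    printf 'proxyip = 127.0.0.1\nproxyport = 3128\n' >> "$1/dg-after.conf"
}

d=$(mktemp -d) && write_samples "$d"
echo "before:"; audit_chain "$d/squid-before.conf" "$d/dg-before.conf"
echo "after:";  audit_chain "$d/squid-after.conf" "$d/dg-after.conf"
rm -rf "$d"
```

A REVIEW line is not automatically a fault: as the replies note, a second `http_port` on the LAN address is acceptable when Squid ACLs or firewall rules limit it to the hosts that need direct access.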


