Mailinglist Archive: opensuse-edu (18 mails)
[opensuse-edu] Education Module -- Calling all iptables / SuSEfirewall2 experts
- From: Jeff Shantz <jeff.shantz@xxxxxxxxx>
- Date: Sun, 5 Jul 2009 21:00:41 -0400
- Message-id: <6e6afd8c0907051800s4271949mb1debde563cabebe@xxxxxxxxxxxxxx>
Hi all,
I've been working on getting Dansguardian/Squid configured by the YaST
Education module lately. My Dansguardian SCR module writes the
configuration files properly, I have per-group filtering setup and
configured, but I am having problems getting Dansguardian/Squid to
play nicely with SuSEfirewall2. Below is a repost of my blog post on
it. If anyone has any ideas and can help or point me to someone who
can, I would appreciate it since I've now been stuck on this problem
for a number of days and I'm pulling my hair out. Thanks.
-----
It's been a busy few weeks. I moved to a new apartment early last
week, so my life has been full of boxes and packing materials for
quite some time now. Alas, the stress is over and life goes on.
Okay, this update is more of a cry for help. I am calling on all
SuSEfirewall2 / iptables experts out there. I am working on the
Dansguardian filtering for the YaST Education module right now and
have everything done on it. The only problem is that I can't get
SuSEfirewall2 to play nice with my custom iptables rules to enable
forwarding requests on port 80 to 8080 (Dansguardian's port).
So here's the deal. I've got Dansguardian on port 8080 and Squid on
port 3128. I need it to be a transparent proxy so that kids can't
circumvent it easily. Also, the firewall is the client itself since
most parents/teachers won't have another system lying around to be a
separate firewall system. Therefore, all requests will be originating
from the firewall system itself.
Now, I have custom iptables rules to forward requests on port 80 to
Dansguardian on 8080 (which, in turn, forwards the requests to Squid).
The rules are as follows:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
Thus, we redirect 80 to 8080 in rule 3, and we allow Squid to do its
magic in rules 1 and 2. This works PERFECTLY when I don't have
SuSEfirewall2 enabled. When I enable the firewall, however, pages
just keep loading forever.
Now, before anyone tells me that I should be using the PREROUTING
chain or tells me to use the FW_REDIRECT setting in
/etc/sysconfig/SuSEfirewall2, keep in mind that all requests originate
from the firewall itself, and these settings only work for requests
originating from other machines.
So, I have these custom rules and I've added them to
/etc/sysconfig/scripts/SuSEfirewall2-custom in the
fw_custom_before_denyall() hook. I then added the following to
/etc/sysconfig/SuSEfirewall2:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
Perfect. I can see that the rules are being loaded by SuSEfirewall2
when I do an iptables -t nat -nvL after starting the firewall. But,
as I say, pages just load forever after turning on the firewall.
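One check worth running once the firewall has loaded the custom rules (an added example, not from the post or from SuSEfirewall2): the squid uid-owner ACCEPT for port 80 must stay ahead of the REDIRECT to 8080 in the nat OUTPUT chain, because iptables matches top to bottom and REDIRECT is terminating, so with the order flipped Squid's own upstream port-80 connections are sent back into Dansguardian. The listings below are constructed samples, and the numeric uid 31 is a placeholder.

```bash
#!/bin/bash
# Verify the order of the transparent-proxy rules in the nat OUTPUT chain.
# Usage on a live host:  iptables -t nat -S OUTPUT | check_redirect_order
# Returns 0 when the uid-owner ACCEPT for port 80 precedes the REDIRECT
# to 8080, 1 when either rule is missing or the order is wrong.
check_redirect_order() {
    awk '
        # first ACCEPT for port 80 restricted by an owner match (squid)
        /--dport 80( |$)/ && /--uid-owner/ && /-j ACCEPT/ && !accept { accept = NR }
        # first REDIRECT of port 80 to Dansguardian on 8080
        /--dport 80( |$)/ && /-j REDIRECT --to-ports 8080/ && !redir { redir = NR }
        END {
            if (!redir)  { print "missing: REDIRECT 80 -> 8080"; exit 1 }
            if (!accept) { print "missing: uid-owner ACCEPT for port 80"; exit 1 }
            if (accept > redir) {
                print "wrong order: REDIRECT (line " redir ") precedes squid ACCEPT (line " accept ")"
                exit 1
            }
            print "ok: squid ACCEPT (line " accept ") precedes REDIRECT (line " redir ")"
        }'
}

# Constructed sample listings (not captured from a real host); iptables -S
# prints the owner uid numerically, 31 stands in for the squid uid here.
SAMPLE_GOOD='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 31 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 31 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'

SAMPLE_BAD='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 31 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 31 -j ACCEPT'

if printf '%s\n' "$SAMPLE_GOOD" | check_redirect_order; then
    echo "good listing passes"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | check_redirect_order; then
    echo "bad listing rejected"
fi
```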
All relevant details are posted in my post in the openSUSE forums at [1].
I would appreciate anyone with knowledge in iptables / SuSEfirewall2
taking a look and posting a reply so that I can stop pulling my hair
out and keep on progressing in this project.
Thanks to all!
[1] http://forums.opensuse.org/network-internet/417523-transparent-proxy-using-squid-dansguardian-susefirewall2.html
--
To unsubscribe, e-mail: opensuse-edu+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-edu+help@xxxxxxxxxxxx