On 07/06/2009 09:19 AM, Jeff Shantz wrote:
Hello,
I am currently a Google Summer of Code student working on the YaST Education module. One of the elements I'm adding to the module is the ability to filter web connections at a per-group level using Dansguardian and Squid. It needs to be configured as a transparent proxy so that kids can't get around the filtering.
I have Dansguardian and Squid configured and working properly. I also have a few custom iptables rules that work just fine when SuSEfirewall2 is not enabled:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
So, I redirect requests on port 80 to 8080 (Dansguardian's port, which then redirects to Squid on port 3128), and allow all requests made by Squid. The rules have to be in the OUTPUT chain since all requests are originating from the firewall itself (since most parents/teachers will not have an extra system lying around to use as a dedicated firewall). These rules work great when SuSEfirewall2 is disabled.
I tried adding these custom rules to the fw_custom_before_denyall() hook in /etc/sysconfig/scripts/SuSEfirewall2-custom and added the following line to /etc/sysconfig/SuSEfirewall2:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
When I enable the firewall, the rules do get loaded (I can see them by running iptables -t nat -nvL), but pages just load forever after turning on the firewall.
Is there anyone that might be able to assist with this problem? I have been stuck on it for days and well, it's a Google Summer of Code project, so you'd be helping me help the community. :)
Other relevant details such as my entire ruleset output by iptables-save are located at [1].
Thanks in advance.
Regards, Jeff Shantz
[1] http://forums.opensuse.org/network-internet/417523-transparent-proxy-using-s...
If you are writing a yast module, wouldn't it be better to do it the way it is designed? I believe all you need to do is add the correct info to FW_REDIRECT (in /etc/sysconfig/SuSEfirewall2), i.e. <internal_net>,0/0,80,8080. For example, if the internal net is 192.168.1.x, it would be 192.168.1.0/24,0/0,80,8080.

If you are also wanting the module to configure DG (internal ip via filterip="", defaults for others will work) and squid (there is already a squid yast module), it will work. I have been running this since 2000. Perhaps you should just include a note to make sure squid is configured as a transparent proxy via the squid module.

HTH
-- 
Joe Morris
Registered Linux user 231871 running openSUSE 11.1 x86_64
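The two technical points in this thread, the ordering of the owner-match ACCEPT rules against the port-80 REDIRECT in the nat OUTPUT chain, and the FW_REDIRECT entry suggested in the reply, can both be checked mechanically. The script below is an added example written for this thread; it is not Jeff's code, not part of SuSEfirewall2 or YaST, and runs offline against a constructed iptables-save snippet. The proxy user name (squid), the ports (80, 3128, 8080) and the sample network (192.168.1.0/24) are taken from the thread; the function names and the sample table are assumptions made for the example.

```shell
# Added example (not from the thread): verifies that a saved nat table has
# the rule order a transparent proxy on the firewall host needs. The owner
# match ACCEPT for the proxy user must come before the port-80 REDIRECT;
# otherwise the proxy's own upstream HTTP fetches are redirected back into
# the filter and pages "load forever". Also builds the FW_REDIRECT value
# from the reply. Proxy user, ports and samples are parameters/constructed.

# Constructed sample in iptables-save format, modelled on the thread's rules.
SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# Same rules with the REDIRECT placed first: the proxy's outbound HTTP loops.
SAMPLE_LOOP='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
COMMIT'

# check_proxy_order <saved-nat-table> <proxy-user> <port>
# Returns 0 when the proxy user's ACCEPT precedes the REDIRECT for <port>
# in the OUTPUT chain, 1 when the REDIRECT comes first or the ACCEPT is
# missing, 2 when there is no REDIRECT for <port> at all.
check_proxy_order() {
    table=$1; user=$2; port=$3
    accept_line=$(printf '%s\n' "$table" \
        | grep -n -- "-A OUTPUT .*--dport $port .*--uid-owner $user .*-j ACCEPT" \
        | head -n1 | cut -d: -f1)
    redirect_line=$(printf '%s\n' "$table" \
        | grep -n -- "-A OUTPUT .*--dport $port .*-j REDIRECT" \
        | head -n1 | cut -d: -f1)
    if [ -z "$redirect_line" ]; then
        echo "no REDIRECT for port $port in nat OUTPUT"
        return 2
    fi
    if [ -z "$accept_line" ] || [ "$accept_line" -gt "$redirect_line" ]; then
        echo "LOOP RISK: REDIRECT (line $redirect_line) is hit before the $user ACCEPT (line ${accept_line:-missing})"
        return 1
    fi
    echo "ok: $user ACCEPT (line $accept_line) precedes REDIRECT (line $redirect_line)"
    return 0
}

# fw_redirect_entry <internal-net-cidr> <port> <proxy-port>
# Builds the FW_REDIRECT value from the reply (net,0/0,port,proxyport) after
# a rough CIDR sanity check, so a module can emit it instead of raw rules.
fw_redirect_entry() {
    net=$1; port=$2; pport=$3
    case $net in
        *.*.*.*/[0-9]|*.*.*.*/[0-9][0-9]) ;;
        *) echo "invalid network: $net" >&2; return 1 ;;
    esac
    printf '%s,0/0,%s,%s\n' "$net" "$port" "$pport"
}

# On a live host the first argument would be "$(iptables-save -t nat)".
check_proxy_order "$SAMPLE_GOOD" squid 80
check_proxy_order "$SAMPLE_LOOP" squid 80 || true
fw_redirect_entry 192.168.1.0/24 80 8080
```

The check reads the saved table rather than the live kernel so it can be run on a generated ruleset before it is loaded; only the first matching ACCEPT and REDIRECT lines are compared, which is enough to catch the loop ordering this thread is about.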