[opensuse-security] SuSEfirewall2 + transparent proxy
Hello,

I am currently a Google Summer of Code student working on the YaST Education module. One of the elements I'm adding to the module is the ability to filter web connections at a per-group level using Dansguardian and Squid. It needs to be configured as a transparent proxy so that kids can't get around the filtering.

I have Dansguardian and Squid configured and working properly. I also have a few custom iptables rules that work just fine when SuSEfirewall2 is not enabled:

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

So, I redirect requests on port 80 to 8080 (Dansguardian's port, which then redirects to Squid on port 3128), and allow all requests made by Squid. The rules have to be in the OUTPUT chain since all requests are originating from the firewall itself (since most parents/teachers will not have an extra system lying around to use as a dedicated firewall). These rules work great when SuSEfirewall2 is disabled.

I tried adding these custom rules to the fw_custom_before_denyall() hook in /etc/sysconfig/scripts/SuSEfirewall2-custom and added the following line to /etc/sysconfig/SuSEfirewall2:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

When I enable the firewall, the rules do get loaded (I can see them by running iptables -t nat -nvL), but pages just load forever after turning on the firewall.

Is there anyone that might be able to assist with this problem? I have been stuck on it for days and well, it's a Google Summer of Code project, so you'd be helping me help the community. :)

Other relevant details such as my entire ruleset output by iptables-save are located at [1].

Thanks in advance.

Regards,
Jeff Shantz

[1] http://forums.opensuse.org/network-internet/417523-transparent-proxy-using-s...
-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
I cheated .. I added

/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

to my DansGuardian script .. and then I make sure that Dans never starts before Squid is fully operational ..

Gary B

Jeff Shantz wrote:
> [...]
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
>
> So, I redirect requests on port 80 to 8080 (Dansguardian's port, which then redirects to Squid on port 3128), and allow all requests made by Squid. The rules have to be in the OUTPUT chain since all requests are originating from the firewall itself (since most parents/teachers will not have an extra system lying around to use as a dedicated firewall). These rules work great when SuSEfirewall2 is disabled.
> [...]
On 07/06/2009 09:19 AM, Jeff Shantz wrote:
> I am currently a Google Summer of Code student working on the YaST Education module. One of the elements I'm adding to the module is the ability to filter web connections at a per-group level using Dansguardian and Squid. It needs to be configured as a transparent proxy so that kids can't get around the filtering.
> [...]
> I tried adding these custom rules to the fw_custom_before_denyall() hook in /etc/sysconfig/scripts/SuSEfirewall2-custom and added the following line to /etc/sysconfig/SuSEfirewall2:
>
> FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
>
> When I enable the firewall, the rules do get loaded (I can see them by running iptables -t nat -nvL), but pages just load forever after turning on the firewall.
> [...]
If you are writing a yast module, wouldn't it be better to do it the way it is designed? I believe all you need to do is add the correct info to FW_REDIRECT (in /etc/sysconfig/SuSEfirewall2), i.e. <internal_net>,0/0,80,8080. For example, if the internal net is 192.168.1.x, it would be 192.168.1.0/24,0/0,80,8080.

If you are also wanting the module to configure DG (internal ip via filterip="", defaults for others will work) and squid (there is already a squid yast module), it will work. I have been running this since 2000. Perhaps you should just include a note to make sure squid is configured as a transparent proxy via the squid module.

HTH
-- 
Joe Morris
Registered Linux user 231871 running openSUSE 11.1 x86_64
Hi Joe,

On Mon, 2009-07-06 at 11:57 -0500, Joe Morris wrote:
> If you are writing a yast module, wouldn't it be better to do it the way it is designed? I believe all you need to do is add the correct info to FW_REDIRECT (in /etc/sysconfig/SuSEfirewall2), i.e. <internal_net>,0/0,80,8080. For example, if the internal net is

Unfortunately FW_REDIRECT does not work since the packets are originating from the firewall itself (since most parents/teachers will not have a separate, dedicated firewall machine configured).

> defaults for others will work) and squid (there is already a squid yast module), it will work. I have been running this since 2000. Perhaps you should just include a note to make sure squid is configured as a

All setup for Squid and Dansguardian needs to be done by the Education module. Yes, it duplicates some functionality, but a parent with little technical knowledge cannot be expected to run the Education module and then run the Squid module and figure out how to set it up. Everything is done in one place.

Thanks for your response and to all who responded -- incidentally I did solve the problem after speaking with Ludwig Nussel. He suggested that the NOTRACK rules added in the raw table might be getting in the way of things. Sure enough, they were. I removed the NOTRACK rules and everything works as expected.

Thanks again.

Regards,
Jeff Shantz
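The script below is an added illustration of the two points this thread settles; it is example code, not anything posted by Jeff, Gary or Joe, and not part of SuSEfirewall2, YaST, Squid or DansGuardian. It emulates the path a locally generated connection takes through the raw OUTPUT and nat OUTPUT chains, using constructed iptables-save text built from Jeff's three rules. The raw-table `-j NOTRACK` rule for port 80 is an assumed stand-in for the rules SuSEfirewall2 generated (the thread does not show their exact form), and the user names and UIDs are assumptions. Two things come out of it: a packet that raw OUTPUT marks NOTRACK is never tracked, and untracked packets do not traverse the nat table, so the REDIRECT is skipped without any error and pages are never handed to Dansguardian; and the order of Jeff's rules matters, because if the REDIRECT came before the `--uid-owner squid` exemption, Squid's own upstream fetches to port 80 would be redirected back into Dansguardian and loop.

```python
"""Emulate the raw and nat OUTPUT chains for a locally generated connection.

Added example; not code from the thread, SuSEfirewall2 or YaST.  The
iptables-save text is constructed from Jeff's three rules; the raw-table
NOTRACK rule, the user names and the UIDs are assumptions.
"""
import shlex

# Constructed rule text.  The NOTRACK line is an assumed stand-in for the
# raw-table rules SuSEfirewall2 generated; only its effect matters here.
RAW_NOTRACK = "-A OUTPUT -p tcp -m tcp --dport 80 -j NOTRACK\n"
NAT_EXEMPT = (
    "-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT\n"
    "-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT\n"
)
NAT_REDIRECT = "-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080\n"

# Assumed /etc/passwd entries; --uid-owner takes a name but matches the UID.
UID_OF = {"root": 0, "squid": 31, "dansguardian": 32, "kid": 1000}


def save_text(raw_rules, nat_rules):
    """Wrap rule lines in the table/chain framing iptables-save emits."""
    return ("*raw\n:OUTPUT ACCEPT [0:0]\n" + raw_rules + "COMMIT\n"
            "*nat\n:OUTPUT ACCEPT [0:0]\n" + nat_rules + "COMMIT\n")


SAVE_FIXED = save_text("", NAT_EXEMPT + NAT_REDIRECT)         # what Jeff ended with
SAVE_WITH_NOTRACK = save_text(RAW_NOTRACK, NAT_EXEMPT + NAT_REDIRECT)
SAVE_MISORDERED = save_text("", NAT_REDIRECT + NAT_EXEMPT)    # REDIRECT first


def parse_save(text):
    """Return {table: {chain: [rule, ...]}} for the option subset used here."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            table.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            argv = shlex.split(line)[1:]          # argv[0] is the chain name
            rule = {"proto": None, "dport": None, "uid_owner": None,
                    "target": None, "to_ports": None}
            i = 1
            while i < len(argv):
                opt, arg = argv[i], argv[i + 1]
                if opt == "-p":
                    rule["proto"] = arg
                elif opt == "--dport":
                    rule["dport"] = int(arg)
                elif opt == "--uid-owner":
                    rule["uid_owner"] = UID_OF[arg]
                elif opt == "-j":
                    rule["target"] = arg
                elif opt == "--to-ports":
                    rule["to_ports"] = int(arg)
                elif opt != "-m":                 # "-m tcp"/"-m owner" only load a match
                    raise ValueError("unsupported option: " + opt)
                i += 2
            table[argv[0]].append(rule)
    return tables


# (rule field, packet field) pairs a rule may constrain.
CRITERIA = (("proto", "proto"), ("dport", "dport"), ("uid_owner", "uid"))


def matches(rule, pkt):
    """A rule matches when every criterion it sets agrees with the packet."""
    return all(rule[r] is None or rule[r] == pkt[p] for r, p in CRITERIA)


def first_hit(chain, pkt):
    """First matching rule in a chain, or None when the chain policy applies."""
    return next((r for r in chain if matches(r, pkt)), None)


def local_destination_port(tables, pkt):
    """Port a locally generated connection really goes to.

    raw OUTPUT runs before connection tracking; a NOTRACK verdict leaves the
    packet untracked, and untracked packets never traverse the nat table, so
    any REDIRECT there is skipped without an error.
    """
    raw_hit = first_hit(tables.get("raw", {}).get("OUTPUT", []), pkt)
    if raw_hit is not None and raw_hit["target"] == "NOTRACK":
        return pkt["dport"]
    nat_hit = first_hit(tables.get("nat", {}).get("OUTPUT", []), pkt)
    if nat_hit is not None and nat_hit["target"] == "REDIRECT":
        return nat_hit["to_ports"]
    return pkt["dport"]


def proxy_loops(tables, proxy_uid, port=80):
    """True if the proxy's own upstream fetches are redirected back into it."""
    pkt = {"proto": "tcp", "dport": port, "uid": proxy_uid}
    return local_destination_port(tables, pkt) != port


def demo():
    kid = {"proto": "tcp", "dport": 80, "uid": UID_OF["kid"]}
    fixed, broken = parse_save(SAVE_FIXED), parse_save(SAVE_WITH_NOTRACK)
    return {
        "kid_fixed": local_destination_port(fixed, kid),       # 8080: filtered
        "kid_notrack": local_destination_port(broken, kid),    # 80: REDIRECT skipped
        "loop_fixed": proxy_loops(fixed, UID_OF["squid"]),     # False
        "loop_misordered": proxy_loops(parse_save(SAVE_MISORDERED), UID_OF["squid"]),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the OUTPUT chains are walked here, because that is where the firewall's own connections appear. Gary's PREROUTING rule and the FW_REDIRECT setting Joe describes apply in nat PREROUTING, which only sees packets arriving from another host; on a single box where the browsers run on the firewall itself, those rules never match and the filter is bypassed, which is the reason Jeff's rules live in OUTPUT.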
participants (3): Gary Baribault, Jeff Shantz, Joe Morris