Koozali.org: home of the SME Server

masq changes to force port 8080 access via Dansguardian

Offline raem

  • *
  • 3,972
  • +4/-0
masq changes to force port 8080 access via Dansguardian
« on: February 27, 2004, 11:23:34 AM »
I want to force web browser users to access via port 8080 rather than the default 3128 so that requests will be filtered via Dansguardian. Some users just change the setting in the browser from 8080 to Auto detect and then bypass Dansguardian.

I found the post below, but need a more experienced user to elaborate & guide me exactly where and how to make these changes. Which file to edit, what custom template to make and expand, or whatever.

I will be putting the information in a HOWTO and this is the last piece I need in order to complete it.

See my contrib area for the draft copy
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/dansguardian%20instal%20&%20configure%20HOWTO%20for%20sme%20server%20DRAFT2.htm

Thanks
Ray

http://www.e-smith.org/bboard/read.php?v=t&f=3&i=34861&t=34175

Re: Blocking or Redirecting Internal Traffic on Certain Ports
Author: stephen noble (stephen_AT_dungog.net)
Date:   08-10-03 01:59

walter,
the pam_auth is unrelated to squidguard or dansguardian
it's a setting in squid.conf
to block access to port 80 and 3128 and force users to use 8080
i add the following and remove the transproxy lines from masq
5.5 uses ipchains so is different
dungog-dansguardian has been updated

stephen noble
dungog.net/sme

$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
...

Offline byte

  • *
  • 2,183
  • +2/-0
masq changes to force port 8080 access via Dansguardian
« Reply #1 on: February 27, 2004, 11:42:53 AM »
How about this?

$OUT .=" /sbin/iptables --append input -s $local -d 0/0 -p tcp --dport 3128 -j REDIRECT 8080\n";
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline raem

  • *
  • 3,972
  • +4/-0
masq changes to force port 8080 access via Dansguardian
« Reply #2 on: February 27, 2004, 11:48:23 AM »
Thanks Byte

But where exactly do I make that change, that's the part that I am not familiar with. I am still learning & I follow instructions well.

Thanks
Ray
...

Offline byte

  • *
  • 2,183
  • +2/-0
masq changes to force port 8080 access via Dansguardian
« Reply #3 on: February 27, 2004, 11:58:59 AM »
Ok I use squid so might differ...

First I created (if not already there)...

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

then copy from orignal to our newly created dir the file 40AllowLocal

then edit that file in your fav editer...

$OUT .= " /sbin/iptables --append forward -s $local -d $local -j ACCEPT\n";
$OUT .=" /sbin/iptables --append input -s $local -d 0/0 -p tcp --dport 3128 -j REDIRECT 8080\n";
$OUT .= " /sbin/iptables --append input -s $local -d 0/0 -j ACCEPT\n";
$OUT .= " /sbin/iptables --append output -d $local -s 0/0 -j ACCEPT\n";
}

The notice my added iptable in bold others are there for reason.

After Saving and exiting run these commands:

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

/sbin/e-smith/signal-event console-save

You might need to run /etc/rc.d/init.d/masq restart

HTH
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline raem

  • *
  • 3,972
  • +4/-0
masq changes to force port 8080 access via Dansguardian
« Reply #4 on: February 27, 2004, 12:03:12 PM »
Ah, that's the sort of input I was after.
I'll try that out & let you know how it went

Thanks
Ray
...

S

masq changes to force port 8080 access via Dansguardian
« Reply #5 on: March 09, 2004, 02:25:46 PM »
I was trying to add this as byte suggested but my 40AllowLocal looks like this and does not have the values that byte suggested? Or do we need to add all of them and not just the one in bold.

I'm trying to achieve something similar to what Ray is so users have no choice but to go through dansguardian.

Quote

    # Create a new chain to handle local traffic
    /sbin/iptables --new-chain local_chk
    /sbin/iptables --new-chain local_chk_1

    # Accept any traffic initiated on "local" interfaces
    /sbin/iptables --append local_chk_1 \
        --in-interface ! $OUTERIF -j ACCEPT
    /sbin/iptables --append local_chk -j local_chk_1

    # We filter all input and forwarded traffic this way
    /sbin/iptables --append INPUT -j local_chk
    /sbin/iptables --append FORWARD -j local_chk




Also secondly eventhough i have the following in my /home/e-smith/configuration
dansguardian=service|InitscriptOrder|92|status|enabled


and I used the following commands from the Howto Posted above


You will also need to add a link in /etc/rc7.d

To add this do

ln -s /etc/rc.d/init.d/e-smith-service S92dansguardian



Dansguardian still does not start on bootup, and I have to manually start it. On doing a ls -la in /etc/rc7.d it does not appear in the list

Quote

[root@sme masq]# ls -la /etc/rc7.d/
total 8
drwxr-xr-x    2 root     root         4096 Mar  5 01:55 .
drwxr-sr-x   11 root     root         4096 Feb 20 22:40 ..
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S05syslog -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           25 Feb 20 22:41 S15nut -> ../init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S20random -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S25keytable -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S35bootstrap-console -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S35oidentd -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S36masq -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S37network -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S40crond -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S50dhcpcd -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S50xinetd -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S55dnscache -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S55imap -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S55ippp -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S55popd -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S55tinydns -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S57diald -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           25 Feb 20 22:41 S57pppoe -> ../init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S60lpd -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S65dhcpd -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S80ldap -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S80ntpd -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:40 S80qmail -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S85httpd-e-smith -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           25 Feb 20 22:41 S85smtpfront-qmail -> ../init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 21 00:19 S85spamassassin -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S85sshd -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S86httpd-admin -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           23 Feb 20 22:41 S90mysqld -> /etc/rc.d/init.d/mysqld
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S90squid -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S91atalk -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S91smb -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           22 Feb 21 01:41 S95snmpd -> /etc/rc.d/init.d/snmpd
lrwxrwxrwx    1 root     root           23 Mar  5 01:55 S95snortd -> /etc/rc.d/init.d/snortd
lrwxrwxrwx    1 root     root           32 Feb 21 00:35 S97clamd -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           32 Feb 20 22:41 S99local -> /etc/rc.d/init.d/e-smith-service
lrwxrwxrwx    1 root     root           27 Feb 20 22:41 S99mysql.init -> /etc/rc.d/init.d/mysql.init


Any help appreciated
thnks
./S

Notnamed

Configuring SME Server to use Proxy port 8080
« Reply #6 on: June 21, 2004, 01:19:44 PM »
Dear Ray,
I was trying to follow your howto. All is simply to this place
Quote
add the following and remove the transproxy lines from masq
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
Expand the template when changes have been made.
I was trying to do like this:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cp /etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowLocal  /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

...then edit that file in your favourite editor.
I put these lines in 40AllowLocal:
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
and then
cp /etc/e-smith/templates/etc/rc.d/init.d/masq/35Transproxy /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
...then delete all lines in that file

and expand the template

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/sbin/e-smith/signal-event console-save
/etc/rc.d/init.d/masq restart

Would you be so kind and help me?
Best regards
--------------
Nemo