Koozali.org: home of the SME Server

dansguardian and Ray's howto (need help)

funkusmunkus
dansguardian and Ray's howto (need help)
« on: March 09, 2005, 01:12:49 AM »
Hi all,

I have installed and been playing around with dansguardian for the last week, and today was the day to force the change. However, after following the instructions in Ray's howto I got to "Configuring your sme server to use Proxy port 8080" using the commands:
Code:

/sbin/e-smith/db configuration setprop squid TransparentPort 8080
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot  


ran post-upgrade, rebooted, and now unless the clients are using port 3128 they can't get anywhere.

Looking at the logs I didn't notice anything that stood out as being wrong, but hey, I'm still new to these things.
Did anyone come across this before? If so, how did they solve it?
I thought I'd solve it by changing the commands mentioned above to use port 3128 again, but port 8080 still isn't working at all (and I don't know what damage I may have caused by doing that).


So all help would be more than welcome, I need to get this sorted out fast.

cheers

PS I'm running SME 6.0.1 with all the updates from the latest update script.
.........

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #1 on: March 09, 2005, 01:49:34 AM »
Well, again I overlooked something: I didn't include the start-on-boot step from the howto.

cheers
.........

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #2 on: March 09, 2005, 03:25:40 AM »
OK, I have another question regarding creating the iptables rules to block ports 3128 and 80.
I'm not sure how to create the custom template.

I know I have to add the rules somewhere in /etc/e-smith/templates-custom/
but where do I add them under templates-custom/? And do I just add the
Code:

$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";

in one template?

cheers
.........

raem
dansguardian and Ray's howto (need help)
« Reply #3 on: March 09, 2005, 09:40:51 AM »
funkusmunkus

For some clues have a look at
http://forums.contribs.org/index.php?topic=21017.msg82981#msg82981

I don't know if the following will work as I have not yet mastered iptables, but there's only one way to find out. I think there may be more to it than just this.

create a fragment called
90adjusttransproxy
in
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

and add the details previously mentioned

expand the template
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
and restart masq
/etc/init.d/masq restart

If you get errors, then remove the fragment created above, expand the template, restart masq, and your system should be back to the way it was originally.
...

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #4 on: March 09, 2005, 09:52:09 PM »
Thanx for that Ray,

that was the type of thing I was after ;-)
Well, I'm not going to say I haven't mastered iptables, I'll say I still haven't understood iptables.

So one of the main things I was trying to find out was where under templates-custom/ to go, because I didn't know where the iptables rules are, but now I do, so I'll have to kill a few SMEs playing around there :hammer:

I'll give it a go on Friday (unless I end up going to the SAGE symposium), otherwise Monday it will be.

I'll let you know how I go.

Thanx a lot again

cheers
.........

Rog

Re: dansguardian and Ray's howto (need help)
« Reply #5 on: March 10, 2005, 10:22:07 PM »
Quote from: "funkusmunkus"
Hi all,

I have installed and been playing around with dansguardian for the last week, and today was the day to force the change. However, after following the instructions in Ray's howto I got to "Configuring your sme server to use Proxy port 8080" using the commands:
Code:

/sbin/e-smith/db configuration setprop squid TransparentPort 8080
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot  


ran post-upgrade, rebooted, and now unless the clients are using port 3128 they can't get anywhere.



I've got the same problem. Dansguardian is set to start on boot. After entering the above and rebooting, I did notice some text appear briefly on the screen, not sure if it was some kind of error message or not though. Where would I find the error log? I'd love to get this working :)

raem
Re: dansguardian and Ray's howto (need help)
« Reply #6 on: March 12, 2005, 05:40:54 AM »
Rog

>....unless the clients are using port 3128 they can't get anywhere.

Probably Dansguardian is not running.
Try
/etc/init.d/dansguardian status
which if it is running shows something like:
Parent DansGuardian pid:18252

If DG has not started after a reboot then the startup db entry and link are missing or incorrect.

To get it running do:
/etc/init.d/dansguardian start
Starting dansguardian:                        [ OK ]

Enabling the Dansguardian service at startup
/sbin/e-smith/config set dansguardian service Initscriptorder 92 status enabled
(all on one line)
 
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S92dansguardian
(all on one line)
 
Make sure this link has permissions like:
lrwxrwxrwx  1 root root S92dansguardian -> /etc/rc.d/init.d/e-smith-service

Enabling logrotation
cd /etc/cron.weekly
touch dansguardian

Add the following lines
# logrotation script for dansguardian
exec /etc/dansguardian/logrotation

Check that the above file has permissions like:
-rwxr-xr-x   1 root root       dansguardian
 
Make sure that you review the DG config files as some of these can affect your Internet access.

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/dansguardian%20instal%20&%20configure%20HOWTO%20for%20sme%20server.htm
...
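The startup wiring described above (the rc7.d link to e-smith-service, the weekly logrotation script, the config db entry) is easy to get half right, so here is a small set of dry-run checks for it. This is an added example, not part of the HOWTO or of SME Server; each check takes a root directory so it can be exercised against a scratch tree before being pointed at "/" on a real box. The scratch tree it builds is a constructed sample. The db check uses e-smith's own `config getprop` and is skipped where that tool is absent.

```shell
#!/bin/sh
# Added example, not from the HOWTO: dry-run checks for the boot-time wiring
# described above. Each function takes a root directory so the checks can be
# exercised against a scratch tree; on a real SME box call them with "/".

# The rc7.d symlink must exist and point at e-smith-service (the S92 prefix is
# the Initscriptorder set in the config db entry).
check_startup_link() {
    root="${1%/}"
    link="$root/etc/rc.d/rc7.d/S92dansguardian"
    want="/etc/rc.d/init.d/e-smith-service"
    [ -L "$link" ] || { echo "missing: $link"; return 1; }
    have="$(readlink "$link")"
    [ "$have" = "$want" ] || { echo "wrong target: $link -> $have"; return 1; }
    echo "ok: $link -> $have"
}

# The weekly cron script must be executable and exec the DansGuardian
# logrotation script, otherwise the access logs grow without bound.
check_logrotation() {
    root="${1%/}"
    script="$root/etc/cron.weekly/dansguardian"
    [ -f "$script" ] || { echo "missing: $script"; return 1; }
    [ -x "$script" ] || { echo "not executable: $script"; return 1; }
    grep -q '^exec /etc/dansguardian/logrotation' "$script" \
        || { echo "no exec line in $script"; return 1; }
    echo "ok: $script"
}

# On a real box also confirm the db entry the link depends on. Skipped when
# the e-smith tools are not present (as in the scratch run).
check_db_entry() {
    cfg=/sbin/e-smith/config
    [ -x "$cfg" ] || { echo "skip: $cfg not found"; return 0; }
    [ "$("$cfg" getprop dansguardian status)" = "enabled" ] \
        || { echo "db: dansguardian status is not enabled"; return 1; }
    echo "ok: db entry enabled"
}

# Build a scratch tree mirroring the layout above so the checks can be run
# offline (constructed sample, not a real server).
make_scratch_tree() {
    root="$1"
    mkdir -p "$root/etc/rc.d/rc7.d" "$root/etc/cron.weekly"
    ln -s /etc/rc.d/init.d/e-smith-service "$root/etc/rc.d/rc7.d/S92dansguardian"
    printf '# logrotation script for dansguardian\nexec /etc/dansguardian/logrotation\n' \
        > "$root/etc/cron.weekly/dansguardian"
    chmod 755 "$root/etc/cron.weekly/dansguardian"
}

# Run every check; returns non-zero if any of them fails.
check_all() {
    rc=0
    check_startup_link "$1" || rc=1
    check_logrotation "$1" || rc=1
    check_db_entry || rc=1
    return $rc
}

scratch="$(mktemp -d)"
make_scratch_tree "$scratch"
check_all "$scratch"
rm -rf "$scratch"
```

Run it as `check_all /` on the server after following the steps above; a missing or wrongly targeted link, or a cron script without the execute bit, is reported by name.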

Rog

dansguardian and Ray's howto (need help)
« Reply #7 on: March 13, 2005, 11:47:16 PM »
Thanks for the info, I'll be working on the server in a few hours. In its current state pop3 access (to external mail server) is dead too, so hopefully I can get everything going. I'll post back what happens  :-)

Rog

dansguardian and Ray's howto (need help)
« Reply #8 on: March 14, 2005, 04:38:34 AM »
I'm on-site now, and all is not well  :cry:

 
Quote
/etc/init.d/dansguardian status

no Dansguardian process found


Quote
/etc/init.d/dansguardian start


Starting dansguardian: [ FAILED ]

All of the files are in /etc/dansguardian
Re-installing DansGuardian-2.6.1-3.RH72.i386.rpm
Code:
rpm -Uvh DansGuardian-2.6.1-3.RH72.i386.rpm
says it's already installed.

Any other suggestions greatly appreciated  :-)


funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #10 on: March 15, 2005, 03:25:58 AM »
Well, after creating the custom template and copying the lines
Code:

$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";

$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";

$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";

$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";

$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";

$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";


every time I restart the masq service I get the following error
Code:

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: /etc/init.d/masq: .=: command not found
/etc/init.d/masq: .=: command not found
/etc/init.d/masq: .=: command not found
/etc/init.d/masq: .=: command not found
/etc/init.d/masq: .=: command not found
/etc/init.d/masq: .=: command not found
done


Do I remove the .= from the lines? I'm looking for some good online reading material for iptables; if I work it out I'll let you know.

cheers
.........
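The `.=: command not found` message is what the shell prints when Perl template statements are copied into the generated script as plain text: an e-smith template fragment is passed through verbatim except for what sits inside a `{ }` block, which is run as Perl at expand time. Outside a block the shell expands the unset `$OUT` to nothing and then tries to execute `.=` as a command, once per line, which matches the six errors above. The fragment below is an added example, not code from this thread or from Ray's HOWTO: the same six DROP rules written as a complete fragment. It assumes that `@locals` (the local networks) and `$AllowLocals` (the chain-name suffix) are set by earlier fragments of the masq template on the SME release in use; both are assumptions to verify before expanding.

```perl
{
    # Added example (not from the thread or the HOWTO). Everything inside this
    # block runs as Perl when /etc/rc.d/init.d/masq is expanded; only what is
    # appended to $OUT ends up in the generated shell script.
    #
    # Assumptions: @locals and $AllowLocals are provided by earlier fragments
    # of this template on the SME release in use. Check before relying on them:
    #   grep -l 'AllowLocals' /etc/e-smith/templates/etc/rc.d/init.d/masq/*
    my @blocked_ports = (80, 3128);   # direct web access and direct squid access

    foreach my $local (@locals) {
        foreach my $port (@blocked_ports) {
            $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port $port -j DROP\n";
            $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port $port -j DROP\n";
            $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port $port -j DROP\n";
        }
    }
}
```

After expanding the template, inspecting the generated file is the quickest check: `grep -n 'OUT' /etc/rc.d/init.d/masq` should print nothing, and the iptables lines should appear with real network addresses substituted for `$local`.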

raem
dansguardian and Ray's howto (need help)
« Reply #11 on: March 15, 2005, 03:59:02 AM »
funkusmunkus

Just delete the custom templates, expand and restart masq, and it should be back to the way it was.

The rules are not correct or are formatted incorrectly, that's why the HOWTO is still DRAFT information.

See
http://www.linuxguruz.com/iptables/howto/

...and do let me know if you solve it.
...

raem
dansguardian and Ray's howto (need help)
« Reply #12 on: March 15, 2005, 04:16:04 AM »
These custom template fragments were sent to me. I think they came from the dungog product and may give useful information. I have not had time to try them as yet.

You do know that dungog sells a Dansguardian server manager panel version that works out of the box, I think it's fairly cheap.


/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/


**********************************************
FRAGMENT
35transproxy
**********************************************

{
  use esmith::config;
  use esmith::db;

  my %dungog;
  tie %dungog, 'esmith::config', '/home/e-smith/dungog';

  my $proxyaccess = db_get_prop(\%dungog, 'dansguardian', 'proxyaccess') || '';

  #identify sme version <=5.5 uses mysql-delete-dumps
  if (-e "/etc/e-smith/events/mysql-delete-dumps")
  {
    my $proxyport = $squid{TransparentPort} || "3128";

    #proxyaccess usage, redirect to $proxyport
    if (($proxyaccess eq 'default') || ($proxyaccess eq 'transproxy') || ($proxyaccess eq 'disable'))
    {
        my ($network, $broadcast) =
            esmith::util::computeNetworkAndBroadcast ($LocalIP, $LocalNetmask);

        $OUT = '';
        $OUT .= "    #dansguardian, proxy redirect to $proxyport\n";

        # Accept any accesses to the localIP directly
        $OUT .= "    /sbin/ipchains --append input -j ACCEPT -p tcp ";
        $OUT .= "--source $network/$LocalNetmask --destination $LocalIP 80\n";

        # Accept localhost apache access directly
        $OUT .= "    /sbin/ipchains --append input -j ACCEPT -p tcp ";
        $OUT .= "--destination 127.0.0.1 80\n";

        if (defined $ExternalIP)
        {
           # Accept any accesses to the ExternalIP directly
            $OUT .= "    /sbin/ipchains --append input -p tcp " .
                   "--destination \$OUTERNET 80 -j ACCEPT\n";
        }

         # divert port 80 traffic through our proxy & dansguardian
        $OUT .= "    /sbin/ipchains --append input -j REDIRECT $proxyport -p tcp ";
        $OUT .= "--source $network/$LocalNetmask --destination 0.0.0.0/0 80\n";
        $OUT .= "\n";

        local %networks;
        tie %networks, 'esmith::config', '/home/e-smith/networks';

        foreach my $network (keys %networks)
        {
            my ($type, %properties) = db_get(\%networks, $network);
            if ($type eq 'network')
            {
                $OUT .= "    #local networks, proxy redirect to $proxyport\n";
                $OUT .= "    /sbin/ipchains --append input -j ACCEPT -p tcp ";
                $OUT .= "--source $network/$properties{'Mask'} ";
                $OUT .= "--destination $LocalIP 80\n";
                $OUT .= "    /sbin/ipchains --append input -j ACCEPT -p tcp ";
                $OUT .= "--destination 127.0.0.1 80\n";
                $OUT .= "    /sbin/ipchains --append input -j REDIRECT $proxyport ";
                $OUT .= "-p tcp --source $network/$properties{'Mask'} ";
                $OUT .= "--destination 0.0.0.0/0 80\n";
                $OUT .= "\n";
            }
        }
    }
  }
  else
  # 5.6+ template
  {
    #proxyaccess usage, no transparent proxy for pam_auth or ident
    my $proxyaccess = db_get_prop(\%dungog, 'dansguardian', 'proxyaccess') || '';
    if (($proxyaccess eq 'default') || ($proxyaccess eq 'transproxy') || ($proxyaccess eq 'disable'))
    {
      # Create new chain to manage TransProxy stuff
      # Note: We send all traffic destined to port 80, regardless of
      # where it's from, since the filter table will worry about source.
      $OUT .= "    /sbin/iptables --table nat --new-chain TransProxy\n";
      $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
      $OUT .= "\t-p tcp --dport 80 -j TransProxy\n";

      # Accept any accesses to the local IPs directly

      $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
      $OUT .= "\t--destination 127.0.0.1 --jump ACCEPT\n";
      $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
      $OUT .= "\t--destination $LocalIP --jump ACCEPT\n";

      if (defined $ExternalIP) {
          # Accept any accesses to the ExternalIP directly
          $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
          $OUT .= "\t--destination \$OUTERNET --jump ACCEPT\n";
      }

      my $transproxy = $squid{Transparent} || "yes";
      my $status = $squid{status} || "disabled";
      if ($transproxy eq "yes" && $status eq "enabled") {
          my $proxyport = $squid{TransparentPort} || "3128";

          # Otherwise, divert port 80 traffic through our proxy
          $OUT .= "    /sbin/iptables --table nat --append TransProxy\\\n";
          $OUT .= "\t-p TCP -j DNAT --to $LocalIP:$proxyport\n";
      } else {
          # Or just let it go unhindered
          $OUT .= "    /sbin/iptables --table nat --append TransProxy\\\n";
          $OUT .= "\t--jump ACCEPT\n";
      }
    }
  }
}


****************************************
FRAGMENT
90adjustAllowLocal
****************************************

{
  #identify sme version <=5.5 uses mysql-delete-dumps
  #above SME 5.5
  unless (-e "/etc/e-smith/events/mysql-delete-dumps")
  {
    my $proxyport = $squid{TransparentPort} || "3128";

    use esmith::config;
    use esmith::db;

    my %dungog;
    tie %dungog, 'esmith::config', '/home/e-smith/dungog';

    my $proxyaccess  = db_get_prop(\%dungog, 'dansguardian', "proxyaccess") || '';

    #5.6
    unless ( -e '/home/e-smith/db/navigation' )
    {
      my $masqTimed   = db_get(\%dungog, "masqTimed")  || '';
      my @timed = ();   # empty list; ('') would yield one empty port and an invalid iptables rule
      if ($masqTimed ne '')
      {
        @timed = split (/ /, $masqTimed);
      }

      my $masqBlocked = db_get(\%dungog, "masqBlocked") || '';
      my @blocked = ();   # same here: '' produced "--destination-port  -j DROP" lines
      if ($masqBlocked ne '')
      {
        @blocked = split (/ /, $masqBlocked);
      }

      my $AllowLocals = "AllowLocals_\$\$";
      $OUT .= "FAL=\$(/sbin/iptables --list ForwardAllowLocals | sed -n '3s/ .*//p')\n";
      $OUT .= "IAL=\$(/sbin/iptables --list InputAllowLocals | sed -n '3s/ .*//p')\n";
      $OUT .= "    /sbin/iptables --new-chain Input$AllowLocals\n";
      $OUT .= "    /sbin/iptables --new-chain Forward$AllowLocals\n";
      foreach my $local (@locals)
      {
        if (($proxyaccess eq 'pam_auth') || ($proxyaccess eq 'ident'))
        {
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port 80 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port 3128 -j DROP\n";
        }
        elsif ($proxyaccess eq "transproxy")
        {
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port 3128 -j DROP\n";
        }

        #port blocking
        $OUT .= "    #dungog-masq time based blocking on @blocked active\n";
        foreach my $block (@blocked)
        {
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port $block -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port $block -j DROP\n";
           $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port $block -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --source-port $block -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --source-port $block -j DROP\n";
           $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --source-port $block -j DROP\n";
        }

        my $portsBlocked   = db_get_prop(\%dungog, 'masq', "portsBlocked")  || '';
        if ($portsBlocked eq 'yes')
        {
           $OUT .= "    #dungog-masq time based blocking on @timed active\n";
           foreach  (@timed)
           {
               $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port $_ -j DROP\n";
               $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port $_ -j DROP\n";
               $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port $_ -j DROP\n";
               $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --source-port $_ -j DROP\n";
               $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --source-port $_ -j DROP\n";
               $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --source-port $_ -j DROP\n";
           }
        }

        #default access
        $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -j ACCEPT\n";
        $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -j ACCEPT\n";
        $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -j ACCEPT\n";
      }
      $OUT .= "    /sbin/iptables --replace InputAllowLocals 1 --jump Input$AllowLocals\n";
      $OUT .= "    /sbin/iptables --flush \$IAL\n";
      $OUT .= "    /sbin/iptables --delete-chain \$IAL\n";
      $OUT .= "    /sbin/iptables --replace ForwardAllowLocals 1 --jump Forward$AllowLocals\n";
      $OUT .= "    /sbin/iptables --flush \$FAL\n";
      $OUT .= "    /sbin/iptables --delete-chain \$FAL\n";
    }
  }
  #6.0
  #nothing, see template-custom  90local_chk50networks
  $OUT .= " ";
}


************************************************
FRAGMENT
90adjustTransProxy
************************************************

{
  #identify sme version <=5.5 uses mysql-delete-dumps
  unless (-e "/etc/e-smith/events/mysql-delete-dumps")
  {
    use esmith::config;
    use esmith::db;

    my %dungog;
    tie %dungog, 'esmith::config', '/home/e-smith/dungog';

    my $proxyaccess = db_get_prop(\%dungog, 'dansguardian', 'proxyaccess') || '';

    #proxyaccess usage, no transparent proxy for pam_auth
    if (($proxyaccess eq 'default') || ($proxyaccess eq 'transproxy') || ($proxyaccess eq 'disable'))
    {
      # Update any rules which may have changed, meaning
      # - $ExternalIP
      # - enabled/disabled
      # - Transproxy port (unlikely)
      my $rule = 3;
      if (defined $ExternalIP)
      {
          # Accept any accesses to the ExternalIP directly
          $OUT .= "    /sbin/iptables --table nat \\\n";
          $OUT .= "\t--replace TransProxy $rule\\\n";
          $OUT .= "\t--destination \$OUTERNET --jump ACCEPT\n";
          $rule++;
      }
      my $transproxy = $squid{Transparent} || "yes";
      my $status = $squid{status} || "disabled";
      if ($transproxy eq "yes" && $status eq "enabled")
      {
          my $proxyport = $squid{TransparentPort} || "3128";

          # Otherwise, divert port 80 traffic through our proxy
          $OUT .= "    /sbin/iptables --table nat --replace TransProxy $rule\\\n";
          $OUT .= "\t-p TCP -j DNAT --to $LocalIP:$proxyport\n";
      }
      else
      # turn off transparent proxy for pam_auth and ident
      {
          # Or just let it go unhindered
          $OUT .= "    /sbin/iptables --table nat --replace TransProxy $rule\\\n";
          $OUT .= "\t--jump ACCEPT\n";
      }
    }
  }
}



*********************************************
FRAGMENT
90local_chk50networks
*********************************************

{
  if ( -e '/home/e-smith/db/navigation' )   # sme6
  {
    $OUT = "";
    my $locals = "@locals";
    if (@locals)
    {
      # Make a new local_chk chain and add any networks found in
      # /home/e-smith/networks.

      use esmith::config;
      use esmith::db;

      my %dungog;
      tie %dungog, 'esmith::config', '/home/e-smith/dungog';

      my $proxyaccess  = db_get_prop(\%dungog, 'dansguardian', "proxyaccess") || '';

      if (($proxyaccess eq 'pam_auth') || ($proxyaccess eq 'ident'))
        {
   $OUT .=<<"EOF";
    for network in $locals
    do
        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 3128 -j DROP
        #/sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 80 -j DROP
        #/sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 80 -j DROP
    done
EOF
        }
        elsif ($proxyaccess eq "transproxy")
        {
   $OUT .=<<"EOF";
    for network in $locals
    do
        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 3128 -j DROP
    done
EOF
        }


        {
          my $masqTimed   = db_get(\%dungog, "masqTimed")  || '';
          my @timed = ();   # empty list; ('') would yield one empty port and an invalid iptables rule
          if ($masqTimed ne '')
          {
            @timed = split (/ /, $masqTimed);
          }

          my $masqBlocked = db_get(\%dungog, "masqBlocked") || '';
          my @blocked = ();   # same here: '' produced "--destination-port  -j DROP" lines
          if ($masqBlocked ne '')
          {
            @blocked = split (/ /, $masqBlocked);
          }

          #port blocking
          $OUT .= "    for network in $locals\n";
          $OUT .= "    do\n";

         foreach my $block (@blocked)
         {
           $OUT .= "        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port $block -j DROP\n";
           $OUT .= "        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port $block -j DROP\n";
           $OUT .= "        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --source-port $block -j DROP\n";
           $OUT .= "        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --source-port $block -j DROP\n";
         }

         my $portsBlocked   = db_get_prop(\%dungog, 'masq', "portsBlocked")  || '';
         if ($portsBlocked eq 'yes')
         {
            foreach (@timed)
            {
              $OUT .= "        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port $_ -j DROP\n";
              $OUT .= "        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port $_ -j DROP\n";
              $OUT .= "        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --source-port $_ -j DROP\n";
              $OUT .= "        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --source-port $_ -j DROP\n";
            }
         }

          $OUT .= "        /sbin/iptables -A \$NEW_local_chk -s \$network -j ACCEPT\n";
          $OUT .= "    done\n";

        }
    }
  }
}


***********************************************
...

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #13 on: March 15, 2005, 04:24:55 AM »
Hi Ray,

Thanx for putting up with my endless questions. I did remove the template and re-expanded.

I'm just going to spend some time playing around with it till I get it working, and get back to you when I do.

cheers

Edit: just saw your second post, I'll have a good look through, cheers again
.........

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #14 on: March 15, 2005, 06:25:04 AM »
Well, I thought I'd be smart and use the masq-manager for SME 5.6, created a rule to block port 3128 for 192.168.0.1/24, and this was the outcome I found in /etc/init.d/masq
Code:

/sbin/iptables --new-chain ForwardDenyLocals
/sbin/iptables -A FORWARD -i $INTERNALIF -o $OUTERIF -j ForwardDenyLocals
/sbin/iptables -A ForwardDenyLocals -s 192.168.0.1/24 -p TCP --dport 3128 -j DROP


but the rules didn't work anyway, so it's back to studying your last post Ray  :hammer:
and I'll see what other hack job I can do to get this working

cheers
.........

raem
dansguardian and Ray's howto (need help)
« Reply #15 on: March 15, 2005, 07:05:59 AM »
funkusmunkus

>.....so it's back to studying your last post

You can try the templates from here.
I have not tested them though.

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/contribs/dansguardian/templates/masq/
...

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #16 on: March 16, 2005, 03:33:04 AM »
I really feel out of my depth here.
I found a masq-manager for SME 6.0
from here http://no.longer.valid/phpwiki/index.php/e-smith-masq-manager

and it added the same code in /etc/rc.d/init.d/masq
Code:

# Add DenyPort
                /sbin/iptables --new-chain ForwardDenyLocals
                /sbin/iptables -A FORWARD -i $INTERNALIF -o $OUTERIF -j ForwardDenyLocals
                /sbin/iptables -A ForwardDenyLocals -s 192.168.0.1/24 -p TCP --dport 3128 -j DROP

I would have guessed that would do the trick, but it doesn't.

It said at the top of deny port
Quote

If you want to deny a port for a specific ip or ip range, enter a value like X.X.X.X (192.168.0.1)
for an ip, and X.X.X.X/X (192.168.0.1/24) for a range.
No value, will deny this port for all your lan.


When I left the field blank it still didn't work, but the code in masq was a little different
Code:

# Add DenyPort
                /sbin/iptables --new-chain ForwardDenyLocals
                /sbin/iptables -A FORWARD -i $INTERNALIF -o $OUTERIF -j ForwardDenyLocals
                /sbin/iptables -A ForwardDenyLocals -s 192.168.0.0/255.255.255.0 -p TCP --dport 3128 -j DROP
                /sbin/iptables -A ForwardDenyLocals -s 192.168.0.1/24 -p TCP --dport 3128 -j DROP


looking at the rules it seems that it will block that port, but no joy       :idea:
.........

raem
dansguardian and Ray's howto (need help)
« Reply #17 on: March 16, 2005, 04:22:35 AM »
funkusmunkus

Why not download those fragments I posted and try them as is, they supposedly should work, I just never got around to trying them out for various reasons.
...

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #18 on: March 16, 2005, 04:49:22 AM »
Sorry, I should have mentioned that this was the result when I restarted masq
Code:

: command not foundading: /etc/rc.d/init.d/masq:
: command not foundsq:
iptables v1.2.5: invalid TCP port/service -j' specified
Try iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: invalid TCP port/service -j' specified
Try iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: invalid TCP port/service -j' specified
Try iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: invalid TCP port/service -j' specified
Try iptables -h' or 'iptables --help' for more information.
: command not foundsq:
done
.........

Rog

dansguardian and Ray's howto (need help)
« Reply #19 on: March 18, 2005, 04:20:58 AM »
Quote from: "RayMitchell"
Read the HOWTO carefully and completely:

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/dansguardian%20instal%20&%20configure%20HOWTO%20for%20sme%20server.htm


Got it working. I'd #'d out some of the content filtering locations in the .conf file. Basically I only wanted to block downloads, etc, so I thought I'd blitz the rest, but it didn't like it.

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #20 on: March 21, 2005, 04:29:53 AM »
Got it all working, here's what I did:
created /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/35transproxy
and put the following in there

Code:
/sbin/iptables --table nat --new-chain TransProxy
    /sbin/iptables --table nat --append PREROUTING\
            -p tcp --dport 80 -j TransProxy
#Rerouting ports 80 443 to port 8080
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
#Blocking port 3128
    /sbin/iptables -A INPUT -p tcp --destination-port 3128 -i eth0 -j DROP
    /sbin/iptables -A INPUT -p udp --destination-port 3128 -i eth0 -j DROP
    /sbin/iptables --table nat --append TransProxy \
        --destination 127.0.0.1 --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy \
        --destination 192.168.0.1 --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy \
        --destination $OUTERNET --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy\
        -p TCP -j DNAT --to 192.168.0.1:8080


Expanded and restarted masq. I was hoping someone could go through it and tell me if I did something really bad, but it seems to work.

cheers
.........

raem
dansguardian and Ray's howto (need help)
« Reply #21 on: September 20, 2006, 12:42:31 PM »
funkusmunkus

I'm finally looking at this to update the Howto.
You wrote:

> here's what I did
> created /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/35transproxy
> and put the following in there

Did you copy the 35transproxy fragment from the /etc/e-smith/templates folder and add your code to it ?
or
Was the code you mentioned the ONLY code that you put in the custom 35transproxy fragment ?

Thanks
Ray
...

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #22 on: September 22, 2006, 02:39:14 AM »
Hi Ray,

The content of the 35transproxy file is:
Code:

/sbin/iptables --table nat --new-chain TransProxy
    /sbin/iptables --table nat --append PREROUTING\
                -p tcp --dport 80 -j TransProxy
#Rerouting ports 80 443 to port 8080
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
#Blocking port 3128
    /sbin/iptables -A INPUT -p tcp --destination-port 3128 -i eth0 -j DROP
    /sbin/iptables -A INPUT -p udp --destination-port 3128 -i eth0 -j DROP
    /sbin/iptables --table nat --append TransProxy \
        --destination 127.0.0.1 --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy \
        --destination 192.168.0.1 --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy \
        --destination $OUTERNET --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy\
        -p TCP -j DNAT --to 192.168.0.1:8080


and nothing else, but it only works on SME 6.0.1 and earlier SME servers that use iptables.
I recently tried it on SME 7 with no luck; I'll spend the weekend working out why it didn't and get back to you with updated code for 7.

But in the meantime, on SME 6.0.1 it will block all access to ports 80, 443 and 3128, so people will be forced to use port 8080.
You should also know that the rerouting doesn't seem to work that well: if someone is trying to access an https website, or Microsoft updates, they won't be able to unless they are using port 8080 as the proxy server.
cheers
.........
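A defender-side check for the fragment above, added here as an example and not taken from the thread or Ray's howto: it audits an iptables-save dump for the port 80 redirect and the port 3128 drop, and flags the port 443 redirect that the post says breaks HTTPS for clients without an explicit proxy setting. The dump, interface name eth0 and ports 8080/3128 are constructed to match the values used in the thread.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the transparent-proxy rules.
# SAMPLE_DUMP is constructed to resemble SME 6.0.1 output after 35transproxy ran.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:TransProxy - [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8080
-A TransProxy -d 127.0.0.1 -j ACCEPT
-A TransProxy -p tcp -j DNAT --to-destination 192.168.0.1:8080
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p tcp --dport 3128 -j DROP
-A INPUT -i eth0 -p udp --dport 3128 -j DROP
COMMIT'

# has_rule DUMP PATTERN: succeeds if an active "-A ..." line matches PATTERN (grep -E).
has_rule() {
    printf '%s\n' "$1" | grep -Eq "^-A .*$2"
}

# audit_transproxy DUMP IFACE PROXYPORT SQUIDPORT
# Prints one finding per line; the return value is the number of missing rules.
audit_transproxy() {
    dump=$1; iface=$2; proxy=$3; squid=$4; missing=0
    if has_rule "$dump" "PREROUTING -i $iface -p tcp --dport 80 -j REDIRECT --to-ports $proxy"; then
        echo "ok: port 80 from $iface is redirected to $proxy"
    else
        echo "MISSING: port 80 redirect to $proxy (filtering can be bypassed)"
        missing=$((missing + 1))
    fi
    if has_rule "$dump" "INPUT -i $iface -p tcp --dport $squid -j DROP"; then
        echo "ok: direct access to squid port $squid is dropped"
    else
        echo "MISSING: squid port $squid is still reachable from $iface"
        missing=$((missing + 1))
    fi
    # The thread observed that redirecting 443 breaks HTTPS unless the browser
    # is explicitly configured for the proxy, so report it as a warning.
    if has_rule "$dump" "PREROUTING -i $iface -p tcp --dport 443 -j REDIRECT"; then
        echo "warning: port 443 is redirected; HTTPS fails for clients not using proxy $proxy"
    fi
    return $missing
}

# Run against the constructed dump; on a live box use: iptables-save
audit_transproxy "$SAMPLE_DUMP" eth0 8080 3128
```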

Offline funkusmunkus

  • *
  • 220
  • +0/-0
dansguardian and Ray's howto (need help)
« Reply #23 on: September 28, 2006, 04:42:18 AM »
sorry Ray, I was going to work on it last weekend, but with the start of Ramadan, I had to start fasting on the weekend, and that complicated things ;-)
I'll sort it out next weekend
cheers
.........

Offline cjensen

  • *
  • 133
  • +0/-0
    • http://acenet-tech.org
dansguardian and Ray's howto (need help)
« Reply #24 on: December 11, 2006, 07:47:37 PM »
Quote from: "funkusmunkus"
sorry Ray, I was going to work on it last weekend, but with the start of Ramadan, I had to start fasting on the weekend, and that complicated things ;-)
I'll sort it out next weekend
cheers


I have followed with interest this thread as I am interested in 'forcing' usage of port 8080 for all network users who connect through the SME 7 box with Dansguardian installed. Users at these locations bring their own laptops and cannot be trusted to use proxy settings as instructed, so forcing the filtering port on all browsers at the server is the best solution.

If you find a solution to this please post as I know you were also learning about iptables and their fragments.

Craig Jensen

Offline raem

  • *
  • 3,972
  • +4/-0
dansguardian and Ray's howto (need help)
« Reply #25 on: December 11, 2006, 09:03:57 PM »
cjensen

Various suggestions have been given in these forums, search on dansguardian to find them

Here are two you could try

http://forums.contribs.org/index.php?topic=23517.0

http://forums.contribs.org/index.php?topic=33775.msg144673#msg144673
re:
Remove the local net to deny access to full squid proxy:
Create custom squid.conf template "20ACL10localhost":
...

Offline cjensen

  • *
  • 133
  • +0/-0
    • http://acenet-tech.org
dansguardian and Ray's howto (need help)
« Reply #26 on: December 12, 2006, 02:59:39 AM »
Thanks Ray.

I have seen these as well. However, what I am trying to accomplish is a 'real' solution... i.e. similar to the panel dungog has implemented in their dansguardian, which allows this 'force' on the lan to be turned off or on. So I am learning about the necessary code fragments and such to do this.

Craig

Offline raem

  • *
  • 3,972
  • +4/-0
dansguardian and Ray's howto (need help)
« Reply #27 on: December 12, 2006, 03:12:47 AM »
cjensen

>...what I am trying to accomplish is a 'real' solution...
> i.e. similar to the panel dungog has implemented...

What is not real about those methods ?
They are easy to enable or disable via command line, i.e. remove a custom template, expand & restart. That's exactly what a fancy panel would do anyway.
Perhaps by "real" you mean a server manager panel.
If that's the case then buy the dungog product.
I doubt very much that anyone will create a free server manager dansguardian contrib. It hasn't happened yet so it's not likely to happen.
...

Offline cjensen

  • *
  • 133
  • +0/-0
    • http://acenet-tech.org
dansguardian and Ray's howto (need help)
« Reply #28 on: December 12, 2006, 03:29:11 AM »
Quote from: "RayMitchell"

I doubt very much that anyone will create a free server manager dansguardian contrib. It hasn't happened yet so it's not likely to happen.


Perhaps you misunderstood me.  I am not asking anyone to create one but would like to myself (and then share it, of course).  I like to do things myself and I do not ask for others to 'do it for me'.  Maybe you should find another thread to follow because your remarks were out of line.

BTW, condescension on lists like this is one thing that drives people away...

Craig

Offline raem

  • *
  • 3,972
  • +4/-0
dansguardian and Ray's howto (need help)
« Reply #29 on: December 12, 2006, 04:09:34 AM »
cjensen

You didn't clearly say in your post that you intended to create a server manager panel. Good on you if you do.

Your other comments are silliness & uncalled for.
...

Offline raem

  • *
  • 3,972
  • +4/-0
dansguardian and Ray's howto (need help)
« Reply #30 on: July 11, 2007, 06:01:18 PM »
The functionality discussed in this thread is built into the current rpms released by dungog for sme7 & is configured with db commands.
See the new Howto
http://wiki.contribs.org/Dansguardian
...

Offline kevinb

  • *
  • 237
  • +0/-0
dansguardian and Ray's howto (need help)
« Reply #31 on: July 12, 2007, 07:40:00 AM »
Great Job Ray! Thanks,

I believe I found a typo:

Code: [Select]
Modifying Firewall and Proxy
Configuring your system to force Dansguardian usage & prevent bypassing
Dansguardian uses port 8080 for web proxy requests. If your browser does not use port 8080 then Dansguardian filtering will be bypassed. To force this usage & prevent users bypassing filtering you should do the following steps:

1) Configure your sme server to use Transparent Proxy port 8080 and to block direct access to the squid proxy port 3128 & redirect port 80 to port 8080

Note the functionality to create custom firewall rules using iptables is built in to the rpms provided by http://www.dungog.net

config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event-reboot
To return Transparent Proxy port to default value and to disable portblocking

config delprop squid TransparentPort 3128
config delprop dansguardian portblocking
signal-event post-upgrade; signal-event-reboot


I believe the last line should be:

Code: [Select]
signal-event post-upgrade; signal-event reboot


Note no dash before "reboot".

Also is:

Code: [Select]
To return Transparent Proxy port to default value and to disable portblocking

config delprop squid TransparentPort 3128
config delprop dansguardian portblocking
signal-event post-upgrade; signal-event-reboot


correct or should it be:

Code: [Select]
config setprop squid TransparentPort 3128



Kevin

Offline raem

  • *
  • 3,972
  • +4/-0
dansguardian and Ray's howto (need help)
« Reply #32 on: July 12, 2007, 12:35:28 PM »
kevinb

> I believe I found a typo:
> Note no dash before "reboot".

It wasn't there before, but slipped in during later editing. Fixed now.
...