Koozali.org: home of the SME Server

dansguardian and Ray's howto (need help)

Offline raem

« Reply #15 on: March 15, 2005, 07:05:59 AM »
funkusmunkus

>.....so it's back to studying your last post

You can try the templates from here.
I have not tested them though.

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/contribs/dansguardian/templates/masq/
...

Offline funkusmunkus

« Reply #16 on: March 16, 2005, 03:33:04 AM »
I really feel out of my depth here. I found a masq-manager for SME 6.0 here: http://no.longer.valid/phpwiki/index.php/e-smith-masq-manager

It added the same code in /etc/rc.d/init.d/masq:
Code:

# Add DenyPort
/sbin/iptables --new-chain ForwardDenyLocals
/sbin/iptables -A FORWARD -i $INTERNALIF -o $OUTERIF -j ForwardDenyLocals
/sbin/iptables -A ForwardDenyLocals -s 192.168.0.1/24 -p TCP --dport 3128 -j DROP

I would have guessed that would do the trick but it doesn't

It said at the top of Deny Port:
Quote:

If you want to deny a port for a specific ip or ip range, enter a value like X.X.X.X (192.168.0.1)
for an ip, and X.X.X.X/X (192.168.0.1/24) for a range.
No value will deny this port for all your lan.


When I left the field blank it still didn't work, but the code in masq was a little different:
Code:

# Add DenyPort
/sbin/iptables --new-chain ForwardDenyLocals
/sbin/iptables -A FORWARD -i $INTERNALIF -o $OUTERIF -j ForwardDenyLocals
/sbin/iptables -A ForwardDenyLocals -s 192.168.0.0/255.255.255.0 -p TCP --dport 3128 -j DROP
/sbin/iptables -A ForwardDenyLocals -s 192.168.0.1/24 -p TCP --dport 3128 -j DROP


Looking at the rules it seems that it will block that port, but no joy.
.........

Offline raem

« Reply #17 on: March 16, 2005, 04:22:35 AM »
funkusmunkus

Why not download those fragments I posted and try them as is? They supposedly should work; I just never got around to trying them out for various reasons.
...

Offline funkusmunkus

« Reply #18 on: March 16, 2005, 04:49:22 AM »
Sorry, I should have mentioned that this was the result when I restarted masq:
Code:

: command not foundading: /etc/rc.d/init.d/masq:
: command not foundsq:
iptables v1.2.5: invalid TCP port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: invalid TCP port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: invalid TCP port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: invalid TCP port/service `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
: command not foundsq:
done
.........
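The restart output above carries two separate symptoms: the `: command not found` lines with the start of the message overwritten are what a shell prints when a script has carriage returns (DOS line endings) at the end of each line, and `invalid TCP port/service `-j' specified` means the `--dport` option had no value, so iptables read the following `-j` as the port. The script below is an added example for this thread (not code from the thread or from SME Server) that checks a masq template fragment for both faults before it is expanded; the fragment file names and their contents are constructed for the demonstration.

```shell
#!/bin/sh
# Lint a masq template fragment before expanding the template and restarting masq.
# Added example for this thread, not code from the thread or from SME Server.
# Two checks, matching the two symptoms seen in the restart output above:
#  1. carriage returns (a fragment saved with DOS line endings makes the shell
#     print "<CR>: command not found" for every line);
#  2. a --dport / --destination-port with nothing after it (iptables then takes
#     the next option as the port: "invalid TCP port/service `-j' specified").

CR=$(printf '\r')
# ERE: port option followed by optional whitespace and then another option or end of line
PORT_RE='--(dport|destination-port)[[:space:]]*(-[-A-Za-z]|$)'

# lint_fragment FILE
# Prints one finding per line on stdout; returns 0 when clean, 1 when anything was found.
lint_fragment() {
    _file=$1
    _rc=0
    if grep -q "$CR" "$_file"; then
        printf '%s\n' "$_file: CRLF line endings (fix with: tr -d '\\r' < $_file > $_file.lf)"
        _rc=1
    fi
    _hits=$(grep -Ec -- "$PORT_RE" "$_file" || true)
    if [ "$_hits" -gt 0 ]; then
        grep -En -- "$PORT_RE" "$_file" | tr -d '\r' | while IFS= read -r _hit; do
            printf '%s\n' "$_file:$_hit  <- port option has no value"
        done
        _rc=1
    fi
    return "$_rc"
}

# Two constructed sample fragments for a stand-alone run (not real SME templates).
write_samples() {
    _dir=$1
    # Clean: LF line endings, every port option has a value.
    cat > "$_dir/35transproxy.good" <<'EOF'
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -A INPUT -p tcp --destination-port 3128 -i eth0 -j DROP
EOF
    # Faulty: CRLF line endings and an empty --dport, as if a panel field was left blank.
    printf '%s\r\n' \
        '/sbin/iptables --new-chain ForwardDenyLocals' \
        '/sbin/iptables -A ForwardDenyLocals -s 192.168.0.0/24 -p TCP --dport  -j DROP' \
        > "$_dir/35transproxy.bad"
}

# Stand-alone demonstration: lint both samples and report.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/35transproxy.good "$demo_dir"/35transproxy.bad; do
    if lint_fragment "$f"; then
        echo "$f: clean, safe to expand"
    else
        echo "$f: fix before expanding"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real fragment with `lint_fragment /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/<fragment>` before `expand-template`; a fragment that passes both checks can still be wrong, but it will not fail in the two ways shown in the restart output.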

Rog

« Reply #19 on: March 18, 2005, 04:20:58 AM »
Quote from: "RayMitchell"
Read the HOWTO carefully and completely:

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/dansguardian%20instal%20&%20configure%20HOWTO%20for%20sme%20server.htm


Got it working. I had #'d out some of the content filtering locations in the .conf file. Basically I only wanted to block downloads, etc., so I thought I'd blitz the rest, but it didn't like it.

Offline funkusmunkus

« Reply #20 on: March 21, 2005, 04:29:53 AM »
Got it all working; here's what I did. I created /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/35transproxy and put the following in there:

Code:

/sbin/iptables --table nat --new-chain TransProxy
/sbin/iptables --table nat --append PREROUTING \
        -p tcp --dport 80 -j TransProxy
# Rerouting ports 80 443 to port 8080
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
# Blocking port 3128
/sbin/iptables -A INPUT -p tcp --destination-port 3128 -i eth0 -j DROP
/sbin/iptables -A INPUT -p udp --destination-port 3128 -i eth0 -j DROP
/sbin/iptables --table nat --append TransProxy \
        --destination 127.0.0.1 --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
        --destination 192.168.0.1 --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
        --destination $OUTERNET --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
        -p TCP -j DNAT --to 192.168.0.1:8080


I expanded and restarted masq. I was hoping someone could go through it and tell me if I did something really bad, but it seems to work.

cheers
.........

Offline raem

« Reply #21 on: September 20, 2006, 12:42:31 PM »
funkusmunkus

I'm finally looking at this to update the Howto.
You wrote:

> here's what I did
> created /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/35transproxy
> and put the following in there

Did you copy the 35transproxy fragment from the /etc/e-smith/templates folder and add your code to it?
or
Was the code you mentioned the ONLY code that you put in the custom 35transproxy fragment?

Thanks
Ray
...

Offline funkusmunkus

« Reply #22 on: September 22, 2006, 02:39:14 AM »
Hi Ray,

The content of the 35transproxy file is:
Code:

/sbin/iptables --table nat --new-chain TransProxy
/sbin/iptables --table nat --append PREROUTING \
        -p tcp --dport 80 -j TransProxy
# Rerouting ports 80 443 to port 8080
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
# Blocking port 3128
/sbin/iptables -A INPUT -p tcp --destination-port 3128 -i eth0 -j DROP
/sbin/iptables -A INPUT -p udp --destination-port 3128 -i eth0 -j DROP
/sbin/iptables --table nat --append TransProxy \
        --destination 127.0.0.1 --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
        --destination 192.168.0.1 --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
        --destination $OUTERNET --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
        -p TCP -j DNAT --to 192.168.0.1:8080


and nothing else, but it only works on SME 6.0.1 and earlier SME servers that use iptables.
I recently tried it on SME 7 with no luck. I'll spend the weekend working out why it didn't and get back to you with updated code for 7.

But in the meantime, on SME 6.0.1 it will block all access to ports 80, 443 and 3128, so people will be forced to use port 8080.
You should also know that the rerouting doesn't seem to work that well: if someone is trying to access an https website, or Microsoft updates, they won't be able to unless they are using port 8080 as the proxy server.
cheers
.........
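The 35transproxy fragment posted in replies #20 and #22 mixes a jump into a user-defined nat chain with two REDIRECT rules, and the order matters: every rule in the TransProxy chain is a terminating target (ACCEPT ends nat processing for the packet, it is not RETURN), so the later port-80 REDIRECT rule is never reached, and the port-443 REDIRECT has no exemption list, so even https to the server's own LAN address is sent to port 8080, where a TLS handshake meets a plain-HTTP filtering port (which is consistent with the https failures described in the post above). The script below is an added example for this thread, not code from the thread or from SME Server, and it does not call iptables: it re-states the posted rules as shell tests, in the posted order, so the outcome for any destination can be read off. It assumes the server's LAN address is 192.168.0.1 (the address hard-coded in the fragment) and that $OUTERNET expands to the external interface address; 203.0.113.5 is a constructed placeholder for it because the thread never shows its value, and 198.51.100.10 is a constructed external web server.

```shell
#!/bin/sh
# Walk a LAN client's TCP connection through the posted 35transproxy fragment,
# rule by rule, the way netfilter would. Added example, not from the thread or
# from SME Server; no iptables calls, just the posted rules as shell tests.
LANIP=192.168.0.1        # address hard-coded in the fragment
OUTERNET=203.0.113.5     # constructed placeholder for $OUTERNET (value not shown in the thread)

# User-defined nat chain TransProxy. Every rule is terminating: ACCEPT ends nat
# processing for the packet (it is not RETURN), and so does DNAT.
transproxy_chain() {
    for _exempt in 127.0.0.1 "$LANIP" "$OUTERNET"; do
        if [ "$1" = "$_exempt" ]; then echo "ACCEPT $1:80"; return; fi
    done
    echo "DNAT $LANIP:8080"        # -p TCP -j DNAT --to 192.168.0.1:8080
}

# nat PREROUTING for a packet arriving on eth0 to DST:PORT, in the posted order.
nat_prerouting() {
    _dst=$1 _port=$2
    if [ "$_port" = 80 ]; then
        # rule 1: -p tcp --dport 80 -j TransProxy. Because every rule in that chain
        # terminates, rule 2 (--dport 80 -j REDIRECT --to-port 8080) is never reached.
        transproxy_chain "$_dst"; return
    fi
    if [ "$_port" = 443 ]; then
        # rule 3: --dport 443 -j REDIRECT --to-port 8080. No exemption list here, so
        # https to the server's own LAN address is redirected too, and a TLS
        # ClientHello then arrives at a plain-HTTP filtering port.
        echo "REDIRECT $LANIP:8080"; return
    fi
    echo "ROUTE $_dst:$_port"      # no nat rule matched
}

# filter INPUT: the fragment drops tcp and udp 3128 arriving on eth0. INPUT only
# sees connections to the server itself; FORWARD is untouched by the fragment.
filter_input() {
    if [ "$1" = "$LANIP" ] && [ "$2" = 3128 ]; then echo "DROP (INPUT 3128)"; return; fi
    echo "PASS"
}

# trace DST PORT -> one verdict string for the flow
trace() {
    _v=$(nat_prerouting "$1" "$2")
    case $_v in
    ROUTE*) _f=$(filter_input "$1" "$2"); [ "$_f" = PASS ] && echo "$_v" || echo "$_f";;
    *)      echo "$_v";;
    esac
}

# Stand-alone demonstration over a few constructed flows.
for _flow in "198.51.100.10 80" "198.51.100.10 443" "$LANIP 80" "$LANIP 443" "$LANIP 3128" "198.51.100.10 3128"; do
    set -- $_flow
    printf '%-16s port %-5s -> %s\n' "$1" "$2" "$(trace "$1" "$2")"
done
```

Reading the trace: port 80 to any host other than the three exemptions is DNATed to the filter on 8080, port 80 to the server itself is left alone, port 443 is redirected regardless of destination, and only direct connections to the server's port 3128 are dropped. Anyone adapting the fragment would want the 443 rule to carry the same exemptions as the TransProxy chain, and would want to either drop the dead port-80 REDIRECT rule or drop the TransProxy jump, not keep both.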

Offline funkusmunkus

« Reply #23 on: September 28, 2006, 04:42:18 AM »
Sorry Ray, I was going to work on it last weekend, but with the start of Ramadan I had to start fasting on the weekend, and that complicated things ;-)
I'll sort it out next weekend.
cheers
.........

Offline cjensen

« Reply #24 on: December 11, 2006, 07:47:37 PM »
Quote from: "funkusmunkus"
Sorry Ray, I was going to work on it last weekend, but with the start of Ramadan I had to start fasting on the weekend, and that complicated things ;-)
I'll sort it out next weekend.
cheers


I have followed this thread with interest, as I am interested in 'forcing' usage of port 8080 for all network users who connect through the SME 7 box with Dansguardian installed. Users at these locations bring their own laptops and cannot be trusted to use proxy settings as instructed, so forcing the filtering port on all browsers at the server is the best solution.

If you find a solution to this please post as I know you were also learning about iptables and their fragments.

Craig Jensen

Offline raem

« Reply #25 on: December 11, 2006, 09:03:57 PM »
cjensen

Various suggestions have been given in these forums; search on dansguardian to find them.

Here are two you could try:

http://forums.contribs.org/index.php?topic=23517.0

http://forums.contribs.org/index.php?topic=33775.msg144673#msg144673
re:
Remove the local net to deny access to full squid proxy:
Create custom squid.conf template "20ACL10localhost":
...

Offline cjensen

« Reply #26 on: December 12, 2006, 02:59:39 AM »
Thanks Ray.

I have seen these as well. However, what I am trying to accomplish is a 'real' solution, i.e. similar to the panel dungog has implemented in their dansguardian, which allows this 'force' on the LAN to be turned off or on. So I am learning about the necessary code fragments and such to do this.

Craig

Offline raem

« Reply #27 on: December 12, 2006, 03:12:47 AM »
cjensen

>...what I am trying to accomplish is a 'real' solution...
> i.e. similar to the panel dungog has implemented...

What is not real about those methods?
They are easy to enable or disable via the command line, i.e. remove a custom template, expand & restart. That's exactly what a fancy panel would do anyway.
Perhaps by "real" you mean a server manager panel.
If that's the case then buy the dungog product.
I doubt very much that anyone will create a free server manager dansguardian contrib. It hasn't happened yet so it's not likely to happen.
...

Offline cjensen

« Reply #28 on: December 12, 2006, 03:29:11 AM »
Quote from: "RayMitchell"

I doubt very much that anyone will create a free server manager dansguardian contrib. It hasn't happened yet so it's not likely to happen.


Perhaps you misunderstood me.  I am not asking anyone to create one but would like to myself (and then share it, of course).  I like to do things myself and I do not ask for others to 'do it for me'.  Maybe you should find another thread to follow because your remarks were out of line.

BTW, condescension on lists like this is one thing that drives people away...

Craig

Offline raem

« Reply #29 on: December 12, 2006, 04:09:34 AM »
cjensen

You didn't clearly say in your post that you intended to create a server manager panel. Good on you if you do.

Your other comments are silliness & uncalled for.
...