PDA

Visualizza la versione completa : squid e dansguardian: filtering trasparente


GreyFox86
25-11-2007, 14:11
Sto cercando di impostare debian affinchè esegua un redirect automatico di tutte le connessioni tcp sulla porta 80 uscenti verso il proxy locale (squid+dansguardian).

Per farlo preso spunto da queste guide:
http://gentoo-wiki.com/HOWTO_setup_a_home-server#Squid
http://gentoo-wiki.com/Dansguardian

Impostando il proxy nelle preferenze del browser funziona tutto perfettamente, solo che rimuovendolo posso navigare in piena libertà, come se i pacchetti non venissero automaticamente inoltrati sulla 8080 locale da questa regola:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080


Qualcuno riesce a capire cosa sto sbagliando? Thx.

edit: dimenticavo le configurazioni di squid e di dansguardian:

Squid
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
icp_port 0
hosts_file /etc/hosts
coredump_dir /var/spool/squid

Dansguardian:
reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'italian'
loglevel = 3
logexceptionhits = on
logfileformat = 1
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 3000
urlcacheage = 900
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = 0
forcequicksearch = 0
reverseaddresslookups = off
reverseclientiplookups = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
preemptivebanning = on
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
nodaemon = off
nologger = off
softrestart = off
virusscan = on
virusengine = 'clamav'
tricklelength = 32768
forkscanlength = 32768
firsttrickledelay = 10
followingtrickledelay = 10
maxcontentscansize = 41904304
virusscanexceptions = on
urlcachecleanonly = on
virusscannertimeout = 60
notify = 0
emaildomain = 'your.domain.com'
postmaster = 'postmaster@your.domain.com'
emailserver = '127.0.0.1:25'
downloaddir = '/tmp/dgvirus'
clmaxfiles = 1500
clmaxreclevel = 3
clmaxfilesize = 10485760
clblockencryptedarchives = off
cldetectbroken = off
clamdsocket = '/tmp/clamd'
avesocket = '/var/run/aveserver'
trophiesocket = '/var/run/trophie'
sophiesocket = '/var/run/sophie'
icapsocket = 'localhost:1344'
icapservice = 'icap://localhost/avscan'

pilovis
26-11-2007, 09:21
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080

GreyFox86
26-11-2007, 19:27
Grazie per la risposta ma anche così non sembra funzionare :(
Senza impostare manualmente il proxy e lasciando "connessione diretta ad internet", continuo a non essere filtrato.

GreyFox86
28-11-2007, 20:09
up :(

Loading