These custom template fragments were sent to me. I think they came from the dungog product and may give useful information. I have not had time to try them as yet, so treat them as untested.
You do know that dungog sells a Dansguardian server manager panel version that works out of the box, I think it's fairly cheap.
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
**********************************************
FRAGMENT
35transproxy
**********************************************
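{
    # 35transproxy -- dungog/DansGuardian variant.
    #
    # Emits the firewall rules that divert LAN port-80 traffic into the
    # local proxy.  Two code paths, chosen by SME release:
    #   * SME <= 5.5 (mysql-delete-dumps event present): ipchains rules on
    #     the "input" chain, one accept/REDIRECT set for the primary LAN
    #     and one per extra network in /home/e-smith/networks;
    #   * SME 5.6+: an iptables nat "TransProxy" chain fed from PREROUTING.
    # Template-environment values used: $OUT, %squid, $LocalIP,
    # $LocalNetmask, $ExternalIP ($OUTERNET is a shell variable of the
    # generated script).
    #
    # Review notes:
    #   * Only TCP/80 is diverted (see the --dport 80 / "0.0.0.0/0 80"
    #     rules below); HTTPS and HTTP on any other port bypass the proxy
    #     and therefore the content filter.
    #   * $proxyport and the per-network masks come from the config DBs and
    #     are interpolated unquoted into shell commands.  They are
    #     admin-controlled, but a malformed value breaks the firewall script.
    #   * The TransProxy rule order (1 = 127.0.0.1, 2 = $LocalIP,
    #     3 = $OUTERNET if defined, then the DNAT/ACCEPT rule) is relied on
    #     by 90adjustTransProxy's --replace rule numbers; keep it.
    # Changes vs. the original: %networks is a lexical ('my') instead of a
    # 'local' global, the inner loop variable no longer shadows $network
    # from computeNetworkAndBroadcast, the duplicate $proxyaccess lookup is
    # gone, and esmith::util is imported explicitly since it is called.
    use esmith::config;
    use esmith::db;
    use esmith::util;    # computeNetworkAndBroadcast() lives here
    my %dungog;
    tie %dungog, 'esmith::config', '/home/e-smith/dungog';
    my $proxyaccess = db_get_prop(\%dungog, 'dansguardian', 'proxyaccess') || '';
    # pam_auth and ident modes emit nothing here: no redirect and no
    # TransProxy chain at all (90adjustTransProxy skips them as well).
    my $redirect = ($proxyaccess eq 'default')
                || ($proxyaccess eq 'transproxy')
                || ($proxyaccess eq 'disable');

    if (-e "/etc/e-smith/events/mysql-delete-dumps")
    {
        # SME <= 5.5: ipchains
        if ($redirect)
        {
            my $proxyport = $squid{TransparentPort} || "3128";
            my ($network, $broadcast) =
                esmith::util::computeNetworkAndBroadcast ($LocalIP, $LocalNetmask);
            $OUT = '';
            $OUT .= " #dansguardian, proxy redirect to $proxyport\n";
            # Accept any accesses to the localIP directly
            $OUT .= " /sbin/ipchains --append input -j ACCEPT -p tcp ";
            $OUT .= "--source $network/$LocalNetmask --destination $LocalIP 80\n";
            # Accept localhost apache access directly
            $OUT .= " /sbin/ipchains --append input -j ACCEPT -p tcp ";
            $OUT .= "--destination 127.0.0.1 80\n";
            if (defined $ExternalIP)
            {
                # Accept any accesses to the ExternalIP directly
                $OUT .= " /sbin/ipchains --append input -p tcp " .
                        "--destination \$OUTERNET 80 -j ACCEPT\n";
            }
            # divert port 80 traffic through our proxy & dansguardian
            $OUT .= " /sbin/ipchains --append input -j REDIRECT $proxyport -p tcp ";
            $OUT .= "--source $network/$LocalNetmask --destination 0.0.0.0/0 80\n";
            $OUT .= "\n";

            # Same accept/redirect set for every additional local network.
            my %networks;
            tie %networks, 'esmith::config', '/home/e-smith/networks';
            foreach my $net (keys %networks)
            {
                my ($type, %properties) = db_get(\%networks, $net);
                next unless $type eq 'network';
                $OUT .= " #local networks, proxy redirect to $proxyport\n";
                $OUT .= " /sbin/ipchains --append input -j ACCEPT -p tcp ";
                $OUT .= "--source $net/$properties{'Mask'} ";
                $OUT .= "--destination $LocalIP 80\n";
                $OUT .= " /sbin/ipchains --append input -j ACCEPT -p tcp ";
                $OUT .= "--destination 127.0.0.1 80\n";
                $OUT .= " /sbin/ipchains --append input -j REDIRECT $proxyport ";
                $OUT .= "-p tcp --source $net/$properties{'Mask'} ";
                $OUT .= "--destination 0.0.0.0/0 80\n";
                $OUT .= "\n";
            }
        }
    }
    else
    {
        # SME 5.6+: iptables nat
        if ($redirect)
        {
            # New chain for the transparent proxy; every port-80 packet is
            # sent there regardless of source -- the filter table decides
            # who may talk at all.
            $OUT .= " /sbin/iptables --table nat --new-chain TransProxy\n";
            $OUT .= " /sbin/iptables --table nat --append PREROUTING\\\n";
            $OUT .= "\t-p tcp --dport 80 -j TransProxy\n";
            # Rules 1 and 2: traffic for the box itself is not redirected
            $OUT .= " /sbin/iptables --table nat --append TransProxy \\\n";
            $OUT .= "\t--destination 127.0.0.1 --jump ACCEPT\n";
            $OUT .= " /sbin/iptables --table nat --append TransProxy \\\n";
            $OUT .= "\t--destination $LocalIP --jump ACCEPT\n";
            if (defined $ExternalIP)
            {
                # Rule 3: nor is traffic for the external address
                $OUT .= " /sbin/iptables --table nat --append TransProxy \\\n";
                $OUT .= "\t--destination \$OUTERNET --jump ACCEPT\n";
            }
            my $transproxy = $squid{Transparent} || "yes";
            my $status     = $squid{status}      || "disabled";
            if ($transproxy eq "yes" && $status eq "enabled")
            {
                # Last rule: divert everything else to the proxy port
                my $proxyport = $squid{TransparentPort} || "3128";
                $OUT .= " /sbin/iptables --table nat --append TransProxy\\\n";
                $OUT .= "\t-p TCP -j DNAT --to $LocalIP:$proxyport\n";
            }
            else
            {
                # Transparent proxying off or squid disabled: pass through
                $OUT .= " /sbin/iptables --table nat --append TransProxy\\\n";
                $OUT .= "\t--jump ACCEPT\n";
            }
        }
    }
}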
****************************************
FRAGMENT
90adjustAllowLocal
****************************************
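{
    # 90adjustAllowLocal -- dungog/DansGuardian variant (SME 5.6 only).
    #
    # Rebuilds the InputAllowLocals / ForwardAllowLocals chains with
    # per-local-network DROP rules placed ahead of the usual ACCEPT:
    #   * proxyaccess pam_auth/ident: drop direct TCP/80 and TCP/3128 so
    #     clients can only reach the web through the authenticating proxy;
    #   * proxyaccess transproxy: drop direct TCP/3128 so the transparent
    #     redirect cannot be bypassed by pointing a browser at squid;
    #   * dungog-masq port lists (masqBlocked always, masqTimed only while
    #     masq/portsBlocked is 'yes'): drop by destination and source port
    #     in both directions.
    # Nothing is emitted on SME <= 5.5; on SME 6.0 the equivalent lives in
    # template-custom 90local_chk50networks.
    # Template-environment values used: $OUT, @locals.
    #
    # Review notes:
    #   * Only the listed TCP ports are dropped, so HTTPS (443) and anything
    #     on another port is unaffected; the port-based DROPs are stateless
    #     and evaded by any service on a different port.
    #   * The 3128 DROPs assume squid listens on 3128 and that
    #     squid/TransparentPort points elsewhere (e.g. at DansGuardian).
    #     If the transparent redirect also targets 3128, the same DROP would
    #     hit the redirected traffic after DNAT -- confirm against the stock
    #     masq chain order before relying on it.
    # Fix vs. the original: an empty masqBlocked/masqTimed became a
    # one-element list ('') and produced rules with an empty
    # --destination-port, which iptables rejects on every masq start.  The
    # lists are now genuinely empty and emit no port rules.  The unused
    # $proxyport lookup is gone.
    unless (-e "/etc/e-smith/events/mysql-delete-dumps")
    {
        use esmith::config;
        use esmith::db;
        my %dungog;
        tie %dungog, 'esmith::config', '/home/e-smith/dungog';
        my $proxyaccess = db_get_prop(\%dungog, 'dansguardian', "proxyaccess") || '';
        # SME 5.6 only (6.0 has /home/e-smith/db/navigation)
        unless ( -e '/home/e-smith/db/navigation' )
        {
            # split ' ' skips leading and repeated blanks, so a sloppy
            # value cannot yield an empty port either.
            my $masqTimed   = db_get(\%dungog, "masqTimed")   || '';
            my $masqBlocked = db_get(\%dungog, "masqBlocked") || '';
            my @timed   = split ' ', $masqTimed;
            my @blocked = split ' ', $masqBlocked;
            my $portsBlocked = db_get_prop(\%dungog, 'masq', "portsBlocked") || '';

            my $AllowLocals = "AllowLocals_\$\$";
            # Remember the chains currently jumped to from rule 1 so they
            # can be torn down once the new ones are swapped in.
            $OUT .= "FAL=\$(/sbin/iptables --list ForwardAllowLocals | sed -n '3s/ .*//p')\n";
            $OUT .= "IAL=\$(/sbin/iptables --list InputAllowLocals | sed -n '3s/ .*//p')\n";
            $OUT .= " /sbin/iptables --new-chain Input$AllowLocals\n";
            $OUT .= " /sbin/iptables --new-chain Forward$AllowLocals\n";

            # Three DROPs by destination port for one local network:
            # forwarded from it, forwarded to it, and input from it.
            my $drop_dport = sub {
                my ($local, $port) = @_;
                $OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port $port -j DROP\n";
                $OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port $port -j DROP\n";
                $OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port $port -j DROP\n";
            };
            # Same three again by source port (catches the replies).
            my $drop_sport = sub {
                my ($local, $port) = @_;
                $OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --source-port $port -j DROP\n";
                $OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --source-port $port -j DROP\n";
                $OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --source-port $port -j DROP\n";
            };

            foreach my $local (@locals)
            {
                if (($proxyaccess eq 'pam_auth') || ($proxyaccess eq 'ident'))
                {
                    # Web access only via the authenticating proxy
                    $drop_dport->($local, 80);
                    $drop_dport->($local, 3128);
                }
                elsif ($proxyaccess eq "transproxy")
                {
                    # No direct squid access around the transparent redirect
                    $drop_dport->($local, 3128);
                }
                # port blocking
                $OUT .= " #dungog-masq time based blocking on @blocked active\n";
                foreach my $port (@blocked)
                {
                    $drop_dport->($local, $port);
                    $drop_sport->($local, $port);
                }
                if ($portsBlocked eq 'yes')
                {
                    $OUT .= " #dungog-masq time based blocking on @timed active\n";
                    foreach my $port (@timed)
                    {
                        $drop_dport->($local, $port);
                        $drop_sport->($local, $port);
                    }
                }
                # default access
                $OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -j ACCEPT\n";
                $OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -j ACCEPT\n";
                $OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -j ACCEPT\n";
            }
            # Swap the new chains in at rule 1 and discard the old ones.
            $OUT .= " /sbin/iptables --replace InputAllowLocals 1 --jump Input$AllowLocals\n";
            $OUT .= " /sbin/iptables --flush \$IAL\n";
            $OUT .= " /sbin/iptables --delete-chain \$IAL\n";
            $OUT .= " /sbin/iptables --replace ForwardAllowLocals 1 --jump Forward$AllowLocals\n";
            $OUT .= " /sbin/iptables --flush \$FAL\n";
            $OUT .= " /sbin/iptables --delete-chain \$FAL\n";
        }
    }
    # SME 6.0: nothing here, see template-custom 90local_chk50networks
    $OUT .= " ";
}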
************************************************
FRAGMENT
90adjustTransProxy
************************************************
{
    # 90adjustTransProxy -- dungog/DansGuardian variant (SME 5.6+ only).
    #
    # Refreshes the nat TransProxy rules that may change between runs
    # ($ExternalIP, squid enabled/disabled, redirect port) by replacing
    # them in place.  Rule positions follow the chain as built by
    # 35transproxy: 1 = 127.0.0.1, 2 = $LocalIP, 3 = $OUTERNET when
    # $ExternalIP is defined, then the DNAT/ACCEPT rule.  For proxyaccess
    # pam_auth/ident no TransProxy chain exists, so nothing is emitted.
    # Template-environment values used: $OUT, %squid, $LocalIP, $ExternalIP.
    unless (-e "/etc/e-smith/events/mysql-delete-dumps")
    {
        use esmith::config;
        use esmith::db;
        my %dungog;
        tie %dungog, 'esmith::config', '/home/e-smith/dungog';
        my $proxyaccess = db_get_prop(\%dungog, 'dansguardian', 'proxyaccess') || '';
        my %uses_redirect = map { $_ => 1 } qw(default transproxy disable);
        if ($uses_redirect{$proxyaccess})
        {
            # Slot 3 is the $OUTERNET accept when there is an external IP;
            # otherwise slot 3 is already the redirect/accept rule.
            my $slot = 3;
            if (defined $ExternalIP)
            {
                $OUT .= join '',
                    " /sbin/iptables --table nat \\\n",
                    "\t--replace TransProxy $slot\\\n",
                    "\t--destination \$OUTERNET --jump ACCEPT\n";
                $slot++;
            }
            my $enabled = ($squid{Transparent} || "yes") eq "yes"
                       && ($squid{status} || "disabled") eq "enabled";
            my $tail;
            if ($enabled)
            {
                # Divert port 80 through the proxy
                my $proxyport = $squid{TransparentPort} || "3128";
                $tail = "\t-p TCP -j DNAT --to $LocalIP:$proxyport\n";
            }
            else
            {
                # Transparent proxying off, or squid disabled: pass through
                $tail = "\t--jump ACCEPT\n";
            }
            $OUT .= " /sbin/iptables --table nat --replace TransProxy $slot\\\n" . $tail;
        }
    }
}
*********************************************
FRAGMENT
90local_chk50networks
*********************************************
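{
    # 90local_chk50networks -- dungog/DansGuardian variant (SME 6.0 only,
    # detected by /home/e-smith/db/navigation).
    #
    # Adds per-local-network rules to the new local_chk chain
    # ($NEW_local_chk in the generated script) ahead of its ACCEPT:
    #   * proxyaccess pam_auth/ident or transproxy: drop direct TCP/3128
    #     so squid cannot be reached around the (authenticating or
    #     transparent) proxy;
    #   * dungog-masq port lists (masqBlocked always, masqTimed while
    #     masq/portsBlocked is 'yes'): drop by destination and source port
    #     in both directions.
    # Template-environment values used: $OUT, @locals.
    #
    # Review notes: the port-80 DROPs for pam_auth/ident are emitted as
    # shell comments, so direct web access is NOT blocked here -- only
    # TCP/3128 and the listed ports are, and nothing on another port
    # (HTTPS included) is affected.
    # Fix vs. the original: an empty masqBlocked/masqTimed became a
    # one-element list ('') and produced rules with an empty
    # --destination-port, which iptables rejects; the lists are now
    # genuinely empty and emit no port rules.
    if ( -e '/home/e-smith/db/navigation' )
    {
        $OUT = "";
        if (@locals)
        {
            my $locals = "@locals";
            use esmith::config;
            use esmith::db;
            my %dungog;
            tie %dungog, 'esmith::config', '/home/e-smith/dungog';
            my $proxyaccess = db_get_prop(\%dungog, 'dansguardian', "proxyaccess") || '';
            if (($proxyaccess eq 'pam_auth') || ($proxyaccess eq 'ident'))
            {
                $OUT .=<<"EOF";
for network in $locals
do
/sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 3128 -j DROP
/sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 3128 -j DROP
#/sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 80 -j DROP
#/sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 80 -j DROP
done
EOF
            }
            elsif ($proxyaccess eq "transproxy")
            {
                $OUT .=<<"EOF";
for network in $locals
do
/sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 3128 -j DROP
/sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 3128 -j DROP
done
EOF
            }

            # split ' ' skips leading and repeated blanks, so a sloppy
            # value cannot yield an empty port either.
            my $masqTimed   = db_get(\%dungog, "masqTimed")   || '';
            my $masqBlocked = db_get(\%dungog, "masqBlocked") || '';
            my @timed   = split ' ', $masqTimed;
            my @blocked = split ' ', $masqBlocked;
            my $portsBlocked = db_get_prop(\%dungog, 'masq', "portsBlocked") || '';
            # Blocked ports always apply; timed ones only while enabled.
            my @ports = (@blocked, ($portsBlocked eq 'yes' ? @timed : ()));

            # Four DROPs per port: by destination port and by source port,
            # each for traffic from and to the local network.
            $OUT .= " for network in $locals\n";
            $OUT .= " do\n";
            foreach my $port (@ports)
            {
                $OUT .= " /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port $port -j DROP\n";
                $OUT .= " /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port $port -j DROP\n";
                $OUT .= " /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --source-port $port -j DROP\n";
                $OUT .= " /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --source-port $port -j DROP\n";
            }
            $OUT .= " /sbin/iptables -A \$NEW_local_chk -s \$network -j ACCEPT\n";
            $OUT .= " done\n";
        }
    }
}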
***********************************************