Koozali.org: home of the SME Server

dansguardian and Ray's howto (need help)

funkusmunkus
dansguardian and Ray's howto (need help)
« on: March 09, 2005, 01:12:49 AM »
Hi all,

I have installed and been playing around with dansguardian for the last week, and today was the day to force the change, however after following the instructions on Ray's howto I got to the "Configuring your sme server to use Proxy port 8080" using the commands:
Code:

/sbin/e-smith/db configuration setprop squid TransparentPort 8080
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot  


posted the upgrade, rebooted and now unless the clients are using port 3128 they can't get anywhere.

Looking at the logs I didn't notice anything that stood out as being wrong, but hey I'm still new to these things.
Did anyone come across this before ? If so how did they solve it?
I thought I'd solve it by changing the commands mentioned above to use port 3128 again, but port 8080 still isn't working at all. (And I don't know what damage doing that may have caused.)


So all help would be more than welcome, I need to get this sorted out fast.

cheers

PS I'm running SME 6.0.1 with all the updates from the latest update script.
.........

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #1 on: March 09, 2005, 01:49:34 AM »
Well, again I overlooked something: I didn't include the start on boot up in the howto.

cheers
.........

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #2 on: March 09, 2005, 03:25:40 AM »
Ok I have another question regarding creating the iptables rules to block ports 3128 and 80.
I'm not sure how to create the custom template.

I know I have to add the rules somewhere in  /etc/e-smith/templates-custom/
but where do I add it in templates-custom/? And do I just add the
Code:

$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";

in one template ??

cheers
.........

raem
dansguardian and Ray's howto (need help)
« Reply #3 on: March 09, 2005, 09:40:51 AM »
funkusmunkus

For some clues have a look at
http://forums.contribs.org/index.php?topic=21017.msg82981#msg82981

I don't know if the following will work as I have not yet mastered iptables, but there's only one way to find out. I think there may be more to it than just this.

create a fragment called
90adjusttransproxy
in
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

and add the details previously mentioned

expand the template
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
and restart masq
/etc/init.d/masq restart

If you get errors, then remove the fragment created above, expand the template, restart masq and your system should be back to the way it was originally.
...

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #4 on: March 09, 2005, 09:52:09 PM »
Thanx for that Ray,

that was the type of thing I was after ;-)
Well, I'm not going to say I haven't mastered iptables, I'll say I still haven't understood iptables.

So one of the main things I was trying to find out was where under templates-custom/ I go, because I didn't know where the iptables rules are, but now I do, so I'll have to kill a few SMEs playing around there :hammer:

I'll give it a go on Friday (unless I end up going to the SAGE symposium), then Monday it will be.

I'll let you know how I go.

thanx a lot again

cheers
.........

Rog

Re: dansguardian and Ray's howto (need help)
« Reply #5 on: March 10, 2005, 10:22:07 PM »
Quote from: "funkusmunkus"
Hi all,

I have installed and been playing around with dansguardian for the last week, and today was the day to force the change, however after following the instructions on Ray's how to I got to the “Configuring your sme server to use Proxy port 8080 “ using the commands:
Code:

/sbin/e-smith/db configuration setprop squid TransparentPort 8080
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot  


posted the upgrade, rebooted and now unless the clients are using port 3128 they can't get anywhere.

I've got the same problem. Dansguardian is set to start on boot. After entering the above and rebooting, I did notice some text on the screen appear briefly, not sure if it was some kind of error message or not though. Whereabouts would I find the error log? I'd love to get this working :)

raem
Re: dansguardian and Ray's howto (need help)
« Reply #6 on: March 12, 2005, 05:40:54 AM »
Rog

>....unless the clients are using port 3128 they can't get anywhere.

Probably Dansguardian is not running.
Try
/etc/init.d/dansguardian status
which if it is running shows something like:
Parent DansGuardian pid:18252

If DG has not started after a reboot then the startup db entry and link is missing or incorrect.

To get it running do:
/etc/init.d/dansguardian start
Starting dansguardian:                        [ OK ]

Enabling the Dansguardian service at startup
/sbin/e-smith/config set dansguardian service Initscriptorder 92 status enabled
(all on one line)
 
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S92dansguardian
(all on one line)
 
Make sure this link has permissions like:
lrwxrwxrwx  1 root root S92dansguardian -> /etc/rc.d/init.d/e-smith-service

Enabling logrotation
cd /etc/cron.weekly
touch dansguardian

Add the following lines
# logrotation script for dansguardian
exec /etc/dansguardian/logrotation

Check that the above file has permissions like:
-rwxr-xr-x   1 root root       dansguardian
 
Make sure that you review the DG config files as some of these can affect your Internet access.

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/dansguardian%20instal%20&%20configure%20HOWTO%20for%20sme%20server.htm
...
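A way to check the start-on-boot wiring Ray lists in this reply without reading each file by hand. This is an added example, not part of Ray's reply or of the HOWTO. It takes a root directory argument so it can be run against the constructed sample trees the script builds itself, or, with an empty root, against the live server. The rc7.d link, its e-smith-service target, the cron.weekly file and the logrotation path are the ones given in the reply; the location of the configuration db (/home/e-smith/db/configuration) and the `dansguardian=service|...|status|enabled` record layout are assumptions of mine, so adjust CONF_DB if your version keeps it elsewhere.

```shell
#!/bin/sh
# Constructed example (not from the HOWTO): audit the DansGuardian start-on-boot
# wiring described in the reply, against an arbitrary root directory.
#
# Assumption: the SME 6 configuration db lives at /home/e-smith/db/configuration
# and stores a service record as
#   dansguardian=service|Initscriptorder|92|status|enabled
CONF_DB=/home/e-smith/db/configuration
RC_LINK=/etc/rc.d/rc7.d/S92dansguardian
RC_TARGET=/etc/rc.d/init.d/e-smith-service
CRON_SCRIPT=/etc/cron.weekly/dansguardian
LOGROTATE=/etc/dansguardian/logrotation

# check_dg_startup ROOT
# Prints one line per check; returns 0 only if all three checks pass.
check_dg_startup() {
    root=$1
    failed=0

    # 1. startup db entry (this is what the e-smith-service wrapper consults)
    if grep -q '^dansguardian=service|.*|status|enabled' "$root$CONF_DB" 2>/dev/null; then
        echo "ok    db entry: dansguardian service is enabled"
    else
        echo "FAIL  db entry: run /sbin/e-smith/config set dansguardian service Initscriptorder 92 status enabled"
        failed=1
    fi

    # 2. rc7.d symlink: a symlink is always lrwxrwxrwx, so the target is what matters
    if [ -L "$root$RC_LINK" ] && [ "$(readlink "$root$RC_LINK")" = "$RC_TARGET" ]; then
        echo "ok    $RC_LINK -> $RC_TARGET"
    else
        echo "FAIL  $RC_LINK missing or not pointing at $RC_TARGET (DG will not start at boot)"
        failed=1
    fi

    # 3. weekly logrotation hook: must be executable and exec the DG logrotation script
    if [ -x "$root$CRON_SCRIPT" ] && grep -q "^exec $LOGROTATE" "$root$CRON_SCRIPT" 2>/dev/null; then
        echo "ok    $CRON_SCRIPT is executable and runs $LOGROTATE"
    else
        echo "FAIL  $CRON_SCRIPT missing, not executable, or does not exec $LOGROTATE"
        failed=1
    fi
    return $failed
}

# build_sample_tree ROOT complete|nolink
# Constructs a fake filesystem under ROOT for demonstration; "nolink" leaves
# out the rc7.d symlink, which is the failure mode the reply describes.
build_sample_tree() {
    root=$1
    mkdir -p "$root/home/e-smith/db" "$root/etc/rc.d/rc7.d" "$root/etc/cron.weekly"
    echo 'dansguardian=service|Initscriptorder|92|status|enabled' > "$root$CONF_DB"
    [ "$2" = nolink ] || ln -s "$RC_TARGET" "$root$RC_LINK"
    printf '# logrotation script for dansguardian\nexec %s\n' "$LOGROTATE" > "$root$CRON_SCRIPT"
    chmod 755 "$root$CRON_SCRIPT"
}

# Demonstration on constructed trees; on a real server run: check_dg_startup ""
demo=$(mktemp -d)
build_sample_tree "$demo/complete" complete
build_sample_tree "$demo/nolink" nolink
echo "== complete tree =="
check_dg_startup "$demo/complete"
echo "== tree without the rc7.d link =="
check_dg_startup "$demo/nolink" || echo "(exit status 1)"
rm -rf "$demo"
```

Run `check_dg_startup ""` as root on the server after the commands in the reply; a FAIL on the second check is the case where `/etc/init.d/dansguardian status` reports no process after every reboot even though a manual start works.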

Rog

dansguardian and Ray's howto (need help)
« Reply #7 on: March 13, 2005, 11:47:16 PM »
Thanks for the info, I'll be working on the server in a few hours. In its current state pop3 access (to external mail server) is dead too, so hopefully I can get everything going. I'll post back what happens  :-)

Rog

dansguardian and Ray's howto (need help)
« Reply #8 on: March 14, 2005, 04:38:34 AM »
I'm on-site now, and all is not well  :cry:

 
/etc/init.d/dansguardian status
no Dansguardian process found

/etc/init.d/dansguardian start
Starting dansguardian: [ FAILED ]

All of the files are in /etc/dansguardian
Re-installing DansGuardian-2.6.1-3.RH72.i386.rpm
Code:
rpm -Uvh DansGuardian-2.6.1-3.RH72.i386.rpm
says it's already installed.

Any other suggestions greatly appreciated  :-)


funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #10 on: March 15, 2005, 03:25:58 AM »
Well, after creating the custom template and copying the lines
Code:

$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";


every time I restart the masq service I get the following error
Code:

Shutting down IP masquerade and firewall rules:         Done!

Enabling IP masquerading: /etc/init.d/masq: .=: command not found
/etc/init.d/masq: .=: command not found
/etc/init.d/masq: .=: command not found
/etc/init.d/masq: .=: command not found
/etc/init.d/masq: .=: command not found
/etc/init.d/masq: .=: command not found
done


Do I remove the .= from the lines? I'm looking for some good online reading material for iptables; if I work it out I'll let you know.

cheers
.........

raem
dansguardian and Ray's howto (need help)
« Reply #11 on: March 15, 2005, 03:59:02 AM »
funkusmunkus

Just delete the custom templates and expand and restart masq and should be back to the way it was.

The rules are not correct or are formatted incorrectly, that's why the HOWTO is still DRAFT information.

See
http://www.linuxguruz.com/iptables/howto/

...and do let me know if you solve it.
...

raem
dansguardian and Ray's howto (need help)
« Reply #12 on: March 15, 2005, 04:16:04 AM »
These custom template fragments were sent to me. I think they came from the dungog product and may give useful information. I have not had time to try them as yet.

You do know that dungog sells a Dansguardian server manager panel version that works out of the box, I think it's fairly cheap.


/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/


**********************************************
FRAGMENT
35transproxy
**********************************************

{
  use esmith::config;
  use esmith::db;

  my %dungog;
  tie %dungog, 'esmith::config', '/home/e-smith/dungog';

  my $proxyaccess = db_get_prop(\%dungog, 'dansguardian', 'proxyaccess') || '';

  #identify sme version <=5.5 uses mysql-delete-dumps
  if (-e "/etc/e-smith/events/mysql-delete-dumps")
  {
    my $proxyport = $squid{TransparentPort} || "3128";

    #proxyaccess usage, redirect to $proxyport
    if (($proxyaccess eq 'default') || ($proxyaccess eq 'transproxy') || ($proxyaccess eq 'disable'))
    {
        my ($network, $broadcast) =
            esmith::util::computeNetworkAndBroadcast ($LocalIP, $LocalNetmask);

        $OUT = '';
        $OUT .= "    #dansguardian, proxy redirect to $proxyport\n";

        # Accept any accesses to the localIP directly
        $OUT .= "    /sbin/ipchains --append input -j ACCEPT -p tcp ";
        $OUT .= "--source $network/$LocalNetmask --destination $LocalIP 80\n";

        # Accept localhost apache access directly
        $OUT .= "    /sbin/ipchains --append input -j ACCEPT -p tcp ";
        $OUT .= "--destination 127.0.0.1 80\n";

        if (defined $ExternalIP)
        {
           # Accept any accesses to the ExternalIP directly
            $OUT .= "    /sbin/ipchains --append input -p tcp " .
                   "--destination \$OUTERNET 80 -j ACCEPT\n";
        }

         # divert port 80 traffic through our proxy & dansguardian
        $OUT .= "    /sbin/ipchains --append input -j REDIRECT $proxyport -p tcp ";
        $OUT .= "--source $network/$LocalNetmask --destination 0.0.0.0/0 80\n";
        $OUT .= "\n";

        local %networks;
        tie %networks, 'esmith::config', '/home/e-smith/networks';

        foreach my $network (keys %networks)
        {
            my ($type, %properties) = db_get(\%networks, $network);
            if ($type eq 'network')
            {
                $OUT .= "    #local networks, proxy redirect to $proxyport\n";
                $OUT .= "    /sbin/ipchains --append input -j ACCEPT -p tcp ";
                $OUT .= "--source $network/$properties{'Mask'} ";
                $OUT .= "--destination $LocalIP 80\n";
                $OUT .= "    /sbin/ipchains --append input -j ACCEPT -p tcp ";
                $OUT .= "--destination 127.0.0.1 80\n";
                $OUT .= "    /sbin/ipchains --append input -j REDIRECT $proxyport ";
                $OUT .= "-p tcp --source $network/$properties{'Mask'} ";
                $OUT .= "--destination 0.0.0.0/0 80\n";
                $OUT .= "\n";
            }
        }
    }
  }
  else
  # 5.6+ template
  {
    #proxyaccess usage, no transparent proxy for pam_auth or ident
    my $proxyaccess = db_get_prop(\%dungog, 'dansguardian', 'proxyaccess') || '';
    if (($proxyaccess eq 'default') || ($proxyaccess eq 'transproxy') || ($proxyaccess eq 'disable'))
    {
      # Create new chain to manage TransProxy stuff
      # Note: We send all traffic destined to port 80, regardless of
      # where it's from, since the filter table will worry about source.
      $OUT .= "    /sbin/iptables --table nat --new-chain TransProxy\n";
      $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
      $OUT .= "\t-p tcp --dport 80 -j TransProxy\n";

      # Accept any accesses to the local IPs directly

      $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
      $OUT .= "\t--destination 127.0.0.1 --jump ACCEPT\n";
      $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
      $OUT .= "\t--destination $LocalIP --jump ACCEPT\n";

      if (defined $ExternalIP) {
          # Accept any accesses to the ExternalIP directly
          $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
          $OUT .= "\t--destination \$OUTERNET --jump ACCEPT\n";
      }

      my $transproxy = $squid{Transparent} || "yes";
      my $status = $squid{status} || "disabled";
      if ($transproxy eq "yes" && $status eq "enabled") {
          my $proxyport = $squid{TransparentPort} || "3128";

          # Otherwise, divert port 80 traffic through our proxy
          $OUT .= "    /sbin/iptables --table nat --append TransProxy\\\n";
          $OUT .= "\t-p TCP -j DNAT --to $LocalIP:$proxyport\n";
      } else {
          # Or just let it go unhindered
          $OUT .= "    /sbin/iptables --table nat --append TransProxy\\\n";
          $OUT .= "\t--jump ACCEPT\n";
      }
    }
  }
}


****************************************
FRAGMENT
90adjustAllowLocal
****************************************

{
  #identify sme version <=5.5 uses mysql-delete-dumps
  #above SME 5.5
  unless (-e "/etc/e-smith/events/mysql-delete-dumps")
  {
    my $proxyport = $squid{TransparentPort} || "3128";

    use esmith::config;
    use esmith::db;

    my %dungog;
    tie %dungog, 'esmith::config', '/home/e-smith/dungog';

    my $proxyaccess  = db_get_prop(\%dungog, 'dansguardian', "proxyaccess") || '';

    #5.6
    unless ( -e '/home/e-smith/db/navigation' )
    {
      my $masqTimed   = db_get(\%dungog, "masqTimed")  || '';
      my @timed = '';
      if ($masqTimed ne '')
      {
        @timed = split (/ /, $masqTimed);
      }

      my $masqBlocked = db_get(\%dungog, "masqBlocked") || '';
      my @blocked = '';
      if ($masqBlocked ne '')
      {
        @blocked = split (/ /, $masqBlocked);
      }

      my $AllowLocals = "AllowLocals_\$\$";
      $OUT .= "FAL=\$(/sbin/iptables --list ForwardAllowLocals | sed -n '3s/ .*//p')\n";
      $OUT .= "IAL=\$(/sbin/iptables --list InputAllowLocals | sed -n '3s/ .*//p')\n";
      $OUT .= "    /sbin/iptables --new-chain Input$AllowLocals\n";
      $OUT .= "    /sbin/iptables --new-chain Forward$AllowLocals\n";
      foreach my $local (@locals)
      {
        if (($proxyaccess eq 'pam_auth') || ($proxyaccess eq 'ident'))
        {
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port 80 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port 3128 -j DROP\n";
        }
        elsif ($proxyaccess eq "transproxy")
        {
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
           $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port 3128 -j DROP\n";
        }

        #port blocking
        $OUT .= "    #dungog-masq time based blocking on @blocked active\n";
        foreach my $block (@blocked)
        {
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port $block -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port $block -j DROP\n";
           $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port $block -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --source-port $block -j DROP\n";
           $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --source-port $block -j DROP\n";
           $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --source-port $block -j DROP\n";
        }

        my $portsBlocked   = db_get_prop(\%dungog, 'masq', "portsBlocked")  || '';
        if ($portsBlocked eq 'yes')
        {
           $OUT .= "    #dungog-masq time based blocking on @timed active\n";
           foreach  (@timed)
           {
               $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port $_ -j DROP\n";
               $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port $_ -j DROP\n";
               $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port $_ -j DROP\n";
               $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --source-port $_ -j DROP\n";
               $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --source-port $_ -j DROP\n";
               $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --source-port $_ -j DROP\n";
           }
        }

        #default access
        $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -j ACCEPT\n";
        $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -j ACCEPT\n";
        $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -j ACCEPT\n";
      }
      $OUT .= "    /sbin/iptables --replace InputAllowLocals 1 --jump Input$AllowLocals\n";
      $OUT .= "    /sbin/iptables --flush \$IAL\n";
      $OUT .= "    /sbin/iptables --delete-chain \$IAL\n";
      $OUT .= "    /sbin/iptables --replace ForwardAllowLocals 1 --jump Forward$AllowLocals\n";
      $OUT .= "    /sbin/iptables --flush \$FAL\n";
      $OUT .= "    /sbin/iptables --delete-chain \$FAL\n";
    }
  }
  #6.0
  #nothing, see template-custom  90local_chk50networks
  $OUT .= " ";
}


************************************************
FRAGMENT
90adjustTransProxy
************************************************

{
  #identify sme version <=5.5 uses mysql-delete-dumps
  unless (-e "/etc/e-smith/events/mysql-delete-dumps")
  {
    use esmith::config;
    use esmith::db;

    my %dungog;
    tie %dungog, 'esmith::config', '/home/e-smith/dungog';

    my $proxyaccess = db_get_prop(\%dungog, 'dansguardian', 'proxyaccess') || '';

    #proxyaccess usage, no transparent proxy for pam_auth
    if (($proxyaccess eq 'default') || ($proxyaccess eq 'transproxy') || ($proxyaccess eq 'disable'))
    {
      # Update any rules which may have changed, meaning
      # - $ExternalIP
      # - enabled/disabled
      # - Transproxy port (unlikely)
      my $rule = 3;
      if (defined $ExternalIP)
      {
          # Accept any accesses to the ExternalIP directly
          $OUT .= "    /sbin/iptables --table nat \\\n";
          $OUT .= "\t--replace TransProxy $rule\\\n";
          $OUT .= "\t--destination \$OUTERNET --jump ACCEPT\n";
          $rule++;
      }
      my $transproxy = $squid{Transparent} || "yes";
      my $status = $squid{status} || "disabled";
      if ($transproxy eq "yes" && $status eq "enabled")
      {
          my $proxyport = $squid{TransparentPort} || "3128";

          # Otherwise, divert port 80 traffic through our proxy
          $OUT .= "    /sbin/iptables --table nat --replace TransProxy $rule\\\n";
          $OUT .= "\t-p TCP -j DNAT --to $LocalIP:$proxyport\n";
      }
      else
      # turn off transparent proxy for pam_auth and ident
      {
          # Or just let it go unhindered
          $OUT .= "    /sbin/iptables --table nat --replace TransProxy $rule\\\n";
          $OUT .= "\t--jump ACCEPT\n";
      }
    }
  }
}



*********************************************
FRAGMENT
90local_chk50networks
*********************************************

{
  if ( -e '/home/e-smith/db/navigation' )

  #sme6
  {
    $OUT = "";
    my $locals = "@locals";
    if (@locals)
    {
      # Make a new local_chk chain and add any networks found in
      # /home/e-smith/networks.

      use esmith::config;
      use esmith::db;

      my %dungog;
      tie %dungog, 'esmith::config', '/home/e-smith/dungog';

      my $proxyaccess  = db_get_prop(\%dungog, 'dansguardian', "proxyaccess") || '';

      if (($proxyaccess eq 'pam_auth') || ($proxyaccess eq 'ident'))
        {
          $OUT .= <<"EOF";
    for network in $locals
    do
        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 3128 -j DROP
        #/sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 80 -j DROP
        #/sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 80 -j DROP
    done
EOF
        }
        elsif ($proxyaccess eq "transproxy")
        {
          $OUT .= <<"EOF";
    for network in $locals
    do
        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port 3128 -j DROP
        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port 3128 -j DROP
    done
EOF
        }


        {
          my $masqTimed   = db_get(\%dungog, "masqTimed")  || '';
          my @timed = '';
          if ($masqTimed ne '')
          {
            @timed = split (/ /, $masqTimed);
          }

          my $masqBlocked = db_get(\%dungog, "masqBlocked") || '';
          my @blocked = '';
          if ($masqBlocked ne '')
          {
            @blocked = split (/ /, $masqBlocked);
          }

          #port blocking
          $OUT .= "    for network in $locals\n";
          $OUT .= "    do\n";

         foreach my $block (@blocked)
         {
           $OUT .= "        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port $block -j DROP\n";
           $OUT .= "        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port $block -j DROP\n";
           $OUT .= "        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --source-port $block -j DROP\n";
           $OUT .= "        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --source-port $block -j DROP\n";
         }

         my $portsBlocked   = db_get_prop(\%dungog, 'masq', "portsBlocked")  || '';
         if ($portsBlocked eq 'yes')
         {
            foreach (@timed)
            {
              $OUT .= "        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --destination-port $_ -j DROP\n";
              $OUT .= "        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --destination-port $_ -j DROP\n";
              $OUT .= "        /sbin/iptables -A \$NEW_local_chk -s \$network -p tcp --source-port $_ -j DROP\n";
              $OUT .= "        /sbin/iptables -A \$NEW_local_chk -d \$network -p tcp --source-port $_ -j DROP\n";
            }
         }

          $OUT .= "        /sbin/iptables -A \$NEW_local_chk -s \$network -j ACCEPT\n";
          $OUT .= "    done\n";

        }
    }
  }
}


***********************************************
...
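The `.=: command not found` output in Reply #10 and the braces around every fragment in this reply have the same explanation, and this added example (mine, not from the HOWTO or from the dungog fragments) makes it checkable before you expand a template. e-smith templates are Text::Template files: only the text between `{` and `}` is run as Perl, and anything outside the braces is copied verbatim into /etc/init.d/masq. A fragment made of bare `$OUT .= "..."` lines therefore lands in the init script as-is; the shell expands the unset `$OUT` to nothing and tries to run a command called `.=`, once per line, which is the six errors seen. The lint flags `$OUT` lines outside any brace block and unbalanced braces; the `fixed` sample wraps the same DROP rules in a block in the style of 90local_chk50networks (the `@locals` list and `$NEW_local_chk` chain are taken from that fragment and assumed to exist in your masq template environment; the `broken` sample is the posted text, shortened to two lines).

```shell
#!/bin/sh
# Constructed example (not from the HOWTO or dungog): lint a custom template
# fragment before running expand-template. Only text inside { } is Perl; text
# outside the braces is copied verbatim into the generated /etc/init.d/masq.

# lint_fragment FILE
# Prints every line that uses $OUT outside any { } block and reports
# unbalanced braces; returns 1 if it found a problem, 0 if the fragment is clean.
lint_fragment() {
    awk '
        BEGIN { depth = 0; bad = 0 }
        {
            opens  = gsub(/[{]/, "{")    # gsub with the same text just counts
            closes = gsub(/[}]/, "}")
            # a line that opens a block itself ("{ $OUT .= ... }") is code
            if (depth + opens == 0 && index($0, "$OUT") > 0) {
                printf "line %d is outside any { } block: %s\n", NR, $0
                bad = 1
            }
            depth += opens - closes
        }
        END {
            if (depth != 0) { printf "unbalanced braces: depth %d at end of file\n", depth; bad = 1 }
            exit bad
        }
    ' "$1"
}

# shell_view FILE
# Shows how the shell would parse the verbatim lines: with $OUT unset, the
# first word of the command is ".=", which is the error seen in Reply #10.
shell_view() {
    awk '
        { opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}") }
        depth + opens == 0 && index($0, "$OUT") > 0 {
            line = $0; sub(/[$]OUT[ \t]*/, "", line)
            printf "shell would run: %s\n", line
        }
        { depth += opens - closes }
    ' "$1"
}

# write_samples DIR
# Constructs two fragments: "broken" is the posted text (Perl outside braces),
# "fixed" is the same intent inside a { } block, 90local_chk50networks style.
write_samples() {
    cat > "$1/broken" <<'EOF'
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
EOF
    cat > "$1/fixed" <<'EOF'
{
    # constructed fragment: the Perl stays inside the braces, only its output reaches the shell
    foreach my $local (@locals)
    {
        $OUT .= "    /sbin/iptables -A \$NEW_local_chk -s $local -p tcp --destination-port 3128 -j DROP\n";
        $OUT .= "    /sbin/iptables -A \$NEW_local_chk -d $local -p tcp --destination-port 3128 -j DROP\n";
    }
}
EOF
}

# Demonstration on the constructed samples; on a server point lint_fragment at
# the file under /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
dir=$(mktemp -d)
write_samples "$dir"
for f in broken fixed; do
    echo "== $f =="
    if lint_fragment "$dir/$f"; then
        echo "clean: safe to expand-template"
    else
        shell_view "$dir/$f"
    fi
done
rm -rf "$dir"
```

If the lint is clean and masq still errors, the problem is in the rules themselves rather than the template syntax, which is the other case Ray mentions in Reply #11.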

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #13 on: March 15, 2005, 04:24:55 AM »
Hi Ray,

Thanx for putting up with my endless questions, I did remove the template, and re-expanded.

I'm just going to spend some time, playing around with it till I get it working and get back to you when i do

cheers

Edit: just saw your second post, I'll have a good look through. Cheers again.
.........

funkusmunkus
dansguardian and Ray's howto (need help)
« Reply #14 on: March 15, 2005, 06:25:04 AM »
Well, I thought I'd be smart and use the masq-manager for SME 5.6, created a rule to block port 3128 for 192.168.0.1/24, and this was the outcome I found in /etc/init.d/masq
Code:

/sbin/iptables --new-chain ForwardDenyLocals
/sbin/iptables -A FORWARD -i $INTERNALIF -o $OUTERIF -j ForwardDenyLocals
/sbin/iptables -A ForwardDenyLocals -s 192.168.0.1/24 -p TCP --dport 3128 -j DROP


but the rules didn't work anyway, so it's back to studying your last post Ray  :hammer:
and I'll see what other hack job I can do to get this working

cheers
.........