Topic: Dansguardian stop the trafic www

[raem]

verti & grattman

Please give some more info to try & eliminate possible issues.

What are your server specs ? memory, cpu, traffic volume (low, high) ?
Are you also running Clamav & Spamassassin ?
Are you using RBL lists ?

With Dansguardian are you using the squidguard rules and did you configure your system to update the rules weekly as per HOWTO ?
Is the location of the blacklists you specified in /etc/cron.weekly/dansguardian still current ?

Did you change the Transparent proxy port in sme server to 8080 ?
What settings do you have in your browser(s) for proxy port, ie auto detect or something specific ?

Have you added any masq/iptables rules to control access to ports 3128, 80 ?

Have you done any additional or extensive configuration of Dansguardian with regard to blocking sites, eg using other lists etc ?

[verti]

Specs of Server:

IBM xSeries x306
Pentium IV 3Ghz
1GB RAM
80 GB Serial ATA
2 Ethernet GBit

I Running Clamav & Spamassassin
I not use RBL List

I not use rules of squidguard
I not use blacklist

I change the transparent proxy in sme to 8080 with:

Code: [Select]

/sbin/e-smith/db configuration setprop squid TransparentPort 8080
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot

I dont remenber if the rules to control to port 3128,80 is work fine, how to review this?

In the how to say this:

Code: [Select]

$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";

...I dont know

THANKS VERY MUCH!!

[verti]

Code: [Select]

Review configuration



Networking Parameters

Server Mode
servergateway

Local IP address / subnet mask
192.168.0.200/255.255.255.0

External IP address / subnet mask
192.168.1.100/255.255.255.0

Gateway
192.168.1.120

Additional local networks
192.168.0.0/255.255.255.0

DHCP server
disabled


Server names

DNS server
192.168.0.200

[verti]

but when they spend days lets work, I have noticed that whichever greater are the navigation traffic before is cut.

Thanks

[raem]

verti

Your server specs and config details look OK

How many users on your system accessing web sites at any time ?


> I dont remenber if the rules to control to port 3128,80 is work fine, how to review this?

I assume by this comment that you have NOT implemented any additional iptables rules, correct ?


> but when they spend days lets work, I have noticed that whichever greater are the navigation traffic before is cut.

Sorry, I cannot interpret what you are saying here, can anyone else help with the correct meaning ?

[raem]

You may want to install the System Monitor contrib
e-smith-sysmon-4.0-8.noarch.rpm
& associated rpms
from serts knudsen site
and also use
iptraf
to monitor latency and internet traffic to see if there is any correlation between events when hhtp access fails.
Look in /var/log/messages and other log files also, when/after the http access problem occurs

[verti]

I dont remember if I implemented a additional iptables rules. This is my iptables config:

Code: [Select]

Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
InboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
InboundUDP udp -- anywhere anywhere
denylog udp -- anywhere anywhere
gre-in gre -- anywhere anywhere
denylog gre -- anywhere anywhere
denylog all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
ForwardedTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ForwardedUDP udp -- anywhere anywhere
denylog all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
OutboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_5847 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN

Chain ForwardedTCP_5847 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.0.150 tcp dpt:3380
ACCEPT tcp -- anywhere 192.168.0.150 tcp dpt:3389

Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_5847 all -- anywhere anywhere
denylog udp -- anywhere anywhere

Chain ForwardedUDP_5847 (1 references)
target prot opt source destination

Chain InboundICMP (1 references)
target prot opt source destination
InboundICMP_5847 all -- anywhere anywhere
denylog icmp -- anywhere anywhere

Chain InboundICMP_5847 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere

Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_5847 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN

Chain InboundTCP_5847 (1 references)
target prot opt source destination
denylog all -- anywhere !192.168.1.100
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
denylog tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
denylog tcp -- anywhere anywhere tcp dpt:imap2
denylog tcp -- anywhere anywhere tcp dpt:imaps
denylog tcp -- anywhere anywhere tcp dpt:ldap
denylog tcp -- anywhere anywhere tcp dpt:pop3
denylog tcp -- anywhere anywhere tcp dpt:pop3s
denylog tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
denylog tcp -- anywhere anywhere tcp dpt:ssmtp
denylog tcp -- anywhere anywhere tcp dpt:telnet

Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_5847 all -- anywhere anywhere
denylog udp -- anywhere anywhere

Chain InboundUDP_5847 (1 references)
target prot opt source destination
denylog all -- anywhere !192.168.1.100

Chain OutboundICMP (1 references)
target prot opt source destination
OutboundICMP_5847 all -- anywhere anywhere
denylog icmp -- anywhere anywhere

Chain OutboundICMP_5847 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere

Chain PPPconn (2 references)
target prot opt source destination
PPPconn_1 all -- anywhere anywhere

Chain PPPconn_1 (1 references)
target prot opt source destination

Chain denylog (28 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
LOG all -- anywhere anywhere LOG level warning prefix denylog:'
DROP all -- anywhere anywhere

Chain gre-in (1 references)
target prot opt source destination
denylog all -- anywhere !192.168.1.100
denylog all -- anywhere anywhere

Chain local_chk (2 references)
target prot opt source destination
local_chk_5847 all -- anywhere anywhere

Chain local_chk_5847 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere

Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

NAT
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PortForwarding all -- anywhere anywhere
SMTPProxy tcp -- anywhere anywhere tcp dpt:smtp
TransProxy tcp -- anywhere anywhere tcp dpt:www

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
PostroutingOutbound all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain PortForwarding (1 references)
target prot opt source destination
PortForwarding_5847 all -- anywhere 192.168.1.100

Chain PortForwarding_5847 (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:3380 to:192.168.0.150:3380
DNAT tcp -- anywhere anywhere tcp dpt:3389 to:192.168.0.150:3389

Chain PostroutingOutbound (1 references)
target prot opt source destination
ACCEPT all -- 192.168.1.100 anywhere
MASQUERADE all -- anywhere anywhere

Chain SMTPProxy (1 references)
target prot opt source destination
ACCEPT all -- anywhere localhost
ACCEPT all -- anywhere www.marianoluna.com
ACCEPT all -- anywhere 192.168.1.100
DNAT tcp -- anywhere anywhere to:192.168.0.200:25

Chain TransProxy (1 references)
target prot opt source destination
ACCEPT all -- anywhere localhost
ACCEPT all -- anywhere www.marianoluna.com
ACCEPT all -- anywhere 192.168.1.100
DNAT tcp -- anywhere anywhere to:192.168.0.200:8080

MANGLE
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TOS tcp -- anywhere anywhere tcp dpt:ftp TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:ssh TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:telnet TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:smtp TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:www TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:pop3 TOS set Minimize-Delay
TOS tcp -- anywhere anywhere tcp dpt:ftp-data TOS set Maximize-Throughput

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

[verti]

10 users browse the Internet for this server.

I read all login /var/log betwen the 01.16 pm, hour of fail and nothing to do. I dont see anything. All is correct.[/img]

[verti]

> but when they spend days lets work, I have noticed that whichever greater are the navigation traffic before is cut.

Sorry, I cannot interpret what you are saying here, can anyone else help with the correct meaning ?

Sorry for my english, I say:

I have noticed, when there is greater volume of navigation by Internet before fails the http traffic

Thanks

[raem]

verti

You are quoting different configuration details. What setup are you using ?

The server have two ethernet card:
eth0 - 10.0.0.1 (LAN)
eth1 - 192.168.0.1 (ROUTER)
The router of DSL is 192.168.0.1
Parámetros de red
Modo de servidor   servergateway
Dirección IP local/máscara de subred   10.0.0.1/255.255.255.0
Dirección IP externa/máscara de subred   192.168.0.100/255.255.255.0
Puerta de enlace   192.168.0.1
Redes locales adicionales   10.0.0.0/255.255.255.0
Servidor DHCP   disabled
Nombres del servidor
Servidor DNS   10.0.0.1


....then later...

Review configuration
Networking Parameters
Server Mode
servergateway
Local IP address / subnet mask
192.168.0.200/255.255.255.0
External IP address / subnet mask
192.168.1.100/255.255.255.0
Gateway
192.168.1.120
Additional local networks
192.168.0.0/255.255.255.0
DHCP server
disabled
Server names
DNS server
192.168.0.200

[verti]

my present configuration is the second, I change when reinstall all system to fix the problem.


Review configuration
Networking Parameters
Server Mode
servergateway
Local IP address / subnet mask
192.168.0.200/255.255.255.0
External IP address / subnet mask
192.168.1.100/255.255.255.0
Gateway
192.168.1.120
Additional local networks
192.168.0.0/255.255.255.0
DHCP server
disabled
Server names
DNS server
192.168.0.200

[verti]

Do you want that I copy a few lines of logs between minutes of fail?

[raem]

verti

> servergateway
> External IP address / subnet mask
> 192.168.1.100/255.255.255.0
> Gateway
> 192.168.1.120

In that config why aren't your External & Gateway IP's public IP's (& subnet mask too) as provided by your ISP.
I assume you have a bridged modem using ADSL.

[verti]

Yes, my ISP bridged me with modem (192.168.1.120) to internet, this modem is connected directly to eth1 (192.168.1.100).

The modem have a ip static public in the Internet.