Koozali.org: home of the SME Server

Automatic detect setting will bypass Dansguardian

newbie23

« on: September 19, 2006, 02:27:07 PM »
I can use dansguardian filtering when I use the port 8080, but when I replaced it with 3128 or when I check the automatic detect setting it will bypass dansguardian and it seems to be awkward.

Can anyone help me with this problem?

Offline Franco

« Reply #1 on: September 19, 2006, 03:47:48 PM »
Yes, by default you now have squid on 3128 and Dans on 8080. In the tutorial where Ray explains how to install Dansguardian, there's information on how you can block access to squid.

newbie23

« Reply #2 on: September 20, 2006, 06:03:14 AM »
stuntshell

I already coded my server as Ray Mitchell explains:

db configuration setprop squid TransparentPort 8080

signal-event post-upgrade

signal-event reboot

Ray Mitchell added (I haven't applied this code):

Additionally you may wish to prevent users configuring their browser to use port 3128 in order to circumvent Dansguardian, and thus allow unimpeded access to the Internet.

To block access to port 80 and 3128 and force users to use 8080

add the following and remove the transproxy lines from masq

The following applies to sme v5.6, 6.x & 7.0 which use iptables.

Earlier sme versions require a different fix as they use ipchains.

 "Could this code solve the problem so that dansguardian is not bypassed?"

$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";

Expand the template when changes have been made.

Offline raem

« Reply #3 on: September 20, 2006, 09:47:29 AM »
newbie23

> I can use dansguardian filtering when I use the port 8080, but when I
> replaced it with 3128 or when I check the automatic detect setting it will
> bypass dansguardian and it seems to be awkward.

> db configuration setprop squid TransparentPort 8080

This command sets the sme proxy port to 8080, and if your browser is configured for Auto detect proxy port, then it will find and use port 8080, and therefore be subject to Dansguardian filtering.

Port 3128 is still accessible so users can easily change the browser configuration to specifically use port 3128 and therefore bypass Dansguardian filtering.

You can configure local policies (gpedit.msc) on your Windows PC to prevent users changing the browser setting (& leave it set to Auto detect which will then use the Transparent port 8080).
There has been a method posted in the forums recently for locking in this setting in Firefox.

Alternatively you can configure custom templates to block access via ports 3128 & 80 (yes 80) & only use port 8080, there were some recent posts about Dansguardian that referred/answered all of this and had links to the custom template proposed by funkusmunkus.
Search on Dansguardian and I'm sure you will find the references, it was only in the last few weeks.

The Howto has not been updated as I couldn't get access to the ftp upload area.
...

Offline raem

« Reply #4 on: September 20, 2006, 09:55:20 AM »
...

newbie23

« Reply #5 on: September 21, 2006, 01:26:16 PM »
RayMitchell

I've tried this code, but there's an error restarting masq...

>Got it all working, here's what I did
>created /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/35transproxy
>and put the following in there

This was the only code I wrote in the /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/35transproxy file. I already expanded masq and it seemed to be successful, but an error occurs during masq restart... What do you mean by 35transproxy fragment? Will I need it?

>Code:
/sbin/iptables --table nat --new-chain TransProxy
/sbin/iptables --table nat --append PREROUTING \
    -p tcp --dport 80 -j TransProxy
# Rerouting ports 80 443 to port 8080
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
# Blocking port 3128
/sbin/iptables -A INPUT -p tcp --destination-port 3128 -i eth0 -j DROP
/sbin/iptables -A INPUT -p udp --destination-port 3128 -i eth0 -j DROP
/sbin/iptables --table nat --append TransProxy \
    --destination 127.0.0.1 --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
    --destination 192.168.0.1 --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
    --destination $OUTERNET --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
    -p TCP -j DNAT --to 192.168.0.1:8080

Regards
-newbie23

Offline cheezeweeze

« Reply #6 on: September 21, 2006, 04:46:07 PM »
Remove the local net to deny access to full squid proxy:

Create custom squid.conf template "20ACL10localhost":
mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf/
cp -pR /etc/e-smith/templates/etc/squid/squid.conf/20ACL10localhost /etc/e-smith/templates-custom/etc/squid/squid.conf/20ACL10localhost

Edit the custom "20ACL10localhost", replacing the code w/:
acl localsrc src 127.0.0.1
acl localdst dst 127.0.0.1

Expand SQUID template:
/sbin/e-smith/expand-template /etc/squid/squid.conf

Restart SQUID:
service squid stop
service squid start
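
The check below is an added example, not part of any post in this thread: a shell function that audits an expanded squid.conf for the change described above, flagging any `acl localsrc src` entry other than 127.0.0.1. The function name and both sample configurations are constructed for illustration; the LAN network in the "default" sample is an assumption about what the stock template expands to.

```shell
#!/bin/sh
# Added example (not from the thread). audit_localsrc is a hypothetical helper.
# Usage: audit_localsrc FILE   (FILE may be "-" for stdin)
# Exit status: 0 = localsrc is loopback only, 1 = other sources listed, 2 = ACL absent
audit_localsrc() {
    awk '
        # squid merges repeated "acl NAME TYPE" lines, so inspect every one
        $1 == "acl" && $2 == "localsrc" && $3 == "src" {
            found = 1
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^#/) break    # rest of the line is a comment
                if ($i != "127.0.0.1" && $i != "127.0.0.1/32" &&
                    $i != "127.0.0.1/255.255.255.255") {
                    print "non-loopback source: " $i
                    bad = 1
                }
            }
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed samples. The LAN network in sample_default is an assumption
# about what the stock template expands to on a 192.168.0.0/24 network.
sample_default() {
    printf '%s\n' 'acl localsrc src 127.0.0.1 192.168.0.0/255.255.255.0' \
                  'acl localdst dst 127.0.0.1 192.168.0.0/255.255.255.0'
}
sample_hardened() {
    printf '%s\n' 'acl localsrc src 127.0.0.1' 'acl localdst dst 127.0.0.1'
}

# Demo: run the audit over both constructed samples.
for cfg in sample_default sample_hardened; do
    if "$cfg" | audit_localsrc -; then
        echo "$cfg: localsrc is loopback only"
    else
        echo "$cfg: localsrc still admits other hosts"
    fi
done
```

On the server, run `audit_localsrc /etc/squid/squid.conf` after expanding the template and before restarting squid.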

Offline raem

« Reply #7 on: September 22, 2006, 02:27:17 AM »
cheezeweeze

> Edit the custom "20ACL10localhost", replacing the code w/:
> acl localsrc src 127.0.0.1
> acl localdst dst 127.0.0.1

I tried that on my home network and it does appear to work OK.
Not extensively tested but you certainly cannot get web proxy access via port 3128 anymore, only via the TransparentPort 8080.

Thanks
...

newbie23

« Reply #8 on: September 22, 2006, 11:29:34 AM »
cheezeweeze! thanks a lot, and also to Ray Mitchell... I can now block port 3128...

To all who have the same problem as I have, Here's how I did it....


> mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf/
> cp -pR /etc/e-smith/templates/etc/squid/squid.conf/20ACL10localhost /etc/e-smith/templates-custom/etc/squid/squid.conf/20ACL10localhost

> Edit the custom "20ACL10localhost", replacing the code w/:
> acl localsrc src 127.0.0.1
> acl localdst dst 127.0.0.1

> Expand SQUID template:
> /sbin/e-smith/expand-template /etc/squid/squid.conf

> Restart SQUID:
> service squid stop
> service squid start

By the way, this is just what cheezeweeze advised me... :D

newbie23

« Reply #9 on: September 22, 2006, 12:33:33 PM »
Another Problem....

I would like to authenticate users when using the internet. Every time the user connects to the internet it will display username and password... How will I do this? Hope anyone could help me with this problem... I'm using sme 7.0 and I already installed dansguardian...

Offline stephen noble

« Reply #10 on: September 24, 2006, 11:19:51 AM »
this is built into smeserver-dansguardian
it's a db setting
you can use pam ncsa or ident

someone may like to add it to the dans howto
there is a squid howto which explains how it works

jsk

« Reply #11 on: September 24, 2006, 06:37:35 PM »
newbie23

>Edit the custom "20ACL10localhost", replacing the code w/:
>acl localsrc src 127.0.0.1
>acl localdst dst 127.0.0.1

Is it correct to replace this
Code:
{
    use esmith::NetworksDB;

    my $ndb = esmith::NetworksDB->open_ro();

    $localAccess = $ndb->local_access_spec();

    $OUT .= "acl localsrc src $localAccess\n";
    $OUT .= "acl localdst dst $localAccess";
}

for that?
Code:
{
    use esmith::NetworksDB;

    my $ndb = esmith::NetworksDB->open_ro();

    $localAccess = $ndb->local_access_spec();

    $OUT .= "acl localsrc src 127.0.0.1\n";
    $OUT .= "acl localdst dst 127.0.0.1";
}


Regards
John

newbie23

« Reply #12 on: September 25, 2006, 11:31:45 AM »
jsk

Yes, the code you replaced is correct...
After you change the code, expand the template and restart squid...
Just follow what cheezeweeze posted...

newbie23

« Reply #13 on: September 27, 2006, 11:45:40 AM »
Hello

I already have proxy authentication, but the problem is when I uncheck everything in INTERNET OPTIONS->CONNECTIONS->LAN SETTINGS it will not authenticate to the proxy but still filters websites through dansguardian. Does anyone know how to solve this problem?

Please help...

God bless

Offline raem

« Reply #14 on: September 28, 2006, 10:46:19 AM »
stephen

> this is built into smeserver-dansguardian
> it's a db setting, you can use pam ncsa or ident
> someone may like to add it to the dans howto
> there is a squid howto which explains how it works

Are you able to point me to the howto you are referring to & any other useful info? I'll investigate it and update the dansguardian howto, once I work it out.

Thanks
Ray
...