Koozali.org: home of the SME Server


staxer

SMEServer proxy, firewall etc
« on: June 12, 2007, 01:18:20 AM »
Hi there

I've got SME Server 7.1 running with 2 network cards, set up as a proxy/firewall for a business network.

Now, I've been playing with this for nearly 2 weeks and have come to the conclusion I'm not all that happy about SME Server and its layout of using templates and a database; anyway, life goes on.

The server is mostly doing its job, but I really need to force users through port 8080. Now, I have searched these forums and found some answers, but none of them work. I don't want to install or purchase a panel to do it because it's a fairly simple iptables command.

I'm getting fairly frustrated here, so I'd be grateful for any real answers. By the way, I'm not interested in people saying "read the documentation"; it seems to be very vague on scripting templates to insert lines into conf files, which, in all seriousness, would normally take 3 seconds to put into a conf, but with the templates and expanding and not knowing scripting fully it's quite painful. So if you don't have anything constructive to add, please don't press "reply".

I have eth0 as the internal and eth1 as external.
 iptables -A INPUT -p tcp --dport 80 -i eth0 -j DROP
^^ Shouldn't that command at the command line do it? I know it does on other distros....

Thanks for any help guys

raem
Re: SMEServer proxy, firewall etc
« Reply #1 on: June 12, 2007, 01:47:37 AM »
staxer

>... im not all that happy about SMESERVER and its layout of using templates and database....

If you persist with sme you will discover that the templating system is one of the features that makes sme easy to configure & easy to fix in the event of a stuff up on your part.
Read more about it in the developers guide before being too critical of it.


There are many "db commands" available to tweak sme, but you will need to read documentation & forums & the manual & the dev guide & howtos to learn about them.
If you are able to read & understand the base code you will also discover a lot about the inner workings of sme.

From
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/dansguardian%20instal%20&%20configure%20HOWTO%20for%20sme%20server.htm

db configuration setprop squid TransparentPort 8080
signal-event post-upgrade
signal-event reboot
...

staxer

SMEServer proxy, firewall etc
« Reply #2 on: June 12, 2007, 02:00:24 AM »
Thanks ray :D

I have read that document before; it immediately gets vague here:

To block access to port 80 and 3128 and force users to use 8080
add the following and remove the transproxy lines from masq
The following applies to sme v5.6, 6.x & 7.0 which use iptables.
Earlier sme versions require a different fix as they use ipchains.

OK, so I am assuming here that I create a custom template (/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/filename),

put in the script shown in the howto, then expand masq?

Then how do I "remove transproxy lines"? (I notice there is a transproxy template.)

Thanks for the help   :)

raem
SMEServer proxy, firewall etc
« Reply #3 on: June 12, 2007, 03:00:52 AM »
staxer

Well your original question was

>... i really need to force users through port 8080.

This db command will do that.
db configuration setprop squid TransparentPort 8080
signal-event post-upgrade
signal-event reboot

Are you now asking for advice related to using dansguardian and how to configure your browser to stop users being able to change the outgoing port ?
Search the forums (on dansguardian) (and go back approx a year or more) as this has been answered a number of times with different alternative answers.
...

staxer

SMEServer proxy, firewall etc
« Reply #4 on: June 12, 2007, 03:09:06 AM »
All I want to do is block port 80, so people cannot untick the proxy and keep browsing. I am using proxy auth, so I cannot use transparent proxying.

I do NOT need advice regarding dansguardian or the local users' browser.

I need advice on using the script laid out in the howto and how to implement it properly (note the lack of a file name, or even of how to properly insert a line into a conf at any given point; not even the development documentation goes in depth about this),

I need advice on blocking port 80 using iptables, and in fact there are more ports I want to block. (You didn't answer the question about the iptables command.)

I've spent over 2 weeks reading here, reading the wiki, reading the dev documentation; none of it has been clear enough to do what I want to do.

And you know what, I knew someone was gonna post "read the documentation". You know why? Because nearly every thread I have read related to this ends with that. Please, people, stop assuming people DON'T read it.

As I stated in the first post, there have been answers, but none of them work. There is one thread about using the specificblocking template with a 00definitions script, but the definitions script written in the thread has something wrong with it, producing an error on expanding.

raem
SMEServer proxy, firewall etc
« Reply #5 on: June 12, 2007, 04:59:35 AM »
staxer

> ...i need advice on blocking port 80 using iptables, and in fact there is more ports i want to block.

http://styx.uwa.edu.au/doc/iptables/html/packet-filtering-HOWTO-7.html

There is a lot that can be done using the db command (& server manager panels) including the blocking of various ports (which ultimately implement iptables rules anyway), without needing to resort to iptables commands directly.  
You have not stated what other ports you wish to block so the db command etc may or may not meet your needs.

If you block port 80 you may prevent access to server manager, so there are probably better ways to achieve what you want.
Search on dansguardian as suggested & you will find a number of references that may provide the answers you want.
...
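The rules this thread is after, written out as plain iptables commands so the chain choice is explicit. This is an added example, not code from the thread, the linked HOWTO or SME Server, and it assumes things the thread never states: the LAN is on eth0, squid's authenticating listener is port 8080 on the server, and 3128 is a plain squid port on the server that LAN clients should not be able to reach (the port numbers come from the HOWTO raem linked, the rest is assumption). It only prints the commands unless APPLY=yes is set, so it can be reviewed first.

```shell
#!/bin/sh
# Added example; not code from the thread or from SME Server. It writes out
# the iptables rules for "use the authenticating proxy or get nothing", with
# the chain choice made explicit. Assumptions (not stated in the thread): the
# LAN is on eth0, squid's authenticating listener is port 8080 on the server,
# and 3128 is a plain squid port on the server that the LAN should not reach.
LAN_IF="${LAN_IF:-eth0}"
PROXY_PORT="${PROXY_PORT:-8080}"
PLAIN_PROXY_PORT="${PLAIN_PROXY_PORT:-3128}"
DIRECT_PORTS="${DIRECT_PORTS:-80}"   # add 443 here to stop direct HTTPS too

# Print the rules, one command per line.
#  - FORWARD carries LAN traffic the server routes out to the internet. A
#    browser with the proxy unticked goes out that way, so the reject belongs
#    here; a rule in INPUT never sees that traffic at all.
#  - INPUT carries traffic addressed to the server itself. Port 80 is left
#    alone here, which is what keeps server-manager reachable from the LAN
#    (raem's caveat); only the plain squid port is refused.
# Rules are inserted at position 1 so they run before anything the existing
# firewall script already put in the chain. REJECT with a TCP reset makes an
# unproxied browser fail at once instead of hanging the way DROP would.
proxy_rules() {
    cat <<EOF
iptables -I INPUT 1 -i ${LAN_IF} -p tcp --dport ${PLAIN_PROXY_PORT} -j REJECT --reject-with tcp-reset
iptables -I INPUT 1 -i ${LAN_IF} -p tcp --dport ${PROXY_PORT} -j ACCEPT
iptables -I FORWARD 1 -i ${LAN_IF} -p tcp -m multiport --dports ${DIRECT_PORTS} -j REJECT --reject-with tcp-reset
EOF
}

# Number of rules, for a sanity check before applying.
rule_count() {
    proxy_rules | wc -l | tr -d ' '
}

# Dry run by default: print the commands for review. APPLY=yes runs them,
# which needs root and a box with iptables installed.
apply_rules() {
    if [ "${APPLY:-no}" = "yes" ]; then
        proxy_rules | sh -e
    else
        proxy_rules
    fi
}

apply_rules
```

Rules added from the command line like this do not survive a restart of the masq service or a reboot; on SME they would have to go into a custom template fragment under /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/ (the directory mentioned earlier in the thread) and be expanded from there. Either way, confirm the result with `iptables -nvL FORWARD` and `iptables -nvL INPUT` and watch the packet counters climb while a client with the proxy unticked tries to browse.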

staxer

SMEServer proxy, firewall etc
« Reply #6 on: June 14, 2007, 04:05:20 AM »
http://forums.contribs.org/index.php?topic=36855.0

That is probably the most informative post on the subject.

When trying to expand, I get an error:

ERROR in /etc/e-smith/templates-custom//etc/rc.d/init.d/masq/00definitions2: Program fragment delivered error <<Can't find string terminator "
HERE" anywhere before EOF at /etc/e-smith/templates-custom//etc/rc.d/init.d/masq/00definitions2 line 2.>> at template line 1
ERROR: Template processing failed for //etc/rc.d/init.d/masq: 1 fragment generated errors
 at /sbin/e-smith/expand-template line 45

Now, I guess because that doesn't work, there is no localip variable set, so the 35Specificblocking file doesn't work. I attempted to just use the specificblocking file; now when restarting the masq service I get the error:

Enabling IP masquerading: Bad argument `80'

The Dansguardian website has an iptables command that doesn't seem to work, and does not even fit in with the SME Server DB & templates scheme.

Links to addons that have been discussed in other threads relate to version 5.x and older, plus the links don't even work anymore.

So at the moment, I'm stuck with a brilliant OS that I can't do a simple port block on.

 :evil:
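The "Can't find string terminator "HERE" anywhere before EOF" error above is Perl (which expands e-smith template fragments) failing to find the closing line of a here-doc. Perl only accepts a terminator that sits alone on a line, starting in column 0 with nothing after it, so a terminator that got indented or picked up a trailing space when the fragment was pasted from a forum post never matches and the whole template fails to expand. The check below is an added example, not from the thread or from SME Server; the two fragment files it writes are constructed for the example and are not the 00definitions2 fragment from the linked thread.

```shell
#!/bin/sh
# Added example, not from the thread or from SME Server: a checker for the
# failure behind "Can't find string terminator ... anywhere before EOF".
# Perl needs the here-doc terminator alone on its own line, in column 0, with
# no trailing whitespace. The sample fragments below are constructed.

# check_heredocs FILE: exit 0 if every <<TAG, <<"TAG" or <<'TAG' in FILE is
# followed by a line that is exactly TAG; otherwise report each open tag and
# exit 1. The regex is built as a string so both quote characters can appear.
check_heredocs() {
    awk -v q="'" '
        {
            if (match($0, "<<[\"" q "]?[A-Za-z_][A-Za-z0-9_]*")) {
                tag = substr($0, RSTART + 2, RLENGTH - 2)
                first = substr(tag, 1, 1)
                if (first == "\"" || first == q) tag = substr(tag, 2)
                pending[tag] = NR
            }
            # Exact whole-line match only: "    HERE" or "HERE " never closes it.
            if ($0 in pending) delete pending[$0]
        }
        END {
            bad = 0
            for (t in pending) {
                printf "unterminated here-doc <<%s opened at line %d\n", t, pending[t]
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Constructed fragment with the terminator indented by four spaces, the way
# an auto-indenting editor leaves it after a paste. Perl rejects it.
write_broken_fragment() {
    printf '%s\n' '{' '    $OUT .= <<"HERE";' \
        '# constructed: lines this fragment would emit' '    HERE' '}' > "$1"
}

# The same fragment with the terminator in column 0. Perl accepts it.
write_good_fragment() {
    printf '%s\n' '{' '    $OUT .= <<"HERE";' \
        '# constructed: lines this fragment would emit' 'HERE' '}' > "$1"
}

# Run the check on both samples.
broken=$(mktemp); good=$(mktemp)
write_broken_fragment "$broken"
write_good_fragment "$good"
check_heredocs "$good" && echo "good fragment: ok"
check_heredocs "$broken" || echo "broken fragment: rejected, as expected"
rm -f "$broken" "$good"
```

Run it over a fragment before expanding (`check_heredocs /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/00definitions2`) and it names the tag and the line where the unclosed here-doc starts, which is more than the expand-template error gives.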

raem
SMEServer proxy, firewall etc
« Reply #7 on: June 14, 2007, 05:03:58 AM »
staxer

See the method proposed by cheezeweeze at
http://forums.contribs.org/index.php?topic=33775.msg144542#msg144542
...

raem
SMEServer proxy, firewall etc
« Reply #8 on: June 14, 2007, 05:08:29 AM »
staxer

Also see the suggestions from funkusmunkus at

http://forums.contribs.org/index.php?topic=26445.0
...