Koozali.org: home of the SME Server

Disable Nat

Offline tropicalview
Disable Nat
« on: August 17, 2007, 02:59:11 PM »
Dear all,

How can I disable NAT translation in order to force users to use the DansGuardian proxy?

Kind regards
The sky is not the limit, But when I reach the sky, for sure I will not try to go to the limit.... (donated $25,- upto now)

Offline raem
Re: Disable Nat
« Reply #1 on: August 17, 2007, 05:10:29 PM »
...

Offline tropicalview
Re: Disable Nat
« Reply #2 on: August 17, 2007, 05:36:46 PM »
As far as I can see this only blocks out the internal proxy of SME.

I did that already, but the NAT translation (without any proxy settings needed) does still work.
How can I stop that?

Offline raem
Re: Disable Nat
« Reply #3 on: August 17, 2007, 06:21:39 PM »
tropicalview

Is this what you are after
config setprop squid Transparent no
expand-template /etc/squid/squid.conf
sv t /service/squid

You will need to set your browser to use port 8080 then, see the section on Config files & Group filters
...

Offline tropicalview
Re: Disable Nat
« Reply #4 on: September 26, 2007, 01:21:00 AM »
Hi,

I tried this before and it worked:
I could not connect to the internet without a proxy setting.

Today I walked in and saw people on MSN.

I checked out why, and NAT was enabled again.

I did these instructions again:

config setprop squid Transparent no
expand-template /etc/squid/squid.conf
sv t /service/squid

but still,
restarted the machine ...

still able to connect without a proxy setting.

Reconfigured to be sure... still able to connect.

What now? How can I make sure that people will not be able to connect to the internet without a proxy setting?

Offline mmccarn
Re: Disable Nat
« Reply #5 on: September 26, 2007, 01:37:00 AM »
Here's an open bug on developing code to block outbound traffic: http://bugs.contribs.org/show_bug.cgi?id=2977

Offline tropicalview
Re: Disable Nat
« Reply #6 on: September 28, 2007, 02:30:32 AM »
So there is no way to force the internet users to use DansGuardian?

I would really like to be sure that it's not possible to connect to the internet without passing through DansGuardian.

Services such as MSN just work on the computers, and that's not allowed...


Offline raem
Re: Disable Nat
« Reply #7 on: September 28, 2007, 05:01:33 AM »
tropicalview

> Services as MSN just work on the computers, and that's not allowed...

The Dansguardian Howto covers the setup requirements thoroughly; if it doesn't work for you then please accurately advise what's missing and the Howto can be updated.
You have not given any details of what you expect to be happening and what is not happening, nor have you said what db config changes you made to your system.

Have you followed all the steps carefully, e.g. did you run the portblocking db command?

You just mentioned that MSN was still working. I assume you mean other web site access is being blocked/controlled (by Dansguardian) but programs like MSN Messenger (and other IMs) are working. Well, they will work, as they search for and connect on any available port and do not effectively get blocked by Dansguardian.
Dansguardian blocks web access, e.g. http: www type requests.
You need a different tool to block IM, one that recognises the packet content etc. and then implements the required iptables rules automatically. As most IM programs search for and find alternative available ports, simple port blocking will not work.
...

Offline stephen noble
Re: Disable Nat
« Reply #8 on: September 28, 2007, 06:34:19 AM »
> simple port blocking will not work

It quite possibly will if you check michaels work
http://bugs.contribs.org/show_bug.cgi?id=2977

Offline tropicalview
Re: Disable Nat
« Reply #9 on: September 28, 2007, 10:28:14 PM »
That's a lot of information, and it's not easy to understand for someone like me with only a little knowledge in this field.

Does anybody have an easy way to do it?

Offline stephen noble
Re: Disable Nat
« Reply #10 on: September 29, 2007, 02:26:31 AM »
Michal made it as simple as it can get
in his last post, under

Installation requires:
==========================

With long bug threads there is no need to read from the start.
If you need more help, consider paying for support, or asking on the bug, not here.

Offline mmccarn
Re: Disable Nat
« Reply #11 on: September 29, 2007, 03:55:43 PM »
Here you go - these commands will block ALL outbound traffic except what is proxied by the SME:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
wget -O 91adjustPortBlocks http://bugs.contribs.org/attachment.cgi?id=1395
wget -O 42SetupPortBlocks http://bugs.contribs.org/attachment.cgi?id=1389

config setprop masq TCPBlocks 0.0.0.0/0:1-65535
config setprop masq UDPBlocks 0.0.0.0/0:1-65535

signal-event remoteaccess-update
/etc/rc.d/init.d/masq restart

Offline tropicalview
Re: Disable Nat
« Reply #12 on: March 21, 2008, 12:52:54 AM »
Hi everyone.

One way or another I blocked traffic from internal devices from going out without proxy settings.

I think I did that with the instructions above.

But now I have installed a second SME server in that network, and only that machine should be able to have internet access by NAT.

The IP address of the firewall server is 192.168.1.4 and the new machine (that should have NAT access) is 192.168.1.2.

How can I make it possible that that machine can access the net but the other machines cannot?

Kind regards,

Offline tropicalview
Re: Disable Nat
« Reply #13 on: March 21, 2008, 01:19:52 AM »
That was simple.

config setprop masq UDPAllow 192.168.1.2/0:1-65535
config setprop masq TCPAllow 192.168.1.2/0:1-65535
signal-event remoteaccess-update
/etc/rc.d/init.d/masq restart
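For the catch-all port blocks in Reply #11 and the single-host allow in Reply #13, the following is an added shell example, not SME Server's masq template and not code posted by anyone in this thread. It takes the db-style specs from the thread ("addr/prefix:low-high") and prints the iptables FORWARD rules they imply, allow rules first so that one host is exempted from the block. How the real 42SetupPortBlocks/91adjustPortBlocks fragments turn the properties into rules is an assumption here; the spec syntax and property values are the thread's. It also flags one practitioner check: iptables reads `192.168.1.2/0` as `0.0.0.0/0` (every source), so a prefix length of /0 on a specific host is almost certainly meant to be /32.

```shell
#!/bin/sh
# Added example: renders masq-style block/allow specs into iptables FORWARD
# rules. The template logic is assumed; only the spec format comes from the
# thread. Rules are printed, not applied.

# spec_addr SPEC  -> the "addr/prefix" half of "addr/prefix:low-high"
spec_addr() {
    printf '%s\n' "${1%%:*}"
}

# spec_ports SPEC -> the port range in iptables "low:high" syntax
spec_ports() {
    printf '%s\n' "${1#*:}" | tr '-' ':'
}

# check_prefix SPEC -> 0 if the prefix length is sane, 1 if a specific
# address carries /0. iptables treats 192.168.1.2/0 as 0.0.0.0/0, which
# would turn a one-host allow into an allow-everything rule.
check_prefix() {
    addr=$(spec_addr "$1")
    ip=${addr%%/*}
    plen=${addr#*/}
    if [ "$plen" = "0" ] && [ "$ip" != "0.0.0.0" ]; then
        return 1
    fi
    return 0
}

# render_rule PROTO TARGET SPEC -> one FORWARD rule for that protocol
render_rule() {
    printf 'iptables -A FORWARD -p %s -s %s --dport %s -j %s\n' \
        "$1" "$(spec_addr "$3")" "$(spec_ports "$3")" "$2"
}

# render_policy ALLOW_SPEC BLOCK_SPEC -> ACCEPT rules (tcp, udp) before
# DROP rules, because iptables stops at the first match.
render_policy() {
    allow=$1
    block=$2
    if [ -n "$allow" ]; then
        for proto in tcp udp; do render_rule "$proto" ACCEPT "$allow"; done
    fi
    if [ -n "$block" ]; then
        for proto in tcp udp; do render_rule "$proto" DROP "$block"; done
    fi
}

# Demo: the thread's final configuration. The /0 value as posted is
# checked, then the policy is rendered with the /32 a single host needs.
demo() {
    if ! check_prefix "192.168.1.2/0:1-65535"; then
        echo "warning: 192.168.1.2/0 matches every source; use /32 for one host" >&2
    fi
    render_policy "192.168.1.2/32:1-65535" "0.0.0.0/0:1-65535"
}
demo
```

The DROP rules live in FORWARD, so they only affect traffic the server would NAT on behalf of LAN hosts; connections to squid/DansGuardian on the server itself arrive on INPUT and are untouched, which is exactly the split the thread is after. Note that a catch-all UDP block also stops clients resolving DNS directly on the internet, so they must use the SME server as their resolver.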