Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: newbie23 on September 19, 2006, 02:27:07 PM
-
I can use dansguardian filtering when I use the port 8080, but when I replaced it with 3128 or when I check the automatic detect setting it will bypass dansguardian and it seems to be awkward.
Can anyone help me with this problem?
-
Yes, by default you now have squid on 3128 and Dans on 8080. In the tutorial where Ray explains how to install Dansguardian there is information on how you can block access to squid.
-
stuntshell
I already coded my server as Ray Mitchell explains:
db configuration setprop squid TransparentPort 8080
signal-event post-upgrade
signal-event reboot
Ray Mitchell added (I haven't applied this code):
Additionally you may wish to prevent users configuring their browser to use port 3128 in order to circumvent Dansguardian, and thus allow unimpeded access to the Internet.
To block access to port 80 and 3128 and force users to use 8080
add the following and remove the transproxy lines from masq
The following applies to sme v5.6, 6.x & 7.0 which use iptables.
Earlier sme versions require a different fix as they use ipchains.
"Could this code stop users bypassing dansguardian?"
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
$OUT .= " /sbin/iptables --append Input$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
Expand the template when changes have been made.
-
newbie23
> I can use dansguardian filtering when I use the port 8080, but when I
> replaced it with 3128 or when I check the automatic detect setting it will
> bypass dansguardian and it seems to be awkward.
> db configuration setprop squid TransparentPort 8080
This command sets the sme proxy port to 8080, and if your browser is configured for Auto detect proxy port, then it will find and use port 8080, and therefore be subject to Dansguardian filtering.
Port 3128 is still accessible so users can easily change the browser configuration to specifically use port 3128 and therefore bypass Dansguardian filtering.
You can configure local policies (gpedit.msc) on your Windows PC to prevent users changing the browser setting (& leave it set to Auto detect which will then use the Transparent port 8080).
There has been a method posted in the forums recently for locking in this setting in Firefox.
Alternatively you can configure custom templates to block access via ports 3128 & 80 (yes 80) & only use port 8080, there were some recent posts about Dansguardian that referred/answered all of this and had links to the custom template proposed by funkusmunkus.
Search on Dansguardian and I'm sure you will find the references, it was only in the last few weeks.
The Howto has not been updated as I couldn't get access to the ftp upload area.
-
newbie23
I searched for you.
http://forums.contribs.org/index.php?topic=33636.0
-
RayMitchell
I've tried this code, but there's an error restarting masq...
>Got it all working, here's what I did
>created /etc/e-smith/templates->custom/etc/rc.d/init.d/masq/35transproxy
>and put the following in there
This is the only code I wrote in the /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/35transproxy file. I already expanded masq and it seemed to be successful, but an error occurs during masq restart... What do you mean by 35transproxy fragment? Will I need it?
>Code:
/sbin/iptables --table nat --new-chain TransProxy
# a continuation backslash needs a space in front of it; "PREROUTING\" glued to the
# next line gives the shell the single word "PREROUTING-p" and iptables rejects it
/sbin/iptables --table nat --append PREROUTING \
    -p tcp --dport 80 -j TransProxy
#Rerouting ports 80 443 to port 8080
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# note: a plain-HTTP transparent port cannot proxy TLS, so this 443 redirect breaks HTTPS rather than filtering it
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
#Blocking port 3128
/sbin/iptables -A INPUT -p tcp --destination-port 3128 -i eth0 -j DROP
/sbin/iptables -A INPUT -p udp --destination-port 3128 -i eth0 -j DROP
/sbin/iptables --table nat --append TransProxy \
    --destination 127.0.0.1 --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
    --destination 192.168.0.1 --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
    --destination $OUTERNET --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
    -p TCP -j DNAT --to 192.168.0.1:8080
Regards
-newbie23
-
Remove the local net to deny access to full squid proxy:
Create custom squid.conf template "20ACL10localhost":
mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf/
cp -pR /etc/e-smith/templates/etc/squid/squid.conf/20ACL10localhost /etc/e-smith/templates-custom/etc/squid/squid.conf/20ACL10localhost
Edit the custom "20ACL10localhost" replacing the code with:
acl localsrc src 127.0.0.1
acl localdst dst 127.0.0.1
Expand SQUID template:
/sbin/e-smith/expand-template /etc/squid/squid.conf
Restart SQUID:
service squid stop
service squid start
-
cheezeweeze
>Edit the custom "20ACL10localhost" replacing the code with:
> acl localsrc src 127.0.0.1
> acl localdst dst 127.0.0.1
I tried that on my home network and it does appear to work OK.
Not extensively tested but you certainly cannot get web proxy access via port 3128 anymore, only via the TransparentPort 8080.
Thanks
-
cheezeweeze! thanks a lot, and also to Ray Mitchell... I can now block port 3128...
To all who have the same problem as I have, Here's how I did it....
> mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf/
>cp -pR /etc/e-smith/templates/etc/squid/squid.conf/20ACL10localhost /etc/e-smith/templates-custom/etc/squid/squid.conf/20ACL10localhost
>Edit the custom "20ACL10localhost" replacing the code with:
>acl localsrc src 127.0.0.1
>acl localdst dst 127.0.0.1
>Expand SQUID template:
>/sbin/e-smith/expand-template /etc/squid/squid.conf
>Restart SQUID:
>service squid stop
>service squid start
By the way, this is just what cheezeweeze advised me... :D
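Added example, not code from this thread or from SME Server: a small POSIX shell audit of the three things the steps above and the earlier 35transproxy fragment are meant to achieve (port 80 redirected to 8080, port 3128 dropped, squid's localsrc ACL reduced to loopback). It reads iptables-save and squid.conf text; the samples and function names are constructed for this example.

```shell
#!/bin/sh
# Audit whether the "reach squid directly on 3128" bypass is closed.
# Reads iptables-save and squid.conf text; samples below are constructed
# for this example and the function names are assumptions of the example.

# Constructed: what iptables-save shows after the 35transproxy fragment
IPT_SAMPLE='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j DROP
COMMIT'

# Constructed: squid.conf ACL lines after the 20ACL10localhost change
SQUID_SAMPLE='acl localsrc src 127.0.0.1
acl localdst dst 127.0.0.1
http_access allow localsrc
http_access deny all'

# 0 if LAN traffic to port 80 is redirected to the transparent port 8080
port80_redirected() {
  printf '%s\n' "$1" | grep -Eq -- '-A PREROUTING .*--dport 80 .*-j REDIRECT --to-ports? 8080'
}

# 0 if direct connections to squid's own port 3128 are dropped
port3128_dropped() {
  printf '%s\n' "$1" | grep -Eq -- '-A INPUT .*--dport 3128 .*-j DROP'
}

# 0 if every "acl localsrc src" line lists only loopback, i.e. a browser
# pointed straight at 3128 from the LAN no longer matches the allow rule
squid_local_only() {
  printf '%s\n' "$1" | awk '
    $1 == "acl" && $2 == "localsrc" && $3 == "src" {
      seen = 1
      for (i = 4; i <= NF; i++) if ($i != "127.0.0.1") bad = 1
    }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# One line per check; returns 0 only when all three pass
audit_bypass() {
  rc=0
  port80_redirected "$1" && echo "ok   port 80 redirected to 8080" || { echo "FAIL port 80 not redirected"; rc=1; }
  port3128_dropped "$1" && echo "ok   port 3128 dropped" || { echo "FAIL port 3128 still reachable"; rc=1; }
  squid_local_only "$2" && echo "ok   squid localsrc is loopback only" || { echo "FAIL squid still allows LAN clients"; rc=1; }
  return $rc
}

audit_bypass "$IPT_SAMPLE" "$SQUID_SAMPLE"
```

On a live server you would pass the output of `iptables-save` and the contents of /etc/squid/squid.conf instead of the two samples.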
-
Another Problem....
I would like to authenticate users when they use the internet. Every time the user connects to the internet it will display a username and password prompt... How will I do this? Hope anyone could help me with this problem... I'm using sme 7.0 and I already installed dansguardian...
-
this is built into smeserver-dansguardian
it's a db setting
you can use pam ncsa or ident
someone may like to add it to the dans howto
there is a squid howto which explains how it works
-
newbie23
>Edit the custom "20ACL10localhost" replacing the code with:
>acl localsrc src 127.0.0.1
>acl localdst dst 127.0.0.1
Is it correct to replace this
{
use esmith::NetworksDB;
my $ndb = esmith::NetworksDB->open_ro();
$localAccess = $ndb->local_access_spec();
$OUT .= "acl localsrc src $localAccess\n";
$OUT .= "acl localdst dst $localAccess";
}
for that?
{
use esmith::NetworksDB;
my $ndb = esmith::NetworksDB->open_ro();
$localAccess = $ndb->local_access_spec();
$OUT .= "acl localsrc src 127.0.0.1\n";
$OUT .= "acl localdst dst 127.0.0.1";
}
Regards
John
-
jsk
yes, the code you replaced is correct...
after you change the code, expand template and restart squid...
just follow what cheezeweeze posted...
-
Hello
I already have proxy authentication, but the problem is that when I uncheck everything in INTERNET OPTIONS->CONNECTIONS->LAN SETTINGS it will not authenticate the proxy but still filters websites through dansguardian. Does anyone know how to solve this problem?
Please help...
God bless
-
stephen
> this is built into smeserver-dansguardian
> it's a db setting, you can use pam ncsa or ident
> someone may like to add it to the dans howto
> there is a squid howto which explains how it works
Are you able to point me to the howto you are referring to & any other useful info. I'll investigate it and update the dansguardian howto, once I work it out.
Thanks
Ray