
I am attempting to filter my home internet connection through a transparent proxy (squid3) and dansguardian. I have the following setup: http://i.stack.imgur.com/5Z3DP.png

My Ubuntu Server is connected to VDSL directly, just like any other computer in the network.

My consumer-grade VDSL (192.168.2.1) is a ZTE all-in-one device (DHCP server, router, wireless access point, switch, etc.) running Linux BusyBox v1.01 and iptables v1.4.0. I have CLI access to it. I do not want to put the server (Ubuntu 14.04/192.168.2.2) between the VDSL and the home network because I want to avoid installing a second NIC on the server and a separate wireless access point.

Therefore I want to route all port 80 traffic coming to the VDSL through the server. I installed the squid3 proxy + dansguardian filter on the server.

I have added/changed the following to /etc/squid3/squid.conf file:

acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
http_port 3129
http_port 3128 intercept
dns_nameservers 208.67.222.123, 208.67.220.123

I have added/changed the following to /etc/dansguardian/dansguardian.conf file:

"UNCONFIGURED - Please remove this line after configuration" **removed**
filterport = 8888
proxyport = 3128

On the VDSL I issued the following iptables command (br0 is the bridge interface on the 192.168.2.1 modem/gateway; 192.168.2.2 is the server):

iptables -t nat -A PREROUTING -i br0 -s ! 192.168.2.2 -d ! 192.168.2.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.2:3128

(also tried port 8888 just in case I misunderstood the syntax)

My squid log file looks OK:

2014/09/29 23:42:13| Starting Squid Cache version 3.3.8 for x86_64-pc-linux-gnu...
2014/09/29 23:42:13| Process ID 3648
2014/09/29 23:42:13| Process Roles: master worker
2014/09/29 23:42:13| With 65536 file descriptors available
2014/09/29 23:42:13| Initializing IP Cache...
2014/09/29 23:42:13| DNS Socket created at [::], FD 5
2014/09/29 23:42:13| DNS Socket created at 0.0.0.0, FD 6
2014/09/29 23:42:13| Adding nameserver 208.67.222.123 from squid.conf
2014/09/29 23:42:13| Adding nameserver 208.67.220.123 from squid.conf
2014/09/29 23:42:13| Logfile: opening log daemon:/var/log/squid3/access.log
2014/09/29 23:42:13| Logfile Daemon: opening log /var/log/squid3/access.log
2014/09/29 23:42:13| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/09/29 23:42:13| Store logging disabled
2014/09/29 23:42:13| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/09/29 23:42:13| Target number of buckets: 1008
2014/09/29 23:42:13| Using 8192 Store buckets
2014/09/29 23:42:13| Max Mem  size: 262144 KB
2014/09/29 23:42:13| Max Swap size: 0 KB
2014/09/29 23:42:13| Using Least Load store dir selection
2014/09/29 23:42:13| Set Current Directory to /var/spool/squid3
2014/09/29 23:42:13| Loaded Icons.
2014/09/29 23:42:13| HTCP Disabled.
2014/09/29 23:42:13| Pinger socket opened on FD 12
2014/09/29 23:42:13| Squid plugin modules loaded: 0
2014/09/29 23:42:13| Adaptation support is off.
2014/09/29 23:42:13| Accepting HTTP Socket connections at local=[::]:3129 remote=[::] FD 9 flags=9
2014/09/29 23:42:13| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 10 flags=41
2014/09/29 23:42:13| pinger: Initialising ICMP pinger ...
2014/09/29 23:42:13| pinger: ICMP socket opened.
2014/09/29 23:42:13| pinger: ICMPv6 socket opened
2014/09/29 23:42:13| Pinger exiting.
2014/09/29 23:42:14| storeLateRelease: released 0 objects
2014/09/29 23:44:13| Preparing for shutdown after 0 requests
2014/09/29 23:44:13| Waiting 30 seconds for active connections to finish
2014/09/29 23:44:13| Closing HTTP port [::]:3129
2014/09/29 23:44:13| Closing HTTP port 0.0.0.0:3128
2014/09/29 23:44:13| Closing Pinger socket on FD 12
2014/09/29 23:44:13| Shutdown: NTLM authentication.
2014/09/29 23:44:13| Shutdown: Negotiate authentication.
2014/09/29 23:44:13| Shutdown: Digest authentication.
2014/09/29 23:44:13| Shutdown: Basic authentication.
2014/09/29 23:44:18| Starting Squid Cache version 3.3.8 for x86_64-pc-linux-gnu...
2014/09/29 23:44:18| Process ID 3940
2014/09/29 23:44:18| Process Roles: master worker
2014/09/29 23:44:18| With 65536 file descriptors available
2014/09/29 23:44:18| Initializing IP Cache...
2014/09/29 23:44:18| DNS Socket created at [::], FD 5
2014/09/29 23:44:18| DNS Socket created at 0.0.0.0, FD 6
2014/09/29 23:44:18| Adding nameserver 208.67.222.123 from squid.conf
2014/09/29 23:44:18| Adding nameserver 208.67.220.123 from squid.conf
2014/09/29 23:44:18| Logfile: opening log daemon:/var/log/squid3/access.log
2014/09/29 23:44:18| Logfile Daemon: opening log /var/log/squid3/access.log
2014/09/29 23:44:18| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/09/29 23:44:18| Store logging disabled
2014/09/29 23:44:18| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/09/29 23:44:18| Target number of buckets: 1008
2014/09/29 23:44:18| Using 8192 Store buckets
2014/09/29 23:44:18| Max Mem  size: 262144 KB
2014/09/29 23:44:18| Max Swap size: 0 KB
2014/09/29 23:44:18| Using Least Load store dir selection
2014/09/29 23:44:18| Set Current Directory to /var/spool/squid3
2014/09/29 23:44:18| Loaded Icons.
2014/09/29 23:44:18| HTCP Disabled.
2014/09/29 23:44:18| Pinger socket opened on FD 12
2014/09/29 23:44:18| Squid plugin modules loaded: 0
2014/09/29 23:44:18| Adaptation support is off.
2014/09/29 23:44:18| Accepting HTTP Socket connections at local=[::]:3129 remote=[::] FD 9 flags=9
2014/09/29 23:44:18| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 10 flags=41
2014/09/29 23:44:18| pinger: Initialising ICMP pinger ...
2014/09/29 23:44:18| pinger: ICMP socket opened.
2014/09/29 23:44:18| pinger: ICMPv6 socket opened
2014/09/29 23:44:18| Pinger exiting.
2014/09/29 23:44:19| storeLateRelease: released 0 objects

However, dansguardian log file is empty.

When I check the iptables of the modem with iptables -t nat --line-numbers -L it returns the following:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             200.200.200.200     tcp dpt:www to:192.168.2.1:8000
2    srvcntrl   all  --  anywhere             anywhere
3    fwports    all  --  anywhere             anywhere
4    portmapp   all  --  anywhere             anywhere
5    upnp       all  --  anywhere             anywhere
6    dmzmapp    all  --  anywhere             anywhere
7    DNAT       tcp  -- !192.168.2.2         !192.168.2.2         tcp dpt:www to:192.168.2.2:3128

I am missing something because it is not working. Although I have been using computers since the mid-80s and am used to using the CLI, network topology is still alien to me. Any help is appreciated.

Starcrescent
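As an added example (not part of the question, and not code from Squid or DansGuardian), the following Python cross-check reads the three pieces of configuration posted above and applies the rules a transparent Squid + DansGuardian chain depends on: the router's port-80 DNAT must land on DansGuardian's filterport, DansGuardian's proxyport must be a plain (non-intercept) Squid http_port, and a Squid intercept port needs the NAT to be performed on the Squid host itself, since Squid recovers the original destination from the local NAT table. The sample inputs are copied from the question; nat_host and proxy_host are assumed parameters naming the host that holds the NAT rule and the host running Squid.

```python
import re

# Constructed samples, copied from the question's own posted configuration.
SQUID_CONF = """acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
http_port 3129
http_port 3128 intercept
"""
DG_CONF = "filterport = 8888\nproxyport = 3128\n"
ROUTER_NAT = """Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             200.200.200.200     tcp dpt:www to:192.168.2.1:8000
7    DNAT       tcp  -- !192.168.2.2         !192.168.2.2         tcp dpt:www to:192.168.2.2:3128
"""

def squid_ports(conf):
    """Map each http_port to 'intercept' or 'forward' (plain proxy) mode."""
    ports = {}
    for m in re.finditer(r"^http_port\s+(?:\S*:)?(\d+)(.*)$", conf, re.M):
        ports[int(m.group(1))] = "intercept" if "intercept" in m.group(2) else "forward"
    return ports

def dg_ports(conf):
    """Return (filterport, proxyport) from a dansguardian.conf fragment."""
    kv = dict(re.findall(r"^(filterport|proxyport)\s*=\s*(\d+)", conf, re.M))
    return int(kv["filterport"]), int(kv["proxyport"])

def dnat_targets(listing):
    """Return (matched dport, target ip, target port) per DNAT rule in 'iptables -t nat -L' output."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in re.finditer(r"DNAT.*dpt:(\S+)\s+to:([\d.]+):(\d+)", listing)]

def check_chain(squid_conf, dg_conf, nat_listing, nat_host, proxy_host):
    """Cross-check DNAT -> DansGuardian -> Squid; return a list of findings (empty = consistent)."""
    findings = []
    squid = squid_ports(squid_conf)
    filterport, proxyport = dg_ports(dg_conf)
    for dport, ip, port in dnat_targets(nat_listing):
        if ip != proxy_host or dport != "www":
            continue  # unrelated rule, e.g. the pre-existing 200.200.200.200 redirect
        if port != filterport:
            findings.append(f"port-80 DNAT lands on {ip}:{port}, bypassing DansGuardian on {filterport}")
        if nat_host != proxy_host:
            findings.append(f"NAT happens on {nat_host}; Squid intercept needs it on {proxy_host} itself")
    if squid.get(proxyport) == "intercept":
        findings.append(f"DansGuardian proxyport {proxyport} is Squid's intercept port; use a plain http_port")
    elif proxyport not in squid:
        findings.append(f"DansGuardian proxyport {proxyport} matches no Squid http_port")
    return findings

if __name__ == "__main__":
    for f in check_chain(SQUID_CONF, DG_CONF, ROUTER_NAT, "192.168.2.1", "192.168.2.2"):
        print("finding:", f)
```

Run against the posted values it reports three findings; a layout where the NAT rule sits on the Squid host, targets the filterport and DansGuardian forwards to the plain http_port reports none.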
