LinuxMCE Forums

General => Installation issues => Topic started by: anupindi007 on August 15, 2009, 04:56:17 pm

Title: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on August 15, 2009, 04:56:17 pm
Hi,
I am trying to avoid setting a proxy server on every machine on my network.  I am hoping that directing the port 80 traffic through DG (8081) on the MCE server will help me do this.  The MCE server is the DHCP server for all my nodes on the network and sits between the DSL router and my internal network.

I installed Dansguardian (http://wiki.linuxmce.org/index.php/Installing_Dansguardian) and configured the firewall to forward port 80 to port 8081 on the server (192.168.80.1).

I thought this should work without setting a proxy at the browser.  However, the content filtering is happening only when I set the proxy to 192.168.80.1:8081 at the browser.

Already set: LinuxMCE Admin Website Advanced > Network > Firewall Rules, and added a new rule tcp 80 to 0 8081 192.168.80.1 port_forward.

"# iptables -L" shows the following (I do not see the 80 to 8081 forwarding I set through the MCE admin):

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            MARK match 0x1
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     all  --  192.168.80.0/24      anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:iax
ACCEPT     udp  --  anywhere             anywhere            udp dpt:sip
ACCEPT     udp  --  anywhere             anywhere            udp dpt:2000

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


What am I missing?  

Thanks
Srinivas
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: merkur2k on August 15, 2009, 10:32:21 pm
the firewall page in the web admin is not flexible enough to add the rule you need, unfortunately. it is just set up for adding external to internal port forwards.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on August 16, 2009, 05:43:47 am
Thanks for your message merkur2k, and is there any way to fix it (forward port 80 to 8081)?
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: merkur2k on August 16, 2009, 08:39:32 am
not currently, no. I am doing some research on how best to add support for this to lmce, but it will probably be awhile.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: colinjones on August 16, 2009, 11:51:00 pm
you would need to add an outbound NAT/PAT to translate any outbound traffic on port 80 to port 8081 on a fixed local IP address. The firewall rules page is only for creating inbound rules, so you cannot create the rule you need, as merkur2k says. You will likely also have other issues doing this as well, unless Dansguardian supports a full "transparent" proxy mode (which is different from a normal explicit proxy).

I think you will find it much easier just to set the proxy on your machines! Are you aware that if they are all Windows machines, it is very easy to create a Local Group Policy Object once on each machine, that will automatically set/reset/fix the proxy settings for every user that logs on? So even if a new user comes along and logs on to one of those machines for the first time, they will automatically get the correct proxy (and any other settings you want as well)
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on August 18, 2009, 01:15:37 am
Thanks colinjones for your message; I apologise for the delay in replying. In fact I was away from the system, hence I couldn't verify.  I will get back to you soon on the same.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on August 18, 2009, 02:07:57 am
Before updating iptables with the following commands, I would like to cross-check with you whether I have understood this right or not:
-->
#iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --dport 8081 -j ACCEPT
#iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8081
#iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp --dport 8081 -j ACCEPT
#iptables -t nat -A OUTPUT -p tcp  --dport 80 -j REDIRECT --to-ports 8081
<--


system shows: #iptables-save > /root/working.iptables.rules
--->
# Generated by iptables-save v1.4.0 on Mon Aug 17 08:26:13 2009
*mangle
:PREROUTING ACCEPT [89978:48077510]
:INPUT ACCEPT [89883:48048067]
:FORWARD ACCEPT [93:27669]
:OUTPUT ACCEPT [66181:5988383]
:POSTROUTING ACCEPT [66459:6048043]
-A PREROUTING -j TTL --ttl-set 255
COMMIT
# Completed on Mon Aug 17 08:26:13 2009
# Generated by iptables-save v1.4.0 on Mon Aug 17 08:26:13 2009
*nat
:PREROUTING ACCEPT [28:3703]
:POSTROUTING ACCEPT [4592:343381]
:OUTPUT ACCEPT [4592:343381]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.80.1:8081
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3877 -j DNAT --to-destination 192.168.80.1:3877
-A POSTROUTING -s 192.168.80.0/24 -d ! 192.168.80.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Aug 17 08:26:13 2009
# Generated by iptables-save v1.4.0 on Mon Aug 17 08:26:13 2009
*filter
:INPUT DROP [86:11364]
:FORWARD ACCEPT [93:27669]
:OUTPUT ACCEPT [66181:5988383]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -s 192.168.80.0/24 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 2000 -j ACCEPT
-A FORWARD -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
<---
Thanks in advance.
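As an added check (my code, not from the thread), the script below parses an iptables-save dump like the one above and reports whether LAN port-80 traffic actually reaches the filter on 8081, flagging a redirect bound to the wrong interface and the nat OUTPUT redirect that would loop the proxy's own upstream fetches back into it. It assumes eth1 is the LAN interface, following the note later in this thread that eth0 is the external interface on a standard LMCE core; the sample dump is constructed.

```python
"""Check an iptables-save dump for a working transparent HTTP redirect.

Parses the nat table of an iptables-save dump and reports which
interface, if any, has its port-80 traffic handed to the local content
filter. Plain `iptables -L` lists only the filter table, so nat redirects
never show up there; `iptables -t nat -L` or `iptables-save` do show them.
"""
import shlex

# Constructed sample, modelled on the dump posted in this thread: the web
# admin "port_forward" rule landed on eth0, the external interface of a
# standard LinuxMCE core (assumption taken from later in the thread).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [28:3703]
:POSTROUTING ACCEPT [4592:343381]
:OUTPUT ACCEPT [4592:343381]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.80.1:8081
-A POSTROUTING -s 192.168.80.0/24 ! -d 192.168.80.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [86:11364]
-A INPUT -s 192.168.80.0/24 -j ACCEPT
COMMIT
"""


def table_rules(dump, table):
    """Return the '-A ...' rules of one table as token lists."""
    rules, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith("-A "):
            rules.append(shlex.split(line))
    return rules


def rule_fields(tokens):
    """Pick out chain, input interface, protocol, dport, target and the port it maps to."""
    f = {"chain": tokens[1], "iface": None, "proto": None,
         "dport": None, "target": None, "to_port": None}
    i = 2
    while i < len(tokens) - 1:
        t, v = tokens[i], tokens[i + 1]
        if t == "-i":
            f["iface"] = v
        elif t == "-p":
            f["proto"] = v
        elif t == "--dport":
            f["dport"] = v
        elif t == "-j":
            f["target"] = v
        elif t in ("--to-ports", "--to-port"):
            f["to_port"] = v
        elif t == "--to-destination":           # DNAT form: addr:port
            f["to_port"] = v.rsplit(":", 1)[-1]
        i += 1
    return f


def http_redirects(dump):
    """All nat rules that take tcp/80 and map it somewhere else."""
    hits = []
    for tokens in table_rules(dump, "nat"):
        f = rule_fields(tokens)
        if f["proto"] == "tcp" and f["dport"] == "80" and f["target"] in ("REDIRECT", "DNAT"):
            hits.append(f)
    return hits


def check_transparent_proxy(dump, lan_iface, proxy_port):
    """Return (ok, findings): ok is True only if LAN port-80 traffic reaches proxy_port."""
    ok, findings = False, []
    hits = http_redirects(dump)
    for f in hits:
        if f["chain"] == "PREROUTING" and f["iface"] in (None, lan_iface) \
                and f["to_port"] == str(proxy_port):
            ok = True
        elif f["chain"] == "PREROUTING":
            findings.append(f"port-80 {f['target']} on {f['iface'] or 'any interface'} maps to "
                            f"port {f['to_port']}; expected LAN interface {lan_iface} -> {proxy_port}")
        elif f["chain"] == "OUTPUT":
            findings.append("nat OUTPUT also redirects the gateway's own port-80 connections, "
                            "so the proxy's upstream fetches get looped back into it")
    if not hits:
        findings.append("no port-80 REDIRECT/DNAT in the nat table (check with iptables -t nat -L)")
    return ok, findings


if __name__ == "__main__":
    ok, findings = check_transparent_proxy(SAMPLE_DUMP, "eth1", 8081)
    print("transparent proxy OK" if ok else "transparent proxy NOT working")
    for line in findings:
        print(" -", line)
```

On a live core, feed it `iptables-save` output instead of the constructed sample.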
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on August 21, 2009, 02:17:06 am
I have figured out another way to resolve the issue, i.e. using shorewall (http://taksuyama.com/?page_id=23).  Now Dansguardian is working for me.

:)
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: gadget on August 21, 2009, 05:18:42 am
Can you please post your shorewall config files as they should work for any LMCE system and I would like to implement it.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: colinjones on August 21, 2009, 10:12:58 am
seriously guys! for the sake of setting a _single_ IP address _once_ on each PC (less than a 2 min task) and walking away and never thinking about it again.... you are building a "sledgehammer solution"!! More working parts, code and resources consumed on your core for absolutely no purpose whatsoever.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: wierdbeard65 on August 21, 2009, 10:30:53 am
Quote
seriously guys! for the sake of setting a _single_ IP address _once_ on each PC (less than a 2 min task) and walking away and never thinking about it again.... you are building a "sledgehammer solution"!! More working parts, code and resources consumed on your core for absolutely no purpose whatsoever.

Colin, I respect your experience, but there are times when you most definitely want a transparent proxy. My rig will be one of those times.

In my case, 2 reasons:-

1) I have portable devices which are used at home and elsewhere (work etc.) I don't want users (even me, because I'm lazy) to have to turn the proxy on and off according to location.
2) I have teenagers. They want to push the boundaries. They are becoming more computer literate by the day. I take parenting responsibly and want to protect them from the worst of the web (and protect it from them!). If it's a local setting, they will attempt to bypass it.

A solution to 1 is to allow the mobile machines to bypass the proxy, but without a lot of complicated filters etc, this negates 2. A solution to 2 is to block all direct web access to the outside world, but that makes 1 a problem.

In my case, the preferred solution is transparent proxying.

It isn't all about initial workload!
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: tschak909 on August 21, 2009, 11:01:02 am
*bites-his-tongue*

oh screw it.

Personal opinion,

I think it's rather silly that you're trying to "protect" your kids in this manner.

Speaking as a former kid, albeit raised a child genius, if I wanted to do something, I did it, and found a way to do it.

So really, isn't this like Sisyphus, forever pushing the boulder up the hill?

-Thom
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: wierdbeard65 on August 21, 2009, 11:26:27 am
Thom,

You are, of course, correct. But you are also wrong.

I also speak as a former kid with an apparent IQ of 147, which puts me above average....

I am not trying to shirk my responsibilities as a parent and get the technology to do it for me. Just get it to help me. There are several types of "protection" I am talking about here...

1) My eldest (15) has been caught (and appropriately dealt with) sharing inappropriate material with his younger siblings (in this case 12 and 10). They wouldn't go looking for it, but if "big bro" shows them....
2) I have found lists of (very worrying) websites in the kids notes brought back from school (not, I hasten to add from teachers, but other, older, kids).
3) I have visited perfectly innocent websites, or followed links from normal sites like the msn homepage and within a few clicks been confronted with hardcore porn, violence etc. I don't want the same for my kids. It isn't always about deliberate abuse!

My approach is many and varied..

a) Education. We talk to the kids about the 'net and how there are bad people out there. We discuss the dangers of revealing personal information and so on.
b) Supervision. We keep an eye on what they do. We cannot, however, watch them every second. If we have logs we can access, we do look at them, just to be certain. (The kids know this, it isn't a case of spying on them.)
c) Securing. This is where the whole proxy stuff comes in. Part of a larger home policy.

The simple fact is, we live in a world now where it is common to have multiple computers in the home. Kids at Primary school (=Elementary school) are using the 'net as part of their daily schoolwork. We can either embrace it and make it as safe for them as possible, or we can be Luddites, bury our heads and refuse access, or only allow it under very close supervision. I believe in taking controlled risks, but the key word here is controlled.

Kids today already suffer from a lack of the freedom we enjoyed. How many parents would be happy for their 9 year old to leave the house at 9:00am with no knowledge of where they were going and no way of contacting them or knowing when they would be back? The expectation being that around 8:00pm is fine? Yet that's exactly what happened when I was a kid, and it was normal! Already, we insist they take their mobiles, we insist we know exactly where they are, etc etc. This is quite right as we live in a dangerous society, but it's sad that we need to wrap them in cotton wool this way.

Yes, the 15-year old will try to work out how to get around it, he may succeed. But hopefully, not for a while and hopefully he will be caught before he shares the information with his younger siblings. Certainly, I don't expect my 4-year old to be happily playing on the cBBC website and then suddenly asking why that lady isn't wearing any clothes ;)

I'm not asking for anyone to agree with me. You may see me as a terrible parent for allowing my kids access to the 'net, or a terrible parent for trying to control it. Frankly, I don't care. The key thing is, however, please respect my right to parent as I see fit. And that means security on my network, using something like Dan's Guardian and transparent proxying!
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: colinjones on August 21, 2009, 04:33:47 pm
weirdbeard

I draw your attention to the topic of this thread, and specifically the reasoning that the OP had for doing this. This is who I am responding to. Your comments came later, and are for a purpose other than the original discussion.

My comments, on this topic, still stand. Anybody could produce a set of circumstances that validate an approach, but if they do not relate to the topic at hand, then they are something of a red herring!

That being said, Thom has dealt with your point 2 - irrespective of local or remote, both are circumventable and securable. Point 1 is not really valid - proxies can easily be set as failover, and in the case of GPOs the LGPO is always applied first... for that very purpose. So if you set this in your LGPO, a corporate office GPO would override an LGPO... the point being that when a device is at home, it will automatically get your home settings, and when in an office environment these will be overridden by the corporate settings... transparent... so no issue there.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: wierdbeard65 on August 21, 2009, 05:15:26 pm
Colin,

I respect your comments and apologise for straying from the original topic.

The thread was already drifting from "How do I perform transparent proxying" to a lot of people (yourself in particular) saying you don't want to. I was responding in that vein. My last post was specifically in response to Thom's. He is known to have strong views on some things and is, more often than not, correct. In this case I don't believe he is.

You are correct, if GPOs are an option. At my work, they don't use them on the domain. Nor at my wife's. Even if they did, I also use my laptop from hotel rooms when I'm off the corporate 'net but don't want a proxy.

Whilst you may not agree with my justification, the overriding principle that transparent proxying is a valid requirement stands. I started monitoring (then becoming involved in) this thread as I'm hoping it will lead to a working solution for me and anyone else who similarly wants to do it. For others to drone on about it not being required is, at best, patronizing and rude. I see no reason for a lot of the features of MCE, particularly for me, but I don't criticize others for wanting them. I don't think it would be productive for me to continue justifying why I want to do this - I believe that I (and anyone else in my position) should be able to do it without enduring unnecessary criticism.

Sometimes people are asking for something which is just plain wrong and asking for trouble. (I want my MCE box to be a workstation and not a router etc.) but in this case, I believe there is a valid reason for those of us who want it to pursue a solution.

I'd like to echo gadget in asking anupindi007 to post his config / put a howto on the wiki.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: gadget on August 23, 2009, 06:30:48 am
LMCE has a requirement for it to be the "gateway", which in my opinion is not the primary function of the home entertainment/automation server. The fact that it requires 2 NICs complicates getting new people started with LMCE. If it is going to be the firewall then it needs to be more configurable than it currently is.

We don't need to be discussing what the reasoning for implementing a good firewall is, I just want something that is configurable. LMCE needs to improve its firewall, or take a step back and remove the requirement for it to be the gateway.

gadget
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: tschak909 on August 23, 2009, 06:51:19 am
Well,

Since you HAPPEN to know what that is, perhaps you could help us implement it? :)

-Thom
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: gadget on August 23, 2009, 03:19:48 pm
Hi Thom,

I will give it a go, but won't have much time to allocate to doing it until late September as I have some projects going on at work at the moment.
I am also assuming that by implementing it you would like LMCE to be the gateway and not to remove the 2 NIC requirement.

gadget
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: tschak909 on August 23, 2009, 04:53:26 pm
correct, unless you happen to know how to retain all the functionality we provide entirely on one NIC.

-Thom
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on August 24, 2009, 04:38:26 am
I'd also like for our OP to share his information and then invite comments about other ideas in this thread.

A single NIC server is possible, but it would add a lot of complexity.  LinuxMCE is currently designed to be a gateway and this is probably the simplest design for the LinuxMCE functionality.  Perhaps someone else can sketch out how to remove the gateway requirement, but it just seems like it would be a kludge.

So, since our core IS, in fact, a gateway, it seems reasonable that requirements (or at least desires) for typical gateway functionality is at least not absurd.  Several *nix distros have millions of fans and their main purpose is to be a good gateway.

merkur2k's recent addition of a simple way to review dhcp leases from the web admin is a great step in the right direction, I think.  Another quick step may be a simple interface to our firewall to make it more flexible.   Further along the path towards robust gateway functionality may be IPS (snort), proxy, content filtering, AV, etc.  (I have shared a solution before that adds another firewall behind the core.)

And we're all aware both that LinuxMCE is enormously complex and that developer resources and interests are limited.  As our developers continue to de-appliance-ize from our Pluto heritage, perhaps the use (and incorporation) of standard (sysadmin) packages with LinuxMCE will be more straightforward and offer less interference.

Also, I understand that non-standard changes to the core add complexity, break things, and generate confusing forum traffic.  And so it's helpful if these are documented well.  But it also seems that one change at the server is simpler than changes at every client.

My observation is simply that our Core is a gateway and to invite discussion of those inherent requirements.

thoughts?
joseph

Title: Re: Dansguardian port forwarding 80 to 8081
Post by: tschak909 on August 24, 2009, 04:46:52 am
I want to make something _VERY_ clear...

We are continuing in the direction of making this system an Appliance. This is the right direction, given the feature scope of the project.

Sorry, no arguments, or negotiations there. If you want another direction, then roll up your sleeves and make it happen.

-Thom
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: dlewis on August 24, 2009, 04:51:52 am
Quote
Also, I understand that non-standard changes to the core add complexity, break things, and generate confusing forum traffic.  And so it's helpful if these are documented well.

niz23 has been working with doxygen to get the code base documented for new developers. We're discussing creating a site such as 'doxygen.linuxmce.org' in order to provide a place to have the code documented... We will provide an update once further discussion occurs.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on August 24, 2009, 05:24:08 am
dlewis, much thanks.  It is very impressive how much progress we are making on so many fronts!

Thom, we may be agreeing.  ;-)   The LinuxMCE system is appliance-like, self-configuring, etc.   And the distinction I was trying to make is that it will be less intertwined with a custom distribution-appliance a la pluto-home.    pluto was deeply entangled with the underlying operating system which made it harder to maintain and expand (it had a different audience).

http://wiki.linuxmce.org/index.php/History

My understanding, and please correct any misunderstanding, is that our target is for linuxmce to be a standard desktop option distributed as part of kubuntu (and other distros).   So, lmce can install on a standard distro (it does now - pluto didn't) and play nice with other standard packages and systems - including some that allow us to leverage existing sysadmin tools without breaking lmce.

I'm not trying to argue but I do want to understand.  Do I?

thanks,
joseph


Title: Re: Dansguardian port forwarding 80 to 8081
Post by: dlewis on August 24, 2009, 05:26:12 am
schaferj, we're all familiar with the pluto-home history... Some of the devs were around when pluto was still around.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: tschak909 on August 24, 2009, 05:43:36 am
It's very difficult to decouple things from the underlying distribution... Right now, we are focusing on our kubuntu under-pinnings.

-Thom
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on August 24, 2009, 06:41:44 am
Team,

My hat is off to all the devs - including those that brought deep and invaluable knowledge from pluto and without whom we wouldn't have the progress we enjoy today.  And to all who contribute their talents and time.  I remember pluto and acknowledge our history simply to clarify my understanding of our direction.

It's extremely hard to decouple, and I understand that it's not always a top priority.  And progress will allow us to focus on lmce functionality and let the distro give us a great os and complementary tools that we can leverage.

And in a nod to the original topic, I'd like to leverage dansguardian (& other complementary gw functionality).   ;-)

thanks again,
joseph
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on August 24, 2009, 04:52:02 pm
Sorry guys for the delay in replying.  Please find the shorewall.conf file details below.

-->
##############################################################################
#  /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
#  match your setup
#
#  This program is under GPL
#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
#  This file should be placed in /etc/shorewall
#
#  (c) 1999,2000,2001,2002,2003,2004,2005,
#      2006,2007 - Tom Eastep (teastep@shorewall.net)
#
#  For information about the settings in this file, type "man shorewall.conf"
#
#  Additional information is available at
#  http://www.shorewall.net/Documentation.htm#Conf
###############################################################################
#             S T A R T U P   E N A B L E D
###############################################################################

STARTUP_ENABLED=Yes

###############################################################################
#                    V E R B O S I T Y
###############################################################################

VERBOSITY=1

###############################################################################
#                              C O M P I L E R
#      (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################

SHOREWALL_COMPILER=

###############################################################################
#                L O G G I N G
###############################################################################

LOGFILE=/var/log/messages

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGRATE=

LOGBURST=

LOGALLNEW=

BLACKLIST_LOGLEVEL=

MACLIST_LOG_LEVEL=info

TCP_FLAGS_LOG_LEVEL=info

RFC1918_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

LOG_MARTIANS=No

###############################################################################
#   L O C A T I O N     O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################

IPTABLES=

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=""

MODULESDIR=

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

RESTOREFILE=

IPSECFILE=zones

LOCKFILE=

###############################################################################
#      D E F A U L T   A C T I O N S / M A C R O S
###############################################################################

DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"

###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################

RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

###############################################################################
#         F I R E W A L L     O P T I O N S
###############################################################################

##anupindi007 changed = On ##IP_FORWARDING=Keep
IP_FORWARDING=On

ADD_IP_ALIASES=Yes

ADD_SNAT_ALIASES=No

RETAIN_ALIASES=No

TC_ENABLED=Internal

TC_EXPERT=No

CLEAR_TC=Yes

MARK_IN_FORWARD_CHAIN=No

CLAMPMSS=No

ROUTE_FILTER=Yes

DETECT_DNAT_IPADDRS=No

MUTEX_TIMEOUT=60

ADMINISABSENTMINDED=Yes

BLACKLISTNEWONLY=Yes

DELAYBLACKLISTLOAD=No

MODULE_SUFFIX=

DISABLE_IPV6=Yes

BRIDGING=No

DYNAMIC_ZONES=No

PKTTYPE=Yes

RFC1918_STRICT=No

MACLIST_TABLE=filter

MACLIST_TTL=

SAVE_IPSETS=No

MAPOLDACTIONS=No

FASTACCEPT=No

IMPLICIT_CONTINUE=Yes

HIGH_ROUTE_MARKS=No

USE_ACTIONS=Yes

OPTIMIZE=0

EXPORTPARAMS=Yes

EXPAND_POLICIES=Yes

KEEP_RT_TABLES=No

DELETE_THEN_ADD=Yes

MULTICAST=No

DONT_LOAD=

###############################################################################
#         P A C K E T   D I S P O S I T I O N
###############################################################################

BLACKLIST_DISPOSITION=DROP

MACLIST_DISPOSITION=REJECT

TCP_FLAGS_DISPOSITION=DROP

#LAST LINE -- DO NOT REMOVE
<--

/etc/shorewall/interfaces file looks like:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net eth0 detect dhcp,tcpflags
loc eth1 detect dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/rules file looks like:
#SECTION RELATED
SECTION NEW
ACCEPT net fw tcp 88
ACCEPT loc net tcp 80
REDIRECT loc 8081 tcp www
ACCEPT net fw tcp 22
ACCEPT loc fw tcp 22
ACCEPT net fw icmp
ACCEPT loc loc icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE


/etc/shorewall/masq file looks like:
#INTERFACE      SOURCE      ADDRESS      PROTO   PORT(S)   IPSEC   MARK
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE


/etc/shorewall/policy file looks like:
#SOURCE      DEST      POLICY      LOG      LIMIT:BURST
#                  LEVEL
loc all ACCEPT
net all DROP
fw all ACCEPT
all all REJECT
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/zones file looks like:
#ZONE   TYPE      OPTIONS      IN         OUT
#               OPTIONS         OPTIONS
fw   firewall
net ipv4
loc ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Please let me know if you require the dansguardian.conf and tinyproxy.conf files too.
Thanks,
anupindi007
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: wierdbeard65 on August 24, 2009, 05:26:12 pm
Thanks for posting this!

I have Dan's guardian set up (I've actually partnered it with Squid and a virus sweeper called HavP) but seeing your config files wouldn't hurt if anyone is having trouble getting all this to play nicely.

Has the shorewall installation affected the MCE install at all? (I.e. as far as you know, has anything been broken?)

Assuming I can duplicate your success, I'll put it on the Wiki (unless someone else gets there first! ;) )
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on August 24, 2009, 07:03:51 pm
Hi,
I haven't tested with Squid, but I have configured shorewall and shorewall is working well with MCE without any problems.   But yesterday I had issues with RAID (broken); I don't think shorewall has anything to do with RAID (mdadm - I have already posted details too).  I will post the rest, the dansguardian.conf and tinyproxy.conf files, too, and I would appreciate it if you test from your end before posting in the wiki.


Please go through the draft Dansguardian installation steps at the wiki:
http://en.wikipedia.org/wiki/User:Anupindi007

Thanks,
Srinivas
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: colinjones on August 24, 2009, 10:56:43 pm
anupindi - please, for small snippets use a [ code ] block, for large ones use pastebin.com
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: wierdbeard65 on August 25, 2009, 10:44:29 am
Thanks, anupindi! I'll test as soon as I get the chance - probably next week sometime.

Good point, Colin - makes life much easier  ;)
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on August 26, 2009, 02:03:34 am
At your request I have modified the post and put the contents on the following wiki; your suggestions are welcome:

Please go through the draft Dansguardian installation steps at the wiki:
http://en.wikipedia.org/wiki/User:Anupindi007
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: dlewis on August 26, 2009, 02:06:00 am
I would suggest putting this under its own wiki page and not under your user page.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on August 26, 2009, 06:39:19 am
Sure, I did it just as a draft; once it is finalized we will post it in the respective location and I will remove it from my wiki.  Is that ok?
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on August 29, 2009, 05:13:47 am
anupindi007,

Thanks again for detailing your steps.  I'm making my way through your recipe and noticed one disconnect.

In this thread you say that:
Quote
/etc/shorewall/interfaces file looks like:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net eth0 detect dhcp,tcpflags
loc eth1 detect dhcp

but in your wiki at http://en.wikipedia.org/wiki/User:Anupindi007 you say:
Quote
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
#Note assuming "eth0"- is internal ip & "eth1"- is external ip
net eth1 detect dhcp,tcpflags
loc eth0 detect dhcp


I believe that your notes in this thread are correct since in a standard lmce install, eth0 is the external.

So that's how I'm trying it and just wanted to document this as I was going.

thanks,
joseph
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on August 29, 2009, 05:31:47 am
quick update,

The same reversal issue is in masq.   Earlier in this thread you posted

Quote
/etc/shorewall/masq files looks like:
#INTERFACE      SOURCE      ADDRESS      PROTO   PORT(S)   IPSEC   MARK
eth0 eth1

but your wiki has
Quote
eth1 eth0
which I believe is incorrect and will cause issues for anyone trying to follow that recipe.

joseph
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on August 29, 2009, 07:07:36 am
Thank you again,

I got it running!  And offer a few more nits on cleaning up the documentation:

  The last line on /etc/shorewall/zones needs the comment (#)
  I don't think you need to make any changes to /etc/dhcp3/dhcpd.conf or /etc/network/interfaces


Also, there is a nice dg log viewer
simply
dcerouter_1001275:~# apt-get install dglog

then http://dcerouter/cgi-bin/dglog.pl

and you'll have a nice customizable web log viewer.

And maybe we can get it into the web admin.

joseph
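An added consistency check (my code, not the project's or Shorewall's) for the four Shorewall files from this thread: it catches the interfaces/masq reversal between the thread and the wiki draft, and the uncommented LAST LINE marker in zones, both noted in the posts above. It assumes eth0 is the external interface and 8081 the filter port; the sample files are constructed from the postings above.

```python
"""Cross-check the Shorewall files from this thread for the mistakes found above.

Shorewall tables are whitespace-separated columns with '#' comments. The
checks: the net zone and the masq INTERFACE column sit on the external
interface, the masq SOURCE column is the LAN side, a REDIRECT for LAN HTTP
to the filter port exists, every zone used is declared, and no LAST LINE
marker has lost its leading '#'.
"""

# Constructed samples. THREAD mirrors the files posted in this thread
# (eth0 = external/net, eth1 = internal/loc). WIKI mirrors the swapped
# draft that schaferj questioned, with a zones marker missing its '#'.
THREAD = {
    "interfaces": "#ZONE INTERFACE BROADCAST OPTIONS\n"
                  "net eth0 detect dhcp,tcpflags\n"
                  "loc eth1 detect dhcp\n"
                  "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE\n",
    "masq": "#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK\n"
            "eth0 eth1\n"
            "#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE\n",
    "rules": "SECTION NEW\n"
             "ACCEPT loc net tcp 80\n"
             "REDIRECT loc 8081 tcp www\n"
             "ACCEPT net fw tcp 22\n"
             "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE\n",
    "zones": "fw firewall\nnet ipv4\nloc ipv4\n"
             "#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n",
}
WIKI = dict(THREAD,
            interfaces="net eth1 detect dhcp,tcpflags\nloc eth0 detect dhcp\n",
            masq="eth1 eth0\n",
            zones="fw firewall\nnet ipv4\nloc ipv4\n"
                  "LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n")


def parse_table(text):
    """Return (rows, stray): rows are field lists; stray are marker lines
    that are not commented out and would be parsed as entries by Shorewall."""
    rows, stray = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "LAST LINE" in line:
            stray.append(line)
            continue
        rows.append(line.split())
    return rows, stray


def check_shorewall(files, external_iface="eth0", proxy_port=8081):
    """Return a list of findings; an empty list means the four files agree."""
    findings, parsed = [], {}
    for name in ("interfaces", "masq", "rules", "zones"):
        parsed[name], stray = parse_table(files[name])
        findings += [f"{name}: marker line is not commented out: {s!r}" for s in stray]

    # interfaces: ZONE INTERFACE ...  -> zone must be declared and net must be external
    zone_iface = {r[0]: r[1] for r in parsed["interfaces"] if len(r) >= 2}
    declared = {r[0] for r in parsed["zones"] if r}
    for zone in zone_iface:
        if zone not in declared:
            findings.append(f"interfaces: zone {zone!r} is not declared in zones")
    if zone_iface.get("net") != external_iface:
        findings.append(f"interfaces: net zone is on {zone_iface.get('net')}, "
                        f"expected the external interface {external_iface}")

    # masq: INTERFACE SOURCE -> masquerade out of the external interface, from the LAN side
    for r in parsed["masq"]:
        if len(r) >= 2 and (r[0] != external_iface or r[1] == external_iface):
            findings.append(f"masq: '{r[0]} {r[1]}' masquerades out of {r[0]}; expected "
                            f"'{external_iface} <lan interface>' (columns look reversed)")

    # rules: the transparent redirect of LAN HTTP to the filter must be present
    has_redirect = any(len(r) >= 5 and r[0] == "REDIRECT" and r[1] == "loc"
                       and r[2] == str(proxy_port) and r[3] == "tcp" and r[4] in ("www", "80")
                       for r in parsed["rules"])
    if not has_redirect:
        findings.append(f"rules: no 'REDIRECT loc {proxy_port} tcp www' entry; "
                        "LAN HTTP is not sent to the filter")
    return findings


if __name__ == "__main__":
    for label, files in (("thread", THREAD), ("wiki", WIKI)):
        print(f"{label}: {check_shorewall(files) or ['OK']}")
```

To run it against a real core, read /etc/shorewall/{interfaces,masq,rules,zones} into the dict in place of the constructed samples.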


Title: Re: Dansguardian port forwarding 80 to 8081
Post by: colinjones on August 29, 2009, 03:50:27 pm
Joseph

Rather than potentially letting inaccurate documentation languish on the wiki, can you please make all the appropriate changes? It doesn't matter if you are mistaken in some way as any wiki change can very easily be reverted with a single click. So while we are waiting for anupindi to get back to us, we should get the doco corrected ... too often a piece of doco is left inaccurate because of this situation and stays that way because the OP never comes back to us....

Col
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on August 29, 2009, 06:02:19 pm
Colin,

I'm happy to help.  The OP's wiki is in his userspace on wikipedia and he stated he was going to move it from that draft location when finalized.  I was offering my observations as a proofread of his draft and letting him update the actual linuxmce wiki with the improvements as he described.  And so I suspect he'll get to it shortly; if not, I will.

thanks,
joseph
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on August 30, 2009, 12:20:08 am
Team,

I'm continuing to work on it and will document things here while we're working out the kinks.


Srinivas' wiki, http://en.wikipedia.org/wiki/User:Anupindi007
also notes under Troubleshooting that - Still not working restart the system once.

I can confirm that dg's content filtering does not work after a reboot.

All of the services are in /etc/init.d
These are:  apache2, dnsmasq, tinyproxy, shorewall, dansguardian, and dhcpd

And #ps -ef | grep <service> showed results for all of them except dnsmasq and shorewall

So, I executed  /etc/init.d/dnsmasq restart and /etc/init.d/shorewall restart

And the filtering is working (playboy.com is blocked).

ps -ef still shows no results for dnsmasq and shorewall and I suspect that perhaps all I needed to do was restart shorewall.  Not sure why it didn't do so upon init.

Thoughts welcome.
joseph
 
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on August 31, 2009, 04:44:17 am
hi,
Give me a day's time; I will update it with proper comments. I was stuck with some other system while configuring the same thing.

You can also modify my temp wiki as per the needs so that(I will just cut & paste) once I post it on the linuxMCE site I will remove the my wiki post.

My issue was as follows, and I am not able to figure out the cause and resolution of the issue; because of this tinyproxy is not listening and forwarding.
tinyproxy is starting but /etc/log/tinyproxy.log says
"Accepting connections. CONNECT
 read request_request_line:Client (file description:7) closed socket before read."

Thanks :)
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on September 01, 2009, 04:07:21 am
I have moved the document to http://wiki.linuxmce.org/index.php/Installing_Dansguardian_on_LinuxMCE location and is it in the right location?  I request you all to check line by line and modify as per the standards so that we can finalize the same.

Joseph: the dg log view link is not pointing to the right page; could you update the details in the wiki.

Thanks
Srinivasu anupindi
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: dlewis on September 01, 2009, 04:15:00 am
There are two wiki links for Dansguardian:

http://wiki.linuxmce.org/index.php/Installing_Dansguardian
http://wiki.linuxmce.org/index.php/Installing_Dansguardian_on_LinuxMCE

Please combine them to one link. Thank you!

Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on September 01, 2009, 05:41:29 am
Yes,
Many of the initial steps are the same and were taken from old wiki.

Srinivasu anupindi's innovation was to use the firewall so that configuration changes did not have to be made at each client.  So we should be able to cross-level the two wikis and prune easily.

Another (future) improvement may be to use squid instead of tinyproxy so that you get caching as well.

thanks,
joseph
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on September 01, 2009, 06:01:17 am
Installing webmin and dansguardian webmin module.

Also, I have successful results to report from installing webmin and the dansguardian module to webmin.
webmin has many tools that allow easy (web) viewing and manipulation of many services - for instance it has an easy web-based log viewer.  [This could be dangerous if you tinker with settings you do not understand!]

The dansguardian module also allows customization of many of the dg settings.

I'll describe the install in two steps.  One - install webmin, and two - install & configure dg module for webmin.

ONE - install webmin on lmce:
older version reference: http://www.ubuntugeek.com/ubuntu-serverinstall-gui-and-webmin-in-ubuntu-810-intrepid-ibex-guide.html

Preparing your system.  First you need to install the additional packages as follows:

sudo aptitude install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl

Now download the latest webmin using the following command or from here

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.480_all.deb

Now we have the webmin_1.480_all.deb package; install this package using the following command

sudo dpkg -i webmin_1.480_all.deb

This will complete the installation.

Ubuntu in particular doesn’t allow logins by the root user by default. However, the user created at system installation time can use sudo to switch to root. Webmin will allow any user who has this sudo capability to login with full root privileges.

Now you need to open your web browser and enter the following

https://192.168.80.1:10000/
 and this will show many webmin capabilities - but not the dg third party module.


TWO - Install and configure the Dansguardian Webmin module
references:   http://www.howtoforge.com/dansguardian-with-multi-group-filtering-and-squid-with-ntlm-auth-on-debian-etch-p2
     http://sourceforge.net/projects/dgwebminmodule/files/dgwebmin-devel/0.7.0beta1b/


Install the Dansguardian Webmin module
Open a web browser to https://192.168.80.1:10000 and log in with madmin (sudoer). Go to Webmin > Webmin Configuration > Webmin Modules. Select "From ftp or http URL" and paste the link below into the dialog box and click Install Module.

http://downloads.sourceforge.net/project/dgwebminmodule/dgwebmin-devel/0.7.0beta1b/dgwebmin-0.7.0beta1b.wbm?use_mirror=voxel

You should see:
The following modules have been successfully installed and added to your access control list :
DansGuardian Web Content Filter in /usr/share/webmin/dansguardian (4612 kB) under category Servers


The first time you try to run the dg module, you'll get errors such as:
Warning - DansGuardian binary file not found, maybe you need to update your module config (especially the directory paths).  (Expected location: /sbin/dansguardian)

The problem is that we are using different directory locations for many of the files.

So, look at the Configurable options for DansGuardian Web Content Filter (in the upper left corner of the dg page) - and nearly every path needs to be changed.  For instance, our binary is in /usr/sbin/dansguardian instead of /sbin/dansguardian, so change that.

Confirm the locations for the rest of the files by running #find as follows (or just use these locations)
dcerouter_1001275:/usr/local/sbin# find / -name dansguardian
/usr/share/webmin/dansguardian
/usr/share/lintian/overrides/dansguardian
/usr/share/doc/dansguardian
/usr/share/dansguardian
/usr/sbin/dansguardian
/var/log/dansguardian
/etc/webmin/dansguardian
/etc/init.d/dansguardian
/etc/logrotate.d/dansguardian
/etc/dansguardian
dcerouter_1001275:/usr/local/sbin#

When you've finished replacing all of the locations, hit save on the config page and then "stop & restart DG" on the top right of the main DG page.

Then it should work!  If not, check your syslog for errors.
You should be able to check the status of DG, review logs with a good viewer, and view and edit many of the detailed configurations.

(we can add this to the wiki as well)
thoughts welcome,

joseph
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: wierdbeard65 on September 01, 2009, 10:42:51 am
Another (future) improvement may be to use squid instead of tinyproxy so that you get caching as well.
I have had some success with this. I am re-building my core at the moment and then intend to follow this wiki entry. I also use HAVP and ClamAV in the "chain" to virus scan the pages coming down. That has saved my clients from a few nasties too over the years!

Once I have the full thing working, I'll update the Wiki ;D (Probably end of the week at the earliest.)
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: anupindi007 on September 13, 2009, 09:00:32 pm
Joseph, I have updated the following link for webmin & dg webmin module and please verify the same.

http://wiki.linuxmce.org/index.php/Installing_Dansguardian_on_LinuxMCE

Thanks,
Srinivasu Anupindi
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on September 18, 2009, 04:54:47 am
Srinivasu,

Looks very good.  Thank you.

Also, I confirmed that dg filtering does not work on reboot.  All of the services start except for shorewall.   So once you start shorewall it works.  (also shorewall - shoreline firewall is not a daemon, so ps -ef |grep won't help.)

What I did was use webmin
under Networking / Shoreline Firewall you can just hit the start shorewall button and it will begin (if you prefer not to work with the cli).  Then you can confirm that it is working.

To make it persistent, you can also use webmin.
Go to the System / Bootup and Shutdown menu and check shorewall and click the 'start at boot' button.

All done!

joseph
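Joseph's reboot findings above (services up, no filtering until shorewall is started by hand) and his earlier `ps -ef` round came down to one point: shorewall is not a daemon, so `ps` can never tell you whether it ran, and a port-forward/REDIRECT rule lives in the nat table, which plain `iptables -L` never shows. The script below is an added example, not code from the thread or the LinuxMCE wiki. It checks the three things that actually decide whether transparent filtering is up: the REDIRECT rule in the nat table, the listeners, and the `startup=` setting in /etc/default/shorewall, which Debian and Ubuntu ship as `startup=0` so that `/etc/init.d/shorewall` exits without loading the firewall (that is the non-daemon "start at boot" knob the webmin checkbox flips). Assumptions: DansGuardian on 8081 as in the thread; tinyproxy on 8080 is assumed, so use whatever `proxyport` your dansguardian.conf names. The sample `iptables -S` / `netstat` / defaults texts embedded in it are constructed, so the parsing functions can be tried offline.

```shell
#!/bin/sh
# Added example (not from the posts or the wiki): is transparent filtering
# actually up, and will it come back after a reboot?
# Assumed ports: DansGuardian 8081 (from the thread), tinyproxy 8080 (assumed).
DG_PORT=8081
PROXY_PORT=8080

# has_redirect RULES
# RULES is the output of `iptables -t nat -S`. shorewall puts the REDIRECT
# into a chain of its own, so only the rule body is matched, not the chain.
has_redirect() {
    printf '%s\n' "$1" |
        grep -q -e "-p tcp .*--dport 80 .*-j REDIRECT --to-ports $DG_PORT\$"
}

# has_listener NETSTAT PORT
# NETSTAT is the output of `netstat -ltn`; true if a TCP socket listens on PORT.
has_listener() {
    printf '%s\n' "$1" | grep -q -e "^tcp .*:$2[[:space:]].*LISTEN"
}

# shorewall_startup_enabled DEFAULTS
# DEFAULTS is the text of /etc/default/shorewall. The packaged default is
# startup=0, which makes the init script do nothing at boot.
shorewall_startup_enabled() {
    printf '%s\n' "$1" | grep -q -e '^startup=1'
}

# Live run on the core: `sh check-dg.sh --live`
live_check() {
    nat=$(iptables -t nat -S 2>/dev/null)
    lst=$(netstat -ltn 2>/dev/null)
    def=$(cat /etc/default/shorewall 2>/dev/null)
    rc=0
    if has_redirect "$nat"; then
        echo "ok: tcp/80 -> $DG_PORT REDIRECT present in the nat table"
    else
        echo "MISSING: REDIRECT rule; try: shorewall check && shorewall restart"; rc=1
    fi
    for p in $DG_PORT $PROXY_PORT; do
        if has_listener "$lst" "$p"; then
            echo "ok: something listens on tcp/$p"
        else
            echo "MISSING: no listener on tcp/$p"; rc=1
        fi
    done
    if shorewall_startup_enabled "$def"; then
        echo "ok: shorewall will start at boot (startup=1)"
    else
        echo "WARN: /etc/default/shorewall has startup=0; set startup=1 or filtering stops after reboot"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real core) for offline checks.
SAMPLE_NAT_OK='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N loc_dnat
-A PREROUTING -i eth1 -j loc_dnat
-A loc_dnat ! -d 192.168.80.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_NAT_NO_REDIRECT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'
SAMPLE_DEFAULTS_OFF='# prevent startup with default configuration
startup=0'
SAMPLE_DEFAULTS_ON='startup=1'

case "${1:-}" in
    --live) live_check ;;
esac
```

Setting `startup=1` is the CLI equivalent of the webmin "start at boot" click; the init links are already in place from the package, so nothing else is needed for it to persist.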

Title: Re: Dansguardian port forwarding 80 to 8081
Post by: schaferj on February 15, 2010, 07:20:19 pm
Paul,
Did you get dansguardian working with squid? 
thanks,
joseph
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: pw44 on February 17, 2010, 03:08:09 pm
Just my opinion: i have two kids (17 and 14) and discovered that they always find a way to bypass the protections.
So i spoke with them and made an agreement: everything is free but with responsibility. They are allowed to surf, but with limits, and the limits were negotiated. If not respected, complete computer access off. I do log what is being visited, so i know what is being visited.
Nowadays, kids have friends, some with boundaries, others without, so they have all sorts of information. Having them grow up with responsibilities and boundaries, i think, is a matter of negotiating, and not blocking..... it was easier for our parents.
The best and the worst can be found on TV, corners, schools and internet.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: wierdbeard65 on February 18, 2010, 01:16:41 am
schaferj,

Not yet. Ran into some difficulties and simply getting my core to do what it is supposed to is my main priority. I will post back here if / when I have something to report.

pw44,

This has been discussed at length, both here and elsewhere. You are, of course, correct; however simply briefing / threatening your children is not, IMHO, sufficient to absolve you of parental responsibility. For example, one of my hobbies is woodwork. I have a lot of potentially dangerous tools. All of my children know this and know that they are not to touch / use them. I still, however, keep the sharpest high up, out of the reach of my younger children, and keep my workshop locked with the key unavailable to them. Most households have dangerous chemicals and pharmaceuticals around. Kids should be, and are, warned of the dangers, yet we still keep them out of reach in "child proof" containers. I could go on! Yes, it is up to each of us to parent in the way we see fit. That means I respect your right to take your approach, but you must also respect others' rights to take a different one. This thread was started on a technical level and it keeps being dragged into a debate on morals. That is irrelevant. For a whole host of reasons, people want to be able to transparently proxy through, amongst other things, web filtering software. They (we) should be able to do that and have support in doing so.

Just my 10 Eurocents.
Title: Re: Dansguardian port forwarding 80 to 8081
Post by: pw44 on February 18, 2010, 01:52:48 am
Paul, i was not trying to disrespect your point of view. I just told that best and wrong can be found anywhere and IMHO, the best way is to clarify the kids and make them part of an agreement, with commitment.  Will not approach this subject again.
Best wishes.