Topic: Adding stuff - howto change IPTABLES?

wierdbeard65

Adding stuff - howto change IPTABLES?
« on: August 11, 2009, 11:55:55 pm »
Hi,

First up, as always, apologies if it's in the wrong place. Also, apologies if the info is already there, but I can't find it!

Ok, I'm starting my install but an emergency on the home network has necessitated a slight detour  :o

We have found that the kids have been trying to access various sites we would rather they didn't, we have also had a couple of web-based virus attacks at home. What I want to do is to install Squid, Dan's Guardian, HavP and ClamAV on my core. BUT:-

1) I find that some of these require additional users etc. and I don't want to break anything by adding them.
2) I need to change the MOUNT settings for the partition with /var on it. Can I do this via fstab or will this mess up the automounter?
3) I want to set it all up to work in transparent mode, if possible. Anyone done this? Can you offer advice?

(I saw the wiki on Dan's Guardian and Squid, but nothing on transparent or making them work together. Virus filtering isn't there either!)

As always, thanks in advance! :D
« Last Edit: August 12, 2009, 11:03:38 am by wierdbeard65 »
Paul
If you have the time to help, please see where I have got to at: http://wiki.linuxmce.org/index.php/User:Wierdbeard65

wierdbeard65

Re: Adding stuff - howto change IPTABLES?
« Reply #1 on: August 12, 2009, 10:35:24 am »
Ok,

I have Squid, HavP, ClamAV and Dan's Guardian set up and working. As long as the client browser has the proxy settings, the request goes to Dan's Guardian, which in turn passes it to HavP which passes it to Squid. The response is cached by Squid and passed to HavP, which uses ClamAV to scan for viruses. If all is ok, the response is passed to Dan's Guardian which checks for "appropriateness" of the content before passing it back to the client. If either of the checks fail, an error screen is passed back to the client.

So far so good.

BUT, I want it to transparently proxy. Googling this suggests I need to modify IPTABLES to do this. Where are the IPTABLES rules stored in MCE? Can I access them? Is there a way of setting up the built-in firewall to do this? (The latter is my preferred solution, but the method shown on the Dan's Guardian part of the Wiki says it doesn't work with 7.10. It doesn't seem to work with 8.10 either :( )

What I need to do (if you are not sure what transparent proxying is) is to set the system up so any outbound TCP packet with a destination port of 80 is re-routed to the core (local machine) on port 8082. Packets directed to the server itself should (must!) not be affected.

Once I have this all working, I'll add my experiences to the Wiki :)
Paul
If you have the time to help, please see where I have got to at: http://wiki.linuxmce.org/index.php/User:Wierdbeard65

gadget

Re: Adding stuff - howto change IPTABLES?
« Reply #2 on: August 12, 2009, 01:56:07 pm »
Hi Wierdbeard,

In the admin site under Advanced -> Network is the Firewall rules page. These rules will generate IPTABLES rules.

gadget

merkur2k

Re: Adding stuff - howto change IPTABLES?
« Reply #3 on: August 12, 2009, 04:47:34 pm »
I do not think the firewall page in the web admin has the right options for adding the rule you need. Maybe it's time to work on adding support for custom rules...

wierdbeard65

Re: Adding stuff - howto change IPTABLES?
« Reply #4 on: August 12, 2009, 06:29:28 pm »
Thanks, guys!

Gadget, I followed the instructions on the Wiki for using that page, but it doesn't work :( I'm not sure, but it may require a kernel re-compile with some options (at least, some of the how-to's I've seen imply that!). Certainly the page itself says it doesn't work with 710+

Merkur2k, that would explain why it doesn't work. It seems to me that what I'm trying to do is likely to become fairly standard in a lot of family homes as more parents want to allow their kids to "safely" surf the 'net. Some may want to lose the HavP/ClamAV support, but the Dan's Guardian / Squid part is very nice. Transparent proxying is much better (IMHO) for a number of reasons. Firstly, it is much harder for the little so-and-sos to bypass. Secondly, it requires much less setting up on the client machines (this is compounded by the range of clients, XP, iPod, Wii, PSP etc). Finally, and possibly most importantly, we have a couple of laptops etc. which get used here and elsewhere - I don't want to have to keep turning the proxy on and off, it's a real pain configuring a PSP! Therefore, your suggestion of custom rules is a good one. Would it be hard to implement?
Paul
If you have the time to help, please see where I have got to at: http://wiki.linuxmce.org/index.php/User:Wierdbeard65

merkur2k

Re: Adding stuff - howto change IPTABLES?
« Reply #5 on: August 12, 2009, 08:49:55 pm »
just to put fuel on the fire, technology should not be used as a replacement for parenting ;)
i haven't even taken a look to see what would be involved with adding support for custom rules yet.
you could certainly put it in a shell script and run it after every boot for now though.
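An added example (not from the thread or from LinuxMCE) of the boot-time shell script merkur2k suggests, implementing the requirement from Reply #1: LAN-originated TCP port 80 traffic is redirected to the core's port 8082, while traffic addressed to the core itself is left alone. The interface name `eth1` and core address `192.168.80.1` are placeholders; the rules are printed first so they can be reviewed before being applied.

```shell
#!/bin/sh
# Transparent-proxy rules for Dan's Guardian on the core (added example).
# LAN_IF and CORE_IP are assumed placeholder values; PROXY_PORT is the
# Dan's Guardian port named in the thread. Override via the environment.
LAN_IF="${LAN_IF:-eth1}"
CORE_IP="${CORE_IP:-192.168.80.1}"
PROXY_PORT="${PROXY_PORT:-8082}"

# Print the iptables commands instead of running them, so the rule set can be
# inspected (and tested) without root.
transparent_proxy_rules() {
    lan_if="$1"; core_ip="$2"; proxy_port="$3"
    # 1) Requests aimed at the core itself (web admin, etc.) must not be
    #    redirected: RETURN leaves the PREROUTING chain before the redirect.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -d $core_ip -j RETURN"
    # 2) Every other HTTP request arriving from the LAN goes to the proxy port.
    #    Only packets entering on the LAN interface hit PREROUTING; the core's
    #    own outbound fetches (Squid to the internet) use OUTPUT, so no loop.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port"
    # 3) Let the redirected connections reach the listening proxy.
    echo "iptables -A INPUT -i $lan_if -p tcp --dport $proxy_port -j ACCEPT"
}

# Apply the generated rules (needs root); each command is echoed before it runs.
apply_transparent_proxy() {
    transparent_proxy_rules "$LAN_IF" "$CORE_IP" "$PROXY_PORT" | while IFS= read -r rule; do
        echo "+ $rule"
        eval "$rule"
    done
}

# Only apply when explicitly requested, e.g. from your boot hook:
#   APPLY=1 sh transparent_proxy.sh
if [ "${APPLY:-0}" = "1" ]; then
    apply_transparent_proxy
else
    transparent_proxy_rules "$LAN_IF" "$CORE_IP" "$PROXY_PORT"
fi
```

Run it without `APPLY=1` to see the three rules it would add; rules added this way are not persistent, which is why it has to be re-run after every boot.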

wierdbeard65

Re: Adding stuff - howto change IPTABLES?
« Reply #6 on: August 12, 2009, 11:28:15 pm »
Oh, I agree. But after the 10th "disinfection" this month from spyware etc, it starts to get a bit tedious (I used HavP before and had none of this!)

IMHO, it's about a multi-pronged attack.

1) Teach them to use the 'net responsibly
2) Observe what they do and react accordingly.
3) If you miss something (because you have 5 to look after!) and they try it on, stop them anyway ;)

Besides, it's too easy for various devices to access the 'net now and too hard to police properly without some technological help. How do you tell a 15 year old he can't use his PSP to access it when all his friends do? What happens when you find out he's been downloading videos that you are not happy with and then sharing them with his younger siblings? The horse has well and truly bolted then!

I'm not trying to hand over responsibility to the core - just use it to help me do my job as a parent :D
Paul
If you have the time to help, please see where I have got to at: http://wiki.linuxmce.org/index.php/User:Wierdbeard65