Author Topic: Dansguardian port forwarding 80 to 8081  (Read 36981 times)

anupindi007

Dansguardian port forwarding 80 to 8081
« on: August 15, 2009, 04:56:17 pm »
Hi,
I am trying to avoid setting a proxy server on every machine on my network. I am hoping that directing the 80 traffic through DG (8081) on mce server will help me do this. MCE server is the DHCP server for all my nodes on the network and sits between the DSL router and my internal network.

I installed Dansguardian (http://wiki.linuxmce.org/index.php/Installing_Dansguardian) and configured Firewall to forward port 80 to port 8081 on server (192.168.80.1).

I thought this should work without setting proxy at the browser. However, the content filtering is happening only when I set the proxy to 192.168.80.1:8081 at the browser.

Already set: LinuxMCE Admin Website Advanced > Network > Firewall Rules and added a new rule tcp 80 to 0 8081 192.168.80.1 port_forward.

"# iptables -L" shows the following (do not see the 80 to 8081 fwding I set through mce admin):

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            MARK match 0x1
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     all  --  192.168.80.0/24      anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:iax
ACCEPT     udp  --  anywhere             anywhere            udp dpt:sip
ACCEPT     udp  --  anywhere             anywhere            udp dpt:2000

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


What am I missing?  

Thanks
Srinivas

merkur2k

Re: Dansguardian port forwarding 80 to 8081
« Reply #1 on: August 15, 2009, 10:32:21 pm »
the firewall page in the web admin is not flexible enough to add the rule you need, unfortunately. it is just set up for adding external to internal port forwards.

anupindi007

Re: Dansguardian port forwarding 80 to 8081
« Reply #2 on: August 16, 2009, 05:43:47 am »
Thanks for your mesg merkur2k, and is there any way to fix (forward port 80 to 8081)?

merkur2k

Re: Dansguardian port forwarding 80 to 8081
« Reply #3 on: August 16, 2009, 08:39:32 am »
not currently, no. I am doing some research on how best to add support for this to lmce, but it will probably be awhile.

colinjones

Re: Dansguardian port forwarding 80 to 8081
« Reply #4 on: August 16, 2009, 11:51:00 pm »
you would need to add an outbound NAT/PAT to translate any outbound traffic on port 80 to port 8081 on a fixed local IP address. The firewall rules page is only for creating inbound rules, so you cannot create the rule you need, as merkur2k says. You will likely also have other issues doing this as well, unless Dansguardian supports a full "transparent" proxy mode (which is different from a normal explicit proxy).

I think you will find it much easier just to set the proxy on your machines! Are you aware that if they are all Windows machines, it is very easy to create a Local Group Policy Object once on each machine, that will automatically set/reset/fix the proxy settings for every user that logs on? So even if a new user comes along and logs on to one of those machines for the first time, they will automatically get the correct proxy (and any other settings you want as well)

anupindi007

Re: Dansguardian port forwarding 80 to 8081
« Reply #5 on: August 18, 2009, 01:15:37 am »
Thanks colinjones for your mesg. I apologise for the delay in reply; in fact I was away from the system, hence I couldn't verify. I will get back to you soon on the same.

anupindi007

Re: Dansguardian port forwarding 80 to 8081
« Reply #6 on: August 18, 2009, 02:07:57 am »
Before updating iptables with the following commands, I would like to cross check with you whether I have understood this right or not:
-->
#iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --dport 8081 -j ACCEPT
#iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8081
#iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp --dport 8081 -j ACCEPT
#iptables -t nat -A OUTPUT -p tcp  --dport 80 -j REDIRECT --to-ports 8081
<--


system shows: #iptables-save > /root/working.iptables.rules
--->
# Generated by iptables-save v1.4.0 on Mon Aug 17 08:26:13 2009
*mangle
:PREROUTING ACCEPT [89978:48077510]
:INPUT ACCEPT [89883:48048067]
:FORWARD ACCEPT [93:27669]
:OUTPUT ACCEPT [66181:5988383]
:POSTROUTING ACCEPT [66459:6048043]
-A PREROUTING -j TTL --ttl-set 255
COMMIT
# Completed on Mon Aug 17 08:26:13 2009
# Generated by iptables-save v1.4.0 on Mon Aug 17 08:26:13 2009
*nat
:PREROUTING ACCEPT [28:3703]
:POSTROUTING ACCEPT [4592:343381]
:OUTPUT ACCEPT [4592:343381]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.80.1:8081
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3877 -j DNAT --to-destination 192.168.80.1:3877
-A POSTROUTING -s 192.168.80.0/24 -d ! 192.168.80.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Aug 17 08:26:13 2009
# Generated by iptables-save v1.4.0 on Mon Aug 17 08:26:13 2009
*filter
:INPUT DROP [86:11364]
:FORWARD ACCEPT [93:27669]
:OUTPUT ACCEPT [66181:5988383]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -s 192.168.80.0/24 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 2000 -j ACCEPT
-A FORWARD -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
<---
Thanks in advance.
« Last Edit: August 18, 2009, 05:57:16 am by anupindi007 »
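
An added example, not part of the original posts: a shell function that reads `iptables-save` output and reports which interface a port-80 intercept rule in the nat table is bound to. It assumes the interface named by `-o` in a MASQUERADE or SNAT rule is the WAN side; the names `sample_nat` and `audit_nat` and the output labels are made up for this example, and the sample input is the `*nat` section from the post above.

```shell
#!/bin/sh
# Constructed sample: the *nat section copied from the iptables-save dump above.
sample_nat() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [28:3703]
:POSTROUTING ACCEPT [4592:343381]
:OUTPUT ACCEPT [4592:343381]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.80.1:8081
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3877 -j DNAT --to-destination 192.168.80.1:3877
-A POSTROUTING -s 192.168.80.0/24 -d ! 192.168.80.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# audit_nat: read iptables-save text on stdin, print one finding per port-80 rule.
audit_nat() {
awk '
  # Return the token that follows flag f on the current rule, or "".
  function arg(f,   i) { for (i = 1; i < NF; i++) if ($i == f) return $(i+1); return "" }
  /^\*/ { table = $1 }                 # table header line, e.g. *nat
  table != "*nat" { next }             # only the nat table matters here
  # Assumption: the -o interface of a MASQUERADE/SNAT rule faces the WAN.
  $1 == "-A" && $2 == "POSTROUTING" && (arg("-j") == "MASQUERADE" || arg("-j") == "SNAT") {
      if (arg("-o") != "") wan[arg("-o")] = 1
  }
  # Collect every PREROUTING rule that matches destination port 80.
  $1 == "-A" && $2 == "PREROUTING" && arg("--dport") == "80" {
      n++; iface[n] = arg("-i"); target[n] = arg("-j")
  }
  END {
      if (n == 0) { print "NO_HTTP_INTERCEPT"; exit }
      for (k = 1; k <= n; k++) {
          if (iface[k] == "")       print "INTERCEPT_ANY_IFACE " target[k]
          else if (iface[k] in wan) print "INTERCEPT_ON_WAN " iface[k] " " target[k]
          else                      print "INTERCEPT_ON_LAN " iface[k] " " target[k]
      }
  }'
}

sample_nat | audit_nat   # prints: INTERCEPT_ON_WAN eth0 DNAT
```

`INTERCEPT_ON_WAN` means the rule only matches packets arriving on the interface that outbound traffic is masqueraded through, so browsing from LAN clients, which arrives on the other interface, never hits it. On a live gateway the same check is `iptables-save | audit_nat`, run as root.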

anupindi007

Re: Dansguardian port forwarding 80 to 8081
« Reply #7 on: August 21, 2009, 02:17:06 am »
I have figured out another way to resolve the issue, i.e. using shorewall (http://taksuyama.com/?page_id=23). Now Dansguardian is working for me.

:)

gadget

Re: Dansguardian port forwarding 80 to 8081
« Reply #8 on: August 21, 2009, 05:18:42 am »
Can you please post your shorewall config files as they should work for any LMCE system and I would like to implement it.

colinjones

Re: Dansguardian port forwarding 80 to 8081
« Reply #9 on: August 21, 2009, 10:12:58 am »
seriously guys! for the sake of setting a _single_ IP address _once_ on each PC (less than a 2 min task) and walking away and never thinking about it again.... you are building a "sledgehammer solution"!! More working parts, code and resources consumed on your core for absolutely no purpose whatsoever.

wierdbeard65

Re: Dansguardian port forwarding 80 to 8081
« Reply #10 on: August 21, 2009, 10:30:53 am »
> seriously guys! for the sake of setting a _single_ IP address _once_ on each PC (less than a 2 min task) and walking away and never thinking about it again.... you are building a "sledgehammer solution"!! More working parts, code and resources consumed on your core for absolutely no purpose whatsoever.

Colin, I respect your experience, but there are times when you most definitely want transparent proxy. My rig will be one of those times.

In my case, 2 reasons:-

1) I have portable devices which are used at home and elsewhere (work etc.) I don't want users (even me, because I'm lazy) to have to turn the proxy on and off according to location.
2) I have teenagers. They want to push the boundaries. They are becoming more computer literate by the day. I take parenting responsibly and want to protect them from the worst of the web (and protect it from them!). If it's a local setting, they will attempt to bypass it.

A solution to 1 is to allow the mobile machines to bypass the proxy, but without a lot of complicated filters etc, this negates 2. A solution to 2 is to block all direct web access to the outside world, but that makes 1 a problem.

In my case, the preferred solution is transparent proxying.

It isn't all about initial workload!
Paul
If you have the time to help, please see where I have got to at: http://wiki.linuxmce.org/index.php/User:Wierdbeard65

tschak909

Re: Dansguardian port forwarding 80 to 8081
« Reply #11 on: August 21, 2009, 11:01:02 am »
*bites-his-tongue*

oh screw it.

Personal opinion,

I think it's rather silly that you're trying to "protect" your kids in this manner.

Speaking as a former kid, albeit raised a child genius, if I wanted to do something, I did it, and found a way to do it.

So really, isn't this like Sisyphus, forever pushing the boulder up the hill?

-Thom

wierdbeard65

Re: Dansguardian port forwarding 80 to 8081
« Reply #12 on: August 21, 2009, 11:26:27 am »
Thom,

You are, of course, correct. But you are also wrong.

I also speak as a former kid with an apparent IQ of 147, which puts me above average....

I am not trying to shirk my responsibilities as a parent and get the technology to do it for me. Just get it to help me. There are several types of "protection" I am talking about here...

1) My eldest (15) has been caught (and appropriately dealt with) sharing inappropriate material with his younger siblings (in this case 12 and 10). They wouldn't go looking for it, but if "big bro" shows them....
2) I have found lists of (very worrying) websites in the kids' notes brought back from school (not, I hasten to add, from teachers, but other, older, kids).
3) I have visited perfectly innocent websites, or followed links from normal sites like the msn homepage and within a few clicks been confronted with hardcore porn, violence etc. I don't want the same for my kids. It isn't always about deliberate abuse!

My approach is many and varied..

a) Education. We talk to the kids about the 'net and how there are bad people out there. We discuss the dangers of revealing personal information and so on.
b) Supervision. We keep an eye on what they do. We cannot, however, watch them every second. If we have logs we can access, we do look at them, just to be certain. (The kids know this, it isn't a case of spying on them.)
c) Securing. This is where the whole proxy stuff comes in. Part of a larger home policy.

The simple fact is, we live in a world now where it is common to have multiple computers in the home. Kids at Primary school (=Elementary school) are using the 'net as part of their daily schoolwork. We can either embrace it and make it as safe for them as possible, or we can be Luddites, bury our heads and refuse access, or only allow it under very close supervision. I believe in taking controlled risks, but the key word here is controlled.

Kids today already suffer from a lack of the freedom we enjoyed. How many parents would be happy for their 9 year old to leave the house at 9:00am with no knowledge of where they were going and no way of contacting them or knowing when they would be back? The expectation being that around 8:00pm is fine? Yet that's exactly what happened when I was a kid, and it was normal! Already, we insist they take their mobiles, we insist we know exactly where they are, etc etc. This is quite right as we live in a dangerous society, but it's sad that we need to wrap them in cotton wool this way.

Yes, the 15-year old will try to work out how to get around it, he may succeed. But hopefully, not for a while and hopefully he will be caught before he shares the information with his younger siblings. Certainly, I don't expect my 4-year old to be happily playing on the cBBC website and then suddenly asking why that lady isn't wearing any clothes ;)

I'm not asking for anyone to agree with me. You may see me as a terrible parent for allowing my kids access to the 'net, or a terrible parent for trying to control it. Frankly, I don't care. The key thing is, however, please respect my right to parent as I see fit. And that means security on my network, using something like Dan's Guardian and transparent proxying!
Paul

colinjones

Re: Dansguardian port forwarding 80 to 8081
« Reply #13 on: August 21, 2009, 04:33:47 pm »
weirdbeard

I draw your attention to the topic of this thread, and specifically the reasoning that OP had for doing this. This is who I am responding to. Your comments came later, and are for a purpose other than the original discussion.

My comments, on this topic, still stand. Anybody could produce a set of circumstances that validate an approach, but if they do not relate to the topic at hand, then they are something of a red herring!

That being said, Thom has dealt with your point 2 - irrespective of local or remote, both are circumventable and securable. Point 1 is not really valid - proxies can easily be set as failover, and in the case of GPOs the LGPO is always applied first... for that very purpose. So if you set this in your LGPO, a corporate office GPO would override an LGPO... the point being that when a device is at home, it will automatically get your home settings, and when in an office environment these will be overridden by the corporate settings... transparent... so no issue there.

wierdbeard65

Re: Dansguardian port forwarding 80 to 8081
« Reply #14 on: August 21, 2009, 05:15:26 pm »
Colin,

I respect your comments and apologise for straying from the original topic.

The thread was already drifting from "How do I perform transparent proxying" to a lot of people (yourself in particular) saying you don't want to. I was responding in that vein. My last post was specifically in response to Thom's. He is known to have strong views on some things and is, more often than not, correct. In this case I don't believe he is.

You are correct, if GPOs are an option. At my work, they don't use them on the domain. Nor at my wife's. Even if they did, I also use my laptop from hotel rooms when I'm off the corporate 'net but don't want a proxy.

Whilst you may not agree with my justification, the overriding principle that transparent proxying is a valid requirement stands. I started monitoring (then becoming involved in) this thread as I'm hoping it will lead to a working solution for me and anyone else who similarly wants to do it. For others to drone on about it not being required is, at best, patronizing and rude. I see no reason for a lot of the features of MCE, particularly for me, but I don't criticize others for wanting them. I don't think it would be productive for me to continue justifying why I want to do this - I believe that I (and anyone else in my position) should be able to do it without enduring unnecessary criticism.

Sometimes people are asking for something which is just plain wrong and asking for trouble. (I want my MCE box to be a workstation and not a router etc.) but in this case, I believe there is a valid reason for those of us who want it to pursue a solution.

I'd like to echo gadget in asking anupindi007 to post his config / put a howto on the wiki.
Paul