[Techtalk] dansguardian, squid, smoothwall and transparent proxying

Wim De Smet kromagg at gmail.com
Thu Mar 10 00:06:06 EST 2005


On Wed, 9 Mar 2005 00:13:39 +0000, conor.daly at cod.utvinternet.com
<conor.daly at cod.utvinternet.com> wrote:
> Eeek!  Now that the kids are starting to want to go surfing, I'm working
> on a dansguardian / squid setup for the HAN.  I'm running squid and
> dansguardian on the internal server and smoothwall express on the
> firewall.  I have both dans and squid working and diligently blocking but
> I have to manually configure the browsers {which the kids will
> {eventually} manually _unconfigure_}.  To avoid this, I tried having
> smoothwall do a transparent proxy thing.  I gave it the ip:port of the
> internal dans server and told it it was transparent.  Now I get an "access
> denied" message from squid for any web access.  I suspect it's the proxy
> equivalent of a mail loop since it's only when I put the smoothwall proxy
> bit in place that this happens.
> 
> So, is there anything I can do to get smoothwall either
> 
> 1. Use my internal dans/squid proxy transparently
> 2. Block relevant ports outbound so that a manual proxy config will be
>    needed.
> 
> Smoothwall express doesn't seem to allow outbound blocking.
> 
> Conor

I'm not familiar with how either smoothwall or dansguardian work but I
guess you can add your own iptables rules? All you need to do then is
block all traffic to port 80 outgoing. With something like:
iptables -A FORWARD -p tcp --dport 80 -j DROP
(don't know if this will work, it's really off the top of my head)
Of course you'd still want to exempt the proxy from it. If the proxy
is on the same machine as the firewall it's no problem since the
packet shouldn't pass through the forward chain. If it is on a
different machine you can just exempt it with something like:
iptables -I FORWARD -p tcp -s <youriphere> -j ACCEPT

This, while not a perfect solution (transparent proxies would be
better), will probably be a great stop-gap solution until you figure
the transparent proxy thing out. :-)

greets,
Wim
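Wim's two rules as an added, runnable script that is not part of the thread: it puts the proxy exemption ahead of the block (iptables matches top-down, so order matters), covers 443 alongside 80, and logs refused connections so bypass attempts show up in the kernel log. The LAN interface name, the proxy address and the port list are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the FORWARD-chain rules Wim sketches,
# generated in the order iptables needs them (exemption before block).
# Assumed placeholders: LAN-side interface, address of the dans/squid host,
# and the ports to force through the proxy.
LAN_IF=${LAN_IF:-eth1}
PROXY_IP=${PROXY_IP:-192.168.1.10}
BLOCK_PORTS=${BLOCK_PORTS:-"80 443"}
IPT=${IPT:-iptables}

# emit_rules prints one iptables command per line, in application order.
# Appending the ACCEPT first and the REJECT second is equivalent to Wim's
# "-A ... DROP" followed by "-I ... ACCEPT": the proxy's rule wins because
# it sits above the block.
emit_rules() {
  for p in $BLOCK_PORTS; do
    # the proxy host itself may reach the web directly
    echo "$IPT -A FORWARD -i $LAN_IF -p tcp -s $PROXY_IP --dport $p -j ACCEPT"
  done
  for p in $BLOCK_PORTS; do
    # log (rate limited) so direct connection attempts are visible in dmesg/syslog
    echo "$IPT -A FORWARD -i $LAN_IF -p tcp --dport $p -m limit --limit 5/min -j LOG --log-prefix 'PROXY-BYPASS: '"
    # then refuse with a TCP reset so browsers fail fast instead of hanging
    echo "$IPT -A FORWARD -i $LAN_IF -p tcp --dport $p -j REJECT --reject-with tcp-reset"
  done
}

# apply_rules runs the generated commands; needs root and iptables installed.
apply_rules() {
  emit_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

# Only touch the firewall when explicitly asked (./script apply);
# otherwise just show the rules that would be applied.
if [ "${1:-}" = "apply" ]; then
  apply_rules
else
  emit_rules
fi
```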
