[Techtalk] dansguardian, squid, smoothwall and transparent proxying

Devdas Bhagat devdas at dvb.homelinux.org
Sun Mar 13 20:41:56 EST 2005


On 09/03/05 00:13 +0000, conor.daly at cod.utvinternet.com wrote:
> Eeek!  Now that the kids are starting to want to go surfing, I'm working
> on a dansguardian / squid setup for the HAN.  I'm running squid and
> dansguardian on the internal server and smoothwall express on the
> firewall.  I have both dans and squid working and dilligently blocking but
> I have to manually configure the browsers {which the kids will
> {eventually} manually _unconfigure_}.  To avoid this, I tried having
> smoothwall do a transparent proxy thing.  I gave it the ip:port of the
> internal dans server and told it it was transparent.  Now I get an "access
> denied" message from squid for any web access.  I suspect it's the proxy
> equivalent of a mail loop since it's only when I put the smoothwall proxy
> bit in place that this happens.  
> 
> So, is there anything I can do to get smoothwall either 
> 
> 1. Use my internal dans/squid proxy transparently
> 2. Block relevant ports outbound so that a manual proxy config will be
>    needed.  
> 
> Smoothwall express doesn't seem to allow outbound blocking. 

http://www.lartc.org/lartc.html#LARTC.NETFILTER is your friend.
Also see:
http://www.lartc.org/lartc.html#LARTC.COOKBOOK.SQUID

This is a variant of the squid cookbook setup, where the default gateway
is the same physical system for the LAN and for the squid host.

You have a setup like this:

                               0/0
                                |
                      ----------------- eth0
                      |    GATEWAY    |
                      -----------------  eth1
          ---------             |
          | Squid |--------------
          ---------             |
                                |
                               LAN

You need to transparently redirect all the traffic coming from the LAN
going to port 80 to any host on the Internet to the squid box which sends
it back via the same route.

This needs a bit of source routing to be done.

I will assume that your internal network is 192.168.1.0/24.
Create a separate /30 interface on the gateway system on the internal
network interface, say 10.1.1.0/30. This need not be a physical
interface, an alias will do fine [1]. Assign 10.1.1.1 to the gateway
interface, and 10.1.1.2 to Squid.

Create a routing table for squid.
#echo 80 webcache >> /etc/iproute2/rt_tables

You can use any number from 2 to 253 (inclusive).

Next, we need to tell the network stack what traffic to send to
this table.
#ip rule add fwmark 2 table webcache

This rule sends all traffic marked 2 to the routing table named
webcache.
Next, we tell the webcache table what to do with the packets sent to it.

#ip route add default via 10.1.1.2 dev eth1 table webcache

Now, packets marked with 2 will go out via the 10.1.1.2 host, instead of 
going out via eth0 (the main default route).

We use iptables to mark the packets.
#iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 192.168.1.0/24 \
--dport 80 -j MARK --set-mark 2

This sets up your gateway. On the proxy, 
#iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 80 \
-j REDIRECT --to-port 3128

This is a regular transparent proxy setup (and very well documented).

It is possible to do this with the Squid box in the same subnet as well,
but then you need to be a little bit more careful with your rules and
routes (you need to make sure that the traffic from Squid does not loop).
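The gateway and proxy steps above, gathered into one script as an added example (not from the post): by default it only prints the commands, with APPLY=1 it runs them, and it avoids the duplicate rt_tables lines and stacked ip/iptables rules that repeating the raw commands would leave behind. Interface names and addresses are the assumptions used in the post; LAN_NET, SQUID_IP and the rest can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the post): print, or with APPLY=1 execute, the
# gateway/proxy commands from the post in a form that is safe to re-run.
# Addresses and interface names are assumptions copied from the post.
LAN_IF="${LAN_IF:-eth1}"             # gateway NIC facing LAN and Squid
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_IP="${SQUID_IP:-10.1.1.2}"     # Squid's address on the /30 alias
MARK="${MARK:-2}"
TABLE_ID="${TABLE_ID:-80}"
TABLE_NAME="${TABLE_NAME:-webcache}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
# run: print the command (dry run, the default) or execute it (APPLY=1).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}
# register_table: add the table to rt_tables only once; the post's '>>'
# appends another copy every time it is repeated.
register_table() {
    if grep -qs "^${TABLE_ID}[[:space:]][[:space:]]*${TABLE_NAME}\$" "$RT_TABLES"; then
        printf 'table %s already registered\n' "$TABLE_NAME"
    else
        run sh -c "printf '%s %s\n' '$TABLE_ID' '$TABLE_NAME' >> '$RT_TABLES'"
    fi
}
# ensure_rule TABLE CHAIN RULE...: append an iptables rule only if it is
# not already present (-C), so repeated runs do not stack duplicates.
ensure_rule() {
    tbl="$1"; chain="$2"; shift 2
    if [ "${APPLY:-0}" = "1" ] && iptables -t "$tbl" -C "$chain" "$@" 2>/dev/null
    then return 0; fi
    run iptables -t "$tbl" -A "$chain" "$@"
}
# gateway_rules: fwmark -> webcache table -> default via Squid, plus the
# mangle MARK rule. Matching only LAN sources means Squid's own traffic
# (10.1.1.2, outside LAN_NET) is never marked and routed back to itself.
gateway_rules() {
    run ip rule del fwmark "$MARK" table "$TABLE_NAME" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE_NAME"
    run ip route replace default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE_NAME"
    ensure_rule mangle PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" \
        --dport 80 -j MARK --set-mark "$MARK"
}
# proxy_rules: on the Squid host, redirect LAN port-80 traffic into Squid.
proxy_rules() {
    ensure_rule nat PREROUTING -p tcp -s "$LAN_NET" --dport 80 \
        -j REDIRECT --to-port 3128
}
# First argument selects the host role; "gateway" is the default.
case "${1:-gateway}" in gateway) register_table; gateway_rules ;; proxy) proxy_rules ;; esac
```

Run it as `./setup.sh gateway` on the gateway and `./setup.sh proxy` on the Squid host, checking the printed commands before adding APPLY=1.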

Devdas Bhagat
