Hi,
I configured squid (I tried tinyproxy and polipo before but didn't like the performance) and dansguardian, and after testing everything works fine (in non-transparent mode): I see the traffic going between dansguardian (8080) => squid (8888) and then coming back. The sites are filtered correctly and the whitelist works too, so everything looks fine on the configuration side of both parts.
Dansguardian <====> Squid workflow for those interested http://dansguardian.org/?page=dgflow
The Issue:
I configured this on a Mint (family isn't geeky) which has only 1 interface (eth0 - static IP).
Whenever I try to redirect the traffic through squid (only) with iptables and force transparent mode, everything works, but I lose the dansguardian part, as squid doesn't connect to dansguardian; instead it's dansguardian which connects to squid ...
Now when I use iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080 [note: it's OUTPUT as I'm testing from the same machine where squid/dansguardian is installed], the request gets to dansguardian and then to squid, but squid is then put into a loop and the page never opens...
(from cache.log)
2013/08/17 20:07:18| WARNING: Forwarding loop detected for:
GET /downloads/DGandTransparent.txt HTTP/1.1
Host: dansguardian.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: identity,gzip,deflate
If-Modified-Since: Tue, 15 Apr 2003 00:56:54 GMT
If-None-Match: "4249-999-3bb4de8476180"
Via: 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost 
(squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20)
X-Forwarded-For: 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1
Cache-Control: max-age=0
Connection: keep-alive
I know the solution should be an easy one but right now my brain is in stall mode.
Any idea?
Last edited by r0b0t (2013-08-23 16:52:08)
You have to tell iptables not to redirect (again) any traffic originating from squid. The magic is in having something like "-A OUTPUT -m owner --uid-owner proxy -j ACCEPT" before the DNAT rule. ("proxy" is the user squid daemon uses in Arch by default. A numeric UID would work, too.) Here's a link for reference that helped me get this working: http://stuvel.eu/transproxy
Thanks for the heads-up, I will try it and I think it will work (then I'll mark the thread as solved),
thanks again.
Not yet I think,
with this setup:
# iptables -nvL OUTPUT -t nat
Chain OUTPUT (policy ACCEPT 154 packets, 9489 bytes)
pkts bytes target prot opt in out source destination
97 5820 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 117
26 1557 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 13
68 4080 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:127.0.0.1:8080
29 1740 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:127.0.0.1:8080
# cat firewall.sh
#!/bin/sh
# Exempt the daemons' own outbound connections from the redirect.
# These ACCEPT rules must come before the DNAT rules, otherwise the
# proxies' upstream connections are sent back into the chain (forwarding loop).
/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner 117 -j ACCEPT   # dansguardian
/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner 13 -j ACCEPT    # squid (user "proxy")
# Redirect everyone else's port 80/443 traffic to dansguardian
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to 127.0.0.1:8080
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080
exit 0
Note the --uid-owner 117, which is dansguardian in this case; you need that as well to make this work.
I'm able to get only HTTP traffic to work, but no HTTPS traffic through the proxy (I should remove the 443 rule), and I guess that I have to either configure ssl-bump and act as man-in-the-middle or force HTTPS to be configured as a "non-transparent" proxy.
Last edited by r0b0t (2013-08-23 16:52:44)
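The two points made in this thread, the owner-match exemption from the reply above and the observation in the last post that the 443 DNAT rule cannot work against a plain-HTTP listener, as an added example script that is not code from the thread or from the Squid/DansGuardian projects. It generates the nat OUTPUT rules in the order that avoids the forwarding loop and checks a rule listing (the output of `iptables -t nat -S OUTPUT`) for both mistakes. Assumptions that are mine, not the thread's: DansGuardian listens on 127.0.0.1:8080, and the daemon UIDs are passed in as numbers (for example `"$(id -u dansguardian)" "$(id -u proxy)"`); `gen_rules` and `check_rules` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: build the nat OUTPUT rules for a
# host-local transparent chain (client -> DansGuardian -> Squid -> internet)
# and check a rule listing for the two mistakes discussed in the thread.
# Assumptions (mine, not the thread's): DansGuardian listens on
# 127.0.0.1:8080 and the daemons' UIDs are passed in as numbers.

DG_ADDR="127.0.0.1:8080"

# Print the iptables commands in the order they must be applied: one ACCEPT
# per daemon UID first, so the daemons' own upstream connections leave the
# chain untouched, then the redirect of everyone else's port-80 traffic.
# Only port 80 is redirected: DansGuardian's listener speaks plain HTTP, so
# DNATing port 443 to it cannot work (that needs ssl-bump or a non-transparent
# HTTPS proxy setting on the client instead).
gen_rules() {
    for uid in "$@"; do
        printf '/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner %s -j ACCEPT\n' "$uid"
    done
    printf '/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to %s\n' "$DG_ADDR"
}

# Read rule lines on stdin (the output of `iptables -t nat -S OUTPUT`, or of
# gen_rules) and exit non-zero if either
#   - an owner ACCEPT appears after a DNAT rule: the daemon's upstream
#     connection would be redirected into its own chain, which is the
#     "Forwarding loop detected" warning quoted from cache.log above, or
#   - a DNAT rule matches port 443: TLS handed to a plain-HTTP listener.
check_rules() {
    awk '
        BEGIN { bad = 0; seen_dnat = 0 }
        /-j DNAT/ {
            seen_dnat = 1
            if ($0 ~ /--dport 443/) bad = 1
        }
        /--uid-owner/ && /-j ACCEPT/ && seen_dnat { bad = 1 }
        END { exit bad }
    '
}

# Stand-alone use (as root):  ./transproxy.sh 117 13 | sh
# Audit the live chain:       iptables -t nat -S OUTPUT | check_rules
if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

The check is deliberately order-sensitive because iptables evaluates the chain top to bottom: the same four rules in the other order redirect the proxies' own traffic, and the Via header in the cache.log excerpt above is what that looks like from Squid's side.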