[SOLVED]Loop between dansguardian and squid

r0b0t · 2013-08-17 17:33:10

Hi,

I configured squid (I tried before tinyproxy and polipo but didn't like the performance) and dansguardian and after testing everything works fine, (in non-transparent mode) , I see che traffic going between dansguardian (8080) => squid (8888) and than comming back. The sites are filtered correctly and also the whitelist works, so everything looks fine at configuration of both parts.

Dansguardian <====> Squid workflow for those interested http://dansguardian.org/?page=dgflow

The Issue:

I configured this on a Mint (family isn't geeky) which has only 1 interface (eth0 - static IP).
Whenever I try to redirect the traffic through squid (only) with iptables and force the transparent mode, everything works, but I loose the dansguardian part as squid doesn't connect to dansguardian, instead is dansguardian which connects to squid ...

now when I use iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080 [note: it's OUTPUT as I'm testing from the same machine when squid/dansguardian is installed ] , the request get's to dansguardian and than to squid but squid than it's put in to a loop and the page never opens...

(from cache.log)

2013/08/17 20:07:18| WARNING: Forwarding loop detected for:
GET /downloads/DGandTransparent.txt HTTP/1.1
Host: dansguardian.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: identity,gzip,deflate
If-Modified-Since: Tue, 15 Apr 2003 00:56:54 GMT
If-None-Match: "4249-999-3bb4de8476180"
Via: 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20), 1.0 localhost (squid/3.1.20)
X-Forwarded-For: 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1
Cache-Control: max-age=0
Connection: keep-alive

I know the solution should be an easy one but right know my brain is in stall mode
Any idea?

Last edited by r0b0t (2013-08-23 16:52:08)

vah · 2013-08-18 22:06:14

You have to tell iptables not to redirect (again) any traffic originating from squid. The magic is in having something like "-A OUTPUT -m owner --uid-owner proxy -j ACCEPT" before the DNAT rule. ("proxy" is the user squid daemon uses in Arch by default. A numeric UID would work, too.) Here's a link for reference that helped me get this working: http://stuvel.eu/transproxy

r0b0t · 2013-08-23 07:53:41

Thanks for the heads-up, I will try it and I think will work (than mark the thread as solved),
thanks again.

r0b0t · 2013-08-23 16:51:40

Not yet I think,
with this setup:

 # iptables -nvL OUTPUT -t nat
Chain OUTPUT (policy ACCEPT 154 packets, 9489 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   97  5820 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 117
   26  1557 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 13
   68  4080 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:127.0.0.1:8080
   29  1740 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:127.0.0.1:8080

# cat firewall.sh 
#!/bin/sh
/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner 117 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner 13 -j ACCEPT
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to 127.0.0.1:8080
/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080
exit 0

Note the --uid-owner 117 which is dansguardian in this case and you need that as well to make this work.
I'm beeing able to get only HTTP traffic to work, but no https traffic through the proxy (should remove 443 rule) , and I guess that I have to either configure ssl-bump and act as man-in-the-middle or either force the HTTPS to be configured as "non-transparent" proxy.

Last edited by r0b0t (2013-08-23 16:52:44)

Arch Linux

#1 2013-08-17 17:33:10

[SOLVED]Loop between dansguardian and squid

#2 2013-08-18 22:06:14

Re: [SOLVED]Loop between dansguardian and squid

#3 2013-08-23 07:53:41

Re: [SOLVED]Loop between dansguardian and squid

#4 2013-08-23 16:51:40

Re: [SOLVED]Loop between dansguardian and squid

Board footer