Old 07-Jul-2009, 09:20
jshantz
Re: Transparent proxy using Squid + Dansguardian + SuSEfirew

After speaking with Ludwig Nussel, I was able to resolve the problem.

The problem lies in the fact that SuSEfirewall2 adds NOTRACK rules to the lo interface for performance reasons. Adding NOTRACK to the OUTPUT chain disables connection tracking for all packets in the chain -- a problem if we want to use NAT to redirect our packets.

Therefore, the final ruleset I ended up with was as follows:

/etc/sysconfig/scripts/SuSEfirewall2-custom:
Code:
fw_custom_before_denyall() {

   # Allow Squid outbound access on port 8080 (Dansguardian)
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -m owner --uid-owner squid -j ACCEPT

   # Allow Squid outbound access on port 80
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT

   # Don't redirect root on port 80
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT

   # Don't redirect root on port 3128 (Squid)
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner root -j ACCEPT

   # Redirect all requests on port 80 to 8080 (Dansguardian)
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

   # Accept requests on port 3128 from nobody (Dansguardian user)
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT

   # Redirect all other requests on port 3128 to 8080 to prevent users from getting around Dansguardian by going directly to Squid
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080

   # Delete the NOTRACK rule that SuSEfirewall2 adds to the raw table of the OUTPUT chain
   iptables -t raw -D OUTPUT -o lo -j NOTRACK

   true
}
Regards,
Jeff Shantz
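Two checks for the pitfalls the post describes, added here as an example and not part of the original post: whether the raw table still carries the NOTRACK rule on lo (which silently disables the nat REDIRECTs), and whether any owner-based ACCEPT exemption sits after the REDIRECT for the same port in nat OUTPUT, where it can never match. The rules are a constructed iptables-save excerpt modelled on the ruleset above; the function names and the second, deliberately misordered sample are mine.

```shell
#!/bin/sh
# Constructed iptables-save excerpt modelled on the ruleset in the post
# (not captured from a real machine). NOTRACK on lo is still present.
SAMPLE_RULES='*raw
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j NOTRACK
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
COMMIT'

# Constructed misordered variant: NOTRACK removed, but the squid exemption
# for port 80 was appended after the REDIRECT, so squid's own fetches loop
# back into Dansguardian.
BAD_ORDER_RULES='*raw
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
COMMIT'

# notrack_on_lo RULES: prints 1 if the raw table's OUTPUT chain still has a
# NOTRACK rule for lo (conntrack off, so nat REDIRECT cannot fire), else 0.
notrack_on_lo() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "raw" && /^-A OUTPUT / && / -o lo / && / -j NOTRACK/ { found = 1 }
        END { print (found ? 1 : 0) }'
}

# dead_exemptions RULES PORT: counts owner-based ACCEPT rules for PORT that
# appear after a REDIRECT for the same port in nat OUTPUT. Rules are matched
# in order, so such exemptions are unreachable.
dead_exemptions() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A OUTPUT / && $0 ~ ("--dport " port " ") {
            if (/-j REDIRECT/) redirected = 1
            else if (/--uid-owner/ && /-j ACCEPT/ && redirected) dead++
        }
        END { print (dead + 0) }'
}
```

On a live host the same functions can be fed the real ruleset, e.g. `dead_exemptions "$(iptables-save)" 80`, which needs root to read the tables.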