Transparent proxy using Squid + Dansguardian + SuSEfirewall2

[jshantz]

Hello,

I am trying to setup Internet filtering on my system using Squid and Dansguardian. I need to run a transparent proxy so that there is no way around it. I got the filtering working properly, but when I enable the SuSE firewall and then try to visit a web site, the page just loads forever. This is for a Google Summer of Code project, so I do need to support running the SuSE firewall and cannot simply disable it.

Okay, so here's my configuration.

Squid: port 3128
Dansguardian: port 8080

(these ports are non-negotiable and are standard, so please no suggestions to change Squid's port to 80, since that would preclude running a web server on the same machine)

I then have the following custom iptables rules:

Code:

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

The last rule redirects all requests to port 80 to Dansguardian on port 8080 (which, in turn, forwards the requests to Squid). The first two rules ensure that Squid can request pages from the Internet.

Now, these work just fine when I have the SuSE firewall disabled. When I enable it, as I mentioned, pages just keep loading forever.

I have put these 3 custom rules in /etc/sysconfig/scripts/SuSEfirewall2-custom (I tried putting them in each of the hooks -- none of them work for me) and in /etc/sysconfig/SuSEfirewall2, I have the following line:

Code:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

Okay great, so the SuSEfirewall2 script is loading the rules, and I can see that when I start the firewall and then view the NAT table:

Code:

js3:/home/jeff # rcSuSEfirewall2 start
Starting Firewall Initialization (phase 2 of 2)                                                                                                   done
js3:/home/jeff # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http owner UID match squid 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndl-aas owner UID match squid 
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 8080

Unfortunately, no pages will load after that. Before anyone suggests that I use the FW_REDIRECT configuration value in /etc/sysconfig/SuSEfirewall2, please keep in mind that that does not apply to packets originating from the firewall machine, and since this is a single-computer configuration, I cannot use FW_REDIRECT. Everything is originating from the firewall machine.

My iptables configuration (after enabling the firewall) is displayed below. I appreciate any help anyone can provide. This is for a Google Summer of Code project, so you'll be helping me help the community. Thank you.

Code:

js3:/home/jeff # iptables-save
# Generated by iptables-save v1.4.2-rc1 on Sun Jul  5 12:47:46 2009
*mangle
:PREROUTING ACCEPT [34439:25220562]
:INPUT ACCEPT [34305:25177659]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32999:4559728]
:POSTROUTING ACCEPT [32999:4559728]
COMMIT
# Completed on Sun Jul  5 12:47:46 2009
# Generated by iptables-save v1.4.2-rc1 on Sun Jul  5 12:47:46 2009
*nat
:PREROUTING ACCEPT [262:61482]
:POSTROUTING ACCEPT [2886:191563]
:OUTPUT ACCEPT [2683:179222]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 
COMMIT
# Completed on Sun Jul  5 12:47:46 2009
# Generated by iptables-save v1.4.2-rc1 on Sun Jul  5 12:47:46 2009
*raw
:PREROUTING ACCEPT [34945:25466868]
:OUTPUT ACCEPT [33465:4635679]
-A PREROUTING -i lo -j NOTRACK 
-A OUTPUT -o lo -j NOTRACK 
COMMIT
# Completed on Sun Jul  5 12:47:46 2009
# Generated by iptables-save v1.4.2-rc1 on Sun Jul  5 12:47:46 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -m state --state RELATED -j ACCEPT 
-A INPUT -i eth0 -j input_ext 
-A INPUT -i wlan0 -j input_ext 
-A INPUT -i pan0 -j input_ext 
-A INPUT -i vmnet1 -j input_ext 
-A INPUT -i vmnet8 -j input_ext 
-A INPUT -i wmaster0 -j input_ext 
-A INPUT -j input_ext 
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options 
-A INPUT -j DROP 
-A FORWARD -m physdev  --physdev-is-bridged -j ACCEPT 
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options 
-A input_ext -m pkttype --pkt-type broadcast -j DROP 
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT 
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A input_ext -s 10.0.0.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A input_ext -m pkttype --pkt-type multicast -j DROP 
-A input_ext -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options 
-A input_ext -j DROP 
-A reject_func -p tcp -j REJECT --reject-with tcp-reset 
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable 
-A reject_func -j REJECT --reject-with icmp-proto-unreachable 
COMMIT
# Completed on Sun Jul  5 12:47:46 2009

Regards,
Jeff Shantz

[jshantz]

I should add that I am using openSUSE 11.1. My /etc/sysconfig/SuSEfirewall2 contents are as follows:

Code:

FW_DEV_EXT="any eth0 wlan0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS="10.0.0.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""

iptables -tulpen gives the following:

Code:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name   
tcp        0      0 0.0.0.0:39496           0.0.0.0:*               LISTEN      1000       52632      15541/skype         
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      60         10410      4188/mysqld         
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          7706       2997/rpcbind        
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      65534      30477      10521/dansguardian  
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      0          8130       3176/X              
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      0          11794      4494/vsftpd         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          11689      4469/sshd           
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          9878       4190/cupsd          
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      0          30424      10508/(squid)       
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          11312      4384/master         
tcp        0      0 :::111                  :::*                    LISTEN      0          7711       2997/rpcbind        
tcp        0      0 :::6000                 :::*                    LISTEN      0          8129       3176/X              
tcp        0      0 :::22                   :::*                    LISTEN      0          11691      4469/sshd           
udp        0      0 0.0.0.0:55055           0.0.0.0:*                           31         30418      10508/(squid)       
udp        0      0 0.0.0.0:3130            0.0.0.0:*                           0          30425      10508/(squid)       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          16787      5182/dhclient       
udp        0      0 0.0.0.0:39496           0.0.0.0:*                           1000       52633      15541/skype         
udp        0      0 0.0.0.0:3401            0.0.0.0:*                           0          30426      10508/(squid)       
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           103        9771       4128/avahi-daemon:  
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          7636       2997/rpcbind        
udp        0      0 0.0.0.0:631             0.0.0.0:*                           0          9885       4190/cupsd          
udp        0      0 0.0.0.0:35450           0.0.0.0:*                           103        9772       4128/avahi-daemon:  
udp        0      0 10.0.0.103:123          0.0.0.0:*                           74         18789      4333/ntpd           
udp        0      0 172.16.25.1:123         0.0.0.0:*                           0          10762      4333/ntpd           
udp        0      0 172.16.91.1:123         0.0.0.0:*                           0          10761      4333/ntpd           
udp        0      0 127.0.0.2:123           0.0.0.0:*                           0          10760      4333/ntpd           
udp        0      0 127.0.0.1:123           0.0.0.0:*                           0          10759      4333/ntpd           
udp        0      0 0.0.0.0:123             0.0.0.0:*                           0          10704      4333/ntpd           
udp        0      0 0.0.0.0:1020            0.0.0.0:*                           0          7705       2997/rpcbind        
udp        0      0 127.0.0.1:35325         0.0.0.0:*                           1000       49688      15541/skype         
udp        0      0 :::177                  :::*                                0          8074       3142/gdm            
udp        0      0 :::111                  :::*                                0          7708       2997/rpcbind        
udp        0      0 fe80::213:2ff:fe6c::123 :::*                                74         18788      4333/ntpd           
udp        0      0 fe80::250:56ff:fec0:123 :::*                                0          10712      4333/ntpd           
udp        0      0 ::1:123                 :::*                                0          10711      4333/ntpd           
udp        0      0 fe80::250:56ff:fec0:123 :::*                                0          10710      4333/ntpd           
udp        0      0 :::123                  :::*                                0          10705      4333/ntpd           
udp        0      0 :::1020                 :::*                                0          7710       2997/rpcbind

Thanks again.

Regards,
Jeff Shantz

[framp]

I had a squid and dansguardian setup long time ago - but I had a real firewall which wasn't used as a client like in your case. Frankly I don't understand why you allow a browser on a FW - but anyhow:

Make sure your custom iptable rules are in the fw_custom_before_denyall() section.

Then you should change -A (append) into -I (insert) to make sure your iptable rules have higher priority than the SuSE rules.

If it still does not work I would start with squid only - and if this works add dansguardian in front of squid. This way you increse the config complexity step by step

[jshantz]

Quote:

Originally Posted by framp

IFrankly I don't understand why you allow a browser on a FW - but anyhow:

Because it's not a real firewall system -- this is a web filtering solution for end users who may not have much technical knowledge whatsoever but want to setup filtering easily for their children/students. Those kinds of users don't generally have multiple systems which would allow a dedicated firewall setup. It needs to be an all-in-one solution.

Quote:

Then you should change -A (append) into -I (insert) to make sure your iptable rules have higher priority than the SuSE rules.

I don't think it will make a difference -- the custom rules that I have are in the NAT table. All other rules (added by the SUSE firewall) are in the filter table.

Thanks for your response.

[cyberorg]

Best places to get help is listed at the bottom of:

file:///usr/share/doc/packages/SuSEfirewall2/README.html

For discussion about SuSEfirewall2 join the opensuse-security mailinglist.

Most of it got rewritten and enhanced by it's current maintainer Ludwig Nussel : ludwig.nussel@suse.de

More:

Transparent Squid = Not working (SOLVED) - openSUSE Forums

[jshantz]

After speaking with Ludwig Nussel, I was able to resolve the problem.

The problem lies in the fact that SuSEfirewall2 adds NOTRACK rules to the lo interface for performance reasons. Adding NOTRACK to the OUTPUT chain disables connection tracking for all packets in the chain -- a problem if we want to use NAT to redirect our packets.

Therefore, the final ruleset I ended up with was as follows:

/etc/sysconfig/scripts/SuSEfirewall2-custom:

Code:

fw_custom_before_denyall() {

   # Allow Squid outbound access on port 8080 (Dansguardian)
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -m owner --uid-owner squid -j ACCEPT

   # Allow Squid outbound access on port 80
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT

   # Don't redirect root on port 80
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT

   # Don't redirect root on port 3128 (Squid)
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner root -j ACCEPT

   # Redirect all requests on port 80 to 8080 (Dansguardian)
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

   # Accept requests on port 3128 from nobody (Dansguardian user)
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT

   # Redirect all other requests on port 3128 to 8080 to prevent users from getting around Dansguardian by going directly to Squid
   iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080

   # Delete the NOTRACK rule that SuSEfirewall2 adds to the raw table of the OUTPUT chain
   iptables -t raw -D OUTPUT -o lo -j NOTRACK

   true
}

Regards,
Jeff Shantz

[ken_yap]

Thanks for posting the solution. Learn something new everyday.

[mrabbat]

Hello,
I am using a similar configuration only using a bridge as to a transparent proxy bridge, with Squid and dansguardian, and my configuration is as follows :

ebtables -t broute -A BROUTING -p IPv4 –ip-protocol 6 –ip-destination-port 80 -j redirect –redirect-target ACCEPT
ebtables -t broute -A BROUTING -p IPv4 –ip-protocol 6 –ip-destination-port 80 -j redirect –redirect-target ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-port 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j REDIRECT –to-port 8080
iptables -t nat -A PREROUTING -i br0 -p tcp –dport 80 -j REDIRECT –to-port 8080

where port 8080 is the dansguardian port.
Only I have noticed that a download is never finished and the connection resets, and I get a message saying that the connection with the server was reset.I can never complete a download.
Internet Browsing looks fine and quick, only the problem is with the downloads.
Any idea of what is happening, and why does the connection resets and the downloads cut ?
Any help is much appreciated.

Thanks.