[NoCatNet] Setup NoCatSplash with Dansguardian/Squid/Transparent proxy
Chan, Wilson
wchan at honolulu.gov
Tue Jul 3 19:05:01 PDT 2007
Hi Group,
I'm trying to set up a free wireless network; however, I'm having a problem getting NoCatSplash to work right with DansGuardian, Squid, and a transparent proxy all in one box.
Here is the current setup and my understanding of how the web traffic is flowing.
==NoCat Traffic Flow==
Laptop sends port 80 traffic (google.com)
||
NoCat Splash intercepts port 80 traffic
||
Redirects traffic to port 5180
||
Acceptance splash page
||
Forwards web traffic (google.com)
==ALL IN ONE PROXY SERVER==
Laptop sends port 80 traffic (google.com)
||
IPTABLES redirects port 80 traffic to port 8080 (DansGuardian)
||
DansGuardian Checks content and then redirects traffic to port 3128 (Squid)
||
Squid sends traffic out port 80 to Internet connection
However, I have an all in one proxy firewall that is doing transparent proxying (redirect w/iptables). When I try to incorporate NoCatSplash into this proxy server it doesn’t work because the Transparent Proxying doesn’t allow the traffic to flow to NoCat first. Is there anyone who knows how to make this work?
Eth0 = RR Modem
Eth1 = LAN (192.168.100.1)
-------------------------------------------------------------------------------------------------
/etc/squid/squid.conf
http_port 3128 transparent <----Add transparent
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl wirelessNetwork src 192.168.100.0/255.255.255.0 <----
# And finally deny all other access to this proxy
## Allow Wireless
http_access allow wirelessNetwork <----
http_access allow localhost
http_access deny all
## Transparent Proxying
httpd_accel_host virtual <----
httpd_accel_port 80 <----
httpd_accel_with_proxy on <----
httpd_accel_uses_host_header on <----
-------------------------------------------------------------------------------------------------
/etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
# Some ICMP messages aren't particularly useful and can be particularly
# nasty, so drop them or rate limit them as appropriate.
#
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 15 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 16 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Wilson
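The question above comes down to rule order in the nat PREROUTING chain: the first matching rule wins, and the posted REDIRECT to 8080 matches every port-80 packet from eth1 before anything a captive portal might add behind it. The following is an added illustration, not part of Wilson's post and not NoCatSplash's own code: a small first-match evaluator for iptables-save style nat rules, run over the posted ruleset and over three hypothetical variants. It does not model how NoCatSplash really installs its rules; the portal capture rule (port 5180, the splash port named in the post) and the "logged-in client" ACCEPT exception are placeholders chosen to show the ordering effects.

```python
"""Added example (not from the post or from NoCatSplash): a first-match
evaluator for iptables-save style nat/PREROUTING rules, used to see where a
LAN client's port-80 packet lands depending on rule order."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The nat rules from the post, copied here so the example runs offline.
POSTED_NAT = """
*nat
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Hypothetical portal capture rule (5180 is the splash port named in the post;
# how NoCatSplash actually installs its rules is not modelled here).
PORTAL_RULE = "PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 5180"
PORTAL_APPENDED = POSTED_NAT.replace("COMMIT", "-A " + PORTAL_RULE + "\nCOMMIT")
PORTAL_INSERTED = POSTED_NAT.replace("COMMIT", "-I " + PORTAL_RULE + "\nCOMMIT")
# Hypothetical "logged-in client" exception implemented as ACCEPT in nat.
AUTHED_ACCEPT = POSTED_NAT.replace(
    "COMMIT", "-I PREROUTING -s 192.168.100.50 -j ACCEPT\nCOMMIT")


@dataclass
class Packet:
    in_iface: str
    src: str
    proto: str
    dport: int


@dataclass
class Rule:
    in_iface: Optional[str]
    src_net: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    target: str
    to_ports: Optional[int]


# Options this model understands; each takes one argument.
_PAIRED = ("-i", "-o", "-s", "-p", "--dport", "-j", "--to-ports")


def parse_nat(text: str) -> Dict[str, List[Rule]]:
    """Build chain -> ordered rule list. -A appends; -I inserts at the head,
    as iptables does when no position is given. Other options are ignored."""
    chains: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] not in ("-A", "-I"):
            continue  # *nat, COMMIT, policy lines
        opts, i = {}, 2
        while i < len(toks):
            if toks[i] in _PAIRED:
                opts[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1  # e.g. "-m tcp": no effect on this model
        rule = Rule(opts.get("-i"), opts.get("-s"), opts.get("-p"),
                    int(opts["--dport"]) if "--dport" in opts else None,
                    opts["-j"],
                    int(opts["--to-ports"]) if "--to-ports" in opts else None)
        chain = chains.setdefault(toks[1], [])
        if toks[0] == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chains


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified match option must agree with the packet."""
    if rule.in_iface and rule.in_iface != pkt.in_iface:
        return False
    if rule.src_net and ipaddress.ip_address(pkt.src) not in \
            ipaddress.ip_network(rule.src_net, strict=False):
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def trace_prerouting(chains: Dict[str, List[Rule]],
                     pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule decides. Returns (verdict, local port for REDIRECT).
    ACCEPT in nat means 'stop here, no NAT', so later REDIRECTs never run."""
    for rule in chains.get("PREROUTING", []):
        if matches(rule, pkt):
            return rule.target, rule.to_ports
    return "POLICY_ACCEPT", None


if __name__ == "__main__":
    web = Packet("eth1", "192.168.100.50", "tcp", 80)
    tls = Packet("eth1", "192.168.100.50", "tcp", 443)
    cases = [("posted", POSTED_NAT), ("portal appended", PORTAL_APPENDED),
             ("portal inserted", PORTAL_INSERTED), ("authed ACCEPT", AUTHED_ACCEPT)]
    for name, text in cases:
        print(f"{name:16} port 80  -> {trace_prerouting(parse_nat(text), web)}")
    print(f"{'posted':16} port 443 -> {trace_prerouting(parse_nat(POSTED_NAT), tls)}")
```

Running it shows the symptom from the post: with the proxy REDIRECT first, a portal rule appended after it is never reached, whereas a capture rule inserted ahead of it wins. It also shows two things to check on such a box: an ACCEPT exception for an authenticated client in the nat table stops chain traversal, so that client would skip the DansGuardian redirect as well unless the exception instead redirects to 8080; and the posted ruleset redirects only port 80, so port 443 traffic is routed out unfiltered.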