Linux Netfilter discussions
From: Dimitar Katerinski <train@bofh.bg>
To: netfilter@lists.netfilter.org
Cc: kscott9@triad.rr.com
Subject: Re: Transparent proxy single machine question
Date: Sun, 27 Jun 2004 00:51:40 +0300
Message-ID: <40DDEFEC.5000205@bofh.bg>
In-Reply-To: <40DDE99C.7060001@triad.rr.com>

ken scott wrote:
> I am trying to build a single machine that performs web filtering
> (using DansGuardian) for several users.
> The box (Morphix/Debian system) will be behind a cable router and has
> five users (kids).
> I have DansGuardian and Squid running correctly in normal proxy mode.
> The next step is to make the proxy transparent
> so that users cannot bypass the DansGuardian/Squid path simply by telling
> their browser to connect directly.
> I have looked around and seen instructions on this in several places
> (mostly for non-single-machine implementations)
> and know I need a line something like:
> 
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8181
> 
>       where 8181 is where Dansguardian is listening.
> 
> I also need to configure squid with (I think) :
> 
> http_port 3128     # where squid is listening
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy  on
> httpd_accel_uses_host_header on
> httpd_accel_single_host off
> 
> The question is, on a single machine, will this work?
> The part I can't figure out pertains to when Squid finally wants to send
> out the actual request to the internet: isn't that a port 80 request that
> the above iptables rule will redirect back to DansGuardian??
> Please reply all as I am not quite sure that I have joined the list
> correctly.
> Thanks in advance
> Ken S.

Hello Ken,

Yes, on a single machine it will work with no problems. You should specify
an incoming interface for the above iptables rule though. Do it like this:

iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-ports 8181

where $LAN_IFACE is the interface connected to your internal network.

And the scheme is as follows:
1. A client sends a request for a specific page.
2. The Linux box sees it's a request for destination port 80 and
redirects it to port 8181, where DG is listening.
3. DG takes the request, does what it does (content filtering, etc.), and
sends it to Squid.
4. Squid requests the specific page and gives it back to DG, which again
does what it does.
5. DG then, if everything is OK, serves the requested page to the client.


About your question:
 > ..when Squid finally wants to send
 > out the actual request to the internet, isn't that a port 80 request that
 > the above iptables rule will redirect back to DansGuardian??

No, basically it won't, unless you have the same rule in the OUTPUT chain
of the nat table. The PREROUTING chain applies to packets which hit the
box coming from somewhere outside, not to packets which originate from the
machine itself.
Hope I was able to clarify all this for you.



Regards,
Dimitar

-- 
"The only thing necessary for the triumph of evil is for good men to do 
nothing."
                                                   --Edmund Burke.
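An added example, not from this thread or from either poster: a small sh script that writes the nat table described above in iptables-restore(8) format, with the REDIRECT carried only by PREROUTING (so Squid's own outbound connections, which traverse OUTPUT, are left alone) and bound to the LAN interface. Before loading, it refuses any ruleset in which a REDIRECT rule lacks an incoming-interface match. The interface name eth1, the LAN_IFACE/DG_PORT variables and the output file path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): build and sanity-check the
# nat table for single-box transparent proxying into DansGuardian.
# Assumptions: eth1 is the internal interface, 8181 is DG's port (as in the
# thread), and /tmp/proxy-nat.rules is a scratch path for the ruleset.
LAN_IFACE="${LAN_IFACE:-eth1}"
DG_PORT="${DG_PORT:-8181}"
RULES_FILE="${RULES_FILE:-/tmp/proxy-nat.rules}"

# Emit the nat table in iptables-restore format. Only PREROUTING carries the
# REDIRECT: locally generated packets (Squid fetching the page) go through
# OUTPUT, which is left at its ACCEPT policy, so nothing loops back into DG.
nat_ruleset() {
  lan="$1"
  port="$2"
  printf '%s\n' \
    '*nat' \
    ':PREROUTING ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    ':POSTROUTING ACCEPT [0:0]' \
    "-A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports $port" \
    'COMMIT'
}

# Return 0 if every REDIRECT rule in the ruleset names an incoming interface
# with -i, 1 otherwise. Without -i, port-80 traffic arriving on the WAN side
# would also be pushed into the filter, which is not what the setup intends.
check_redirect_has_iface() {
  ! printf '%s\n' "$1" \
    | grep -E -- '-j REDIRECT' \
    | grep -qvE -- '-i [[:alnum:]._-]+'
}

# Usage: sh proxy-nat.sh --apply   (loads the table with iptables-restore)
if [ "${1:-}" = "--apply" ]; then
  rules="$(nat_ruleset "$LAN_IFACE" "$DG_PORT")"
  if ! check_redirect_has_iface "$rules"; then
    echo "refusing to load: REDIRECT rule without -i interface match" >&2
    exit 1
  fi
  printf '%s\n' "$rules" > "$RULES_FILE"
  iptables-restore < "$RULES_FILE"
fi
```

Run without arguments the script defines the two functions and does nothing; with --apply it writes the ruleset and loads it, replacing the current nat table. Inspect the result with `iptables -t nat -L -n -v` and confirm that the REDIRECT counters increase only for connections coming in on the LAN interface.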

