dansguardian + firewall issues

Michael Torrie torriem at gmail.com
Sat Apr 24 21:53:37 MDT 2010


On 04/24/2010 03:08 PM, Brett Rasmussen wrote:
> I'm at the point where DG and Squid are both working fine--I can set my
> browser's proxy settings to use 8080 and (turn off my images to be sure and)
> type in a naughty url and see the DG "access denied" page.
> 
> But I can't seem to get the firewall set up so that it allows a local
> browser to connect to 8080 but not 80 such that they could bypass the filter
> altogether.  I've tried the ufw rules as suggested in the tutorial:

Here're the rules I use, as exported by iptables-save:

*nat
:PREROUTING ACCEPT [9:690]
:POSTROUTING ACCEPT [3304:231437]
:OUTPUT ACCEPT [3302:231317]
# Processes running as the dansguardian user (dansguardian itself, and the
# squid/tinyproxy it hands requests to) may reach the web and proxy ports directly.
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dansguardian -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner dansguardian -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8888 -m owner --uid-owner dansguardian -j ACCEPT
# Everyone else's connections to port 80 or 3128 are sent to dansguardian's
# listener on 8080.  These must stay below the owner rules: first match wins.
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
COMMIT

Note they are all in the nat chains.  Basically this only lets processes
owned by "dansguardian" (which I also run tinyproxy or squid as) access
port 80.  Also, I block non-dansguardian access to squid's or tinyproxy's
port (to any destination, even foreign proxies), redirecting it to the
local dansguardian port.

This should do what you want, if you can figure out how to put it in ufw
rules.  I never bothered to learn the new, dumbed-down tools in Ubuntu
and others; I stick to native iptables.
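The following is an added example, not part of Michael's post or of dansguardian: a small model of how the nat OUTPUT chain above decides where a locally originated connection ends up. iptables walks a chain top to bottom and the first rule with a terminating target (ACCEPT or REDIRECT here) wins, so the owner-match ACCEPT rules for the dansguardian uid must sit above the REDIRECT rules, otherwise dansguardian's own upstream fetch to port 80 would be redirected back to its own listener and loop. The model also shows the gap a practitioner should notice: a destination port the rules never mention (443 is used as the example) is left alone by the chain's ACCEPT policy and is not filtered. The uid value 115 for the dansguardian account is an assumption for the example; the real value comes from /etc/passwd on the box.

```python
"""First-match model of the nat OUTPUT rules posted above (added example).

The `owner` match is only available in the OUTPUT chain, because only locally
generated packets have an owning uid; that is why these rules live in
nat/OUTPUT rather than PREROUTING.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed uid of the "dansguardian" system account (check /etc/passwd).
DG_UID = 115
DG_LISTEN_PORT = 8080


@dataclass(frozen=True)
class Rule:
    dport: int
    target: str                    # "ACCEPT" or "REDIRECT"
    uid_owner: Optional[int] = None  # -m owner --uid-owner, if present
    to_port: Optional[int] = None    # --to-ports for REDIRECT


@dataclass(frozen=True)
class Packet:
    uid: int        # uid of the process that opened the socket
    dport: int      # destination port the process asked for
    proto: str = "tcp"


# The posted rules, in the order iptables-save listed them.
POSTED_RULES: List[Rule] = [
    Rule(80, "ACCEPT", uid_owner=DG_UID),
    Rule(3128, "ACCEPT", uid_owner=DG_UID),
    Rule(8888, "ACCEPT", uid_owner=DG_UID),
    Rule(80, "REDIRECT", to_port=DG_LISTEN_PORT),
    Rule(3128, "REDIRECT", to_port=DG_LISTEN_PORT),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """All match criteria of a rule (-p tcp, --dport, --uid-owner) must hold."""
    if pkt.proto != "tcp" or pkt.dport != rule.dport:
        return False
    if rule.uid_owner is not None and pkt.uid != rule.uid_owner:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> int:
    """Return the port the connection really reaches after the chain runs.

    First matching rule decides.  The chain policy is ACCEPT, so a packet that
    matches nothing keeps its original destination port (and is NOT filtered).
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.to_port if rule.target == "REDIRECT" else pkt.dport
    return pkt.dport


def is_filtered(rules: List[Rule], pkt: Packet) -> bool:
    """True if the connection lands on the local dansguardian listener."""
    return evaluate(rules, pkt) == DG_LISTEN_PORT


def owner_rules_precede_redirects(rules: List[Rule]) -> bool:
    """Sanity check on ordering: no uid-owner ACCEPT may follow a REDIRECT for
    the same port, or the proxy's own upstream traffic gets looped back."""
    for i, rule in enumerate(rules):
        if rule.target != "REDIRECT":
            continue
        for later in rules[i + 1:]:
            if (later.target == "ACCEPT" and later.uid_owner is not None
                    and later.dport == rule.dport):
                return False
    return True


if __name__ == "__main__":
    user = Packet(uid=1000, dport=80)          # a browser pointed straight at port 80
    proxy = Packet(uid=DG_UID, dport=80)       # dansguardian fetching the real page
    print("user -> 80 filtered:", is_filtered(POSTED_RULES, user))
    print("dansguardian -> 80 reaches:", evaluate(POSTED_RULES, proxy))
    print("user -> 443 filtered:", is_filtered(POSTED_RULES, Packet(1000, 443)))
    print("order ok:", owner_rules_precede_redirects(POSTED_RULES))
```

Running the model shows a normal user's connection to port 80 or 3128 arriving at 8080 while dansguardian's own connections go out untouched; reversing the rule order makes the check fail and sends the uid-115 fetch back to 8080, which is the loop the ordering prevents.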

