# Getting Dansguardian to work with squid and iptables

## elmar283

I'm trying to get Dansguardian to work with squid and iptables.

I have had squid and iptables configured for a while and this is working fine.

Basically my setup is:

I have a Gentoo Linux server on a FIT PC-2. It has a wlan and an ethernet network interface.

Network interface wlp3s0 is connected through wlan to the internal network 192.168.178.0. # WORKING

Network interface enp2s0 is an ethernet interface that is connected to a wireless access point. # WORKING

All my computers in my house connect to this wireless access point. # WORKING

All internet requests are transferred through the FIT PC-2 without any configuration on the other computers.

This is my old http configuration:

all http from port 80 is redirected to port 3128 (iptables rule: iptables -t nat -A PREROUTING -i enp2s0 -p tcp --dport 80 -j REDIRECT --to-port 3128) #WORKING

Squid intercepts this traffic (http_port 3128 intercept) #WORKING

What I want to do is, instead of redirecting to port 3128, redirect to port 8080 like this:

```
iptables -t nat -A PREROUTING -i enp2s0 -p tcp --dport 80 -j REDIRECT --to-port 8080
```

Dansguardian intercepts the traffic from port 8080 and sends it to port 3128.

The problem is that when I do that, squid denies this:

```
Error message from squid:

ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://www.nrc.nl/

    Access denied.

You do not have access to the URL you tried to request from this server. Contact your service provider if you think this is incorrect.

The administrator of this cache is <removed>.

Generated Sat, 26 Oct 2013 19:35:02 GMT by ZaphodBeeblebrox (squid/3.2.13)
```

What must I do to make squid accept dansguardian?

Here are some config files:

```
ZaphodBeeblebrox ~ # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
```

```
elmarotter@ZaphodBeeblebrox ~ $ sed -e 's/#.*//' -e '/^$/ d' /etc/squid/squid.conf
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl CONNECT method CONNECT
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 8080
acl CONNECT method CONNECT
acl DansGuardian src 192.168.0.1
acl ALL src all
http_access allow manager localhost
http_access allow localnet
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access deny !Safe_ports
http_access allow DansGuardian
http_access deny to_localhost
http_access deny all
http_port 3128 intercept
cache_dir ufs /var/cache/squid 100 16 256
cache_mem 256 MB
cache_dir ufs /usr/tmp/squid/cache 50000 64 512
coredump_dir /usr/tmp/squid/cache
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
refresh_pattern .      0   20%   4320
cache_effective_user squid
cache_effective_group squid
```

```
elmarotter@ZaphodBeeblebrox ~ $ sed -e 's/#.*//' -e '/^$/ d' /etc/dansguardian/dansguardian.conf
reportinglevel = 3
languagedir = '/usr/share/dansguardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = 2
logfileformat = 1
loglocation = '/var/log/dansguardian/access.log'
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'http://elmarotter.eu/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 1
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
daemonuser = 'clamav'
daemongroup = 'clamav'
softrestart = off
mailer = '/usr/sbin/sendmail -t'
originalip = off
```

```
elmarotter@ZaphodBeeblebrox ~ $ sed -e 's/#.*//' -e '/^$/ d' /etc/dansguardian/dansguardianf1.conf
groupmode = 1
groupname = 'group_one'
bannedphraselist = '/etc/dansguardian/lists/bannedphraselist'
weightedphraselist = '/etc/dansguardian/lists/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/lists/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelist'
greysitelist = '/etc/dansguardian/lists/greysitelist'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist'
bannedurllist = '/etc/dansguardian/lists/bannedurllist'
greyurllist = '/etc/dansguardian/lists/greyurllist'
exceptionurllist = '/etc/dansguardian/lists/exceptionurllist'
exceptionregexpurllist = '/etc/dansguardian/lists/exceptionregexpurllist'
bannedregexpurllist = '/etc/dansguardian/lists/bannedregexpurllist'
picsfile = '/etc/dansguardian/lists/pics'
contentregexplist = '/etc/dansguardian/lists/contentregexplist'
urlregexplist = '/etc/dansguardian/lists/urlregexplist'
blockdownloads = off
exceptionextensionlist = '/etc/dansguardian/lists/exceptionextensionlist'
exceptionmimetypelist = '/etc/dansguardian/lists/exceptionmimetypelist'
bannedextensionlist = '/etc/dansguardian/lists/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/lists/bannedmimetypelist'
exceptionfilesitelist = '/etc/dansguardian/lists/exceptionfilesitelist'
exceptionfileurllist = '/etc/dansguardian/lists/exceptionfileurllist'
headerregexplist = '/etc/dansguardian/lists/headerregexplist'
bannedregexpheaderlist = '/etc/dansguardian/lists/bannedregexpheaderlist'
naughtynesslimit = 50
categorydisplaythreshold = 0
embeddedurlweight = 0
enablepics = off
bypass = 0
bypasskey = ''
infectionbypass = 0
infectionbypasskey = ''
infectionbypasserrorsonly = on
disablecontentscan = off
deepurlanalysis = off
usesmtp = off
mailfrom = ''
avadmin = ''
contentadmin = ''
avsubject = 'dansguardian virus block'
contentsubject = 'dansguardian violation'
notifyav = off
notifycontent = off
thresholdbyuser = off
violations = 0
threshold = 0
```

```
elmarotter@ZaphodBeeblebrox ~ $ ifconfig
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::201:c0ff:fe09:bd9a  prefixlen 64  scopeid 0x20<link>
        ether 00:01:c0:09:bd:9a  txqueuelen 1000  (Ethernet)
        RX packets 2017928  bytes 1461779926 (1.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1385694  bytes 1150461380 (1.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 38769  bytes 18607657 (17.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38769  bytes 18607657 (17.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.178.21  netmask 255.255.255.0  broadcast 192.168.178.255
        inet6 fe80::20d:f0ff:fe7d:ed98  prefixlen 64  scopeid 0x20<link>
        inet6 2001:981:88b0:1:20d:f0ff:fe7d:ed98  prefixlen 64  scopeid 0x0<global>
        ether 00:0d:f0:7d:ed:98  txqueuelen 1000  (Ethernet)
        RX packets 5233510  bytes 1673947926 (1.5 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5695352  bytes 3096026591 (2.8 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

----------
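The "Access denied" page in the post is Squid's `http_access` verdict, and the posted rules explain it: DansGuardian is configured with `proxyip = 127.0.0.1`, so its connection to Squid arrives from loopback, which matches neither `localnet` (192.168.0.0/24) nor `acl DansGuardian src 192.168.0.1`; the predefined `localhost` ACL is only used together with `manager`, so the request falls through to `http_access deny all`. The following is an added example, not code from the post or from Squid: a small Python model of how Squid walks `http_access` lines (first line whose terms all match decides; a `!` term must not match; if no line matches, the opposite of the last line applies), run against the ACL lines the post shows and against a corrected rule set. The corrected rules and the request details (a loopback source for the relayed request, a LAN client at 192.168.0.50 connecting to port 3128 directly, and 203.0.113.10 as a stand-in origin address) are this example's assumptions, not anything the post states.

```python
"""Model of Squid's http_access walk (added example, not the post's code): the
first line whose terms all match decides; if none matches, Squid applies the
opposite of the last line. Only the ACL types the post uses (src, dst, port,
method) and the ACLs Squid 3.2 predefines are modelled; http_port is not."""
import ipaddress
import re

BUILTIN_ACLS = {  # predefined by Squid 3.2; the posted config uses them undeclared
    "all": ("src", ["all"]),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "to_localhost": ("dst", ["127.0.0.0/8", "::1/128"]),
    "manager": ("url_regex", [r"^cache_object://", r"/squid-internal-mgr/"]),
}

def parse(conf):
    """Return (acls, rules): {name: (type, values)} and [(action, terms, line)]."""
    acls = {n: (t, list(v)) for n, (t, v) in BUILTIN_ACLS.items()}
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["acl"]:  # repeated 'acl NAME' lines accumulate values
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:], " ".join(words)))
    return acls, rules

def acl_matches(acls, name, req):
    """Does the named ACL match the request dict?"""
    typ, values = acls[name]
    if typ in ("src", "dst"):  # 'all', or any listed network containing the address
        addr = ipaddress.ip_address(req[typ])
        return any(v == "all" or addr in ipaddress.ip_network(v, strict=False) for v in values)
    if typ == "port":  # single ports or low-high ranges
        return any(int(lo) <= req["port"] <= int(hi or lo) for lo, _, hi in (v.partition("-") for v in values))
    if typ == "method":
        return req["method"].upper() in [v.upper() for v in values]
    if typ == "url_regex":
        return any(re.search(v, req["url"]) for v in values)
    raise ValueError("ACL type not modelled: " + typ)

def evaluate(parsed, req):
    """Return (action, deciding line) for one request."""
    acls, rules = parsed
    for action, terms, line in rules:
        # every term must pass; a '!' term passes only when its ACL does NOT match
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, line
    last = rules[-1][0] if rules else "allow"
    return ("deny" if last == "allow" else "allow"), "<no line matched>"

# ACL/http_access lines from the posted squid.conf (Safe_ports list abbreviated).
POSTED = """acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl DansGuardian src 192.168.0.1
http_access allow manager localhost
http_access allow localnet
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access deny !Safe_ports
http_access allow DansGuardian
http_access deny to_localhost
http_access deny all
"""

# Suggested replacement (this example's assumption, not the post's): DansGuardian
# connects to proxyip=127.0.0.1, so match loopback; drop 'allow localnet' so a LAN
# host cannot skip the filter by talking to Squid on 3128 directly.
FIXED = """acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl DansGuardian src 127.0.0.1/32
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow DansGuardian
http_access deny all
"""

# Constructed requests; 203.0.113.10 (documentation range) stands in for the origin server.
DG_RELAYED = dict(src="127.0.0.1", dst="203.0.113.10", port=80, method="GET", url="http://www.nrc.nl/")
LAN_DIRECT = dict(src="192.168.0.50", dst="203.0.113.10", port=80, method="GET", url="http://www.nrc.nl/")

def verdicts(conf):
    """(verdict for the DansGuardian-relayed request, verdict for a LAN host hitting 3128 directly)"""
    parsed = parse(conf)
    return evaluate(parsed, DG_RELAYED), evaluate(parsed, LAN_DIRECT)

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, verdicts(conf))
```

Under the posted rules the relayed request ends at `deny all` while a LAN host that connects to port 3128 directly is let through by `allow localnet`, which is the opposite of what a filtering proxy wants. The corrected set allows only loopback (where DansGuardian connects from) and denies everything else, so the only path to Squid is through the filter. Two things the model does not cover still need changing alongside the ACLs: DansGuardian makes an ordinary forward-proxy connection to `proxyip:proxyport`, not a NAT-redirected one, so the `intercept` flag on `http_port 3128` should go and the port is best bound to loopback only (`http_port 127.0.0.1:3128`); and the `REDIRECT` rule on enp2s0 only catches port 80, so HTTPS is not filtered by this setup at all.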

