# dansguardian/squid/shorewall problem

## thecooptoo

I've got a config that's

client -> server -> Dansguardian -> Squid -> onward, and I want to transparently redirect web traffic to DG/Squid.

Not sure where the problem lies.

When I point a browser straight at 3128 or 3129 I get web pages back and the appropriate stuff in the logs.

I get a squid error when the client browser is configured for 'direct connection'.

squid log

direct connection (ie shorewall)

```
1168243262.106      1 10.0.0.159 TCP_DENIED/400 1929 GET error:invalid-request - NONE/- text/html
```

client browser -> port 3129

```
1168243337.878    209 127.0.0.1 TCP_MISS/200 21875 GET http://www.google.co.uk/search? - DIRECT/66.249.85.99 text/html
```

client browser -> 3128

```
1168243389.259    304 10.0.0.159 TCP_MISS/200 6117 GET http://www.google.co.uk/search? - DIRECT/66.249.85.104 text/html
```

I can't spot what the problem is, I'm afraid.

Thanks for the help.

```
gravity ~ # grep ^[A-Za-z] /etc/shorewall/rules
Web/ACCEPT  net       $FW
Web/ACCEPT  loc       $FW
...
```

----------

## dashnu

Not sure exactly what Shorewall is doing, but you want to redirect port 80 to 3129, then Dans will handle the redirect to Squid... Looks like you are redirecting 80 to 3128, aka Squid.... By default Dans listens on 8080; why are you changing the ports around?

FWIW, my iptables rule:

```
$IPT -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 8080
```

----------

## thecooptoo

I have had Zope on 8080 in the past, hence changing it. So I've put it back.

```
gravity ~ # grep ^[A-Za-z] /etc/shorewalll/rules
grep: /etc/shorewalll/rules: No such file or directory
gravity ~ # grep ^[A-Za-z] /etc/shorewall/rules
Web/ACCEPT  net       $FW
Web/ACCEPT  loc       $FW
SMB/ACCEPT      $FW      loc
SMB/ACCEPT      loc      $FW
DNS/ACCEPT      $FW             net
DNS/ACCEPT      loc             $FW
SSH/ACCEPT      loc             $FW
SSH/ACCEPT      net             $FW
Webmin/ACCEPT   loc             $FW
Webmin/ACCEPT   net             $FW
Ping/ACCEPT     loc             $FW
Ping/ACCEPT     net             $FW
REDIRECT  loc        8080     tcp      www              -
ACCEPT    $FW         net      tcp      www
gravity ~ # grep ^[A-Za-z] /etc/dansguardian/dansguardian.conf
reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = on
logfileformat = 1
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = 0
forcequicksearch = 0
reverseaddresslookups = off
reverseclientiplookups = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
preemptivebanning = on
forwardedfor = on
usexforwardedfor = off
logconnectionhandlingerrors = on
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
nodaemon = off
nologger = off
softrestart = off
gravity ~ # grep ^[A-Za-z] /etc/squid/squid.conf
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/24 10.0.0.0/24 127.0.0.1
http_access allow our_networks
http_access allow localhost
http_reply_access allow all
icp_access allow all
forwarded_for off
coredump_dir /var/cache/squid
gravity ~ #
```

The client now gives this in DG:

```
2007.1.8 18:10:40 - 10.0.0.159 http://www.google.co.uk/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-GB%3Aofficial&hs=76o&q=wsedf&btnG=Search&meta=  GET 1346
```

and in squid:

```
1168280063.728      3 127.0.0.1 TCP_DENIED/400 1754 GET error:invalid-request - NONE/- text/html
1168280063.785      1 127.0.0.1 TCP_DENIED/400 1612 GET error:invalid-request - NONE/- text/html
```

I'm using squid-2.6.5 and dansguardian-2.8.0.6-r1.

----------

## jpl888

See the bit that says

```
http_port 3128
```

in your squid config?

That needs a "transparent" on the end, otherwise it won't proxy a thing directly.

And I think

```
filterport = 8080
```

in your Dansguardian config means it is still listening on port 8080.

So I would change "filterport" to "3128" and "http_port" to "3129" and that will work with your Shorewall config.

Happy transparent proxying!
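The configs thecooptoo posted above and jpl888's reply both come down to three ports having to line up: the Shorewall REDIRECT target must be DansGuardian's `filterport`, DansGuardian's `proxyport` must be one of Squid's `http_port` values, and (following jpl888) that `http_port` needs the `transparent` option. The checker below is an added example, not code from the thread or from the DansGuardian, Squid or Shorewall projects. It parses the relevant lines of the three files, reports any break in the chain, and counts the `TCP_DENIED/400 error:invalid-request` lines in a squid-format access.log. The sample fragments are constructed from the values posted in the thread; `SQUID_CONF_FIXED` is an assumed corrected fragment that keeps the posted REDIRECT-to-8080 rule and adds `transparent` to the existing `http_port 3128`, not a line from the thread.

```python
import re

# Constructed sample: the lines that matter from the configs posted in the thread.
SHOREWALL_RULES = """\
Web/ACCEPT  loc       $FW
REDIRECT  loc        8080     tcp      www              -
ACCEPT    $FW         net      tcp      www
"""

DANSGUARDIAN_CONF = """\
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
"""

SQUID_CONF = """\
http_port 3128
acl our_networks src 192.168.0.0/24 10.0.0.0/24 127.0.0.1
http_access allow our_networks
"""

# Assumed corrected Squid fragment (an assumption for this example, not from the thread).
SQUID_CONF_FIXED = "http_port 3128 transparent\n"

# Constructed sample access.log lines, in Squid's native log format, taken from the thread.
SQUID_LOG = """\
1168280063.728      3 127.0.0.1 TCP_DENIED/400 1754 GET error:invalid-request - NONE/- text/html
1168280063.785      1 127.0.0.1 TCP_DENIED/400 1612 GET error:invalid-request - NONE/- text/html
1168243389.259    304 10.0.0.159 TCP_MISS/200 6117 GET http://www.google.co.uk/search? - DIRECT/66.249.85.104 text/html
"""


def shorewall_redirect_port(rules):
    """Port that a Shorewall 'REDIRECT <zone> <port> tcp www' rule sends web traffic to, or None."""
    for line in rules.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "REDIRECT" and fields[3] == "tcp":
            return int(fields[2])
    return None


def dg_setting(conf, key):
    """Value of a 'key = value' line in dansguardian.conf, quotes and trailing comment stripped."""
    match = re.search(r"^\s*%s\s*=\s*([^#\n]*)" % re.escape(key), conf, re.M)
    return match.group(1).strip().strip("'\"") if match else None


def squid_http_ports(conf):
    """[(port, [options])] for every http_port line, e.g. 'http_port 3128 transparent'."""
    ports = []
    for line in conf.splitlines():
        fields = line.split()
        if fields and fields[0] == "http_port":
            port = int(fields[1].rsplit(":", 1)[-1])  # accept 'ip:port' as well as a bare port
            ports.append((port, fields[2:]))
    return ports


def check_chain(rules, dg_conf, squid_conf):
    """Return the list of inconsistencies in the REDIRECT -> DansGuardian -> Squid chain."""
    problems = []
    redirect = shorewall_redirect_port(rules)
    filterport = int(dg_setting(dg_conf, "filterport"))
    proxyport = int(dg_setting(dg_conf, "proxyport"))
    squid_ports = squid_http_ports(squid_conf)

    if redirect is None:
        problems.append("no Shorewall REDIRECT rule for tcp www: nothing is intercepted")
    elif redirect != filterport:
        problems.append("Shorewall redirects www to %d but DansGuardian filterport is %d"
                        % (redirect, filterport))
    if filterport == proxyport:
        problems.append("DansGuardian filterport equals proxyport: it would forward to itself")
    if proxyport not in [port for port, _ in squid_ports]:
        problems.append("DansGuardian proxyport %d does not match any Squid http_port" % proxyport)
    for port, options in squid_ports:
        if port == proxyport and "transparent" not in options:
            problems.append("Squid http_port %d has no 'transparent' option; intercepted requests "
                            "show up as TCP_DENIED/400 error:invalid-request" % port)
    return problems


def invalid_requests(log):
    """Count squid-format access.log lines that record a rejected request, per client IP."""
    counts = {}
    for line in log.splitlines():
        f = line.split()
        # fields: time elapsed client code/status bytes method url ...
        if len(f) >= 7 and f[3] == "TCP_DENIED/400" and f[6] == "error:invalid-request":
            counts[f[2]] = counts.get(f[2], 0) + 1
    return counts


if __name__ == "__main__":
    for label, conf in (("posted", SQUID_CONF), ("corrected", SQUID_CONF_FIXED)):
        print("%s squid config:" % label)
        for problem in check_chain(SHOREWALL_RULES, DANSGUARDIAN_CONF, conf) or ["chain is consistent"]:
            print("  -", problem)
    print("rejected requests per client:", invalid_requests(SQUID_LOG))
```

Run against the posted fragments it reports only the missing `transparent` option; with the assumed corrected `http_port` line the chain comes back clean. The `filterport == proxyport` check is there because swapping ports by hand, as this thread does, makes it easy to end up with DansGuardian pointed at its own listening port. Feed `invalid_requests()` a tail of the real access.log and a count that only ever appears against 127.0.0.1 tells you the rejected requests are the ones DansGuardian forwarded, not anything the clients sent to Squid directly.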

----------

## mikegpitt

Did you ever get this working? I'm having a big problem trying to redirect my http traffic to port 8080 for dansguardian. What do you use for your loc zone? I think that is the source of my problems.

You can take a look at my thread here:

https://forums.gentoo.org/viewtopic-t-537436.html

----------

