# [SOLVED] Dansguardian+squid not working

## Joseph_sys

I've set up dansguardian+squid but I cannot get it to work. I used instructions from:

http://www.gentoo-wiki.info/Dansguardian

iptables -t nat -L

```
Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination

REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 8080

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination
```

dansguardian/dansguardian.conf

```
reportinglevel = 3

languagedir = '/usr/share/dansguardian/languages'

language = 'ukenglish'

loglevel = 2

logexceptionhits = 2

logfileformat = 1

filterip =

filterport = 8080

proxyip = 127.0.0.1

proxyport = 3128

accessdeniedaddress = 'http://localhost/cgi-bin/dansguardian.pl'

nonstandarddelimiter = on

usecustombannedimage = on

custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'

filtergroups = 1

filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'

bannediplist = '/etc/dansguardian/lists/bannediplist'

exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'

showweightedfound = on

weightedphrasemode = 2

urlcachenumber = 1000

urlcacheage = 900

scancleancache = on

phrasefiltermode = 2

preservecase = 0

hexdecodecontent = off

forcequicksearch = off

reverseaddresslookups = off

reverseclientiplookups = off

logclienthostnames = off

createlistcachefiles = on

maxuploadsize = -1

maxcontentfiltersize = 256

maxcontentramcachescansize = 2000

maxcontentfilecachescansize = 20000

filecachedir = '/tmp'

deletedownloadedtempfiles = on

initialtrickledelay = 20

trickledelay = 10

downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'

downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'

contentscannertimeout = 60

contentscanexceptions = off

recheckreplacedurls = off

forwardedfor = off

usexforwardedfor = off

logconnectionhandlingerrors = on

logchildprocesshandling = off

maxchildren = 120

minchildren = 8

minsparechildren = 4

preforkchildren = 6

maxsparechildren = 32

maxagechildren = 500

maxips = 0

ipcfilename = '/tmp/.dguardianipc'

urlipcfilename = '/tmp/.dguardianurlipc'

ipipcfilename = '/tmp/.dguardianipipc'

nodaemon = off

nologger = off

logadblocks = off

loguseragent = off

softrestart = off

mailer = '/usr/sbin/sendmail -t'
```

squid.conf

```
acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl localnet src 10.0.0.0/8

acl SSL_ports port 443

acl Safe_ports port 80

acl Safe_ports port 21

acl Safe_ports port 443

acl Safe_ports port 70

acl Safe_ports port 210

acl Safe_ports port 1025-65535

acl Safe_ports port 280

acl Safe_ports port 488

acl Safe_ports port 591

acl Safe_ports port 777

acl Safe_ports port 901

acl purge method PURGE

acl CONNECT method CONNECT

http_access allow manager localhost

http_access deny manager

http_access allow purge localhost

http_access deny purge

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

acl our_networks src 10.0.0.0/24 127.0.0.1

http_access allow our_networks

http_access allow localhost

http_access deny all

icp_access allow localnet

icp_access deny all

http_port 127.0.0.1:3128 transparent

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?

cache deny QUERY

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]

upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache

broken_vary_encoding allow apache

forwarded_for off

coredump_dir /var/cache/squid
```

netstat -pantu

```
Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     4746/mysqld

tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN     5514/smbd

tcp        0      0 10.0.0.104:139          0.0.0.0:*               LISTEN     5514/smbd

tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN     5266/dansguardian

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     4962/apache2

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     4897/sshd

tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     5151/cupsd

tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN     6750/(squid)

tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN     4835/postmaster

tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     5460/master

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     4962/apache2

tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN     5514/smbd

tcp        0      0 10.0.0.104:445          0.0.0.0:*               LISTEN     5514/smbd

tcp        0      0 10.0.0.104:22           10.0.0.109:33494        ESTABLISHED6030/sshd: joseph [

udp        0      0 10.0.0.104:137          0.0.0.0:*                          5523/nmbd

udp        0      0 0.0.0.0:137             0.0.0.0:*                          5523/nmbd

udp        0      0 10.0.0.104:138          0.0.0.0:*                          5523/nmbd

udp        0      0 0.0.0.0:138             0.0.0.0:*                          5523/nmbd

udp        0      0 0.0.0.0:3130            0.0.0.0:*                          6750/(squid)

udp        0      0 127.0.0.1:37706         127.0.0.1:37706         ESTABLISHED4835/postmaster

udp        0      0 0.0.0.0:56932           0.0.0.0:*                          6750/(squid)

udp        0      0 0.0.0.0:631             0.0.0.0:*                          5151/cupsd
```

Logs:

tail -f /var/log/dansguardian/access.log

tail -f /var/log/squid/access.log

are not showing any activity.

Last edited by Joseph_sys on Fri Apr 10, 2009 3:39 am; edited 1 time in total

----------

## Joseph_sys

I configured the Firefox network settings to use a manual proxy:

    * Input 127.0.0.1 as the proxy IP

    * Input 8080 as the proxy port

and dansguardian is working. So it seems to me the iptables entry:

```

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
```

is not correct.

Does anybody have any idea what is missing?

----------

## Joseph_sys

Solved.

It seems to me the new kernel had rearranged something, so I had to set in the kernel:

CONFIG_NETFILTER_XT_MATCH_OWNER=y

----------

## fbcyborg

Hello, 

I was looking for a howto to set up squid+dansguardian+iptables and I found this thread. I also read many howtos, but without results.

I also read this one, but it didn't help me a lot.

First of all, this is my situation. My Gentoo server has two Ethernet interfaces: 

eth1 (which is connected directly to the Internet through a modem/router and it receives a dynamic IP from a DHCP server) 192.168.1.104

eth0 (that is the interface which creates another subnet 10.0.0.0/8 ) (A DHCP Server has been bound to this interface and releases 10.0.0.x IP addresses)

My first target is to set up squid as a transparent proxy server, because I don't want to configure each browser. It should be possible to browse the Internet automatically, without any further browser proxy configuration.

The eth1 interface's main purpose would be to serve as the path through which the 10.0.0.0/8 subnet can browse the Internet (the next step would be to set up dansguardian for web filtering).

There are many things that I don't understand, firstly I don't know if a bridge between eth0 and eth1 is really necessary.

Please, could you help me to set up squid to work in transparent mode?

Thanks a lot in advance.

----------

## Joseph_sys

Set up your iptables according to this link:

http://www.linux.com/articles/113733

----------

## fbcyborg

Thanks a lot Joseph_sys,

the iptables commands at the link you mentioned before are the same reported in this thread, actually.

Maybe the problem is somewhere else, for example in the squid configuration file.

I tried a lot of changes in the squid.conf file but nothing goes OK.

If I try to type some URL in my web browser client (10.0.0.2) I get the following results:

a) If automatic proxy detection is selected: Address not found

b) If manual proxy configuration has been set up: Proxy server refused connection. Firefox is configured to use a proxy server that is refusing connections.

c) No proxy: Address not found

d) Use system proxy settings: Address not found

What's going on?

EDIT: I made some change in the squid.conf file.

It seems to work now, but only if I specify the proxy server in the Firefox preferences (i.e. 10.0.0.1:3128). It does not seem to work in transparent mode, and I can't understand why.

Another problem is that, if I try to connect to a URL using links2 (e.g. links2 www.google.it), due to the firewall it gives me "Connection refused". I need to solve this problem as well, since it may cause problems while fetching files for emerge.

----------

## Joseph_sys

Post your output of:

iptables -t nat -L

----------

## fbcyborg

Here we go:

```

# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http owner UID match squid

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3128 owner UID match squid

REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 8080
```

Thanks a lot.  :Smile: 

----------

## Joseph_sys

 *fbcyborg wrote:*   

> Here we go:
> 
> ```
> 
> # iptables -t nat -L
> ...

 

iptables looks OK to me.

Did you start iptables, squid and dansguardian?

Compare your squid.conf to mine:

```
sed -e 's/#.*//' -e '/^$/ d' /etc/squid/squid.conf

acl manager proto cache_object

acl localhost src 127.0.0.1/32

acl to_localhost dst 127.0.0.0/8

acl localnet src 10.0.0.0/8

acl localnet src 172.16.0.0/12

acl localnet src 192.168.0.0/16

acl SSL_ports port 443

acl Safe_ports port 80

acl Safe_ports port 21

acl Safe_ports port 443

acl Safe_ports port 70

acl Safe_ports port 210

acl Safe_ports port 1025-65535

acl Safe_ports port 280

acl Safe_ports port 488

acl Safe_ports port 591

acl Safe_ports port 777

acl Safe_ports port 901

acl purge method PURGE

acl CONNECT method CONNECT

http_access allow manager localhost

http_access deny manager

http_access allow purge localhost

http_access deny purge

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnet

http_access allow localhost

http_access deny all

icp_access allow localnet

icp_access deny all

htcp_access allow localnet

htcp_access deny all

http_port 3128

hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern (cgi-bin|\?)    0       0%      0

refresh_pattern .               0       20%     4320

icp_port 3130

forwarded_for off

coredump_dir /var/cache/squid
```

----------

## fbcyborg

I used your squid.conf, but it's the same as before. 

I can browse the Internet only if I set up a proxy in the browser preferences.   :Crying or Very sad: 

----------

## Joseph_sys

 *fbcyborg wrote:*   

> I used your squid.conf, but it's the same as before. 
> 
> I can browse the Internet only if I set up a proxy in the browser preferences.  

 

What is your internal network IP?

----------

## fbcyborg

The IP the HTTP requests come from is 10.0.0.2.

----------

## Joseph_sys

 *fbcyborg wrote:*   

> The IP where http request come from is 10.0.0.2.

 

Do you see any activity in:

/var/log/squid/access.log

tail /var/log/squid/access.log

----------

## fbcyborg

I don't see any activity! This could be the problem!

----------

## Joseph_sys

Another thing: check your dansguardian.conf.

here is mine: 

```
sed -e 's/#.*//' -e '/^$/ d' /etc/dansguardian/dansguardian.conf

reportinglevel = 3

languagedir = '/usr/share/dansguardian/languages'

language = 'ukenglish'

loglevel = 2

logexceptionhits = 2

logfileformat = 1

filterip =

filterport = 8080

proxyip = 127.0.0.1

proxyport = 3128

accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

nonstandarddelimiter = on

usecustombannedimage = on

custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'

filtergroups = 1

filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'

bannediplist = '/etc/dansguardian/lists/bannediplist'

exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'

showweightedfound = on

weightedphrasemode = 2

urlcachenumber = 1000

urlcacheage = 900

scancleancache = on

phrasefiltermode = 2

preservecase = 0

hexdecodecontent = off

forcequicksearch = off

reverseaddresslookups = off

reverseclientiplookups = off

logclienthostnames = off

createlistcachefiles = on

maxuploadsize = -1

maxcontentfiltersize = 256

maxcontentramcachescansize = 2000

maxcontentfilecachescansize = 20000

filecachedir = '/tmp'

deletedownloadedtempfiles = on

initialtrickledelay = 20

trickledelay = 10

downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'

downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'

contentscannertimeout = 60

contentscanexceptions = off

recheckreplacedurls = off

forwardedfor = off

usexforwardedfor = off

logconnectionhandlingerrors = on

logchildprocesshandling = off

maxchildren = 120

minchildren = 8

minsparechildren = 4

preforkchildren = 6

maxsparechildren = 32

maxagechildren = 500

maxips = 0

ipcfilename = '/tmp/.dguardianipc'

urlipcfilename = '/tmp/.dguardianurlipc'

ipipcfilename = '/tmp/.dguardianipipc'

nodaemon = off

nologger = off

logadblocks = off

loguseragent = off

softrestart = off

mailer = '/usr/sbin/sendmail -t'
```

----------

## Joseph_sys

The way it works is as follows:

```
    * browser -> port 80 ->

    * firewall redirects to 8080 ->

    * dansguardian listens on 8080 and outputs on 3128 ->

    * squid listening on 3128

    * ->www
```

see:

http://www.gentoo-wiki.info/Dansguardian

----------

## Joseph_sys

 *fbcyborg wrote:*   

> I don't see any activity! This could be the problem!

 

so you should have some entries in: /var/log/dansguardian/access.log

tail -f /var/log/dansguardian/access.log

----------

## fbcyborg

I've already seen http://www.gentoo-wiki.info/Dansguardian . 

But I couldn't get it working. Maybe I've made a lot of confusion reading all these howtos.

I tried your dansguardian.conf but I also had to add the two following lines:

```
daemonuser = 'squid'

daemongroup = 'squid'
```

That's because when starting dansguardian I got:

```
Error opening/creating log file. (check ownership and access rights).

I am running as clamav and I am trying to open /var/log/dansguardian//access.log
```

I don't know if it is necessary to unmerge squid and dansguardian and restart from the beginning.

Note that I tried to do as this howto describes, but a lot of problems happened to me.

```
tail -f /var/log/dansguardian/access.log
```

gives me nothing during browsing attempts.

----------

## Joseph_sys

Well, I'm not sure what the problem can be. Try unmerging squid and dansguardian, remove all the configuration files from etc/... pertaining to these entries and copy my configuration settings. This is a working copy from my amd64.

Why do you have to add 

daemonuser = 'squid'

daemongroup = 'squid'

----------

## fbcyborg

 *Joseph_sys wrote:*   

> Well, I'm not sure what can be the problem. Try unmerging squid, dansguardian, remove all the configuration files from etc/... pertaining to these entires and copy my configuration setting.  This is a working copy from my amd64

 

I guess you have the same situation as me, as regards the presence of two Ethernet interfaces. Is that right?

 *Joseph_sys wrote:*   

> 
> 
> Why do you have to add 
> 
> daemonuser = 'squid'
> ...

 

I added those lines, as described here at point 3.2.

----------

## Joseph_sys

Try to follow simple troubleshooting: 

One of your entries is not working:

If this is the sequence of how it works:

* browser -> port 80 ->

* firewall redirects to 8080 ->

* dansguardian listens on 8080 and outputs on 3128 ->

* squid listening on 3128

* ->www

Stop iptables and see if you can access the internet; if you can, it means it is working.

Then start it back up.

Next, check dansguardian; you should have some entries in the log

etc.

----------

## fbcyborg

The main problem is that I should not have to set a proxy server inside the Firefox preferences. If I don't do that, there's no way to access the Internet.

----------

## Joseph_sys

 *fbcyborg wrote:*   

> The main problem is that I should not set a proxy server inside firefox preferences. If I don't do that, there's no way to access to the Internet.

 

Yes, remove the proxy setting from firefox and try to eliminate one application at a time.

If you stop iptables and you are able to access the internet, it means iptables is working; go on to the next one.

I'm not sure if your interfaces have anything to do with it; iptables redirects all requests to port 8080.

----------

## fbcyborg

Ok, could we try to setup only squid?

By the way, I was trying to setup only the proxy, but without any important result.

It may be useful to set up squid so that it listens for all requests on port 80.

So, if only squid is running on my server, I should be able to browse the Internet.

This is what happens if I try to do that:

(All times the browser settings are set as "No proxy")

dansguardian, iptables, apache are stopped.

Squid is listening on port 80:

typing www.gentoo.org gives me Address not found

And this is what tcpdump says:

```
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

09:06:29.199558 IP 10.0.0.2.54821 > ML310-G5.myworkgroup.domain: 27770+ A? www.gentoo.org. (32)

09:06:29.232341 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 68

09:06:29.200007 IP 10.0.0.2.45761 > ML310-G5.myworkgroup.domain: 27770+ A? www.gentoo.org. (32)

09:06:29.200021 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 68

09:06:29.200257 IP 10.0.0.2.53802 > ML310-G5.myworkgroup.domain: 46166+ A? www.gentoo.org.myworkgroup.lan. (46)

09:06:29.200267 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 82

09:06:29.200507 IP 10.0.0.2.34540 > ML310-G5.myworkgroup.domain: 46166+ A? www.gentoo.org.myworkgroup.lan. (46)

09:06:29.200524 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 82

09:06:29.201005 IP 10.0.0.2.58217 > ML310-G5.myworkgroup.domain: 29878+ A? www.gentoo.org. (32)

09:06:29.201016 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 68

09:06:29.201256 IP 10.0.0.2.34343 > ML310-G5.myworkgroup.domain: 29878+ A? www.gentoo.org. (32)

09:06:29.201267 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 68

09:06:29.201506 IP 10.0.0.2.37347 > ML310-G5.myworkgroup.domain: 2144+ A? www.gentoo.org.myworkgroup.lan. (46)

09:06:34.207863 IP 10.0.0.2.37347 > ML310-G5.myworkgroup.domain: 2144+ A? www.gentoo.org.myworkgroup.lan. (46)

09:06:34.207888 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 82

09:06:34.214358 IP 10.0.0.2.37005 > ML310-G5.myworkgroup.domain: 26648+ A? toolbarqueries.google.it. (42)

09:06:34.214375 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 78

09:06:34.214609 IP 10.0.0.2.47547 > ML310-G5.myworkgroup.domain: 26648+ A? toolbarqueries.google.it. (42)

09:06:34.214623 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 78

09:06:34.214859 IP 10.0.0.2.34478 > ML310-G5.myworkgroup.domain: 41084+[|domain]

09:06:34.214872 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 92

09:06:34.215108 IP 10.0.0.2.35466 > ML310-G5.myworkgroup.domain: 41084+[|domain]

09:06:34.215123 IP ML310-G5.myworkgroup > 10.0.0.2: ICMP ML310-G5.myworkgroup udp port domain unreachable, length 92
```

Thanks for your support.

----------

