To: dansguardian@yahoogroups.com
From: "Ernest W. Lessenger" <ernest@oacys _ com>
Date: Sun, 06 Apr 2003 17:00:17 -0700
Subject: Re: [dansguardian] dansguardian not function

At 10:21 AM 4/6/2003 +0700, you wrote:
>Where can I find a manual (web) for running dansguardian as a transparent
>proxy?

There are many out there (just do the obvious google search), but they are 
mostly out of date. Here's the abbreviated version...

DG 2.5.x, Squid 2.5.x, Redhat 8.0 (iptables + kernel 2.4)

Step 0: Configure and compile Squid with the "--enable-linux-netfilter" option
Step 1: Set up DG and Squid so that they work in normal proxy mode.
Step 2: Add or update the following lines in squid.conf
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Step 3: Run the following command as root
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080
Where 8080 is the port that DG is running on. You may also want to add an 
exclusion for your own internal servers, etc. Do a "man iptables" for more 
help, or visit http://www.netfilter.org/.

If you want, you can set up a separate machine to handle the redirect...
iptables -t nat -A PREROUTING -m tcp -p tcp -s ! {DG's IP ADDRESS} --dport 80 -j DNAT --to {DG's IP ADDRESS}:8080
The "!" is important, because you don't want to redirect traffic from the 
filter server (infinite loop).

Step 3b: Run the following command as root
iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
This will block your kids/customers/employees from connecting to Squid 
directly in order to bypass the filter.

Step 3c: Run the following command as root
/etc/init.d/iptables save
"So let it be written, so let it be done..."

Step 4: Add or update these lines in /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
You will want to add lines for each interface.

Step 5: Forward traffic through your filter box (or whichever box is 
handling the redirect) by changing the default gateway on any filtered 
machines.

This works on my machine (DG 2.5, Redhat 8.0); it should work on yours. I 
am not responsible if you screw up, blah, blah, blah. Good luck :) Also, 
you've made enough kernel-level changes, etc., that it would be a good idea 
to reboot and make sure everything comes up running.

--Ernest
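Steps 3 and 3b above, written up as a small script that prints the rules for review and applies each one only if it is not already loaded. This is an added example, not part of Ernest's message or of DansGuardian; DG_IP, DG_PORT, SQUID_PORT and LAN_IF are placeholders, and it uses the current iptables negation syntax (`! -s`) instead of the older `-s !` form shown in the message.

```shell
#!/bin/sh
# Added example (not from the original post). Arguments are placeholders:
#   DG_IP      address of the host running DansGuardian
#   DG_PORT    port DansGuardian listens on (8080 in the message)
#   SQUID_PORT port Squid listens on (3128 in the message)
#   LAN_IF     interface the filtered clients arrive on
#   MODE       "local" (redirect on the filter box) or "dnat" (separate router)

# Print the rules as iptables commands so they can be reviewed before use.
build_rules() {
    dg_ip=$1 dg_port=$2 squid_port=$3 lan_if=$4 mode=${5:-local}
    if [ "$mode" = local ]; then
        # Step 3: redirect client port-80 traffic to DansGuardian, excluding
        # traffic from the filter host itself so Squid's fetches are not looped.
        echo "iptables -t nat -A PREROUTING -i $lan_if ! -s $dg_ip -p tcp --dport 80 -j REDIRECT --to-port $dg_port"
        # Step 3b: only loopback (i.e. DansGuardian) may reach Squid directly,
        # so clients cannot bypass the filter by pointing at Squid's port.
        echo "iptables -A INPUT -p tcp ! -s 127.0.0.1 --dport $squid_port -j DROP"
    else
        # Separate router box: send port-80 traffic to the filter host instead.
        # The Squid-only-from-loopback rule then belongs on the filter host.
        echo "iptables -t nat -A PREROUTING -i $lan_if ! -s $dg_ip -p tcp --dport 80 -j DNAT --to $dg_ip:$dg_port"
    fi
}

# Number of rules build_rules emits for the given arguments (self-check).
rule_count() {
    build_rules "$@" | wc -l | tr -d ' '
}

# Apply each rule unless "iptables -C" reports it is already present, so the
# script can be re-run (e.g. after a reboot) without duplicating rules.
apply_rules() {
    build_rules "$@" | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        if $check 2>/dev/null; then
            echo "already present: $cmd"
        else
            $cmd
        fi
    done
}

# Usage: ./redirect.sh apply DG_IP DG_PORT SQUID_PORT LAN_IF [local|dnat]
# Without "apply" the script only defines the functions (useful for review).
if [ "${1:-}" = "apply" ]; then
    shift
    apply_rules "$@"
fi
```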