xtimmahx n00b
Joined: 23 Jan 2007 Posts: 3
Posted: Tue Jan 23, 2007 5:52 pm Post subject: a transparent content filter proxy, having some problems
Hi all,
I'm having some issues with a server I had set up for a customer a while back. I'll give you some background on the situation first...
I had set up a proxy server with 2 NICs on the same subnet, and had configured masquerading with what would be the "external" interface set up to point to the actual router that served the internet connection, squid, dansguardian, and enabled the port redirection for transparent proxying. For a while this worked fine, and then he started to have some problems with sites loading very slowly, or timing out completely. I took a look into it, and after some research I realized that I had misconfigured things and that because I had 2 NICs on the same subnet with the same subnet mask, I was running into routing issues and that sites were taking long to load or timing out because the routing table on the box was seeing 2 valid interfaces to forward traffic to, and for that reason traffic was never really being forwarded properly, even though I had IP masquerading set up.
In my time spent searching around for a solution, one user posted that he rectified the same situation by removing 1 NIC, and simply creating subinterfaces, and masquerading through them. The idea behind it was to have only 1 physical interface present on the system, thereby removing extra routing table entries that could contribute to the problem. This made sense to me, and so I tried it myself. Removed the second NIC, and set up a subinterface. Adjusted my firewall rules, and tested the system at my office. Everything seemed to be in order. Simple gateway access, to squid, to dansguardian. I tried everything one step at a time, and had fast caching with no sites misbehaving. I thought the issue was solved.
I brought the box back to my customer and set it up again on his network. I did a quick test and it seemed to work. He has since called me back saying that the problem has resurfaced. Once again I checked it out on his network and found that he was correct. I verified my configuration and everything looks good. Squid, dansguardian, iptables, everything *seems* to be set up correctly, according to the howtos I've been following. While I still had the 2 NICs in the server, even when disabling squid and dans, and just using the system as a gateway, I experienced slow surfing or timeouts. Now with the single NIC, I can easily use the system as a plain gateway with no difficulties, but as soon as I add the proxy into the mix, transparent or not, I see the problem after visiting 2 or 3 sites. If I rerun the scripts and restart squid and dans, I can surf another 3 sites quickly before the slowdown comes back.
My guess is that it's working up until the TCP/IP buffers (or something along those lines) gets full of open sessions, and at that point it just lags out. Tailing the squid logs shows the hits from the first 2 to 3 sites, and then no requests come through, though I am sitting at the test workstation typing in new site addresses to surf to. It just times out with "page cannot be displayed."
I think it's a configuration issue due to a misunderstanding on my part, but I just don't know where to look anymore. Below are the relevant pieces of my config files that I have setup. I'm hoping that someone here can point out my mistake, and help me solve this issue. If you need any more information, please let me know, and I will be happy to provide it.
Just a recap of what works and what doesn't, and I'll post configs after:
Box as a gateway, squid enabled, dans enabled, transparency enabled = NOT OK
Box as a gateway, squid enabled, dans enabled, transparency disabled (manual browser configuration) = NOT OK
Box as a gateway, squid enabled, dans disabled, transparency disabled = NOT OK
Box as a gateway, squid disabled, dans disabled, transparency disabled = OK
Test workstation pointed to internet router for gateway, manually configured for proxy access to server = NOT OK
/etc/conf.d/net
config_eth0=(
"10.52.96.149/24"
"10.52.96.148/24"
)
routes_eth0=( "default gw 10.52.96.17" )
The default gateway statement here points to the router that actually connects to the internet, which is a sonicwall.
Just to ease the reading:
10.52.96.149 = eth0, treated as "internal" address
10.52.96.148 = eth0:1, treated as "external" address, or outgoing interface that forwards to the sonicwall router
10.52.96.17 = sonicwall router address, physically connects to internet via DSL connection.
/etc/init.d/firewall (firewall rule script, loads on startup)
# First we flush our current rules
iptables -F
iptables -t nat -F
# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Copy and paste these examples ...
export LAN=eth0
export WAN=eth0:1
# Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 10.52.96.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 10.52.96.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.52.96.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# Enables transparent proxying
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
/etc/dansguardian/dansguardian.conf (relevant portion posted below):
filterip = 10.52.96.149
# the port that DansGuardian listens to.
filterport = 8080
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1
# the port DansGuardian connects to proxy on
proxyport = 3128
the relevant entries from /etc/init.d/squid.conf (I won't paste the whole file)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
the access lists permitting traffic on the local network and the implicit deny afterwards are in there as well.
The howto I followed is here, http://tldp.org/HOWTO/TransparentProxy.html
Thanks in advance for any help you guys can give me. I'm just plain out of ideas on this one.
My apologies for the long read.
Tim
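The firewall script above matches on an alias name (eth0:1) and forwards out the same device packets arrive on. As an added example, not code from the thread, the POSIX shell script below audits an iptables-save style dump for exactly those two properties plus the REDIRECT port and chain policies. SAMPLE_RULES is constructed by hand to mirror the poster's rules; the precise text iptables-save would print for them is an assumption, and the only facts the checks rely on are that netfilter matches on the real net_device (an alias such as eth0:1 is just a second address on eth0, so a rule naming it never matches) and that the kernel sends ICMP redirects for packets forwarded out the interface they came in on when send_redirects is enabled.

```shell
#!/bin/sh
# Added example (not from the forum post): audit an iptables-save dump for
# transparent-proxy pitfalls. SAMPLE_RULES is a constructed rendering of the
# poster's /etc/init.d/firewall script (exact iptables-save text assumed).

SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0:1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -d 10.52.96.0/24 -j DROP
-A FORWARD -i eth0 -s 10.52.96.0/24 -j ACCEPT
-A FORWARD -i eth0:1 -d 10.52.96.0/24 -j ACCEPT
COMMIT'

# Count rules whose -i/-o operand is an IP alias (name contains ':').
# Netfilter matches on the underlying net_device; eth0:1 is only a second
# address on eth0, so a rule written against it never matches any packet.
count_alias_interface_rules() {
    printf '%s\n' "$1" | awk '
        /^-A/ {
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && index($(i + 1), ":") > 0) { n++; break }
        }
        END { print n + 0 }'
}

# Print the port that inbound TCP/80 is redirected to by nat/PREROUTING
# (prints nothing when there is no such REDIRECT rule).
redirect_target_port() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2) }
        table == "nat" && $2 == "PREROUTING" {
            port = ""; to = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--dport")    port = $(i + 1)
                if ($i == "--to-ports") to = $(i + 1)
            }
            if (port == "80" && to != "") print to
        }'
}

# Print the default policy of chain $3 in table $2.
chain_policy() {
    printf '%s\n' "$1" | awk -v t="$2" -v c="$3" '
        BEGIN { key = ":" c }
        /^\*/ { table = substr($1, 2) }
        table == t && $1 == key { print $2 }'
}

# List the distinct physical devices named by -i/-o, alias suffixes removed.
physical_devices() {
    printf '%s\n' "$1" | awk '
        /^-A/ {
            for (i = 1; i < NF; i++)
                if ($i == "-i" || $i == "-o") { d = $(i + 1); sub(/:.*/, "", d); seen[d] = 1 }
        }
        END { for (d in seen) print d }' | sort
}

# Human-readable summary of the checks above.
audit_report() {
    rules=$1
    port=$(redirect_target_port "$rules")
    aliases=$(count_alias_interface_rules "$rules")
    devices=$(physical_devices "$rules" | wc -l | tr -d ' ')
    echo "FORWARD policy:       $(chain_policy "$rules" filter FORWARD)"
    echo "TCP/80 redirected to: ${port:-no REDIRECT rule}"
    echo "Rules on alias names: $aliases (these never match; name the real device instead)"
    if [ "$devices" -eq 1 ]; then
        echo "Single-armed gateway: forwarded flows leave on the device they arrived on;"
        echo "with net.ipv4.conf.*.send_redirects=1 the kernel ICMP-redirects clients to"
        echo "the next-hop router, and clients that honour it then bypass this box."
    fi
}

audit_report "$SAMPLE_RULES"
```

To run it against a live box, replace the sample with the real ruleset: `audit_report "$(iptables-save)"`. The redirect warning applies only to flows the box actually forwards; port-80 connections caught by the REDIRECT rule are delivered locally to the filter and are not subject to it.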
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
xtimmahx n00b
Joined: 23 Jan 2007 Posts: 3
Posted: Tue Jan 23, 2007 10:57 pm Post subject:
Nope, thanks though. I did at one point try installing squid 2.6, but reverted back to 2.5 since I was more comfortable with the configuration.