
How to integrate between iptables, dansguardian and squid?

18 years 6 months ago #13590 by janekim
I'm a newbie in Linux as well as firewalls. Currently I need to develop a project, which is to build up a firewall system for a school using iptables, dansguardian and squid.

Does anyone know how to integrate iptables, dansguardian and squid so that a small LAN can access the internet via the firewall?

Thanks in advance.
18 years 6 months ago #13592 by DaLight
Welcome to firewall.cx, janekim.
Check out the following threads, here and here, then come back with any questions you have and we will be able to help you.
18 years 6 months ago #13595 by janekim
Thanks DaLight!
I have gone through the threads you suggested, but I still can't solve my problem.
The following are some of my problems:
1. How to write iptables commands in order to redirect traffic:
client --> dansguardian --> squid --> internet
(client, dansguardian and squid are on one PC)
I have tried the following commands, but the browser prompts Access Denied.
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080

2. Do I need to make changes to dansguardian.conf and squid.conf in order to do the most basic configuration?
The following are the changes I have made:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

I'm sorry if I asked a stupid question, but I am really lost.
Thanks in advance.
18 years 6 months ago #13616 by monsky
hi janekim,

Sorry to answer you only now... too busy. :)

For the purpose of isolating the problem, do this first. I assume that your configuration is like this:


stations --> eth0 | squid/dansguardian | eth1 --> external network


1. Make sure you already have the right connectivity, meaning you have identified your internal network and the external one (which is eth0 and which is eth1).

2. Is IP forwarding already enabled? Is NAT or IP masquerading already defined in iptables so that the traffic is NATted?

3. Can you ping, from a workstation on the same network, the internal IP of your Linux box, and even the external IP?

4. Leave the default iptables entries but delete these previous entries:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 80


Then enter these commands in the same sequence.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


The port of dansguardian is 8080; squid's is 3128.

Yes, you need to make changes to the ports being used in squid.conf and dansguardian.conf.

Don't hesitate to ask.
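The checklist above (forwarding, NAT, the REDIRECT into dansguardian) as one complete ruleset. This is an added example, not code from the thread or from either poster: it emits an iptables-restore file for monsky's layout, with the LAN assumed to be 10.0.0.0/15 on eth0, the external network on eth1, dansguardian listening on 8080 and squid on 3128. Because dansguardian itself opens the connection to squid (the proxyip/proxyport settings in dansguardian.conf), port 80 is redirected once, to 8080; a second REDIRECT of port 80 placed after it would never match, since iptables stops at the first matching rule. The ruleset also keeps squid's port unreachable from the stations, so a browser pointed straight at 3128 cannot skip the content filter.

```shell
#!/bin/sh
# Added example (not from the thread): emit a complete iptables-restore
# ruleset for the layout
#   stations --> eth0 | dansguardian:8080 -> squid:3128 | eth1 --> external
# Assumed values (override through the environment): LAN on eth0 as
# 10.0.0.0/15, WAN on eth1, dansguardian on 8080 handing off to squid on 3128.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/15}
DG_PORT=${DG_PORT:-8080}
SQUID_PORT=${SQUID_PORT:-3128}

build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Intercept LAN web traffic on the way in and hand it to dansguardian.
# Only one REDIRECT of --dport 80 is needed; a later one would never match.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $DG_PORT
# Hide the LAN behind the box's external address for everything else.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback carries dansguardian -> squid even when squid binds the LAN IP.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Checklist step 3: let stations ping the box.
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# Redirected port-80 packets reach INPUT with dport already rewritten to
# $DG_PORT; the same rule admits browsers that use the proxy explicitly.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $DG_PORT -j ACCEPT
# Squid must be reachable only from the box itself: a station that points
# its browser at $SQUID_PORT directly would skip the content filter.
# (Redundant under a DROP policy, kept so the intent survives later edits.)
-A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j DROP
# Everything that is not port 80 (HTTPS included) is forwarded unfiltered.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

apply_rules() {
    # Checklist step 2: route between eth0 and eth1, then load atomically.
    sysctl -w net.ipv4.ip_forward=1
    build_rules | iptables-restore
}

# Run as:  sh proxy-fw.sh apply      (anything else only prints the ruleset)
if [ "${1:-}" = apply ]; then apply_rules; else build_rules; fi
```

Print the ruleset first and read it, then run it with `apply` as root. The INPUT policy is DROP, so add your own rule for SSH or whatever you manage the box with before applying. Note that only port 80 passes through dansguardian; HTTPS and anything else from the LAN is forwarded without filtering.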
18 years 6 months ago #13618 by janekim
Thanks a lot, monsky. I really appreciate your help!!

I will try it later on because currently my PC only has one NIC.

Then, I would like to ask: do I need to make changes to squid.conf in order to allow the internal network to surf the internet?
I was using the default rules and I had entered:
acl mynetwork src 10.0.0.3/15
http_access allow mynetwork
but the browser keeps prompting me with Access Denied. Do you have any idea what is going on?

Thanks and thanks a lot!! :)
18 years 6 months ago #13628 by monsky
Specify the static IP of your internal network interface (ethx) in the
http_port x.x.x.x:port line in squid.conf (e.g. 10.0.0.1:3128).

In your example you use:

acl mynetwork src 10.0.0.3/15
http_access allow mynetwork


Maybe the right way is:

acl mynetwork src 10.0.0.0/15
http_access allow mynetwork

You put the subnet, 10.0.0.0.
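The correction above, as an added example that is not part of the thread: a value like 10.0.0.3/15 has host bits set, and squid matches on the network address, 10.0.0.0/15, warning at startup that the netmask masks away part of the specified IP. The script below computes that network address (for any prefix length, not only /15), rejects malformed input, and prints the squid.conf lines monsky describes. The function names are this example's own; only the emitted directives are squid.conf syntax.

```shell
#!/bin/sh
# Added example (not from the thread): normalize an "acl ... src" network
# to the address squid will actually match on, and emit the squid.conf
# fragment described in the reply above.

valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}

ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# normalize_cidr 10.0.0.3/15 -> 10.0.0.0/15 ; a bare address becomes /32;
# returns non-zero for a malformed address or a prefix outside 0..32.
normalize_cidr() {
    ip=${1%/*}; prefix=${1#*/}
    [ "$ip" != "$1" ] || prefix=32
    valid_ipv4 "$ip" || return 1
    case $prefix in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    echo "$(int_to_ip $(( $(ip_to_int "$ip") & mask )))/$prefix"
}

# emit_squid_acl NAME NETWORK LISTEN_IP PORT
# Prints the squid.conf lines; a note goes to stderr when host bits were set.
emit_squid_acl() {
    net=$(normalize_cidr "$2") || { echo "emit_squid_acl: bad network '$2'" >&2; return 1; }
    [ "$net" = "$2" ] || echo "note: '$2' has host bits set; squid matches on $net" >&2
    cat <<EOF
http_port $3:$4
acl $1 src $net
http_access allow $1
http_access deny all
EOF
}

# The value from the thread: printed in the form squid actually uses.
emit_squid_acl mynetwork 10.0.0.3/15 10.0.0.1 3128
```

Paste the printed lines into squid.conf, keeping the `http_access allow mynetwork` before the default `http_access deny all`, since squid applies the first matching http_access line.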