[isf-wifidog] Content filtering

[Benoit Grégoire]

On 13 November 2007, Eric S. Jensen wrote:
> Hello Wifidog list,
>
> What is the best way to configure iptables, Wifidog, and a web proxy so
> they work simulataneously?
>
> Specifically, I am trying to add tinyproxy to a Wifidog machine so it acts
> as a transparent proxy for all the traffic it routes.  These iptables rules
> that redirect port 80 to 8888 make tinyproxy work, but they bypass Wifidog:
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
> 192.168.1.1:8888
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 8888
>
> If I start Wifidog and then invoke these commands, it works correctly:
> iptables -t nat -I WiFiDog_WIFI2Internet -i eth0 -m mark --mark 0x2 -p tcp
> --dport 80 -j REDIRECT --to-port 8888
> iptables -t nat -I  WiFiDog_WIFI2Internet -i eth1 -m mark --mark 0x2 -p tcp
> --dport 80 -j DNAT --to 192.168.1.1:8888
>
> I have modified Wifidog so that if I add "WebProxyPort 8888" to the config
> file, Wifidog sets up those second rules along with the rest of its
> iptables changes.   This works, but it does not seem like the way it ought
> to be done.

Well, if you want to do it the "clean" way, you'll need to help us do a little 
firewall refactoring.  

(Note:  you need to have 
http://dev.wifidog.org/browser/trunk/wifidog/doc/wifidog_firewall_diagram.dia?format=raw 
in front of your eyes to understand what follows)

In this case we didn't set up our rules properly to comply with our stated 
goal to not mess up existing firewalls. 

In this case, what probably has to be done is change the ACCEPT at the top 
right of the diagram to a RETURN (there are 3 places in the code where this 
has to be done).  From a cursory inspection, I think this is all you need to 
do, and then your original two rules should work.  

Off course, there are other things we should refactor in the firewall (access 
control is all over the place), but I think may be all you have to do.