Old 08-27-2005, 07:23 AM   #1
Steve2001
Forcing users to use DG on server.

I want to make all my users access the internet via Dansguardian running on my server.

I have set up a server running Dansguardian and Squid under FC4. My router is set up to deny all machines on my network access to the internet except the server. I am setting up all my machines on the network to access the internet via a proxy server (i.e. my server). However, at the moment they can use port 8080 (Dansguardian) or 3128 (Squid) to get to the internet through my server. I want to make it so that they can only use port 8080.

So I need some sort of iptables rule on the server to do this. I have some sketchy advice that indicates the following should do it, but it does not seem to work:

[root@BASIL ~]# iptables -A OUTPUT -p tcp --dport 3128 -m owner ! --cmd-owner dansguardian -j REJECT --reject-with tcp-reset

But Squid can still be directly accessed from the other machines. So what is wrong? Any ideas? Below is the list of my iptables rules on the server:

[root@BASIL ~]# iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:squid ! OWNER CMD match dansguardian reject-with tcp-reset

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@BASIL ~]# iptables-save
# Generated by iptables-save v1.3.0 on Sat Aug 27 12:57:11 2005
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6161:2295193]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner ! --cmd-owner dansguardian -j REJECT --reject-with tcp-reset
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Aug 27 12:57:11 2005
 
Old 08-27-2005, 08:33 AM   #2
acid_kewpie
You wouldn't want to make them only use port 8080 really, you'd more need to transparently intercept normal port 80 requests and handle them in your own way. There's some good transparent proxy information here: http://www.tldp.org/HOWTO/TransparentProxy-6.html but maybe your router is capable of helping you out here?

Personally I'd say that the best solution is to build a dedicated proxy firewall box, something like ipcop with squid and dansguardian plugins on it. You can then easily use that box as a default gateway and not have to use a more important server as a network appliance.
http://ipcop.sf.net
http://www.dageek.co.uk/ipcop/addonz/dansguardian.htm

Last edited by acid_kewpie; 08-27-2005 at 08:34 AM.
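An added example (not from either post) that puts both points into rules: the OUTPUT/owner rule in post #1 cannot work because packets from the other machines arrive on the INPUT chain, and any INPUT rule must sit above the jump to RH-Firewall-1-INPUT, whose `-i eth0 -j ACCEPT` would otherwise accept the connection first; the nat rule implements the transparent interception from post #2, which assumes the server is the LAN's default gateway. LAN_IF and LAN_NET are constructed assumptions; 3128 and 8080 are the ports from the thread.

```shell
#!/bin/sh
# Added example, not the thread's own commands.
#  1. Lock Squid (3128) so only DansGuardian on the same host can reach it.
#     Remote clients hit the INPUT chain, not OUTPUT, so match them there,
#     and insert above the RH-Firewall-1-INPUT jump (positions 1 and 2).
#  2. Transparently redirect LAN port-80 traffic into DansGuardian (8080).
#     Only effective when this server is the LAN's default gateway (assumed).
LAN_IF=${LAN_IF:-eth0}              # assumption: LAN-facing interface
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumption: LAN subnet (constructed)
SQUID_PORT=3128                     # Squid, from the thread
DG_PORT=8080                        # DansGuardian, from the thread

# Emit the rules one per line so they can be reviewed (or checked) before
# touching a live firewall; apply_rules executes them.
squid_lockdown_rules() {
    # Position 1: Squid reachable from loopback only (DansGuardian -> Squid).
    echo "iptables -I INPUT 1 -i lo -p tcp --dport $SQUID_PORT -j ACCEPT"
    # Position 2: every other direct attempt to reach Squid gets a reset.
    echo "iptables -I INPUT 2 -p tcp --dport $SQUID_PORT -j REJECT --reject-with tcp-reset"
    # Intercept plain HTTP from the LAN and hand it to DansGuardian.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $DG_PORT"
    # DansGuardian must then reach Squid via 127.0.0.1:$SQUID_PORT
    # (proxyip/proxyport in dansguardian.conf), which rule 1 permits.
}

apply_rules() {
    squid_lockdown_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || return 1
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules           # needs root
else
    squid_lockdown_rules  # dry run: show what would be applied
fi
```

For defence in depth, also bind Squid to loopback with `http_port 127.0.0.1:3128` in squid.conf, so a flushed firewall does not re-expose it.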