LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 07-06-2011, 10:52 AM   #1
proxykid
LQ Newbie
 
Registered: Jul 2011
Distribution: Debian, Ubuntu, CentOS
Posts: 2

Rep: Reputation: Disabled
SQUID intercept + iptables + whitelisting ports and sites


Hi!

I'm having some issues settings up a transparent proxy server, which should allow only regular web browsing (port 80), any other port (including HTTPS (443)) HAS to be blocked, as well as any other port.

Right now, I'm using Debian 6 and Squid3. The server only has one NIC.

The topology is like this:
Clients <-> Proxy Server + DHCP Server <-> Internet

With this setup, the network does have internet access and the websites I whitelisted are the only ones accesible via browser, however port block is not working, every port is open, hence why trying to access blacklisted websites through HTTPS is possible.

Seems to me Squid3 is doing it's job fine, however IPTABLES for some reason seems to be redirecting all the trafic to port 3128 (Squid3 port).

I could be wrong, but I've been unable to do anything related to ports with squid3 (either whitelisting or blacklisting).

For Iptables I used:
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp -j REDIRECT --dport 80 --to-port 3128
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 443 -j DROP
Squid3 config:
Code:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl Safe_ports port 80          # http
acl whitelist dstdomain "/etc/squid3/whitelist"
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny !whitelist
http_access allow localhost
http_access allow all
http_port 3128 intercept
hierarchy_stoplist cgi-bin ?
Any idea on this? I have like a week trying to fix this and now has become kinda urgent =/.

Thank you very much.

Last edited by proxykid; 07-06-2011 at 11:07 AM.
 
Old 07-07-2011, 12:38 AM   #2
Lexus45
Member
 
Registered: Jan 2010
Location: Kurgan, Russia
Distribution: Slackware, Ubuntu
Posts: 339
Blog Entries: 3

Rep: Reputation: 47
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp -j REDIRECT --dport 80 --to-port 3128
I'd write this rule in this way:
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
And you allow access to everything:
Code:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl Safe_ports port 80          # http
acl whitelist dstdomain "/etc/squid3/whitelist"
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny !whitelist
http_access allow localhost
http_access allow all
http_port 3128 intercept
hierarchy_stoplist cgi-bin ?
You must delete this rule - http_access allow all and put another, blocking, one as the last http_access rule: http_access deny all.

Don't forget to squid -k reconfigure then.

Last edited by Lexus45; 07-07-2011 at 12:42 AM.
 
Old 07-15-2011, 01:30 PM   #3
proxykid
LQ Newbie
 
Registered: Jul 2011
Distribution: Debian, Ubuntu, CentOS
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thanks for your reply Lexus but that still didn't help. At least not for a transparent proxy.

However because of the lack of time, I had to setup the proxy without being transparent, so clients are setting up their browsers with the proxy settings.

Being transparent, they still have access to anything else than browsing.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Squid+DansGuardian not working properly. squid blocking sites that should be linuxlover.chaitanya Linux - Server 12 12-19-2010 11:47 PM
Squid to block all the sites except 1 or 2 sites winxandlinx Linux - Networking 8 10-27-2010 02:53 AM
Squid does not listen at transparent (intercept) mode!!! HELP! mpeg2server Linux - Server 4 12-05-2009 04:25 AM
squid 2.6 not blocking sites even i entered ACL to block sites mohantorvalds Linux - Server 1 01-08-2009 04:17 AM
Squid Problem (squid restrict some trusted sites.). jpmaxyusuf Linux - Networking 3 01-01-2009 11:33 AM


All times are GMT -5. The time now is 12:11 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration