LinuxQuestions.org > Linux - Security > access and deny
(https://www.linuxquestions.org/questions/linux-security-4/access-and-deny-172794/)

mchitrakar 04-21-2004 04:15 AM

access and deny
 
Hi

I need to disable porn sites as per our company's policy. Is there any way to do this through squid? Also, can I disable http access to some computers? Please send me some examples too. Thank you

TheIrish 04-21-2004 06:41 PM

Hi,
I'm not actually a squid expert... though I'd love to.
As far as I know, you should use this kind of syntax:

Code:

# myNet must be defined before it is used, e.g.: acl myNet src 192.168.0.0/24 (your own LAN)
acl badURL url_regex -i sex
http_access deny badURL
http_access allow myNet
http_access deny all

In the code above, I deny all URLs containing the word "sex". Obviously, the only way you can deny access to porn sites is by parsing the words, and this means that something might pass through; 99% safe anyway, I believe.
Regarding the second question, there is more than one way of not allowing http traffic.
The easiest way is:
assuming your clients cannot change their IP addresses, you can use iptables to filter.
example:
Code:

# --dport only works together with a protocol match, hence -p tcp
iptables -I FORWARD -s 192.168.0.5 -p tcp --dport 80 -j DROP

This line denies http traffic from host 192.168.0.5.
Or, using squid:
Code:

acl theweb proto HTTP
acl thebadip src 192.168.0.5
# both ACLs on one http_access line must match, so only that host loses HTTP
http_access deny thebadip theweb
http_access allow all

In both solutions, you must be sure that the bad client won't be able to change its own IP.
If you really are an evil one, you can try this with iptables:
Code:

# the mac match option is --mac-source; --dport again needs -p tcp
iptables -A INPUT -p tcp --dport 80 -m mac --mac-source uu:vv:ww:xx:yy:zz -j DROP

Well, I hope I didn't type any mistakes, as usual.
Good Luck!

mchitrakar 04-22-2004 06:13 AM

still new problem
 
Thank you for your suggestions. I have included your script in my squid.conf in /etc/squid/ and restarted the computer. But nothing happens.
please help me.

silver2003 04-22-2004 07:01 AM

You could use this command in your iptables script to redirect the porn sites to another site like www.google.com

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d www.newpornstars.com -j DNAT --to-destination www.google.com

As for the http access, I can't help you with that.

And if you don't want your network clients to change their IPs, you could use "arp". To get the arp table, first type "arp -e" to see their IP and MAC addresses, or for more information you could see the man pages.


These are some examples; the command must be like this: "arp -s 192.168.0.27"

[command] [their IP] [MAC ADDRESS]

arp -s 192.168.0.27 00:40:F4:85:35:EC
arp -s 192.168.0.4 00:50:BF:20:B2:D9

Those commands must be run when the server starts, so you should put them in an initialization script.

And if you want only some of the computers to have internet, you could use this command in your iptables script:

iptables -t nat -A POSTROUTING -s 192.168.0.11 -j SNAT --to-source 197.31.125.8
(197.31.125.8 here stands for the public address)

And you must quit using MASQUERADE if you use the command above.

CYA

TheIrish 04-22-2004 07:14 AM

mmm... silver....
I was wondering how iptables can do...
Quote:

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d www.newpornstars.com -j DNAT --to-destination www.google.com

it cannot resolve names... unless you altered your kernel with some kind of patch... let me know, 'cuz I'd love that patch too!

mchitrakar, maybe the problem is in the way squid is configured. Assuming you customized the scripts I gave you (assigning myNet to your network address, adding more words to be blocked, etc.), the only thing I can think of is that squid is not analyzing any traffic.
So, a few hints:
1. check if the global configuration is correct (traffic is really passing through it?)
2. check if there are other rules contrasting with the new ones. Remember the rules are checked TOP-DOWN: the first match rulez.

Let us know!

mchitrakar 04-23-2004 01:31 AM

Thanks for the replies. I don't know how, but I have found that it did work.
But only temporarily. When first accessing, it showed a timed-out error !!! (:-)
But if I refresh it again, alo!! and the page is accessed. (:-(
So I was thinking of producing "ACCESS DENIED because you surfed..."
on the client's web page instead of the timed-out error. How can we achieve this? And how can we fully block such sites even after refreshing...?

silver2003 04-23-2004 04:05 AM

"Also can I disable http access to some computers also? please send me some examples also."

Of course you can do that. I have read some of the Iptables HOWTO and I have written the following command:

iptables -A INPUT -p tcp --destination-port 80 -s 192.168.0.4 -j DROP
(192.168.0.4 is the network IP of the client)

This command doesn't allow access on port 80 from the 192.168.0.4 machine,
and you can do this for every machine that you don't want to access http. Http works on port 80 over the tcp protocol.

TheIrish, if you cannot resolve names you could use the site's IP, and it is much better because a machine can hold more than one site with the same IP address.

mchitrakar, if that hasn't worked then try this command in your iptables script:

iptables -A OUTPUT -p tcp --destination-port 80 -d 215.191.81.125 -j DROP
(215.191.81.125 stands for the porn site's IP)

Please send me a msg if it works.

CYA

mchitrakar 04-23-2004 07:54 PM

Yeah.. thank you, silver... your last code worked... but not the code snippet for squid.conf. The main problem with iptables banning sites is that I cannot undo it. Can you send me code to undo it? Moreover, there was a time-out error instead of the ACCESS DENIED type of message I would like to display.

silver2003 04-24-2004 03:53 AM

To show them access denied you should have a webpage. And you will redirect the porn sites to that webpage, on which it will say ACCESS DENIED. I don't know another way.

CYA
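Two points from this thread are easy to get wrong when editing squid.conf: http_access lines are checked top-down with first match winning (all ACLs on one line must match), and a custom "ACCESS DENIED" page is normally produced with Squid's deny_info directive rather than with iptables. The toy evaluator below is an added example written for this thread, not code from the thread or from Squid; it mirrors only the src, url_regex and proto ACL types used here, and the intranet host in the deny page URL is a placeholder.

```python
import ipaddress
import re
from urllib.parse import urlsplit
class SquidPolicy:
    # Toy evaluator of Squid's acl / http_access / deny_info lines (added example, not Squid code).
    def __init__(self, conf):
        self.acls, self.rules, self.deny_info = {}, [], {}  # ACL names are case-insensitive in Squid
        for raw in conf.splitlines():
            p = raw.split("#", 1)[0].split()
            if p and p[0] == "acl":            # acl NAME TYPE value...
                self.acls.setdefault(p[1].lower(), (p[2], []))[1].extend(p[3:])
            elif p and p[0] == "http_access":  # http_access allow|deny acl...
                self.rules.append((p[1], p[2:]))
            elif p and p[0] == "deny_info":    # deny_info ERR_PAGE_OR_URL acl
                self.deny_info[p[2].lower()] = p[1]

    def _match(self, name, client_ip, url):
        name = name.lower()
        if name == "all" and name not in self.acls:  # Squid's built-in "all"
            return True
        kind, values = self.acls[name]  # KeyError here means an undefined ACL; Squid refuses such a config
        if kind == "src":               # client address inside any listed IP or network
            return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(v, strict=False) for v in values)
        if kind == "url_regex":         # a leading "-i" makes the patterns case-insensitive
            flags = re.IGNORECASE if values[:1] == ["-i"] else 0
            return any(re.search(pat, url, flags) for pat in values[1 if flags else 0:])
        if kind == "proto":
            return urlsplit(url).scheme.upper() in {v.upper() for v in values}
        raise ValueError("unsupported acl type: " + kind)

    def decide(self, client_ip, url):
        # Top-down, first match wins; every ACL on a line must match (AND). No match at all
        # means the opposite of the last line's action. Returns (action, deny page URL or None).
        for action, names in self.rules:
            if all(self._match(n, client_ip, url) for n in names):
                return action, (self.deny_info.get(names[-1].lower()) if action == "deny" else None)
        return ("deny" if self.rules[-1][0] == "allow" else "allow"), None
# Constructed squid.conf fragment in the spirit of the thread: word filter with its own denial page
# (placeholder intranet host), one host cut off from HTTP, the LAN allowed, everyone else denied.
CONF = """acl badURL url_regex -i sex
acl myNet src 192.168.0.0/24
acl thebadip src 192.168.0.5
acl theweb proto HTTP
deny_info http://intranet.example/denied.html badURL
http_access deny badUrl
http_access deny thebadip theweb
http_access allow myNet
http_access deny all
"""
POLICY = SquidPolicy(CONF)
```

Note that "http_access deny badUrl" still finds the ACL declared as badURL, as in the first reply's snippet, and that a line reading only "http_access deny theweb" would deny HTTP for every client, not just the bad host.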
