LinuxQuestions.org - Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I set up a Firefox browser with the startup page linking to a CGIProxy, so users can surf the internet anonymously wherever they are. I want that if a user tries to type an address in the address bar, they get a forbidden message saying they can't do so, or are redirected to the CGIProxy script. The goal is to force the users to go online only through the CGIProxy. Is there any iptables configuration or something similar?
You can name the script whatever you like, and place it anywhere (just make sure it has proper permissions set). You'd tell Squid to use the redirector by using a "redirect_program" line in your squid.conf file. For example, let's say you make a directory /redirectors and you name your redirector script forcecgiproxy.pl. The line in squid.conf would look like:
redirect_program /redirectors/forcecgiproxy.pl
BTW, considering you are doing this on localhost, you might want to execute an iptables rule that makes sure outgoing HTTP/HTTPS packets have been generated by Squid - that way users can't bypass the proxy by changing the proxy setting in Firefox. Assuming your OUTPUT policy is set to DROP, and there are no other rules to send TCP port 80 and 443 packets to ACCEPT, something like this should do the trick:
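The following is an added example of the redirector the reply above describes, not the Perl script from the thread. It implements Squid's redirector protocol (one request per line on stdin, "URL client_ip/fqdn ident method [urlgroup]", one answer line per request) in POSIX sh. Anything not already on the proxy host is answered with a "302:" URL, which makes Squid send the browser an HTTP redirect instead of silently fetching the rewritten page; requests already aimed at the proxy host get an empty line, so the rewritten URL stays inside the ACL that permits that host and no redirect loop occurs. The proxy host is the one named later in the thread; the script path /cgi-bin/nph-proxy.cgi, the "url=" query parameter and the "--serve" flag are assumptions and must be adjusted to the installed CGIProxy.

```shell
#!/bin/sh
# forcecgiproxy.sh: added example of a Squid redirect_program helper.
# Assumptions (not from the thread): CGIProxy is reachable at PROXY_ENTRY and
# takes the target URL in a "url=" query parameter. In squid.conf:
#   redirect_program /redirectors/forcecgiproxy.sh --serve
PROXY_HOST="marioweb.no-ip.org"
PROXY_ENTRY="http://${PROXY_HOST}/cgi-bin/nph-proxy.cgi"

# Percent-encode a URL so it survives as a query-string value.
urlencode() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of $s
        s=${s#?}                 # drop it
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" gives the byte value
        esac
    done
    printf '%s' "$out"
}

# Decide what to hand back to Squid for one request URL.
# Prints nothing when the URL must pass untouched (it already points at the
# proxy host, so it matches the allowing ACL), otherwise "302:<proxy URL>".
rewrite_url() {
    url=$1
    case $url in
        "http://${PROXY_HOST}"|"http://${PROXY_HOST}/"*)
            printf '' ;;
        *)
            printf '302:%s?url=%s' "$PROXY_ENTRY" "$(urlencode "$url")" ;;
    esac
}

# Redirector loop: only runs when Squid starts the script with --serve, so the
# functions above can be sourced or tested without blocking on stdin.
if [ "${1:-}" = "--serve" ]; then
    while read -r url _rest; do
        rewrite_url "$url"
        printf '\n'              # Squid expects exactly one line per request
    done
fi
```

Because the answer carries a "302:" prefix, the browser's address bar changes to the proxy URL, which is what the original poster asked for; without the prefix Squid would fetch the proxy page itself and the user would never see the redirection. Test the script by hand before wiring it into squid.conf: `printf 'http://www.google.com/ 127.0.0.1/- - GET\n' | sh forcecgiproxy.sh --serve` should print the 302 line.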
No, the --enable-ssl option is only needed if you were planning to do SSL gatewaying. Here are the options used to compile Squid officially on Ubuntu 7.04 in case you want to look at a known-good set of ./configure options (I am currently using this on localhost, much like you are planning to):
I installed squid using ./configure --prefix=/usr --libexecdir=/usr/lib --sysconfdir=/etc
I searched for a redirect_program line in squid.conf but I can't find it. In which section does it have to be written?
I'd suggest you back up the default Squid conf file only for reference and instead use this one here as a base to get started. It's basically what I use on my desktop with some minor edits. I place the redirect_program line at the end (I use a redirector to force the use of HTTPS when accessing my Gmail) but I don't think it matters where you put it.
Notice how I have the disk cache size set to 1GB, and the memory cache size set to 16MB - you'll need to adjust these to your needs (as well as several other things - this is just meant as a base for you).
Here's a quick rundown of what it would take to set Squid up when the above is the content of your squid.conf file:
Create squid group and user (make sure the squid user doesn't get a real shell):
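The following is an added example covering both the setup rundown above and the earlier iptables suggestion; it is not the configuration the replier posted. It creates a system account with no login shell for Squid (the account squid.conf names in cache_effective_user), prepares the cache directory, and emits iptables rules that let only that account's processes open TCP 80/443 and resolve DNS, so a user who switches Firefox back to "direct connection" gets nothing but a log line. The user name "squid", the listening port 3128, the cache path /var/spool/squid and the "apply" argument are assumptions; the OUTPUT policy of DROP is the one the earlier reply assumes.

```shell
#!/bin/sh
# Added example (not from the thread): squid account plus owner-match firewall.
# Assumptions, not facts from the thread: Squid runs as user/group "squid",
# listens on 127.0.0.1:3128, keeps its cache in /var/spool/squid, and the
# OUTPUT chain policy is DROP.
SQUID_USER=squid
SQUID_PORT=3128
CACHE_DIR=/var/spool/squid

# Print the iptables commands instead of running them so they can be reviewed
# (and tested) before being applied as root.
#  - loopback is open so the browser reaches 127.0.0.1:3128 and Squid answers;
#  - only sockets owned by the squid uid may reach TCP 80/443 or UDP 53;
#  - anything else aimed at 80/443 is logged, then dropped by the chain policy.
firewall_rules() {
    cat <<EOF
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner ${SQUID_USER} -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner ${SQUID_USER} -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "proxy-bypass: "
EOF
}

# System account (-r), home in the cache dir, shell set to nologin so the
# account exists only to own the daemon and can never be logged into.
create_squid_account() {
    getent group "$SQUID_USER" >/dev/null || groupadd -r "$SQUID_USER"
    getent passwd "$SQUID_USER" >/dev/null || \
        useradd -r -g "$SQUID_USER" -d "$CACHE_DIR" -s /usr/sbin/nologin "$SQUID_USER"
}

# Cache directory owned by the squid account; squid -z creates the swap dirs
# named by cache_dir in squid.conf.
prepare_cache_dir() {
    mkdir -p "$CACHE_DIR"
    chown -R "$SQUID_USER:$SQUID_USER" "$CACHE_DIR"
    squid -z
}

apply_firewall() {
    firewall_rules | sh -e
}

# Side effects only when explicitly asked for, and only as root.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_squid_account
    prepare_cache_dir
    apply_firewall
fi
```

Run it as `sh setup-squid.sh apply` once squid.conf is in place, then check the effect from an ordinary user account: a direct `wget http://www.google.com/` should hang or fail and leave a "proxy-bypass:" entry in the kernel log, while the same fetch through 127.0.0.1:3128 succeeds. The LOG rule is what turns an attempted bypass into something you can see rather than a silent timeout.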
But the redirection doesn't work. It's true that if I type google.com in the address bar I get Permission Denied, but there's no redirection.
Okay, troubleshooting time!
Comment out the redirect_program line in your squid.conf file and then, to activate the changes, do a:
squid -k reconfigure
You should now be able to visit marioweb.no-ip.org, but should receive an Access Denied if you try to visit any other site. If this is the case, then at least the ACL config is sane, and you can then proceed to troubleshoot the redirector itself. What does your redirector script currently look like? My bet is that there is some sort of typo in the script, so it's redirecting to a URL that doesn't exactly match the ACL, hence the ACL kicks in with an Access Denied.
You can check what is happening by setting the "access_log" line and looking at the log when you get the Access Denied. There should be a TCP_DENIED/403 showing the exact URL Squid redirected to. For example, I just set this redirector so that I get redirected to example.com no matter what I type:
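As an added example of the log check described above (not the replier's own redirector or log), the functions below pick the TCP_DENIED/403 entries out of a Squid native-format access.log and report whether each denied URL's host is the one the ACL allows. A denied URL on a different host (for instance "noip" where "no-ip" was meant) is the redirector typo the reply suspects; a denied URL on the allowed host points at the ACL ordering instead. The three log lines are constructed for the example; the allowed host is the one named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage TCP_DENIED/403 lines in access.log.
ALLOWED_HOST="marioweb.no-ip.org"

# Constructed sample access.log lines in Squid's native format:
#   time elapsed client result/status bytes method URL ident hierarchy/peer type
# The second line shows a redirector typo ("noip" instead of "no-ip").
sample_log() {
    cat <<'EOF'
1180000001.001     12 127.0.0.1 TCP_MISS/200 5120 GET http://marioweb.no-ip.org/cgi-bin/nph-proxy.cgi - DIRECT/10.0.0.5 text/html
1180000002.002      0 127.0.0.1 TCP_DENIED/403 1398 GET http://marioweb.noip.org/cgi-bin/nph-proxy.cgi?url=http%3A%2F%2Fwww.google.com%2F - NONE/- text/html
1180000003.003      0 127.0.0.1 TCP_DENIED/403 1398 GET http://www.example.com/ - NONE/- text/html
EOF
}

# Print the URL (field 7) of every request Squid answered with TCP_DENIED/403.
denied_urls() {
    awk '$4 == "TCP_DENIED/403" { print $7 }'
}

# Host part of an http:// or https:// URL, without path or port.
url_host() {
    h=${1#http://}
    h=${h#https://}
    h=${h%%/*}
    h=${h%%:*}
    printf '%s' "$h"
}

# Classify each denied URL read from stdin:
#   WRONG-HOST              the redirector sent the browser to a host the ACL
#                           does not allow (typo in the script);
#   DENIED-BUT-ALLOWED-HOST the host is right, so look at ACL order instead.
diagnose_denials() {
    denied_urls | while read -r url; do
        host=$(url_host "$url")
        if [ "$host" = "$ALLOWED_HOST" ]; then
            printf 'DENIED-BUT-ALLOWED-HOST %s\n' "$url"
        else
            printf 'WRONG-HOST %s %s\n' "$host" "$url"
        fi
    done
}

# Usage against the constructed sample; on a real system feed the live log:
#   diagnose_denials < /var/log/squid/access.log
sample_log | diagnose_denials
```

With the real file in place of the sample, `tail -f` the log while typing an address into Firefox: the URL on the TCP_DENIED/403 line is exactly what the redirector returned, so comparing it character by character with the ACL's host pattern usually finds the typo without reading the script at all.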
Maybe it is a mistake in my redirector. Here's the code I wrote for it. I don't know if the escape characters are good.
I'll have a look and see.
Where can I find access.log?
You can put it wherever you want. The config I gave you has it disabled. It's the line "access_log none". Change it to "access_log /path/to/access.log" or whatever you want, then reload the new config with a "squid -k reconfigure".