Old 11-04-2003, 12:02 AM   #1
chrisfirestar
SQUID for blocking yahoo and msn [inc squid.conf]


I am trying to block yahoo and msn in the office and need some help...

I have recently built a robust iptables firewall only allowing out requests that we really need (e.g. 80, 443 etc.) and theoretically this should do the job; however yahoo and msn will go through on any port they can (including 80!)

So I have implemented a squid proxy server with the hope of blocking the IPs and/or the domain names of the services.

The problem is that I have blocked EVERYTHING that I can think of but the little horrors still get through.

This is what I have done so far and everything APPEARS to be working. If I browse to the IP I have selected I get an error message, and the same with the websites, BUT msn and yahoo can still connect... any ideas?

#############################
squid.conf
#############################

maximum_object_size 200 KB

# This creates 5000 MB of disk space with 16 first-level subdirectories and 256 second-level subdirectories.
cache_dir ufs /usr/local/squid/var/cache 5000 16 256

cache_access_log /usr/local/squid/var/logs/access.log

cache_log /usr/local/squid/var/logs/cache.log

#This is the redirect program which we will use to zap the ads.
#redirect_program /usr/local/adzap/scripts/wrapzap

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl MYDC src 192.168.0.0/255.255.255.0 #specify a name for your network
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Banned sites and Services
acl bannedurls url_regex "/usr/local/squid/etc/url.txt"
acl bannedips dst "/usr/local/squid/etc/ip.txt"

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# deny lines must come before the allow line: the first matching http_access line wins
http_access deny bannedurls
http_access deny bannedips

# only the office LAN may use the proxy; "allow all" here would make this an open proxy
http_access allow MYDC
http_access deny all
icp_access allow all
miss_access allow all
cache_mgr chris@leadingside.com.my
visible_hostname proxy.leadingside.com.my
unique_hostname proxy.leadingside.com.my

#We will run squid with accelerator on
httpd_accel_host virtual
httpd_accel_port 80

httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_port 3128



#############################
url.txt
#############################

# url_regex patterns: a bare "." matches any character, so the dots are escaped
\.messenger\.yahoo\.com
\.msg\.yahoo\.com
\.scd\.yahoo\.com
\.sc5\.yahoo\.com
webcam\.yahoo\.com
filetransfer\.yahoo\.com
#############################



#############################
ip.txt
#############################

# MSN Messenger
64.4.13.0/24
#############################
 
Old 11-04-2003, 12:49 AM   #2
chrisfirestar
QUICK UPDATE
----------------------

managed to block MSN by adding another IP into the ip.txt
207.46.104.0/24

however I am not 100% sure if this IP will block it forever... so another way of doing it would be nice.

another way I could maybe block it is the MIME type application/x-msn-messenger because this stays constant throughout the log. what would the squid.conf line look like to block a MIME type?

Thanks
Chris
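The observation in this post, that the MIME type stays constant in the log, is useful for detection as well as for blocking. The following is an added example and not code from this thread or from Squid: a Python scanner over Squid native-format access.log lines that flags the signatures discussed in this thread (the MSN content types from posts #2 and #7, CONNECT attempts to port 1863 from post #5, the Yahoo hosts from url.txt in post #1, and the gateway.dll URL from post #10). The sample log lines, hostnames and addresses are constructed placeholders. In the native format the last field is the reply Content-Type, which is what the log shows.

```python
"""Flag instant-messenger traffic in Squid native-format access.log lines.
Added example, not code from this thread; the log lines below are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Native layout: time elapsed client result/status bytes method url ident hierarchy/peer mime
# The final field is the reply Content-Type, which is what stays constant for MSN traffic.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Signatures taken from the thread: MSN-over-HTTP content types, the MSN notification
# port seen in CONNECT attempts, the Yahoo hosts from url.txt and the gateway.dll URL.
MSN_MIME_TYPES = {
    "application/x-msn-messenger",
    "text/x-msmsgsprofile",
    "text/x-msmsgsinitialmdatanotification",
}
YAHOO_HOST_RE = re.compile(
    r"(^|\.)(messenger|msg|scd|sc5)\.yahoo\.com$|^(webcam|filetransfer)\.yahoo\.com$", re.I
)
MSN_GATEWAY_RE = re.compile(r"/gateway\.dll(\?|$)", re.I)


def parse_line(line):
    """Return a dict of fields plus host/port, or None if the line is not native format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["method"] == "CONNECT":                 # CONNECT logs host:port, not a URL
        host, _, port = rec["url"].rpartition(":")
        rec["host"], rec["port"] = host, int(port or 443)
    else:
        u = urlsplit(rec["url"])
        rec["host"], rec["port"] = u.hostname or "", u.port or 80
    return rec


def classify(rec):
    """First matching signature, strongest first; None for ordinary web traffic."""
    if rec["mime"].lower() in MSN_MIME_TYPES:
        return "msn-mime"
    if rec["method"] == "CONNECT" and rec["port"] == 1863:
        return "msn-connect-1863"
    if YAHOO_HOST_RE.search(rec["host"]):
        return "yahoo-messenger"
    if MSN_GATEWAY_RE.search(rec["url"]):
        return "msn-gateway-url"   # weakest: any server may host a file named gateway.dll
    return None


def scan(lines):
    """Map client address -> list of (signature, url) for every flagged request."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        tag = classify(rec) if rec else None
        if tag:
            hits[rec["client"]].append((tag, rec["url"]))
    return dict(hits)


# Constructed sample log; hostnames and addresses are placeholders, not real services.
SAMPLE_LOG = [
    "1067900001.123     45 192.168.0.17 TCP_MISS/200 1204 POST http://gateway.example.net/gateway/gateway.dll?Action=open - DIRECT/203.0.113.20 application/x-msn-messenger",
    "1067900002.456     12 192.168.0.17 TCP_DENIED/403 1120 CONNECT messenger.example.net:1863 - NONE/- text/html",
    "1067900003.789    300 192.168.0.23 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html",
    "1067900004.012     22 192.168.0.23 TCP_MISS/200 640 GET http://notify.msg.yahoo.com/notify/listen?yid=someone - DIRECT/203.0.113.30 text/plain",
    "1067900005.345     10 192.168.0.42 TCP_MISS/200 880 GET http://www.example.org/gateway/gateway.dll - DIRECT/203.0.113.40 text/html",
]

if __name__ == "__main__":
    for client, hits in sorted(scan(SAMPLE_LOG).items()):
        for tag, url in hits:
            print(f"{client:15} {tag:18} {url}")
```

The signatures are ordered strongest first: the content type is specific to the MSN HTTP gateway, whereas a URL ending in gateway.dll can belong to any site, so the last sample line is reported only as the weak "msn-gateway-url" signal. Note the scanner reads the reply type from the log, while a blocking ACL such as req_mime_type (post #10) checks the request side; Squid has rep_mime_type for the reply side.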
 
Old 11-04-2003, 10:40 AM   #3
aqoliveira
Howzit

I had the same problem at the company I was working at. Try these products; they will sort them out for you for sure: squidGuard (http://www.squidguard.org/), DansGuardian (http://dansguardian.org/), CensorNet (http://www.intrago.co.uk/products/censornet.php). These products are web filters and also come with a blacklist of sites that you may block or not. I'm not going to go into great detail as the websites have all the info needed.

hope this helps

chow
 
Old 11-04-2003, 08:20 PM   #4
chrisfirestar
I actually got it all working without those... I will post somewhere else how I did it all so others can see it in more detail, because it seems to be a problem a lot of people are trying to get around but there are not many helpful answers out there...
 
Old 07-15-2006, 03:05 AM   #5
syedjanu
Using a Linux firewall (IPTABLES in my case), first of all you need to
have a running copy of squid which you make transparent for your local
LAN. Add this to your squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

And this to your IPTABLES:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80

...where eth0 is your external interface and eth1 your internal.

Next you need to DROP or REJECT all instant messenger software ports
in your IPTABLES. The port for MSN Messenger is 1863, thus add this to
IPTABLES:

iptables -I FORWARD -p tcp --dport 1863 -j REJECT

Next, create an ACL in your squid.conf file for MSN Messenger and deny
access for it:

# Squid ORs repeated lines with the same ACL name, so a long list can be split across lines
acl MSN-Mess dst 64.4.13.0/24 152.163.241.0/24 64.12.163.0/24
acl MSN-Mess dst 207.46.110.0/24 207.46.1.0/24 65.54.0.0/16
http_access deny MSN-Mess

That's it. Easy as pie.
You can do the same for other instant messaging software too. Here are a few ACLs:

# Yahoo Messenger service
acl Yahoo-Mess dst 24.71.200.68/32 204.71.202.73/32 204.71.200.0/24
acl Yahoo-Mess dst 204.71.177.35/32 204.71.202.59/32 204.71.202.58/32 216.115.105.214/32
acl Yahoo-Mess dst 204.71.201.47/32 204.71.201.48/32 216.115.105.215/32 216.136.172.221/32
# a hostname cannot go in a dst (IP) ACL; use dstdomain, where a leading dot also matches subdomains
acl Yahoo-Mess-dom dstdomain .msg.yahoo.com
http_access deny Yahoo-Mess
http_access deny Yahoo-Mess-dom
# AOL and ICQ service
acl ICQ-Mess dst 64.12.200.89/32 205.188.153.121/32 205.188.179.233/32
acl ICQ-Mess dst 64.12.161.153/32 64.12.161.185/32
http_access deny ICQ-Mess
# Trillian service
acl Trillian-Mess dst 66.216.70.167/32
http_access deny Trillian-Mess
"I read this on a site and I think this is the solution for your problem, so I copied and pasted it for you."

Last edited by syedjanu; 07-15-2006 at 03:10 AM.
 
Old 07-15-2006, 02:33 PM   #6
msound
Post your final squid.conf file on serversamples.com. I have a working conf file posted that includes an acl named blocked_domains that admins can use to filter out individual domain names. You can check my squid.conf file out here: http://www.serversamples.com/view.php?sample=3
 
Old 07-17-2007, 08:08 AM   #7
JF1980
How has that worked? I'm using an OpenBSD PF firewall and block based on IP. The problem is that this blocks Windows Updates too.

I was thinking of using squid to block content types:

application/x-msn-messenger
text/x-msmsgsprofile
text/x-msmsgsinitialmdatanotification

As described here for ISA setup:

http://support.microsoft.com/kb/925120
http://support.microsoft.com/?scid=k...32486&x=9&y=11

Will this work? Has anyone tried it? Will I need to use the rejecttype.so filter (http://sites.inka.de/bigred/devel/squid-filter.html)?

Thanks!
 
Old 08-15-2007, 09:40 AM   #8
archtoad6
msound, your link seems broken -- all I see is a blank page.

In the meantime, try http://pastebin.ca/.
 
Old 08-15-2007, 09:45 AM   #9
JF1980
Try this:

http://blogs.techrepublic.com.com/networking/?p=308

Works great.
 
Old 03-02-2008, 11:47 AM   #10
grizly
It Works!

Add following to squid.conf:
## Kill MSN
acl msn_mime req_mime_type -i ^application/x-msn-messenger$
acl msn_gw url_regex -i gateway.dll

http_access deny all msn_mime
http_access deny all msn_gw
## END MSN

Does the trick if you block port 1863 at the gateway.

Last edited by grizly; 03-02-2008 at 11:52 AM.
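The rule sets in posts #1, #5 and #10 all depend on how Squid evaluates http_access: lines are tried top to bottom, the ACLs on one line are ANDed, the first line whose ACLs all match decides, and if nothing matches the opposite of the last line's action applies. The following is an added example and not code from this thread or from Squid itself: a small Python model of that evaluation over the ACL types the thread uses (src, dst, dstdomain, url_regex, req_mime_type, method, port), run against constructed requests that combine the thread's rules. Hostnames and addresses are placeholders from the documentation ranges, and the dst_ip field is an assumption standing in for the DNS lookup the real Squid performs for a dst ACL.

```python
"""Model of Squid http_access evaluation over the ACL types used in this thread.
Added example, not Squid code. Addresses and hostnames below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    client: str     # source IP of the browser or messenger client
    method: str     # GET, POST, CONNECT, ...
    url: str        # full URL, or host:port for CONNECT
    dst_ip: str     # assumption: what Squid's resolver would return for the host
    mime: str = ""  # request Content-Type (empty for a plain GET)

    @property
    def host(self):
        if self.method == "CONNECT":
            return self.url.rsplit(":", 1)[0]
        return urlsplit(self.url).hostname or ""

    @property
    def port(self):
        if self.method == "CONNECT":
            return int(self.url.rsplit(":", 1)[1])
        parts = urlsplit(self.url)
        return parts.port or (443 if parts.scheme == "https" else 80)


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def acl_matches(acl_type, args, req):
    """True if one ACL (type plus its argument list) matches the request."""
    if acl_type == "all":
        return True
    if acl_type == "src":
        return in_any(req.client, args)
    if acl_type == "dst":
        return in_any(req.dst_ip, args)
    if acl_type == "dstdomain":  # ".x.com" matches x.com and every subdomain
        return any(req.host == a.lstrip(".") or (a.startswith(".") and req.host.endswith(a)) for a in args)
    if acl_type == "url_regex":
        return any(re.search(a, req.url, re.I) for a in args)
    if acl_type == "req_mime_type":
        return bool(req.mime) and any(re.search(a, req.mime, re.I) for a in args)
    if acl_type == "method":
        return req.method in args
    if acl_type == "port":
        for a in args:
            lo, _, hi = a.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    raise ValueError("unsupported acl type: " + acl_type)


def parse_config(text):
    """Collect acl and http_access lines; repeated acl names extend the same ACL."""
    acls, rules = {"all": ("all", [])}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, typ, args = words[1], words[2], words[3:]
            if args and args[0] == "-i":  # this model always matches case-insensitively
                args = args[1:]
            acls.setdefault(name, (typ, []))[1].extend(args)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def decide(acls, rules, req):
    """First line whose ACLs all match wins; with no match, the opposite of the last line applies."""
    last = "allow"
    for action, terms in rules:
        last = action
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if last == "allow" else "allow"


# The thread's rules combined: OP's port/URL/IP ACLs, post #10's MIME and gateway.dll ACLs.
CONFIG = r"""
acl all src 0.0.0.0/0.0.0.0
acl MYDC src 192.168.0.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl bannedurls url_regex -i \.messenger\.yahoo\.com \.msg\.yahoo\.com
acl bannedips dst 64.4.13.0/24 207.46.104.0/24
acl msn_mime req_mime_type -i ^application/x-msn-messenger$
acl msn_gw url_regex -i gateway\.dll
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bannedurls
http_access deny bannedips
http_access deny all msn_mime
http_access deny all msn_gw
http_access allow MYDC
http_access deny all
"""

# Constructed requests; addresses are documentation ranges, not real services.
REQUESTS = {
    "web": Request("192.168.0.17", "GET", "http://www.example.com/", "203.0.113.10"),
    "msn_gateway": Request("192.168.0.17", "POST", "http://gateway.example.net/gateway/gateway.dll?Action=open",
                           "203.0.113.20", "application/x-msn-messenger"),
    "msn_1863": Request("192.168.0.17", "CONNECT", "messenger.example.net:1863", "203.0.113.20"),
    "https": Request("192.168.0.17", "CONNECT", "login.example.com:443", "203.0.113.10"),
    "yahoo": Request("192.168.0.23", "GET", "http://notify.msg.yahoo.com/notify/", "203.0.113.30"),
    "outsider": Request("198.51.100.9", "GET", "http://www.example.com/", "203.0.113.10"),
}


def evaluate(config=CONFIG, allow_first=False):
    """Decision per request; allow_first moves the allow line to the top to show why order matters."""
    acls, rules = parse_config(config)
    if allow_first:
        rules.sort(key=lambda r: r[0] != "allow")  # stable sort: allow lines first, deny order kept
    return {name: decide(acls, rules, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:12} {verdict}")
    print("allow-first msn_gateway:", evaluate(allow_first=True)["msn_gateway"])
```

Two things worth noticing in the output: the CONNECT to port 1863 is denied by the stock `deny CONNECT !SSL_ports` line even though 1863 falls inside the Safe_ports range, and the MSN gateway POST is caught by the MIME rule even though its resolved address is not on the IP list. With `allow MYDC` moved above the deny lines, the same POST is allowed, which is the ordering mistake to check for first when a block "appears to work" but traffic still gets through.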
 
Old 03-03-2008, 09:33 AM   #11
archtoad6
You might also want to investigate writing and displaying a custom Squid error page that tells your employees what has happened (MSN is being blocked) and why (it is against company policy). It might contain a link to your AUP.

Last edited by archtoad6; 04-06-2009 at 11:06 AM. Reason: link AUP
 
  

