LinuxQuestions.org


mohantorvalds 01-08-2009 04:06 AM

squid 2.6 not blocking sites even i entered ACL to block sites
 
Hi,

I configured the proxy initially without blocking any sites... then I planned to block some sites... I created some ACLs as below... but I still can't block the sites... but my clients connect to the net through my proxy only...


"I'm using squid 2.6 stable version in fedora 8"
#Squid normally listens to port 3128

http_port 192.168.1.100:3128

#Recommended minimum configuration

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports

http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports

http_access deny CONNECT !SSL_ports


# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed

acl our_networks src 192.168.1.0/24 192.168.2.0/24 #This is my network ip#
http_access allow our_networks

acl badsites dstdomain .tamilbeat.com

acl restricted-sites dstdomain "/usr/local/etc/restricted-sites" # Restricted files present in this location #

acl adult_sites url_regex -i sex adult hack crack casino gambl nude desibaba
acl download_sites dstdomain "/usr/local/etc/download-sites"
acl adult_sites url_regex -i "/usr/local/etc/restricted-domains"
acl denyfiletypes url_regex -i .mp3$ .mpg$ .mpeg$ .mp2$ .avi$ .wmv$ .wma$ .ra$ .rm$ .mid$ .mov$ .asf$ .wav$ .dat$ .qt$ .snd$ .wm$ .asx$ .aiff$ .ogg$ .ram$ .au$ .exe$
acl block dstdomain walkincareers.com careerpluz.com jobsdream.com intervieweasy.com ecareer.org hamaraphotos.com ifilm.com janubaba.com moviegupshup.net bollywoodmantra.com bollywoodmovies.us bollywoodpremiere.com buzz18.com crickethighlights.com cricketlivelinks.com cricketnext.com cricketworlduplatest.com dgreetings.com z.com .mmy88.cn/ .gazzag.com .meebo.com .topproxysites.com .proxytopsite.com .topfreeproxy.com .proxy200.com .topproxies.info .gotoproxy.com .hotproxies.com .top-proxies.com .listofproxies.com .topproxylist.com .proxyring.com .lushdxb.com .birthdaytime.com .mobilemoney.com .kproxy.com .masalaguru.com .masalaindia.com .masalaforum.com .lbnlive.com .google.com/mail/ .movies.yahoo.com .orkut.com .raaga.com .timesjob.com .jobsahead.com .monster.com .jhoos.com .thecinema.in .clickjobs.com .6sos.com .123greetings.com .myfuncards.com .egreetings.com .fropper.com .maalaimalar.com .jeevansanthi.com .simplymarry.com .matrimonials.com .careerenclave.com .500papers.com .sgeek.com .lifepartnerindia.com .geekinterview.com .behindwoods.com .aboutjobs.com .timesmatri.com .cinemanow.com .match.com .xradio.com .puretracks.com .emusic.com .mixplay.com .43things.com .friendsmahal.com .jeevansanti.com .masalapunch.com .yourspic.com .shaadi.com .onlymasti.com .desihotmasala.com .techinterview.com .threenineconsulting.com .birthdayalarm.com .amateurmatch.com .actressphoto.com .indianactress.com .friednster.com .dinamalar.com .cricinfo.com .cricbuzz.com .xxx*.com .employment.com .sex*.com .*sex.com .jobstreet.com .sunporno.com .exploitedbabysitters.com .imlive.com .sapphicgirlmovies.com .drm-fetishes.com .sextracker.com .xxxoracle.com .pornmoviesparadise.com .sexlist.com .el-ladies.com .musicgiants.com .idiatimes.com .jobsinthemoney.com .insightexpressai.com .desibaba.com .dailythanthi.com .photobucket.com .sinekithan.com .puretamil.com .employmentguide.com .cyberbrowse.com .musicnet.com .movielink.com .songtouch.com .youtube.com .smashits.com .foxsports.com 
.interviewcorner.com .newinterviewquestions.com .songsforteaching.com .musicmatch.com .21.com .freelotto.com .desimartini.com
# TAG: http_access
# Allowing or Denying access based on defined access lists
# And finally deny all other access to this proxy

http_access allow localhost
http_access deny badsites

http_access deny adult_sites

http_access deny download_sites
http_access deny denyfiletypes
http_access deny block
http_access deny restricted-sites

# And finally deny all other access to this proxy

http_access deny all

============================================================================
============================================================================

#Iptables configuration#


Next, I added the following rules to forward all HTTP requests (coming to port 80) to the Squid server port 3128:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.100:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128


Note:

Here "eth0" has IP 192.168.1.100 ----> LAN ---> Squid proxy is configured on this IP only...

and "eth1" has static ip ----> Internet


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Please, anyone help me... how to block sites...

acid_kewpie 01-08-2009 04:17 AM

The allow for our_networks will override everything below it. Move it to the bottom, above the deny all.
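
The ordering point in the answer above, as an added example that is not part of the original thread and is not Squid's own code: a simplified Python model of first-match `http_access` evaluation, run on a constructed, cut-down copy of the posted ACLs. The function names (`parse`, `acl_matches`, `decide`) and the client address 192.168.1.25 are assumptions for illustration.

```python
# Simplified model of Squid's http_access evaluation (added example, not Squid code);
# only the ACL types this thread relies on are modelled: src and dstdomain.
import ipaddress

def parse(conf):
    """Return (acls, rules) from squid.conf-style text; values accumulate per ACL name."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 4 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, client, host):
    kind, values = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(client) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # ".example.com" also covers its subdomains
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, client, host):
    """The first http_access line whose ACLs all match decides; later lines are not read."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), client, host) != n.startswith("!")
               for n in names):
            return action, " ".join(names)
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(default)"

# Constructed sample: a cut-down version of the ACLs in the question.
ACLS = """acl all src 0.0.0.0/0
acl our_networks src 192.168.1.0/24 192.168.2.0/24
acl badsites dstdomain .tamilbeat.com
"""
# Order as posted: the allow for our_networks sits above the deny lines.
POSTED = ACLS + "http_access allow our_networks\nhttp_access deny badsites\nhttp_access deny all\n"
# Order after the fix: deny lines first, the allow just above "deny all".
FIXED = ACLS + "http_access deny badsites\nhttp_access allow our_networks\nhttp_access deny all\n"

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, decide(conf, "192.168.1.25", "www.tamilbeat.com"))
```

With the posted order a LAN client is allowed by `our_networks` before `badsites` is ever consulted; with the fixed order the same request is denied while other destinations are still allowed.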

