Transparent Squid : Deny direct requests to proxy
 

Hello all,

After much fruitless searching I've decided my best solution is to ask some experts in the field. :-)

I currently have a captive portal set up and running quite well using iptables, PHP, MySQL and some .htaccess magic. Additionally, the server runs Squid transparently to log where users go and to provide some relief for the Internet connection (It's only a 1.5 meg cable connection with horrible uplink speeds.)

My trouble is this: Even though Squid is in transparent mode it still accepts direct requests. (IE: A user puts the Squid IP and port into their browser) This bypasses the captive portal that would otherwise drop their packets until they are granted access.

Solution requested: A way to either stop Squid from accepting direct requests, a Squid ACL to deny any and all direct requests, or some set of rules for iptables that will deny direct requests to port 3128 but that will still allow the redirect from port 80 to work.

I'm running Ubuntu 10.04 server with the basic LAMP setup and such. The local subnet is 192.168.0.0/24. And yes, I do have two NICs. (eth0 is outside, eth1 is inside - Yay for dry erase markers!)

Thanks in advance for your help!

-- John

Configure IPTables to drop/reject the packets that requesting for the squid port. just accept from the localhost request.

iptables -I INPUT -s <yournetwork> -p tcp --dport <Squid Port> -j REJECT

I had done that, but the trouble is that it'll block requests being redirected to port 3128 from dest port 80. (Re: How transparent Squid works.)

When a packet gets redirected to a different port it maintains the same source IP, hence Squid is able to say what host went where (instead of it all being from the squid server's IP.)

When I get home I might try another idea I had regarding the original destination port (or just marking packets that are redirected and then dropping the packet on port 3128 that's not marked.)

Try this..
Or you could do this..