LinuxQuestions.org

Linux - Server forum: Transparent Squid : Deny direct requests to proxy (http://www.linuxquestions.org/questions/linux-server-73/transparent-squid-deny-direct-requests-to-proxy-819282/)

jma89 07-11-2010 05:37 PM

Transparent Squid : Deny direct requests to proxy
 
Hello all,

After much fruitless searching I've decided my best solution is to ask some experts in the field. :-)

I currently have a captive portal set up and running quite well using iptables, PHP, MySQL and some .htaccess magic. Additionally, the server runs Squid transparently to log where users go and to provide some relief for the Internet connection (It's only a 1.5 meg cable connection with horrible uplink speeds.)

My trouble is this: Even though Squid is in transparent mode, it still accepts direct requests (i.e. a user puts the Squid IP and port into their browser). This bypasses the captive portal that would otherwise drop their packets until they are granted access.

Solution requested: A way to either stop Squid from accepting direct requests, a Squid ACL to deny any and all direct requests, or some set of rules for iptables that will deny direct requests to port 3128 but that will still allow the redirect from port 80 to work.

I'm running Ubuntu 10.04 server with the basic LAMP setup and such. The local subnet is 192.168.0.0/24. And yes, I do have two NICs. (eth0 is outside, eth1 is inside - Yay for dry erase markers!)

Thanks in advance for your help!

-- John

kaushalpatel1982 07-12-2010 04:04 AM

Configure iptables to drop/reject the packets that are requesting the Squid port; just accept requests from localhost.

iptables -I INPUT -s <yournetwork> -p tcp --dport <Squid Port> -j REJECT

jma89 07-12-2010 01:15 PM

Quote:

Originally Posted by kaushalpatel1982 (Post 4030615)
Configure iptables to drop/reject the packets that are requesting the Squid port; just accept requests from localhost.

iptables -I INPUT -s <yournetwork> -p tcp --dport <Squid Port> -j REJECT

I had done that, but the trouble is that it'll block requests being redirected to port 3128 from dest port 80. (Re: How transparent Squid works.)

When a packet gets redirected to a different port it maintains the same source IP, hence Squid is able to say what host went where (instead of it all being from the squid server's IP.)

When I get home I might try another idea I had regarding the original destination port (or just marking packets that are redirected and then dropping the packet on port 3128 that's not marked.)

SuperJediWombat! 07-12-2010 10:19 PM

Try this:
Code:

iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3128 -j REDIRECT --to-ports=666
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports=3128

Or you could do this:
Code:

iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j MARK --set-mark 1
iptables -A INPUT -m mark --mark 1 -j DROP
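The packet-marking approach above, written out as an added example that is not from any poster in this thread: a POSIX sh function emits an iptables-restore ruleset in which the mangle table marks LAN packets whose original destination is the proxy port before the nat REDIRECT of port 80 runs, so only direct proxy connections end up rejected. The inside NIC eth1, the LAN 192.168.0.0/24 and port 3128 are taken from the question; the mark value 1, the function names and the use of `--noflush` are this example's own choices.

```sh
#!/bin/sh
# Added example (not code from the thread). Emits an iptables-restore
# ruleset that keeps the transparent 80 -> 3128 redirect working while
# refusing clients that point a browser straight at the proxy port.
# Why it works: for PREROUTING, the mangle table is traversed before nat,
# so a MARK set on packets that *arrive* with dport 3128 is in place before
# REDIRECT rewrites port-80 packets to 3128. Redirected packets never carry
# the mark, so the INPUT rule only hits direct proxy connections.
# Assumed values (from the question): inside NIC eth1, LAN 192.168.0.0/24,
# Squid on 3128. The mark value 1 is this example's own choice.

proxy_lockdown_rules() {
    iface="${1:-eth1}"
    lan="${2:-192.168.0.0/24}"
    port="${3:-3128}"
    mark=1
    # No ":CHAIN policy" lines on purpose: with iptables-restore --noflush the
    # existing captive-portal rules stay in place and these are merely added.
    cat <<EOF
*mangle
# Mark LAN packets already addressed to the proxy port (direct proxy use).
-A PREROUTING -i $iface -s $lan -p tcp --dport $port -j MARK --set-mark $mark
COMMIT
*nat
# Transparent redirect of web traffic; these packets are not marked.
-A PREROUTING -i $iface -s $lan -p tcp --dport 80 -j REDIRECT --to-ports $port
COMMIT
*filter
# Inserted at the top of INPUT so an earlier ACCEPT cannot let direct use in.
-I INPUT -i $iface -p tcp --dport $port -m mark --mark $mark -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

proxy_lockdown_apply() {
    # Needs root; --noflush keeps the rules already loaded on the box.
    proxy_lockdown_rules "$@" | iptables-restore --noflush
}
```

Run `proxy_lockdown_rules` on its own first to review the generated rules, then `proxy_lockdown_apply` as root; afterwards a direct connection to port 3128 from the LAN gets a TCP reset while a plain port-80 request still reaches Squid.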
