LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 07-11-2010, 05:37 PM   #1
jma89
LQ Newbie
 
Registered: Jan 2010
Location: Earth
Distribution: Ubuntu
Posts: 5

Rep: Reputation: 0
Transparent Squid : Deny direct requests to proxy


Hello all,

After much fruitless searching I've decided my best solution is to ask some experts in the field. :-)

I currently have a captive portal set up and running quite well using iptables, PHP, MySQL and some .htaccess magic. Additionally, the server runs Squid transparently to log where users go and to provide some relief for the Internet connection (It's only a 1.5 meg cable connection with horrible uplink speeds.)

My trouble is this: Even though Squid is in transparent mode it still accepts direct requests (i.e. a user puts the Squid IP and port into their browser). This bypasses the captive portal that would otherwise drop their packets until they are granted access.

Solution requested: A way to either stop Squid from accepting direct requests, a Squid ACL to deny any and all direct requests, or some set of rules for iptables that will deny direct requests to port 3128 but that will still allow the redirect from port 80 to work.

I'm running Ubuntu 10.04 server with the basic LAMP setup and such. The local subnet is 192.168.0.0/24. And yes, I do have two NICs. (eth0 is outside, eth1 is inside - Yay for dry erase markers!)

Thanks in advance for your help!

-- John
 
Old 07-12-2010, 04:04 AM   #2
kaushalpatel1982
Member
 
Registered: Aug 2007
Location: INDIA
Distribution: CentOS, RHEL, Fedora, Debian, Ubuntu, LinuxMint, PCLinuxOS
Posts: 148

Rep: Reputation: 9
Configure iptables to drop/reject the packets that request the Squid port; only accept requests from localhost.

iptables -I INPUT -s <yournetwork> -p tcp --dport <Squid Port> -j REJECT
 
Old 07-12-2010, 01:15 PM   #3
jma89
LQ Newbie
 
Registered: Jan 2010
Location: Earth
Distribution: Ubuntu
Posts: 5

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by kaushalpatel1982 View Post
Configure iptables to drop/reject the packets that request the Squid port; only accept requests from localhost.

iptables -I INPUT -s <yournetwork> -p tcp --dport <Squid Port> -j REJECT
I had done that, but the trouble is that it'll block requests being redirected to port 3128 from dest port 80. (Re: How transparent Squid works.)

When a packet gets redirected to a different port it maintains the same source IP, hence Squid is able to say what host went where (instead of it all being from the squid server's IP.)

When I get home I might try another idea I had regarding the original destination port (or just marking packets that are redirected and then dropping the packet on port 3128 that's not marked.)
 
Old 07-12-2010, 10:19 PM   #4
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 50
Try this..
Code:
# Flushes every existing nat PREROUTING rule, including any captive-portal redirects already there
iptables -t nat -F PREROUTING
# Connections from the LAN aimed directly at the proxy port are redirected to a port nothing listens on
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3128 -j REDIRECT --to-ports=666
# Ordinary LAN web traffic is redirected into Squid
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports=3128
Or you could do this..
Code:
# mangle PREROUTING is traversed before nat PREROUTING, so --dport 3128 here still
# means "the client itself addressed the proxy port"; redirected port-80 traffic is not marked
iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j MARK --set-mark 1
# At INPUT both kinds of packet carry dport 3128, but only the direct ones carry the mark
iptables -A INPUT -m mark --mark 1 -j DROP

Last edited by SuperJediWombat!; 07-12-2010 at 10:26 PM.
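The following script is an added example and not code posted in this thread. It assembles the MARK-based variant from the post above into the setup the original poster describes (eth0 outside, eth1 inside, LAN 192.168.0.0/24, Squid listening on 3128), and shows why it works where a plain `REJECT` on `--dport 3128` did not: the mangle PREROUTING hook runs before nat PREROUTING rewrites the destination port, so a mark set there survives to the filter INPUT chain while the port number does not. The mark value 1, the `IN_IF`/`LAN`/`SQUID_PORT` variables and the `run`/`squid_rules` helpers are this example's own assumptions; the script appends rules and deliberately does not flush any chain, so existing captive-portal rules are left alone.

```shell
#!/bin/sh
# Added example (not from the thread). Deny direct connections to a transparent
# Squid port while still accepting traffic REDIRECTed to it from port 80.
#
# Netfilter order for an inbound packet: mangle PREROUTING -> nat PREROUTING -> INPUT.
# A client talking to the proxy port directly has dport 3128 already in mangle
# PREROUTING and gets marked. A normal web request has dport 80 there (no mark),
# is rewritten to 3128 by the nat REDIRECT, and reaches INPUT unmarked.
#
# Assumptions not stated in the thread: fwmark 1 is unused by anything else on
# the box, and captive-portal rules live in chains this script does not flush.

IN_IF="${IN_IF:-eth1}"            # inside NIC (from the OP)
LAN="${LAN:-192.168.0.0/24}"      # inside subnet (from the OP)
SQUID_PORT="${SQUID_PORT:-3128}"  # Squid's transparent port (from the OP)
MARK="${MARK:-1}"                 # assumed free fwmark value

# Execute iptables, or only print the command when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the four rules. Order inside filter INPUT matters: the REJECT of marked
# packets must come before the ACCEPT that lets the redirected traffic through.
squid_rules() {
    # 1. Tag connections the client addressed to the proxy port itself.
    run -t mangle -A PREROUTING -i "$IN_IF" -s "$LAN" -p tcp --dport "$SQUID_PORT" \
        -j MARK --set-mark "$MARK"
    # 2. Refuse the tagged connections with a TCP RST so the browser fails fast
    #    instead of hanging on a DROP.
    run -A INPUT -i "$IN_IF" -p tcp --dport "$SQUID_PORT" -m mark --mark "$MARK" \
        -j REJECT --reject-with tcp-reset
    # 3. Send ordinary LAN web traffic into Squid (the "transparent" part).
    run -t nat -A PREROUTING -i "$IN_IF" -s "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # 4. What is left on the proxy port is redirected, unmarked traffic: accept it.
    run -A INPUT -i "$IN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

case "${1:-}" in
    show)  DRY_RUN=1 squid_rules ;;    # preview the rules without touching the firewall
    apply) squid_rules ;;              # needs root and a live netfilter
    "")    ;;                          # no argument: only define the functions
    *)     echo "usage: $0 show|apply" ;;
esac
```

Run it with `show` to print the rules before applying them. To check the result, connect from a LAN host straight to the server's inside address on 3128 (the connection should be reset) while normal browsing keeps working, and watch the packet counters in `iptables -t mangle -nvL PREROUTING` climb only for the direct attempts. If the box already uses fwmarks for traffic shaping, pick a different value or use `--set-xmark value/mask` so the bits do not collide.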