block internet if no squid proxy

mrlinux2000 · 02-25-2008, 07:48 AM

hi !

it is working now, i mean squid proxy , but clients desactivate proxy and i want to force them to use proxy before they can explore internet
thnak you

acid_kewpie · 02-25-2008, 08:01 AM

well that's what a firewall is for. If you can please describe your architecture, we may be ale to help.

Emerson · 02-25-2008, 08:08 AM

I've seen networks where NAT is simply turned off, leaving no way but proxy to get out.

mrlinux2000 · 02-25-2008, 08:30 AM

i have linux server and local area network 192.168.1/24 and i configure a proxy which is working if i go to the explorer-internet options-connections-proxy 192.168.1.11 port 8080
it works, but clients delete proxy after i did that and they can go without proxy ...
now i want to obligate that

mrlinux2000 · 02-25-2008, 08:30 AM

i mean to get internet you have to pass through the proxy first not optionally

acid_kewpie · 02-25-2008, 09:00 AM

no, i meant what phsycial architecture do you have? what form does your internet connectivity take? what device is terminating it etc..?

mrlinux2000 · 02-25-2008, 09:43 AM

ok,
am using nat one card for internet and other for local , and i have router adsl

farslayer · 02-25-2008, 11:03 AM

So only allow the Proxy machine outbound access to destinations of port 80 and 443..

mrlinux2000 · 02-26-2008, 04:42 AM

that is not what am asking for

acid_kewpie · 02-26-2008, 05:19 AM

no, that *IS* what you're asking for, he means you should block access to any other system on those ports. quite how you do it with the minimal information you have given us is a different question. why is this box routing in the first place? should you not just disable routing on it? are you using some firewall gui on this box already? just add port 80 and 443 to the block list there.

mrlinux2000 · 02-26-2008, 05:52 AM

thank you all

as i mentioned i have squid proxy working well, but it work for the local post only if i set the proxy ip for them and port(they can disable proxy after i change it), and that is not what i dont want

simply i want that to be automatically

acid_kewpie · 02-26-2008, 05:58 AM

yes, you keep saying that and keep not giving us useful information. what are you doing for a firewall? is this box also the router etc..?

mrlinux2000 · 02-26-2008, 07:03 AM

ok, am using iptables , i think i have to add rules to forward all http requests (coming to port 80) to the Squid server port 3128 !!!

acid_kewpie · 02-26-2008, 07:18 AM

i would advise against an automatic proxy myself, it's much nicer to have them correctly using it directly, as you then have more clarity and visibility of what's going on. if you do want a transparent proxy, then there are many many docs online about the iptables and squid modifications to do this.

http://www.faqs.org/docs/Linux-mini/...rentProxy.html

as above, better to just block it normally though.

mrlinux2000 · 02-26-2008, 08:06 AM

thank you sooooooooooooooooooooooooooooo much
i appreciate your help
thank you