LinuxQuestions.org

-   -   block access to other proxy servers (https://www.linuxquestions.org/questions/linux-networking-3/block-access-to-other-proxy-servers-201764/)

jymbo 07-06-2004 12:05 PM

block access to other proxy servers
 
I have a transparent Squidbox (2.5-5) on a LAN of 13 users. It works well, but eventually some smarty is gonna try to bypass it with an external proxy server.

Is there an iptables rule/script that can prevent LAN users from cheating and using other proxy servers? Would I merely need to block tcp 3128 and 8080 outgoing at my firewall? Would it be possible to also block access to proxy servers that use port 80 without breaking my Squid?

Thanks in advance.

:)

LanRx 07-06-2004 12:55 PM

The most correct way to do this, is to make your squid device the sole path out of your local network. That way, any HTTP traffic will have to traverse this link.

jymbo 07-06-2004 01:14 PM

Thanks, but yes, I did that already (to make my proxy server transparent). The problem is that squid is running on the firewall itself in order to allow users access to non-http services as well.

Blocking outbound tcp 3128 and 8080 did the trick, but blocking 80 breaks squid.

I guess my next question would be: is there an iptables rule that would only allow my squidbox access to outbound tcp port 80 and deny it to the rest of the LAN?

LanRx 07-06-2004 01:47 PM

If your squid is transparent, then you can't block 80. Squid is not using port 3128, as is the default. It is picking up the traffic on port 80 and NATing it out on a different port. That's why you had to implement the netfilter rule.

As far as blocking outbound traffic, I would guess that the only way to effectively do that, would be to block all by default, and enable specifically. But, if your network permits all traffic outbound, then I don't know that you're going to be able to achieve your desired result. All you could really do, is to block common ports.

I'm sure that this is not the answer that you're looking for. But, based on your original questions, I'm not sure that I see an appropriate answer. Your traffic all has to go through the squid. But your firewall allows all ports outbound, so as long as the packets originated on your network, they're going to traverse round trip, I would imagine.

jymbo 07-06-2004 01:59 PM

Thanks for the reply LanRx.

I have Squid listening on port 8081 with iptables REDIRECTing all http traffic to it. This way, I can close off outbound 3128 and 8080 without breaking Squid. It's just that if I were a clever user, I'd simply use an external.proxy:80 to bypass it.

I emailed the author of my firewall script to see if some sort of ACL would be appropriate in this situation.

Thanks again.
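The rule set below is an added example, not code from the thread or from jymbo's firewall script. It spells out the setup the thread converges on: Squid on the firewall listening on 8081, LAN port-80 traffic REDIRECTed into it, known proxy ports dropped, and the answer to the "only allow my squidbox out on port 80" question, which is that routed LAN traffic passes the FORWARD chain while Squid's own upstream fetches pass OUTPUT, so a port-80 DROP in FORWARD cannot break Squid. The interface names, LAN subnet, port lists and the `squid` user name are assumptions. The script prints the rules by default (DRY_RUN=1) so it can be reviewed without root; DRY_RUN=0 loads them.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for the setup jymbo
# describes (Squid on the firewall, http_port 8081, LAN clients REDIRECTed).
# Interface names, LAN subnet, port lists and the squid user are assumptions.
LAN_IF="${LAN_IF:-eth1}"                 # interface facing the LAN users
WAN_IF="${WAN_IF:-eth0}"                 # interface facing the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN subnet
SQUID_PORT="${SQUID_PORT:-8081}"         # jymbo's Squid listening port
SQUID_USER="${SQUID_USER:-squid}"        # uid Squid runs as (assumed)
PROXY_PORTS="${PROXY_PORTS:-3128 8080 8000 8888}"        # common proxy listeners (assumed list)
ALLOWED_PORTS="${ALLOWED_PORTS:-22 25 53 110 143 443}"   # non-HTTP services LAN may use (assumed)

# Print each rule instead of loading it unless DRY_RUN=0, so the script can be
# reviewed and tested without root or a netfilter-capable kernel.
ipt() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

build_rules() {
  # 1. Transparent proxying. The match is on destination *port*, so a browser
  #    pointed at external.proxy:80 is caught here like any other web request:
  #    the connection lands in Squid, where its http_access ACLs apply.
  ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$SQUID_PORT"

  # 2. Return traffic for connections the LAN was allowed to open.
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 3. "Only the squidbox may go out on 80": LAN packets *routed* through the
  #    box traverse FORWARD; Squid's upstream fetches are generated on the box
  #    and traverse OUTPUT, so dropping port 80 here leaves Squid untouched.
  #    Known proxy ports are dropped the same way.
  for port in 80 $PROXY_PORTS; do
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport "$port" -j DROP
  done

  # 4. Optional default-deny (LanRx's suggestion): allow the listed non-HTTP
  #    services and drop everything else, which also stops an external proxy
  #    listening on a port nobody thought to block.
  if [ "${DEFAULT_DENY:-0}" = 1 ]; then
    for port in $ALLOWED_PORTS; do
      ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport "$port" -j ACCEPT
    done
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
  fi

  # 5. On the firewall itself, let only the Squid process open outbound port
  #    80 (the owner match is only valid in the OUTPUT chain).
  ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -m owner --uid-owner "$SQUID_USER" -j ACCEPT
  ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j DROP
}

# Number of rules the current settings would load, for a quick sanity check.
rule_count() {
  build_rules | grep -c .
}

# Stand-alone run: print (or with DRY_RUN=0, load) the rule set.
build_rules
```

Load order matters only within a chain; the REDIRECT in nat PREROUTING runs before routing, so by the time a LAN web request reaches FORWARD it has already been turned into a local connection to 8081. Step 5 also blocks the firewall's own `wget` or `apt-get` to port 80 unless they run as the Squid user, which is usually what you want on a box whose only job is to be the proxy; drop that pair of rules if it is not.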

