LinuxQuestions.org
07-06-2004, 01:05 PM #1
jymbo

block access to other proxy servers

I have a transparent Squidbox (2.5-5) on a LAN of 13 users. It works well, but eventually some smarty is gonna try to bypass it with an external proxy server.

Is there an iptables rule/script that can prevent LAN users from cheating and using other proxy servers? Would I merely need to block tcp 3128 and 8080 outgoing at my firewall? Would it be possible to also block access to proxy servers that use port 80 without breaking my Squid?

Thanks in advance.


07-06-2004, 01:55 PM #2
LanRx

The most correct way to do this, is to make your squid device the sole path out of your local network. That way, any HTTP traffic will have to traverse this link.

07-06-2004, 02:14 PM #3
jymbo (Original Poster)

Thanks, but yes, I did that already (to make my proxy server transparent). The problem is that squid is running on the firewall itself in order to allow users access to non-http services as well.

Blocking outbound tcp 3128 and 8080 did the trick, but blocking 80 breaks squid.

I guess my next question would be: is there an iptables rule that would only allow my squidbox access to outbound tcp port 80 and deny it to the rest of the LAN?

07-06-2004, 02:47 PM #4
LanRx

If your squid is transparent, then you can't block 80. Squid is not using port 3128, as is default. It is picking up the traffic on port 80, and NATing it out on a different port. That's why you had to implement the netfilter.

As far as blocking outbound traffic, I would guess that the only way to effectively do that, would be to block all by default, and enable specifically. But, if your network permits all traffic outbound, then I don't know that you're going to be able to achieve your desired result. All you could really do, is to block common ports.

I'm sure that this is not the answer that you're looking for. But, I guess that based on your original questions, I'm not sure that I see an appropriate answer. Your traffic all has to go through the squid. But, your firewall allows all ports outbound, as long as the packets originated on your network, they're going to traverse round trip, I would imagine.

07-06-2004, 02:59 PM #5
jymbo (Original Poster)

Thanks for the reply LanRx.

I have Squid listening on port 8081 with iptables REDIRECTing all http traffic to it. This way, I can close off outbound 3128 and 8080 without breaking Squid. It's just that if I were a clever user, I'd simply use an external.proxy:80 to bypass it.

I emailed the author of my firewall script to see if some sort of ACL would be appropriate in this situation.

Thanks again.
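As an added example (not code from the thread, nor from jymbo's firewall script), the following POSIX shell script generates the iptables rules for the setup described in posts #3 and #5: Squid on the firewall itself listening on 8081, LAN tcp/80 REDIRECTed to it, the firewall alone allowed outbound on tcp/80, and forwarded LAN traffic to 80, 3128 and 8080 logged and refused. Interface names, the LAN subnet and the log prefix are assumptions; the rules are printed for review and only applied when the script is run with the "apply" argument.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules for a
# transparent Squid that runs on the firewall itself.
# Assumptions: LAN on eth1, Internet on eth0, LAN subnet 192.168.1.0/24,
# Squid listening on tcp/8081 (as in the thread). Override via environment.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-8081}"
PROXY_PORTS="${PROXY_PORTS:-80,3128,8080}"

# Print the rules instead of applying them so they can be reviewed first;
# run "sh thisscript.sh apply" on the firewall to load them.
gen_rules() {
    cat <<EOF
# (1) Transparent proxy: LAN tcp/80 is REDIRECTed to the local Squid. These
#     packets are delivered locally (INPUT chain), so they never hit FORWARD.
iptables -t nat -I PREROUTING 1 -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# (2) Squid's own fetches originate on the firewall and leave through OUTPUT,
#     so the firewall may reach tcp/80 while the LAN still cannot.
iptables -I OUTPUT 1 -o $WAN_IF -p tcp --dport 80 -j ACCEPT
# (3) Routed LAN traffic to external proxies (80, 3128, 8080) is logged, then
#     refused with a TCP reset. Inserted at the top of FORWARD so a later
#     blanket "FORWARD -j ACCEPT" in the existing script cannot shadow them.
iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports $PROXY_PORTS -m limit --limit 6/min -j LOG --log-prefix "PROXY-BYPASS: "
iptables -I FORWARD 2 -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports $PROXY_PORTS -j REJECT --reject-with tcp-reset
EOF
}

# Count the generated iptables commands that target a given chain
# (a quick self-check before applying).
count_rules() {
    gen_rules | grep -c "^iptables .* $1 "
}

case "${1:-print}" in
    apply) gen_rules | sh ;;
    *)     gen_rules ;;
esac
```

Because the REDIRECTed packets are handled locally, the FORWARD reject on port 80 does not touch Squid; only LAN hosts trying to reach an outside web proxy directly are refused, and the LOG line makes such attempts visible in the kernel log.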