Blocking port 80 on NAT and allowing browsing thru squid

krishvij · 07-17-2005, 11:47 PM

Hi,

Let me first explain my setup. I have a linux box that is both a NAT as well as a Squid Proxy Server connected to the ISP on 1 NIC and to my LAN on antoher NIC. IP address of the NIC connected to the LAN is 192.168.10.99/24.

I have configured the web browser settings on all systems in my lan to use 192.168.10.99 as the proxy server on port 3128. I am having to provide NAT so that people within my network can use Microsoft Outlook to connect to the mail server hosted elsewhere on the internet.

I have configured my squid to provide full access to the directors, restricted site access to others. Have also blocked porn.

My main problem is that if any user just unselects the proxy settings in their browser, they can happily browse without any restriction which needs to be prevented.

I tried the following command :-

iptables -t nat -A FORWARD -p tcp --dport 80 -j DROP

This seemed to work, i.e., i was not able to browse from any other pc in my lan thru the gateway, but was able to browse only when the proxy settings are configured in the clients' web browser settings. Problem was some people complained that their outlook could not send and receive messages after I had issued the above command. When I flushed it, their outlook started working fine.

Please do let me know how to go about doing this. Blocking porn is very very important for my company. I just need to disable web browsing thru the NAT gateway, and allow browsing for my users only thru the squid proxy.

roopunix · 07-18-2005, 01:36 AM

/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A POSTROUTING -s 192.168.10.99/24 -o eth0 -j MASQUERADE

eth1 is my lan intf
eth0 in my wan intf

My default chains are set to ACCEPT

But it should work even though the chains are set to DROP by default.But do not forget to configure the OUTPUT
chain and FORWARD chain if it is set to DROP

krishvij · 07-19-2005, 05:10 AM

Hi,

Thanks a million. It worked well.

There is one small problem that I am facing. Just got to understand that one of my network users uses a job site for searching resumes and sending them mails from that site itself. Unfortunately, that particular site uses an IP address instead of a domain name as the link.

I have configured squid proxy to deny everyone access to the net by the use of IP Addresses.

Just want one more statement from you wherein I can allow only this particular person's ip to browse thru my NAT instead of squid. Would be grateful if you could help.