LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 07-18-2005, 12:47 AM   #1
krishvij
Member
 
Registered: Feb 2005
Location: India
Distribution: RHEL 3
Posts: 108

Rep: Reputation: 15
Blocking port 80 on NAT and allowing browsing thru squid


Hi,

Let me first explain my setup. I have a linux box that is both a NAT as well as a Squid Proxy Server connected to the ISP on 1 NIC and to my LAN on antoher NIC. IP address of the NIC connected to the LAN is 192.168.10.99/24.

I have configured the web browser settings on all systems in my lan to use 192.168.10.99 as the proxy server on port 3128. I am having to provide NAT so that people within my network can use Microsoft Outlook to connect to the mail server hosted elsewhere on the internet.

I have configured my squid to provide full access to the directors, restricted site access to others. Have also blocked porn.

My main problem is that if any user just unselects the proxy settings in their browser, they can happily browse without any restriction which needs to be prevented.

I tried the following command :-

iptables -t nat -A FORWARD -p tcp --dport 80 -j DROP

This seemed to work, i.e., i was not able to browse from any other pc in my lan thru the gateway, but was able to browse only when the proxy settings are configured in the clients' web browser settings. Problem was some people complained that their outlook could not send and receive messages after I had issued the above command. When I flushed it, their outlook started working fine.

Please do let me know how to go about doing this. Blocking porn is very very important for my company. I just need to disable web browsing thru the NAT gateway, and allow browsing for my users only thru the squid proxy.
 
Old 07-18-2005, 02:36 AM   #2
roopunix
Member
 
Registered: Feb 2004
Location: Kathmandu
Distribution: Redhat/fedora/Suse [Wanna Drive With Debian]
Posts: 208

Rep: Reputation: 30
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A POSTROUTING -s 192.168.10.99/24 -o eth0 -j MASQUERADE

eth1 is my lan intf
eth0 in my wan intf

My default chains are set to ACCEPT

But it should work even though the chains are set to DROP by default.But do not forget to configure the OUTPUT
chain and FORWARD chain if it is set to DROP
 
Old 07-19-2005, 06:10 AM   #3
krishvij
Member
 
Registered: Feb 2005
Location: India
Distribution: RHEL 3
Posts: 108

Original Poster
Rep: Reputation: 15
Hi,

Thanks a million. It worked well.

There is one small problem that I am facing. Just got to understand that one of my network users uses a job site for searching resumes and sending them mails from that site itself. Unfortunately, that particular site uses an IP address instead of a domain name as the link.

I have configured squid proxy to deny everyone access to the net by the use of IP Addresses.

Just want one more statement from you wherein I can allow only this particular person's ip to browse thru my NAT instead of squid. Would be grateful if you could help.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SQUID for blocking yahoo and msn [inc squid.conf] chrisfirestar Linux - Security 10 03-03-2008 09:33 AM
Allowing IPsec through NAT ffkodd Linux - Security 2 10-29-2005 03:53 AM
SQUID - Blocking port 80 tekquest Linux - Software 2 08-27-2005 07:05 AM
blocking and allowing ports drumlix18 Linux - Networking 4 11-30-2004 07:36 PM
blocking some port for NAT clients freelinuxcpp Linux - Networking 2 02-14-2004 06:06 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 04:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration