LinuxQuestions.org

Steve2001 08-27-2005 07:23 AM

Forcing users to use DG on server.

I want to make all my users access the internet via Dansguardian running on my server.

I have set up a server running Dansguardian and Squid under FC4. My router is set up to deny all machines on my network access to the internet except the server. I am setting up all my machines on the network to access the internet via a proxy server (i.e. my server). However, at the moment they can use port 8080 (Dansguardian) or 3128 (Squid) to get to the internet through my server. I want to make it so that they can only use port 8080.

So I need some sort of iptables rule on the server to do this. I have some sketchy advice that indicates the following should do it, but it does not seem to work:

[root@BASIL ~]# iptables -A OUTPUT -p tcp --dport 3128 -m owner ! --cmd-owner dansguardian -j REJECT --reject-with tcp-reset

But Squid can still be directly accessed from the other machines. So what is wrong? Any ideas? Below is the list of my iptables rules on the server:

[root@BASIL ~]# iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:squid ! OWNER CMD match dansguardian reject-with tcp-reset

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

[root@BASIL ~]# iptables-save
# Generated by iptables-save v1.3.0 on Sat Aug 27 12:57:11 2005
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6161:2295193]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner ! --cmd-owner dansguardian -j REJECT --reject-with tcp-reset
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Aug 27 12:57:11 2005
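
An added example, not the poster's code, showing where the rule has to live and why the posted one never matches: the OUTPUT chain only sees packets the server itself generates, while a LAN client's connection to port 3128 arrives through INPUT (where the owner match does not exist), so the fix goes into INPUT ahead of the "-i eth0 -j ACCEPT" rule that currently admits everything from the LAN. It assumes the thread's interface name (eth0) and ports (3128 for Squid, 8080 for Dansguardian); the script only prints the commands so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the iptables commands that keep
# Squid reachable only from the proxy host itself while Dansguardian stays
# reachable from the LAN. Assumptions: LAN interface eth0, Squid on 3128,
# Dansguardian on 8080, all as shown in the thread.
#
# Caveat on the posted rule: the owner match is only valid in OUTPUT and
# POSTROUTING, so it can never see a LAN client's inbound SYN, and
# --cmd-owner was removed from the kernel in 2.6.14 anyway.

LAN_IF="${LAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"
DG_PORT="${DG_PORT:-8080}"

squid_lockdown_rules() {
    # Insert at the top of INPUT so these run before the RH-Firewall-1-INPUT
    # jump, whose "-i eth0 -j ACCEPT" rule would otherwise admit the connection.
    # 1. Loopback is how Dansguardian talks to Squid; keep it open.
    printf 'iptables -I INPUT 1 -i lo -j ACCEPT\n'
    # 2. LAN clients may reach Dansguardian (explicit, even though the
    #    distribution chain already accepts eth0).
    printf 'iptables -I INPUT 2 -i %s -p tcp -m tcp --dport %s -j ACCEPT\n' \
        "$LAN_IF" "$DG_PORT"
    # 3. Any Squid connection that did not arrive on loopback gets a TCP reset,
    #    which is the behaviour the poster wanted from --reject-with tcp-reset.
    printf 'iptables -I INPUT 3 ! -i lo -p tcp -m tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
        "$SQUID_PORT"
}

# Belt and braces: also stop Squid listening on the LAN address at all, so the
# firewall is not the only thing protecting it (goes in squid.conf, then
# reconfigure Squid).
squid_conf_line() {
    printf 'http_port 127.0.0.1:%s\n' "$SQUID_PORT"
}

# Review:         sh this_script.sh
# Apply as root:  sh this_script.sh | sh
# Verify from a LAN client: a connection to server:3128 should now be refused
# (reset), while server:8080 still answers.
squid_lockdown_rules
```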

acid_kewpie 08-27-2005 08:33 AM

You wouldn't want to make them only use port 8080 really, you'd more need to transparently intercept normal port 80 requests and handle them in your own way. There's some good transparent proxy information here: http://www.tldp.org/HOWTO/TransparentProxy-6.html but maybe your router is capable of helping you out here?

Personally I'd say that the best solution is to build a dedicated proxy firewall box, something like ipcop with squid and dansguardian plugins on it. You can then easily use that box as a default gateway and not have to use a more important server as a network appliance.
http://ipcop.sf.net
http://www.dageek.co.uk/ipcop/addonz/dansguardian.htm
