iptables+squid
Well ... I read about iptables+squid to block msn+yahoo+radios .... I can do it with iptables with 2 rules:

/sbin/iptables -A INPUT -p TCP -s $filter -j DROP
/sbin/iptables -A INPUT -p UDP -s $filter -j DROP

where $filter is a list of servers to block. With this I found that iptables doesn't block some domains .... I tried with squid, doing:

acl intra src 192.168.1.0/255.255.255.0
acl msn req_mime_type ^application/x-msn-messenger
acl MSN-MESSENGER dst "sfilterip"
acl msnd dstdomain .webmessenger.msn.com
# squid's dstdomain has no '*' wildcard: a leading dot matches the domain and all of its subdomains
acl msnd dstdomain .iloveim.com
acl listamsn dstdomain "/etc/squid/sfilter"
acl yahoo dstdomain pager.yahoo.com
acl yahoo dstdomain shttp.msg.yahoo.com
acl yahoo dstdomain update.messenger.yahoo.com
acl yahoo dstdomain update.pager.yahoo.com
http_access deny intra msn
# http_access is evaluated first-match: "allow intra" matches every LAN client, so the deny lines below it never apply to them
http_access allow intra
http_access deny intra MSN-MESSENGER
http_access deny msnd
http_access deny intra listamsn
http_access allow localhost
http_access deny yahoo
http_access allow all

And nothing ... so ... I want to see if I can block it but not block myself ;) Any advice?
Depending on your setup, if your proxy is transparent, you will need some DNAT or REDIRECT rules to force traffic into the proxy.
Packets going from clients will have an external IP destination address in them. Rules will need to be interface specific and specify checking the destination address, e.g.

-A INPUT -i eth0 -p tcp -d $filter -j DROP

For clients that are set to use the proxy on, say, port 8080, they will have a local address as a destination address, so squid will have to send to the external IP address. You can filter in the OUTPUT chain as above:

-A OUTPUT -o eth1 -p tcp -d $filter -j DROP

I can't comment on the squid rules because I use Dansguardian to do URL/content filtering: www.dansguardian.org
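As an added example (not from either poster), a script that puts the reply's advice together: a REDIRECT rule that forces LAN web traffic into a transparent squid, and destination-based (-d) DROP rules loaded from a blocklist file. It assumes eth0 is the LAN side, eth1 the WAN side, squid intercepting on port 3128, and a one-IP-per-line blocklist in /etc/squid/sfilterip; it uses FORWARD for routed client traffic and OUTPUT for squid's own connections, and DRY_RUN=1 prints the rules instead of applying them.

```bash
#!/bin/sh
# Assumed layout (adjust via environment variables before sourcing/running).
IPT=${IPT:-/sbin/iptables}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PROXY_PORT=${PROXY_PORT:-3128}
BLOCKLIST=${BLOCKLIST:-/etc/squid/sfilterip}

# Run iptables, or just print the command when DRY_RUN=1 (safe to test anywhere).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Transparent proxy: send LAN clients' port-80 traffic into squid (REDIRECT).
redirect_to_proxy() {
    run -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Block one destination IP: FORWARD covers clients that bypass the proxy
# (packets routed LAN -> WAN), OUTPUT covers squid's own outbound connects.
# Matching on -d, not -s, is what makes this work for outgoing traffic.
block_destination() {
    ip=$1
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -d "$ip" -j DROP
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp -d "$ip" -j DROP
    run -A OUTPUT -o "$WAN_IF" -p tcp -d "$ip" -j DROP
}

# Read the blocklist: first field is the IP, blank lines and '#' comments are skipped.
apply_blocklist() {
    while read -r ip _; do
        case $ip in ''|'#'*) continue ;; esac
        block_destination "$ip"
    done < "$BLOCKLIST"
}
```

Run `DRY_RUN=1 sh script.sh` after appending `redirect_to_proxy; apply_blocklist` to review the rule set before loading it on the gateway.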