10-25-2013, 08:48 AM, #1
swaggerlee (Member); Registered: Jul 2012; Location: India, Kolkata; Distribution: fedora, ubuntu; Posts: 35
squid proxy queries
Hi All,
I am using a squid proxy on a desktop with Fedora 14, through which all users access the internet.
I want to block some sites. For that I have declared some ACLs, as follows:
Quote:
======================================================
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl morning_hours time M T W H F 9:00-12:59
acl evening_hours time M T W H F 14:00-18:45
acl deniedDomains url_regex "/usr/local/etc/deniedDomains"
acl blacklistIP src "/usr/local/etc/blacklistIP"
http_access deny deniedDomains morning_hours blacklistIP
http_access deny deniedDomains evening_hours blacklistIP
acl myNetwork src "/usr/local/etc/whitelistIP"
http_access allow myNetwork
================================================================
*[The deniedDomains list is as follows]
.facebook.com
.server14.kproxy.com
.kproxy.com
.myspace.com
.metacafe.com
.kproxyfree.com
.orkut.com
.jabong.com
.snapdeal.com
================================================================
*[The blacklistIP list is as follows]
192.168.100.10
192.168.100.12
192.168.100.15
etc., and so on
================================================================
*[The whitelistIP list is as follows]
192.168.100.100
192.168.100.120
192.168.100.150
======================================================
NOTE: we have DHCP configured on another machine, through which wi-fi users access the internet using an automatically assigned IP, i.e. DHCP.
NOW my questions are:
1> How to block or define the DHCP IPs in blacklistIP so that DHCP users also cannot browse the deniedDomains? By default DHCP users can access facebook, orkut, etc. Don't know how they can access them!!
2> How to block Gmail browser chat (not Gtalk) and Yahoo chat for all users?
3> Since all my users are connected to the internet through my proxy machine, how do I know which user IP address is utilizing heavy internet resources, i.e. downloading stuff or streaming live videos, which may cause slow internet connectivity for the rest of the users? Can I view/detect the particular IP address?
Hope I have been brief enough in explaining my problems.
Awaiting your answer ....
10-25-2013, 10:20 AM, #2
LQ Guru; Registered: Jul 2003; Location: Birmingham, Alabama; Distribution: SuSE, RedHat, Slack, CentOS; Posts: 27,331
Quote:
Originally Posted by swaggerlee
Hi All,
I am using a squid proxy on a desktop with Fedora 14, through which all users access the internet. I want to block some sites. For that I have declared some ACLs, as follows.
NOTE: we have DHCP configured on another machine, through which wi-fi users access the internet using an automatically assigned IP, i.e. DHCP. NOW my questions are:
1> How to block or define the DHCP IPs in blacklistIP so that DHCP users also cannot browse the deniedDomains? By default DHCP users can access facebook, orkut, etc. Don't know how they can access them!!
They can access those sites, because you probably don't have them in the ACL. You're not posting all of your squid configurations, but chances are you're only applying the deny ACL to 'known' users...however they're 'known'. If you're identifying them by IP address, then there's your answer...the DHCP users don't HAVE static addresses, so the DENY,ALLOW takes effect, letting them out. So modify your ACL to deny those sites to ANYONE, on ANY address, or add the DHCP address range to the deny ACL.
Quote:
2> How to block Gmail browser chat (not Gtalk) and Yahoo chat for all users?
You don't, at least not with Squid...this has been asked and answered on here MANY times.
Quote:
3> Since all my users are connected to the internet through my proxy machine, how do I know which user IP address is utilizing heavy internet resources, i.e. downloading stuff or streaming live videos, which may cause slow internet connectivity for the rest of the users? Can I view/detect the particular IP address?
You go to the Squid website, and look up one of the VERY easily-found Squid reporting tools, install them, and run them. Find out which one fits your needs best.
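For question 3, the reporting tools the reply points to all work from Squid's access.log. As an added illustration (not part of the thread and not one of Squid's own tools), this script totals bytes per client IP over a few constructed lines in Squid's native access.log format (timestamp, elapsed ms, client, status/code, bytes, method, URL, ident, hierarchy/peer, content type), so the heaviest downloaders and video streamers surface at the top:

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format; the client
# addresses are made up to match the poster's 192.168.100.0/24 network.
SAMPLE_LOG = """\
1382678400.101   245 192.168.100.200 TCP_MISS/200 52341 GET http://example.com/page.html - DIRECT/93.184.216.34 text/html
1382678401.207 31890 192.168.100.200 TCP_MISS/200 48123456 GET http://cdn.example.com/big.iso - DIRECT/93.184.216.34 application/octet-stream
1382678402.330   120 192.168.100.120 TCP_HIT/200 8120 GET http://example.com/style.css - NONE/- text/css
1382678405.900 60210 192.168.100.150 TCP_MISS/200 95120000 GET http://video.example.com/live.flv - DIRECT/203.0.113.9 video/x-flv
1382678406.004    80 192.168.100.120 TCP_MISS/304 330 GET http://example.com/logo.png - DIRECT/93.184.216.34 image/png
1382678410.510   900 192.168.100.200 TCP_MISS/200 2210000 GET http://example.com/clip.mp4 - DIRECT/93.184.216.34 video/mp4
"""

def parse_line(line):
    """Split one native-format log line into the fields the report needs."""
    f = line.split()
    return {"ts": float(f[0]), "ms": int(f[1]), "client": f[2], "status": f[3],
            "bytes": int(f[4]), "method": f[5], "url": f[6],
            "ctype": f[9] if len(f) > 9 else "-"}

def usage_by_client(log_text):
    """Per client IP: total bytes, request count, bytes of video/* content and the
    largest single transfer, sorted by total bytes descending."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "video_bytes": 0, "largest": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        t = totals[rec["client"]]
        t["bytes"] += rec["bytes"]
        t["requests"] += 1
        t["largest"] = max(t["largest"], rec["bytes"])
        if rec["ctype"].startswith("video/"):
            t["video_bytes"] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

def report(log_text, top=5):
    """Human-readable lines for the top N clients, heaviest first."""
    return [f"{ip:<16}{t['bytes'] / 1e6:9.2f} MB {t['requests']:4d} req"
            f"  video {t['video_bytes'] / 1e6:7.2f} MB  largest {t['largest'] / 1e6:7.2f} MB"
            for ip, t in usage_by_client(log_text)[:top]]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Point it at the real file (usually /var/log/squid/access.log) by reading it into `log_text`; on a busy proxy, run it over the last hour of lines rather than the whole file.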
10-28-2013, 12:19 AM, #3
swaggerlee (Member, Original Poster); Registered: Jul 2012; Location: India, Kolkata; Distribution: fedora, ubuntu; Posts: 35
OKAY, here is my complete squid config file for you ... can you tell me what I am doing wrong?
Quote:
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443 8100
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8100 #java socket
acl CONNECT method CONNECT
acl ftp proto FTP #(Creating a new acl for ftp protocol)
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
#http_access allow Safe_ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
http_access allow ftp
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl morning_hours time M T W H F 9:00-12:59
acl evening_hours time M T W H F 14:00-18:45
acl deniedDomains url_regex "/usr/local/etc/deniedDomains"
acl blacklistIP src "/usr/local/etc/blacklistIP"
http_access deny deniedDomains morning_hours blacklistIP
http_access deny deniedDomains evening_hours blacklistIP
acl myNetwork src "/usr/local/etc/whitelistIP"
http_access allow myNetwork
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Let me know if I missed something to post ..
10-28-2013, 10:28 AM, #4
LQ Guru; Registered: Jul 2003; Location: Birmingham, Alabama; Distribution: SuSE, RedHat, Slack, CentOS; Posts: 27,331
Quote:
Originally Posted by swaggerlee
OKAY, here is my complete squid config file for you ... can you tell me what I am doing wrong?
Let me know if I missed something to post ..
From my first post, I told you what the problem was and how to correct it. Did you read/understand it?
You're still allowing access from that network range somehow. You mention the 'whitelistIP' range, but you don't give any details about what range/network your DHCP server is on. Again...create an ACL with the address range of your DHCP server, and apply your rules to it.
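To see why the posted config lets DHCP clients through and how the fix suggested in posts #2 and #4 changes that, here is an added example (not from the thread or from Squid) that evaluates Squid's http_access rules the way Squid does: ACLs on one line are AND-ed, the first matching line wins. It uses a cut-down copy of the poster's rules with the file-backed lists inlined; the DHCP pool 192.168.100.128/25 and the client 192.168.100.200 are assumed, since the thread never states the real range.

```python
import ipaddress
import re
from datetime import datetime
# Constructed cut-down version of the poster's squid.conf: the file-backed
# lists are inlined and only the lines that decide the DHCP case are kept.
ORIGINAL = """
acl all src 0.0.0.0/0
acl localnet src 192.168.0.0/16
acl morning_hours time M T W H F 9:00-12:59
acl deniedDomains url_regex .facebook.com .orkut.com
acl blacklistIP src 192.168.100.10 192.168.100.12
http_access deny deniedDomains morning_hours blacklistIP
http_access allow localnet
http_access deny all
"""
# The replies' fix: an ACL for the DHCP pool (192.168.100.128/25 is an assumed
# range) with its own deny line placed before "http_access allow localnet".
FIXED = ORIGINAL.replace("http_access allow localnet", """acl dhcpRange src 192.168.100.128/25
http_access deny deniedDomains morning_hours dhcpRange
http_access allow localnet""")

DAYS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}  # squid day letters
SAMPLE_WHEN = datetime(2013, 10, 28, 10, 30)  # constructed: a Monday inside morning_hours

def acl_matches(acls, name, ip, url, t):
    # An ACL matches when any of its definition lines matches (lines are OR-ed).
    for kind, vals in acls[name]:
        if kind == "src" and any(ip in ipaddress.ip_network(v, strict=False) for v in vals):
            return True
        if kind == "url_regex" and any(re.search(v, url) for v in vals):
            return True
        if kind == "time":  # "M T W H F 9:00-12:59": day letters then an hh:mm-hh:mm range
            lo, hi = (int(h) * 60 + int(m) for h, m in (x.split(":") for x in vals[-1].split("-")))
            if t.weekday() in {DAYS[d] for d in vals[:-1]} and lo <= t.hour * 60 + t.minute <= hi:
                return True
    return False

def decide(conf, src, url, when):
    acls, rules = {}, []
    for tok in (line.split() for line in conf.splitlines() if line.strip()):
        if tok[0] == "acl":
            acls.setdefault(tok[1], []).append((tok[2], tok[3:]))
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    ip = ipaddress.ip_address(src)
    # All ACLs on a line are AND-ed; first matching line wins; no match gives the opposite of the last line.
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), ip, url, when) != n.startswith("!") for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"
```

Calling `decide(ORIGINAL, "192.168.100.200", "http://www.facebook.com/", SAMPLE_WHEN)` returns "allow" because the only deny line requires blacklistIP and the request then falls through to "allow localnet", while the same call on FIXED returns "deny".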
All times are GMT -5.