LinuxQuestions.org

Linux - Networking: Squid Proxy Server (https://www.linuxquestions.org/questions/linux-networking-3/squid-proxy-server-611113/)

raider_jo 01-04-2008 09:33 AM

Squid Proxy Server
 
Hi...
I have a small home network with Linux as the server and Windows clients.
I've configured Squid to restrict porn sites on the clients,
and I have a switch, not a router.

The clients cannot access porn sites when they configure their Firefox to use the Squid proxy.
BUT if they choose the option 'direct access to the internet' instead, then they can access porn sites. (How come???!!!)

It seems like internet connection sharing, not a proxy server...
So how can I force them to use the internet only through the Squid proxy server??

win32sux 01-04-2008 10:23 AM

What router/gateway are the boxes using? That's where your problem/solution lies. You can either stop them from getting routed, or force them to get proxied.

raider_jo 01-04-2008 10:38 AM

When they choose the option 'direct connection to the internet' in their Firefox or any browser... I want to force them to get proxied.

win32sux 01-04-2008 11:21 AM

Quote:

Originally Posted by raider_jo (Post 3011167)
I want to force them to get proxied.

Then you need to configure Squid in transparent mode.

RobertP 01-04-2008 02:10 PM

Quote:

I have a switch, not a router
If you can use a second network interface on your server, it can be a router and absolutely police the access (unless clients move a cable).

ISP connects to eth0 on your server
Switch connects to eth1 on your server
The only way clients can get to the Internet is through you.

Block requests to port 80 from eth1 using iptables. Allow 8080 in from eth1. Block 3128 from eth1.

Then the only way the clients can get out is to talk to DansGuardian on port 8080.

From your machine you should still be able to download executables/packages if you wish.

iptables -A FORWARD -i eth1 -p tcp --dport 80 -j DROP     # filter table: DROP is not a valid target in the nat table
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j DROP     # keep clients off Squid's own port; only DansGuardian should use it

Depending on the policies of your firewall, you may have to enable forwarding and acceptance of 8080.

To make this magic transparent, you could reroute port 80 inputs from eth1 to go to port 8080 on the server.


iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dports 80,3128 -j REDIRECT --to-ports 8080   # --dports: match the destination port only

Then all requests to port 80 or 3128 from eth1 will be handled by DansGuardian on 8080. If Squid or DansGuardian stops, access to the Internet stops. The security of all this depends on the clients only being able to access the Internet through eth1.

To read the gory details: man iptables.

You can use static IP addresses for your clients or set up DHCP to run on your server. Static is probably easy if you have a few clients.
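A complete rule set for the two-NIC gateway RobertP describes, as an added example that is not part of the thread or of RobertP's post. The interface names, the 192.168.1.0/24 LAN subnet and the 8080/3128 ports are assumptions; the script prints the rules by default so they can be reviewed, and applies them when run with 'apply'. It also spells out two things the post leaves implicit: forwarding defaults to DROP so a dead proxy fails closed rather than open, and DNS is let through because the clients still resolve names themselves before the transparent redirect happens.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# iptables ruleset for the two-NIC gateway described above. Interface names,
# the LAN subnet and the two proxy ports are assumptions; adjust to your setup.
set -eu

WAN_IF="${WAN_IF:-eth0}"               # ISP side
LAN_IF="${LAN_IF:-eth1}"               # switch side
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # clients' subnet (assumed)
FILTER_PORT="${FILTER_PORT:-8080}"     # DansGuardian listens here
SQUID_PORT="${SQUID_PORT:-3128}"       # Squid; only DansGuardian on localhost should reach it

# build_rules WAN LAN LAN_NET FILTER_PORT SQUID_PORT
# Prints one command per line so the ruleset can be reviewed before it is applied.
build_rules() {
  wan=$1 lan=$2 net=$3 filt=$4 squid=$5
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
# Fail closed: nothing is routed unless a rule below allows it, so if Squid or
# DansGuardian dies the clients lose the Internet instead of bypassing the filter.
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Transparent proxy: LAN HTTP, and any attempt to talk to Squid directly,
# is redirected to DansGuardian on the gateway itself (nat table, REDIRECT).
iptables -t nat -A PREROUTING -i $lan -s $net -p tcp -m multiport --dports 80,$squid -j REDIRECT --to-ports $filt
iptables -A INPUT -i $lan -s $net -p tcp --dport $filt -j ACCEPT
# Blocking is done in the filter table; DROP is not a valid target in nat.
iptables -A INPUT -i $lan -p tcp --dport $squid -j DROP
# Clients still resolve names themselves before connecting, so DNS must get out.
iptables -A FORWARD -i $lan -o $wan -s $net -p udp --dport 53 -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
# Note: HTTPS (443) and every other port are simply not forwarded; an HTTP-only
# redirect cannot filter TLS, so either accept that or forward 443 unfiltered.
EOF
}

# apply_rules: same arguments as build_rules; feeds the generated commands to sh.
apply_rules() {
  build_rules "$@" | sh -e
}

case "${1:-print}" in
  apply) apply_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$FILTER_PORT" "$SQUID_PORT" ;;
  *)     build_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" "$FILTER_PORT" "$SQUID_PORT" ;;
esac
```

Run it without arguments first and read the output; then run it with 'apply' as root on the gateway. The one thing the redirect cannot do is filter HTTPS: the rule set above leaves port 443 unforwarded, which is the safe default for this thread's goal, but it means clients get no HTTPS at all until you decide whether to forward it unfiltered.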

