Squid Server with Global IP... 8.8.8.8
Hi Friends,
Today I am facing some issue with 8.8.8.8 DNS... I have blocked all unwanted websites in squid (Linux server is running on RHEL5); in the same server DHCP is running... Now all Windows clients are getting IP + Internet from the same server (Squid + DHCP)... ISSUE... Now what problem is going on means, some XP clients are using 8.8.8.8 DNS and opening unwanted (blocked) sites... I have tried with blocking 8.8.8.8 IP in squid... but when a client gives 8.8.8.8 as DNS that client machine is not reflecting to squid... if I stop squid then also they are able to access the internet... how to stop this? Is there any way that I can block this DNS? Please help on this ASAP...
Regards, Sandeep CC
Why would blocking a single DNS server make any difference whatsoever? What if they then use 4.4.8.8?
You should simply not be permitting outbound internet access from any device that is not your proxy. Put a firewall between your users and the internet and it's painfully simple then.
Becoming big issue in squid server
Hi, sorry for the late reply,
This issue is raising like a big problem for me at office... the same squid server I have configured as DNS server also, for the ping resolve issue... now if XP clients keep my local squid/DNS server IP or any 8.8.8.8/4.2.2.2 etc. as DNS, then they are removing the proxy setup from client IE and using the internet... At that time I am not finding that particular machine's logs in the /var/log/squid/access file... That means if a client removes the IE proxy setting then the client is getting direct Internet from my router (Shorewall configured on RHEL)... Can you tell me what firewall/iptables setup I can make?
Thanks and Regards, Sandeep CC
You would need to just stop shorewall allowing any outbound traffic from any machine that isn't the proxy or other authorised sources. That's presuming that this shorewall instance is physically in between your clients and the internet connection.
I'm no expert but you should block all direct access to the Internet (or outside world) except from your proxy server. All traffic should be redirected through your proxy server to the Internet.
Thanks for your reply,
I am not understanding where exactly I am doing a mistake... Below I am putting my rules file... I have opened the required ports in the rules file... please check my file and let me know where I am doing wrong.
Code:
cat /etc/shorewall/rules
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
#                          PORT PORT(S) DEST    LIMIT GROUP
#
# Accept DNS connections from the firewall to the Internet
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
ACCEPT loc fw tcp 22
ACCEPT loc dmz tcp 22
#
# DMZ DNS access to the Internet
#
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
ACCEPT loc net tcp 53
ACCEPT loc net udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT dmz fw tcp 53
ACCEPT dmz fw udp 53
ACCEPT loc net udp 123
ACCEPT loc fw udp 4242 # Ntop
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
#
#ACCEPT vpn dmz icmp 8
#ACCEPT dmz vpn icmp 8
#
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw net icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
ACCEPT net dmz icmp 8 # Only with Proxy ARP and
ACCEPT net loc icmp 8 # static NAT
ACCEPT loc net icmp 8
# additional rules by Sandeep CC(Office: Sept 04, 2013)
ACCEPT loc net tcp
#
# DMZ to net access rules
#
ACCEPT loc fw tcp
#
# remote Desktop
ACCEPT fw net tcp 3389
ACCEPT net loc tcp 3389
ACCEPT net dmz tcp 3389
ACCEPT loc dmz tcp 3389
ACCEPT dmz loc tcp 3389
#FTP
ACCEPT net fw tcp 21
ACCEPT net fw udp 21
ACCEPT net fw tcp 20
ACCEPT net fw udp 20
ACCEPT net loc tcp 21
ACCEPT net loc udp 21
ACCEPT net loc tcp 20
ACCEPT net loc udp 20
##Office FTP
ACCEPT net fw tcp 1021
ACCEPT net fw udp 1021
ACCEPT net loc tcp 1021
ACCEPT net loc udp 1021
##http allow
ACCEPT net fw tcp 80
ACCEPT net fw udp 80
ACCEPT net loc tcp 80
ACCEPT net loc udp 80
ACCEPT loc net tcp 80
ACCEPT loc net udp 80
ACCEPT all dmz tcp 80
##Office http
ACCEPT net fw tcp 81
ACCEPT net fw udp 81
ACCEPT net loc tcp 81
ACCEPT net loc udp 81
##Office http
ACCEPT net fw tcp 82
ACCEPT net fw udp 82
ACCEPT net loc tcp 82
ACCEPT net loc udp 82
##Office http
ACCEPT net fw tcp 85
ACCEPT net fw udp 85
ACCEPT net loc tcp 85
ACCEPT net loc udp 85
##Office eduproxy1
##http allow
ACCEPT net fw tcp 9542
ACCEPT net fw udp 9542
ACCEPT net loc tcp 9542
ACCEPT net loc udp 9542
##POP3
ACCEPT net fw tcp 100
ACCEPT net fw udp 110
ACCEPT net loc tcp 110
ACCEPT net loc udp 110
##SMTP
ACCEPT net fw tcp 25
ACCEPT net fw udp 25
ACCEPT net loc tcp 25
ACCEPT net loc udp 25
##HHTPS POP
ACCEPT net fw tcp 587
ACCEPT net fw udp 587
ACCEPT net loc tcp 587
ACCEPT net loc udp 587
##HHTPS SMTP
ACCEPT net fw tcp 995
ACCEPT net fw udp 995
ACCEPT net loc tcp 995
ACCEPT net loc udp 995
##HHTPS SMTP
ACCEPT net fw tcp 465
ACCEPT net fw udp 465
ACCEPT net loc tcp 465
ACCEPT net loc udp 465
##HHTPS SMTP
ACCEPT net fw tcp 443
ACCEPT net fw udp 443
ACCEPT net loc tcp 443
ACCEPT net loc udp 443
##FTP
ACCEPT net fw tcp 20
ACCEPT net fw udp 20
ACCEPT net loc tcp 20
ACCEPT net loc udp 20
ACCEPT net fw tcp 21
ACCEPT net fw udp 21
ACCEPT net loc tcp 21
ACCEPT net loc udp 21
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW
Regards, Sandeep CC
It's not about opening ports, it's about closing them.
Code:
##http allow
Hi acid_kewpie,
Thanks for your reply. Here I have tried what you told me to do: as per my previous post's rules file I have commented out these 2 lines, #ACCEPT loc net tcp 80 and #ACCEPT loc net udp 80, but even then it's not working as per my requirement, so I have commented out 2 more lines, #ACCEPT loc net tcp 53 and #ACCEPT loc net udp 53; in this case clients are not able to access the internet without the IE proxy setting... here everything is blocking... but here I am getting 2 more problems: 1. Clients are not able to ping any website by name, like ping www.google.com yahoo.com (by IP they are able to ping any site). 2. The DMZ line is not working (Internet is not working in one more line). (In the shorewall server I have done the setup like eth0 for net, meaning the direct leased line IP; eth1 is for DMZ, meaning the public IPs, the 14 free IPs which we got with the leased line; eth2 is for loc, the local LAN... if I need to use those 14 free IPs I have to route the main leased line IP and these free IPs, then only I can use them as direct public IPs.) Here I am getting the problem that the direct 14 free IPs are not working for internet... where again am I doing a mistake? Please help me out...
Regards, Sandeep CC
Even when I do all these settings, without proxy I can open any website by IP address... e.g. 74.125.128.103 (google.com) can open without the proxy setting...
That means my DNS is blocking the internet for clients if clients are not setting the IE proxy setting... I think something is missing in my configuration... Please let me know where I can correct my setup..
Regards, Sandeep CC
So your two problems: 1) You blocked DNS, so of course they can't reach them. If you don't know what these port numbers and services mean, should you be changing them? 2) This seems unrelated to commenting out those lines, unless the DMZ boxes somehow rely on a service that does live in the "loc" network.
As for still accessing by IP: you've not blocked 443, are you just using https to get there rather than http? As you say DNS did stop working, you are presumably applying these changes correctly, so something else is relevant to the web connections. Maybe you've also got a transparent proxy running on that box which is separately intercepting and redirecting the requests?
Thanks,
Actually 443 is not opened from loc to net, it's net to loc. Even so, shall I REJECT the lines below? ACCEPT net loc tcp 443 and ACCEPT net loc udp 443. Sorry, this is the 1st time I am using shorewall; before, someone did some setup and left, now I have tried something and something went to hell, and that's what I want to correct... My requirement is: any client should not access the internet without the proxy, even if he uses any kind of DNS, 8.8.8.8 etc., and he should be able to ping by name or IP... also all 3 lines need to access the internet (direct net line, public free IPs on dmz, and loc local network LAN).
Regards, Sandeep CC
To me it sounds like you may be transparently proxying. I've no idea how whatever configuration you have would make squid do this within shorewall, so can't guide you there. A full "iptables -vnL" might be handy to clarify. You'd certainly want to block http on 80 and https on 443 though. Moreover, you should be blocking EVERYTHING by default, only opening by exception.
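The default-deny layout the replies above describe, written out as Shorewall policy and rules fragments. This is an added example, not configuration from the thread; it assumes the Squid/DNS host sits in the dmz zone at the placeholder address 203.0.113.10 and that Squid listens on its default port 3128.

```text
# /etc/shorewall/policy  (assumed layout; zones net, dmz, loc and fw as in the thread)
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    REJECT   info     # clients get no direct Internet at all
loc      dmz    REJECT   info     # nor the DMZ, except via the rules below
dmz      net    ACCEPT            # the Squid host lives here and needs outbound access
fw       all    ACCEPT
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules  (only the rules that matter for enforcing the proxy)
#ACTION  SOURCE  DEST                PROTO  DEST PORT(S)
# Clients may reach only the proxy/DNS host (203.0.113.10 is an assumed placeholder)
ACCEPT   loc     dmz:203.0.113.10    tcp    3128    # Squid's default port (assumed)
ACCEPT   loc     dmz:203.0.113.10    udp    53      # the internal resolver on the same host
ACCEPT   loc     dmz:203.0.113.10    tcp    53
# Ping by name keeps working: names resolve via the rules above, echo requests go out
ACCEPT   loc     net                 icmp   8
# No other loc->net rule exists, so queries to 8.8.8.8:53 and direct 80/443
# connections fall through to the loc->net REJECT policy and are logged at level info
```

Because the policy carries a log level, every blocked attempt is written to syslog, which is how you identify the client that switched its DNS to 8.8.8.8 and removed the IE proxy setting. If the Squid host also hands out DHCP to loc, that traffic needs its own interface or relay handling and is not covered here.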
Hi Chris,
Sorry, I have tried all ways but finally I failed to correct my mistakes... As per my requirement I am unable to set up my network... I am not understanding where I am doing mistakes (shorewall or squid server or iptables)... I can provide you all my setup files if you can find out the exact problem... I am ready to configure a totally new server if you guide me... Just I need all my clients to get internet via my squid server, and if they use any inside or outside DNS IP they should not get the blocked websites... Thanks for your help... Scenario of my network: I have configured an RHEL server as router by using shorewall software (having 3 NIC cards). Configured eth0 to the direct leased line IP, eth1 configured with 14 free public IPs (these IPs came free with the leased line; I can use these IPs as public IPs, but I must do routing for this), eth2 configured for the local network... from these free IPs I have taken 1 IP and configured the squid server on RHEL-5 (the same squid server is configured for DHCP also; all clients are getting DHCP IP + Internet from this IP/squid server)... In this squid server I have blocked all unwanted sites... Users are removing the proxy setting from IE and giving 8.8.8.8 as DNS and using the internet, so that client is getting internet from the router server directly and he is able to open all websites...
Regards, Sandeep CC