LinuxQuestions.org
Old 09-07-2005, 04:08 AM   #1
ckamheng
Member
 
Registered: Apr 2003
Location: Malaysia
Distribution: Slackware 10.2
Posts: 75

Rep: Reputation: 15
block internal user to access external proxy server


Hi,

I just implemented a central firewall (iptables) with a transparent proxy (squid) in my company. I block the MSN and Yahoo chat programs in my iptables rules. However, the users can still use an external free proxy to run MSN and Yahoo Messenger. Is there any way for me to block the users from doing this and force all traffic to go through my proxy?

Thanks.
 
Old 09-07-2005, 08:10 AM   #2
pats
Member
 
Registered: Jul 2005
Distribution: Debian Sarge/Etch, (K)Ubuntu, FC6, AIX5.3, VMWare ESXServer
Posts: 159

Rep: Reputation: 30
You must have a setup like this:

internal network ---------- proxy server -------- router/gateway to internet

All internet traffic has to go through the proxy server; otherwise there is no real point in having a proxy server. This means that every PC at your company must be set up to connect to the internet using this proxy.

What I suspect you have is something like this:

proxy server
|
|
internal network -----------router/gateway to internet

Let me know if this makes any sense.
 
Old 09-07-2005, 07:37 PM   #3
ckamheng
Member
 
Registered: Apr 2003
Location: Malaysia
Distribution: Slackware 10.2
Posts: 75

Original Poster
Rep: Reputation: 15
My original plan for the transparent proxy was to force all the traffic from our internal LAN to go through it, but I was unable to do it, so for now I have only managed to force the traffic for ports 80 and 21 through it.

Now my problem is to force every user in my LAN to go through the transparent proxy.

How can I change my configuration from

proxy server
|
|
internal network -----------router/gateway to internet

to

internal network ---------- proxy server -------- router/gateway to internet

Thanks.
 
Old 09-08-2005, 03:39 AM   #4
pats
Member
 
Registered: Jul 2005
Distribution: Debian Sarge/Etch, (K)Ubuntu, FC6, AIX5.3, VMWare ESXServer
Posts: 159

Rep: Reputation: 30
What you'll have is two network cards in the proxy server: one on the internal side and one on the external side. The proxy server should effectively be working as a gateway server with all internet traffic going through it. This is the only way it can work as a proxy/firewall. Unless the only way onto the internet from your network is through the proxy/firewall, there is no way to guarantee blocking of certain ports.

So what you'll have is:



 __________             ______________         ~~~~~
|switch/hub|-----------|proxy/firewall|--------(internet)
 ----------        nic1--------------nic2      ~~~~~
     |
 ____|______
|internal PC|
 -----------

(I could make these diagrams all day.)

What I think you might be confused about is a slightly different proxy setup which has separate proxy servers and firewalls.

This looks like:
 ____________
|proxy server|
 -----|------
 _____|____             __________         ~~~~~
|switch/hub|-----------|firewall|--------(internet)
 ----------        nic1---------nic2       ~~~~~
     |
 ____|______
|internal PC|
 -----------

In this setup the firewall blocks any outgoing traffic that isn't from the proxy server. This is in some ways better to manage. It just depends what kit you've got to spare.

Good luck.
 
Old 09-08-2005, 03:43 AM   #5
pats
Member
 
Registered: Jul 2005
Distribution: Debian Sarge/Etch, (K)Ubuntu, FC6, AIX5.3, VMWare ESXServer
Posts: 159

Rep: Reputation: 30
OK, so those diagrams didn't turn out how they should have, so here they are again.

|switch/hub|-----------|proxy/firewall|--------(internet)
|
|
|internal PC|

And the second...

|proxy server|
|
|
|switch/hub|-----------|firewall|--------(internet)
|
|
|internal PC|
 
Old 09-08-2005, 05:39 AM   #6
ckamheng
Member
 
Registered: Apr 2003
Location: Malaysia
Distribution: Slackware 10.2
Posts: 75

Original Poster
Rep: Reputation: 15
My configuration looks like this:

|proxy server|
|
|
|switch/hub|-----------|firewall|--------(internet)
|
|
|internal PC|

So can you teach me how to block the traffic not coming from the proxy (in iptables)? I'm just a newcomer to Linux.

Thanks.
 
Old 09-08-2005, 06:51 AM   #7
pats
Member
 
Registered: Jul 2005
Distribution: Debian Sarge/Etch, (K)Ubuntu, FC6, AIX5.3, VMWare ESXServer
Posts: 159

Rep: Reputation: 30
So I can assume that you have two machines, one for the firewall and one for the proxy?

Let's assume that you have an IP range of 192.168.1.*
Your firewall/gateway should be something like 192.168.1.1
and your proxy could be anything, but let's assume it's 192.168.1.2.
All the other addresses can be any other laptop/desktop/whatever on your network.

What you want to do is set it so the firewall only forwards traffic to the internet from the proxy. Also on the firewall you want to set which programs should and shouldn't be allowed access. I'm no expert with manually editing the iptables config; you'll have to do your own homework for that, I'm afraid.

http://www.smoothwall.org/
might help you out for the firewall. It's an entire distro which acts as a firewall and is configured via a web interface.

Also a firewall called Firestarter (just Google for it) is nice and easy to use, but that's more of a personal firewall rather than something you'd trust to protect an entire network.

I'm not entirely sure why you want the proxy server? If all your internet traffic is going through the firewall you should be able to block certain applications with no trouble.

What do you need the proxy for?
You seem to want to block certain programs from accessing the internet, and that's the job for a firewall, not a proxy.

A proxy has 3 main uses:
- authentication, to make sure only certified users can access the internet
- to aid with caching
- and to stop certain websites being used.

Unless you want to do these, then I suggest you don't bother with a proxy.

Either way, for usefulness I'd go for Smoothwall as your firewall. You won't get a lot of Linux experience, but it's a good product.

Good luck.
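One way to write the "firewall only forwards traffic from the proxy" rule that pats describes, as an added example that is not code from this thread or any poster. It assumes the addresses pats proposed (LAN 192.168.1.0/24, proxy 192.168.1.2) and interface names eth0 (LAN side) and eth1 (internet side) on the firewall box, which the thread does not name.

```shell
#!/bin/sh
# Added example, not from the thread: FORWARD policy for the two-box layout
# (proxy beside the LAN, firewall in front of the internet). Assumptions:
# LAN 192.168.1.0/24, proxy 192.168.1.2 (from post #7), eth0 = LAN side and
# eth1 = internet side of the firewall (interface names are assumed).
set -eu

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_IP="${PROXY_IP:-192.168.1.2}"
# Dry run by default: the rules are printed. Run as root with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

apply_forward_policy() {
    # Default-deny for anything routed through the box, then rebuild the chain.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections the proxy opened are allowed back in.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the proxy host may open connections towards the internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY_IP" -j ACCEPT
    # Any other LAN host trying to leave directly (e.g. via an external free proxy)
    # is logged, rate-limited so one chatty client cannot flood syslog, then dropped.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-BYPASS: "
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

apply_nat() {
    # Only the proxy's traffic is masqueraded behind the firewall's public address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$PROXY_IP" -j MASQUERADE
}

apply_forward_policy
apply_nat
```

Dropped attempts appear in the kernel log with the FWD-BYPASS: prefix, which tells you which LAN host is trying to go around the proxy. In this layout the proxy is not on the routing path, so the client PCs still have to be configured to use it.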
 
Old 09-09-2005, 04:37 AM   #8
ckamheng
Member
 
Registered: Apr 2003
Location: Malaysia
Distribution: Slackware 10.2
Posts: 75

Original Poster
Rep: Reputation: 15
Thanks, I got the idea already.
 
  

