LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
05-12-2009, 11:13 PM   #1
jocast
Member
Registered: May 2004
Location: Laredo
Distribution: FC3
Posts: 185
Firewall and webcontent filter


Hello forum.
I need to set up a Linux box to restrict Internet access on my network; users will only be allowed to use the Internet and email (POP3 and IMAP). I already have one doing the web content filtering with Squid and DansGuardian, but I need to enter the proxy settings in the browser to be able to block the sites; if they remove the proxy settings from their browser they are able to view all the pages. Also, my box is not blocking P2P access like LimeWire or Ares.

I need my Linux box to be able to:
Share Internet access to clients
Block all ports except Internet, POP3, SMTP and IMAP
Filter Internet content
Not need proxy settings configured on the clients

Please help.
 
05-12-2009, 11:36 PM   #2
chrism01
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,362
Assuming this is a separate box, set the input-from-lan-NIC iptables (aka firewall) to only accept calls to http, https, pop3, smtp, imap.
That way they don't need to bother with proxy settings in browser.

So:

LAN ---- PROXY ---- router ---- internet
 
05-13-2009, 12:22 AM   #3
jocast
Member
Registered: May 2004
Location: Laredo
Distribution: FC3
Posts: 185
Original Poster
Yes, it is a separate box, and it has 2 NICs, one for the LAN and one for the WAN. The main problem here is that if I set the Linux box as the gateway on my clients it will only forward HTTP to my clients.
 
05-13-2009, 12:49 AM   #4
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
This should only be a matter of configuring Squid/DG in transparent mode, and then disabling SNAT for the ports you're either doing content filtering for or enforcing proxy usage for (port 80/TCP, for example). Since you want the client's proxy settings to be automatically set, you'll need to use something like WPAD to achieve that (necessary for traffic which can't be transparently proxied, such as HTTPS).

Last edited by win32sux; 05-13-2009 at 12:54 AM.
 
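win32sux's point is that HTTPS cannot be transparently proxied, so the proxy address still has to reach the browser somehow, and WPAD is the usual way: the client fetches a PAC file (wpad.dat) whose URL it learns from DHCP option 252 or from a `wpad` DNS name. The script below is an added example, not code from the thread or from any of its posters: it writes the PAC and the matching ISC dhcpd stanza using jocast's proxy address (192.168.1.250, port 8080) and LAN (192.168.1.0/24). Serving the file from port 80 on the proxy box, the ISC dhcpd syntax, and the web root path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate wpad.dat plus the ISC dhcpd
# option-252 stanza so browsers pick up the proxy automatically. Addresses
# are jocast's; the URL, web root and dhcpd layout are assumptions.

PROXY=${PROXY:-192.168.1.250}
PROXY_PORT=${PROXY_PORT:-8080}
LAN_NET=${LAN_NET:-192.168.1.0}
LAN_MASK=${LAN_MASK:-255.255.255.0}
WPAD_URL=${WPAD_URL:-http://$PROXY/wpad.dat}

# The PAC file: LAN hosts (the web server, the terminal server, the proxy
# box itself) are reached directly; everything else, HTTPS included, goes
# through the proxy (the browser issues CONNECT to it). There is no
# "DIRECT" fallback on purpose: the firewall drops direct traffic anyway,
# and a fallback would make a failing proxy look like unfiltered access.
# isInNet() resolves the host name, so it costs one DNS lookup per URL.
gen_pac() {
cat <<EOF
function FindProxyForURL(url, host) {
    if (isPlainHostName(host))
        return "DIRECT";
    if (isInNet(host, "$LAN_NET", "$LAN_MASK"))
        return "DIRECT";
    return "PROXY $PROXY:$PROXY_PORT";
}
EOF
}

# DHCP option 252 in ISC dhcpd syntax. The trailing \n is the usual
# workaround for Windows clients that otherwise mis-parse the string.
gen_dhcp_stanza() {
cat <<EOF
option wpad code 252 = text;
option wpad "$WPAD_URL\\n";
EOF
}

# Install: the PAC goes under the web root and must be served as
# application/x-ns-proxy-autoconfig (Apache: AddType in the vhost).
install_wpad() {
    root=${1:-/var/www/html}   # assumption: Apache default root on the proxy box
    gen_pac > "$root/wpad.dat"
    gen_dhcp_stanza            # paste into dhcpd.conf's subnet block
}

case "${1:-show}" in
    show)    gen_pac; gen_dhcp_stanza ;;
    install) install_wpad "$2" ;;
esac
```

`sh wpad.sh show` prints both artifacts; `sh wpad.sh install /var/www/html` writes the PAC in place. The proxy box's firewall has to admit LAN connections to the port the PAC is served on. Two caveats a practitioner should keep in mind: WPAD is convenience, not enforcement (a user can still delete the proxy setting, which is why the firewall, not the PAC, has to be what blocks direct traffic), and any host on the LAN that answers for the `wpad` name or hands out option 252 will proxy every browser, so hand the URL out from the one DHCP server you control rather than relying on DNS auto-discovery.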
05-14-2009, 09:36 AM   #5
jocast
Member
Registered: May 2004
Location: Laredo
Distribution: FC3
Posts: 185
Original Poster
Quote:
Originally Posted by win32sux
This should only be a matter of configuring Squid/DG in transparent mode, and then disabling SNAT for the ports you're either doing content filtering for or enforcing proxy usage for (port 80/TCP, for example). Since you want the client's proxy settings to be automatically set, you'll need to use something like WPAD to achieve that (necessary for traffic which can't be transparently proxied, such as HTTPS).
And how can I do this?

Right now I am working fine with Squid and DansGuardian,
but if I set the Linux box as my gateway on my clients I am not able to surf or send/receive mail in Outlook. Is it just an iptables configuration to do this?
 
05-14-2009, 11:28 AM   #6
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
And how can I do this?
Do what? The transparent setup? I gave you a link to get you started with that.

Quote:
Right now I am working fine with Squid and DansGuardian
That's good, it means you're halfway there already (you just need to make some tweaks).

Quote:
but if I set the Linux box as my gateway on my clients I am not able to surf
This conflicts with what you said originally:
Quote:
Originally Posted by jocast
if they remove the proxy settings from their browser they are able to view all the pages
Quote:
or send/receive mail in Outlook. Is it just an iptables configuration to do this?
If you go through the Google search I linked for you above, you'll see that doing transparent redirection is basically just a matter of one iptables rule. But since it sounds like you want to force clients to use Squid for everything, then you could simply forget about transparent redirection and just configure the clients (either manually or automatically) to use the proxy. Then you disable forwarding with something like:
Code:
echo 0 > /proc/sys/net/ipv4/ip_forward
And that way you make sure they can't bypass Squid.
 
05-14-2009, 11:47 PM   #7
jocast
Member
Registered: May 2004
Location: Laredo
Distribution: FC3
Posts: 185
Original Poster
Thank you for your response. Sorry about the conflict in the first post; I was "using" my router as a gateway.

Clients using the following configuration have filtered sites, POP3, SMTP and, unfortunately, P2P and any other file-sharing access, but if they remove the proxy settings they will be able to browse unfiltered. This means that if they install another browser they have access to everything, because I only configured Internet Explorer and Firefox to use the proxy:
IP Address: 192.168.1.xxx
Mask: 255.255.255.0
Gateway: 192.168.1.254 (my router)
DNS1: my ISP's DNS
Proxy: 192.168.1.250 (my Linux box)
Port: 8080

Clients using the following configuration do not have access to anything. I know they can't access the web, because I need to share the Internet from my Linux box.
IP Address: 192.168.1.xxx
Mask: 255.255.255.0
Gateway: 192.168.1.250 (my Linux box)
DNS1: my ISP's DNS
Proxy: none
Port: none

I know that there is a way to share Internet access using iptables, and here is where I need help.
WAN = eth0
LAN = eth1
LAN IP = 192.168.1.250
WAN IP = 216.251.10.20
My web server = 192.168.1.251
My terminal server = 192.168.1.252 (so I'll need my clients to also be able to use Remote Desktop to this server)

Last edited by jocast; 05-14-2009 at 11:50 PM.
 
05-15-2009, 01:09 AM   #8
chrism01
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,362
If the setup is as per my diagram (post #2) then use iptables REDIRECT as per http://www.openpages.info/iptables/, so that as each connection comes into the box from the LAN side (on any port), it's immediately redirected to port 3128 (Squid).
There's no way for them to get around that without hacking the proxy box.
See also http://www.linuxtopia.org/Linux_Fire...les/x4508.html
 
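jocast's post #7 gives the interface and address layout, and chrism01's post #8 the approach: route the LAN through the box and redirect web traffic into the proxy. The script below is an added example, not code from the thread or from any of its posters, that puts the two together as a ruleset in iptables-restore format, with jocast's values (eth0 = WAN, eth1 = LAN, 192.168.1.250 on the LAN side, 216.251.10.20 on the WAN, proxy port 8080). It redirects only port 80 rather than "any port": REDIRECTing arbitrary ports into Squid does not make non-HTTP traffic proxyable, it just breaks it, and dropping everything that is neither web nor mail is exactly the P2P block jocast wants. Assumed, not stated on the page: DansGuardian listens on 8080 (`filterport = 8080`) and chains to Squid on 3128 (`proxyip = 127.0.0.1`, `proxyport = 3128`, with `http_port 127.0.0.1:3128 transparent` in squid.conf on Squid 2.6/3.0, `intercept` on 3.1 and later); SSH on port 22 for administration from the LAN; the TLS mail ports; and this box also serving wpad.dat on port 80.

```shell
#!/bin/sh
# Added example (not from the thread): iptables-restore ruleset for the
# "LAN ---- PROXY ---- router ---- internet" layout using jocast's values.
# ADMIN_PORT, the TLS mail ports and the wpad.dat rule are assumptions.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WAN_IP=${WAN_IP:-216.251.10.20}
DG_PORT=${DG_PORT:-8080}            # DansGuardian filterport; it chains to Squid
SQUID_PORT=${SQUID_PORT:-3128}      # Squid: must not be reachable from the LAN
MAIL_PORTS=${MAIL_PORTS:-25,110,143} # SMTP, POP3, IMAP; add 465,587,993,995 for TLS mail (assumption)
ADMIN_PORT=${ADMIN_PORT:-22}        # ssh to the proxy box from the LAN (assumption)

gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Transparent proxying: LAN web traffic that is not for the LAN itself is
# handed to DansGuardian, so clients need no proxy setting for plain HTTP.
-A PREROUTING -i $LAN -s $LAN_NET ! -d $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $DG_PORT
# SNAT only mail and DNS. Port 80 never reaches POSTROUTING (redirected),
# and nothing else is translated, so P2P or direct HTTPS cannot leave here.
-A POSTROUTING -o $WAN -s $LAN_NET -p tcp -m multiport --dports $MAIL_PORTS -j SNAT --to-source $WAN_IP
-A POSTROUTING -o $WAN -s $LAN_NET -p udp --dport 53 -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Redirected and explicitly configured browsers both land on DG_PORT.
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport $DG_PORT -j ACCEPT
# wpad.dat served by this box (assumption); remove if it is not.
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 80 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport $ADMIN_PORT -j ACCEPT
# Squid stays closed: a browser pointed at :$SQUID_PORT would skip DansGuardian.
-A INPUT -i $LAN -p tcp --dport $SQUID_PORT -j DROP
# Routed traffic: replies, mail, and DNS to the ISP resolvers the clients use.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp -m multiport --dports $MAIL_PORTS -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Sanity checks on the generated text before it touches a live box:
# default-deny forwarding, the redirect present, and no SNAT for port 80.
check_ruleset() {
    rs=$(gen_ruleset)
    echo "$rs" | grep -q '^:FORWARD DROP' &&
    echo "$rs" | grep -q -- "-j REDIRECT --to-ports $DG_PORT" &&
    ! echo "$rs" | grep -- '-j SNAT' | grep -q -- '--dport 80'
}

apply_ruleset() {
    # This box routes mail and DNS, so forwarding must be on; post #6's
    # "echo 0" applies to the proxy-only layout without routing.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
}

case "${1:-show}" in
    show)  gen_ruleset ;;
    check) check_ruleset && echo "ruleset looks sane" ;;
    apply) apply_ruleset ;;
esac
```

`sh firewall.sh check`, then `sh firewall.sh apply` as root, then `service iptables save` on Fedora so the rules survive a reboot. HTTPS is deliberately not forwarded: with only port 80 intercepted, a client that can reach 443 directly can tunnel anything through it, so HTTPS has to go through the proxy as CONNECT, which means the proxy address still needs to reach the browser (manually or via WPAD). If the terminal server must be reachable from the WAN, a DNAT for 3389 belongs on whichever box is the Internet gateway, as win32sux suggests in post #9, not in the rules above.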
05-15-2009, 06:54 AM   #9
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by jocast
[post #7 quoted in full]
Sounds to me like the only thing you need to do routing for is the remote desktop software (assuming they would be connecting from the WAN side). So you could just configure your router to do that (and nothing else). Then clients would need to use the proxy server for everything else, and they wouldn't have a way to bypass it. With this kind of setup, a client could have a configuration like (example):
Code:
IP Address: 192.168.1.114
Netmask: 255.255.255.0
Gateway: N/A
DNS: N/A
Proxy IP: 192.168.1.250
Proxy Port: 8080
If they remove the proxy settings and set 192.168.1.254 as the gateway, the configuration on the router wouldn't allow them to access the WAN (it would only allow outbound packets in state ESTABLISHED, for the remote desktop service).

That said, considering that this is the router you seem to be using yourself, your best bet (with regards to security) might be to put the router higher up, thereby eliminating the need to implement any special access restrictions on it with regards to the clients. Example of what I mean:
Code:
                     [ROUTER]
                        |
                        |
                  [HUB/SWITCH]
                  /   \      \
                 /     \      \
                /       \      \
               /         \      \
            eth0          \      \
           [PROXY]     [SERVER]  [JOCAST]
            eth1
              |
              |
         [HUB/SWITCH]
          /   |   \
         /    |    \
        /     |     \
[CLIENT]  [CLIENT]  [CLIENT]
Notice how the clients can't physically bypass the proxy to get to the WAN side. This example assumes your router only has two interfaces (WAN and LAN), but if it has more then of course you could make things even tighter by not having the proxy, the server (remote desktop), and your PC in the same network.

Last edited by win32sux; 05-16-2009 at 12:33 AM. Reason: Spelling and grammar.
 
All times are GMT -5.