Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hello forum.
I need to set up a Linux box to restrict internet access in my network;
users will only be allowed to use the internet and email (POP3 and IMAP). I already have one doing the web content filtering with Squid and DansGuardian, but I need to enter the proxy settings in the browser to be able to block the sites; if they remove the proxy settings in their browser they are able to view all the pages. Also, my box is not blocking P2P access like LimeWire or Ares.
I need my Linux box to be able to:
Share internet to clients
Block all ports except internet, POP3, SMTP and IMAP
Filter internet content
No need to configure proxy settings on clients.
Assuming this is a separate box, set the input-from-LAN-NIC iptables (aka firewall) to only accept calls to HTTP, HTTPS, POP3, SMTP, IMAP.
That way they don't need to bother with proxy settings in browser.
Yes, it is a separate box, and it has 2 NICs, one for the LAN and one for the WAN. The main problem here is that if I set the Linux box as my gateway on my clients it will only forward HTTP to my clients.
This should only be a matter of configuring Squid/DG in transparent mode, and then disabling SNAT for the ports you're either doing content filtering for or enforcing proxy usage for (port 80/TCP, for example). Since you want the client's proxy settings to be automatically set, you'll need to use something like WPAD to achieve that (necessary for traffic which can't be transparently proxied, such as HTTPS).
And how can I do this?
Right now I am working fine with Squid and DansGuardian,
but if I set the Linux box as my gateway on my clients I am not able to surf or send/receive mail in Outlook. Is it just an iptables configuration to do this?
Do what? The transparent setup? I gave you a link to get you started with that.
Quote:
Right now I am working fine with Squid and DansGuardian
That's good, it means you're halfway there already (you just need to make some tweaks).
Quote:
but if I set the Linux box as my gateway on my clients I am not able to surf
This conflicts with what you said originally:
Quote:
Originally Posted by jocast
if they remove the proxy settings in their browser they are able to view all the pages
Quote:
or send/receive mail in Outlook. Is it just an iptables configuration to do this?
If you go through the Google search I linked for you above, you'll see that doing transparent redirection is basically just a matter of one iptables rule. But since it sounds like you want to force clients to use Squid for everything, you could simply forget about transparent redirection and just configure the clients (either manually or automatically) to use the proxy. Then you disable forwarding with something like:
Code:
echo 0 > /proc/sys/net/ipv4/ip_forward
And that way you make sure they can't bypass Squid.
Thank you for your response. Sorry about the conflict in the first post; I was "using" my router as a gateway.
Clients using the following configuration have filtered sites, POP3, SMTP and unfortunately P2P and any other file-sharing access, but if they remove the proxy settings they will be able to browse unfiltered. This means if they install another browser they have access to everything, because I just configured Internet Explorer and Firefox to use the proxy:
IP Address: 192.168.1.xxx
Mask: 255.255.255.0
Gateway: 192.168.1.254 (my router)
DNS1: my ISP's DNS
Proxy: 192.168.1.250 (my Linux box)
Port: 8080
Clients using the following configuration do not have access to anything. I know they can't access the web because I need to share the internet from my Linux box.
IP Address: 192.168.1.xxx
Mask: 255.255.255.0
Gateway: 192.168.1.250 (my Linux box)
DNS1: my ISP's DNS
Proxy: none
Port: none
I know that there is a way to share internet access using iptables, and here is where I need help.
WAN = eth0
LAN = eth1
LAN IP = 192.168.1.250
WAN IP = 216.251.10.20
my web server = 192.168.1.251
my terminal server = 192.168.1.252 (so I'll need my clients to also be able to use Remote Desktop to this server)
If the setup is as per my diagram (post #2), then use iptables REDIRECT as per http://www.openpages.info/iptables/, so that as each connection comes into the box from the LAN side (on any port), it's immediately redirected to port 3128 (Squid).
There's no way for them to get around that without hacking the proxy box.
See also http://www.linuxtopia.org/Linux_Fire...les/x4508.html
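A worked ruleset for the topology the poster describes, added here as an example; it is not code posted by anyone in this thread. It assumes eth0/eth1 and the 192.168.1.0/24 addresses given above, DansGuardian listening on 8080 and chaining to Squid on 3128 with both configured for transparent interception, and that remote users need RDP to the terminal server; those port numbers and the RDP forward are assumptions. Rather than redirecting every port to the proxy, which would also swallow mail, it redirects only TCP/80 and lets the FORWARD chain decide what else may leave the LAN, with a default DROP policy doing the P2P blocking.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it).
# Generates the iptables rules for the gateway described above:
#   eth0 = WAN, eth1 = LAN, 192.168.1.0/24 behind the box,
#   DansGuardian on 8080 chaining to Squid on 3128 (both configured for
#   transparent interception). Port numbers and the optional RDP forward
#   are assumptions, not settings quoted from the thread.
#
#   sh gateway-rules.sh          # print the rules (review them first)
#   sh gateway-rules.sh apply    # run them as root on the gateway

WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
FILTER_PORT=8080            # DansGuardian; use 3128 to hit Squid directly
RDP_SERVER=192.168.1.252    # terminal server (assumed reachable on 3389)

gen_rules() {
    # Flush and default-deny. FORWARD DROP is what actually kills P2P:
    # anything not explicitly listed below never leaves the LAN.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Services the box itself offers to the LAN: the filter, DNS if it runs
    # a resolver, and ssh for administration.
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport $FILTER_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT"

    # Transparent redirect: port 80 from the LAN lands on the filter whether
    # or not the browser has proxy settings, which closes the bypass the
    # original post describes.
    echo "iptables -t nat -A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $FILTER_PORT"

    # Routed traffic: only mail (SMTP, POP3, IMAP and their TLS ports) and
    # HTTPS, which Squid cannot intercept and so goes out unfiltered.
    for port in 25 110 143 443 993 995; do
        echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -j ACCEPT"

    # Masquerade what is forwarded; nothing else reaches POSTROUTING.
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"

    # Optional: publish the terminal server to the WAN side (assumption that
    # remote users need it; delete these two lines if they do not).
    echo "iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 3389 -j DNAT --to-destination $RDP_SERVER:3389"
    echo "iptables -A FORWARD -i $WAN -o $LAN -d $RDP_SERVER -p tcp --dport 3389 -m state --state NEW -j ACCEPT"

    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Audit helper: how many generated rules match a pattern.
count_rules() {
    gen_rules | grep -c -- "$1"
}

case "${1:-}" in
    apply) gen_rules | sh ;;
    *)     gen_rules ;;
esac
```

Print the rules and read them before applying. HTTPS (443) is forwarded unfiltered because Squid cannot intercept it without breaking TLS, which is why a WPAD file or a manual proxy setting is still needed if HTTPS must go through the filter. To check the setup from a client, delete the browser's proxy setting and load a blocked site: the request should still reach DansGuardian, and the packet counter on the REDIRECT rule (`iptables -t nat -L PREROUTING -v -n`) should increase, while a P2P client should simply fail to connect.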
Sounds to me like the only thing you need to do routing for is the remote desktop software (assuming they would be connecting from the WAN side). So you could just configure your router to do that (and nothing else). Then clients would need to use the proxy server for everything else, and they wouldn't have a way to bypass it. With this kind of setup, a client could have a configuration like (example):
If they remove the proxy settings and set 192.168.1.254 as the gateway, the configuration on the router wouldn't allow them to access the WAN (it would only allow outbound packets in state ESTABLISHED, for the remote desktop service).
That said, considering that this is the router you seem to be using yourself, your best bet (with regards to security) might be to put the router higher up, thereby eliminating the need to implement any special access restrictions on it with regards to the clients. Example of what I mean:
Notice how the clients can't physically bypass the proxy to get to the WAN side. This example assumes your router only has two interfaces (WAN and LAN), but if it has more then of course you could make things even tighter by not having the proxy, the server (remote desktop), and your PC in the same network.
Last edited by win32sux; 05-16-2009 at 12:33 AM.