Prevent user bypassing DansGuardian
I need urgent help
Configuration is as follows:

Proxy = Squid 3.1 running on port 8080 (Transparent) (without http_port virtual etc. it's running fine)

http_port 127.0.0.1:8080

If required I will post my configuration files as well.

Filtering = Dansguardian 2.10 running on port 3128

LAN IPs = 192.168.0.0/255.255.0.0
eth0 = 192.168.0.47/255.255.0.0 LAN Interface
eth0:1 = 192.168.0.61/255.255.0.0 (Virtually External Interface)

As we have no dual interfaces on a single machine, we have only the gateway/firewall address with DNS.

IP Forwarding

Enable IP forwarding by modifying the value of net.ipv4.ip_forward = 1 in /etc/sysctl.conf, because our LAN users need to access mail servers outside our LAN.

Redirecting port 80 traffic to 3128 through iptables

iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 8080 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -d 192.168.0.61 -p tcp --dport 80 -j REDIRECT --to-port 3128

Everything is working perfectly, filtering with Dansguardian and other things, by enforcing the proxy address in the browser.

When I configured the browser with no proxy and configured (192.168.0.47) as a gateway, users are able to access those sites which are restricted.

One more thing: sometimes it's working with the above settings, sometimes not. That is, sometimes it filters the browsing, sometimes it doesn't.

Could anyone help me? It's the first time that I have raised a question on linuxquestion.org, because I have to resolve this issue on an urgent basis.

Thanks in advance
Quote:
And if I'm understanding what you wrote...your proxy is working fine...except when you bypass it? Yep...that sounds about right. If you don't want people to get out, block any other path.
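An added example, not part of the thread and not the poster's configuration: a small Python model of first-match evaluation over the nat PREROUTING rules posted in the question, showing which constructed packets those rules rewrite. It models only the `-s`, `-d`, `-p`, `--dport` and `-j` matches; the client address, the outside address 203.0.113.10 and the `BY_SOURCE` rule are assumptions made for illustration.

```python
import ipaddress
import shlex

# The four nat PREROUTING rules exactly as posted in the question.
POSTED = """\
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 8080 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -d 192.168.0.61 -p tcp --dport 80 -j REDIRECT --to-port 3128
"""
# Hypothetical alternative (an assumption, not from the thread): match on the
# LAN source range instead of the proxy's own addresses.
BY_SOURCE = "iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 80 -j REDIRECT --to-port 3128"

FLAGS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "target"}

def parse_rules(text):
    """Parse 'iptables -t nat -A PREROUTING ...' lines into dicts of matches."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        rules.append({FLAGS[t]: tok[i + 1] for i, t in enumerate(tok[:-1]) if t in FLAGS})
    return rules

def matches(rule, pkt):
    """True if every match the rule specifies agrees with the packet."""
    for key in ("src", "dst"):
        net = ipaddress.ip_network(rule.get(key, "0.0.0.0/0"), strict=False)
        if ipaddress.ip_address(pkt[key]) not in net:
            return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and int(rule["dport"]) != pkt["dport"]:
        return False
    return True

def nat_verdict(rules, pkt):
    """Target of the first matching rule, or None if the packet is left untouched."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return None

# Constructed packets from one LAN client (192.168.0.120 is made up):
# browser pointed at the proxy, browser with no proxy using 192.168.0.47 only
# as default gateway, and outbound SMTP. 203.0.113.10 is a documentation address.
VIA_PROXY = {"src": "192.168.0.120", "dst": "192.168.0.47", "proto": "tcp", "dport": 8080}
VIA_GATEWAY = {"src": "192.168.0.120", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}
SMTP = {"src": "192.168.0.120", "dst": "203.0.113.10", "proto": "tcp", "dport": 25}
```

A `None` verdict for `VIA_GATEWAY` under `POSTED` means no rule rewrites that request, because its destination is the outside server rather than 192.168.0.47 or 192.168.0.61, so with IP forwarding enabled it is routed onward unfiltered.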
Your network currently looks like:
Code:
Sys. Sys. Sys. Proxy Gateway
Code:
Sys. Sys. Sys. Proxy Gateway
Dear All,
Thanks for your help and assistance. Next time I will be careful about “URGENT”.

The scenario here is that I need to provide internet access to our users transparently, as they don't need to know about the proxy address. We have a router in place, through which I am accessing the internet. Now I need to provide filtered internet to all of our users in the following way:

[Internet]
    |
[Router/Gateway]
    |
    |
[Squid/Dansguardian]
    |
    |
[Client PCs]

PCs    PCs    PCs    Proxy(Squid+Dansguardian)    Gateway(Router)
[]     []     []              []                        []
[ ]    [ ]    [ ]             [ ]                       [ ]
|______|_________|________________|___________________|

All are well connected with switches on the same segment. Client PCs only have access to the Squid machine to get the internet.

I want to do some magic with iptables so that the web traffic goes through DansGuardian ---> Squid for filtering purposes. The remaining POP and SMTP traffic should route through the gateway without any interception.

Hope the above clears up the situation and requirements.

Once again, thanks in advance
Thanks guys
I think I was unable to demonstrate my problem, but finally I got the solution: http://ubuntuforums.org/archive/index.php/t-479407.html