Old 11-04-2007, 06:11 AM   #1
anillohchab007
Regarding Iptables


I am a system administrator in our lab (university dept.). Our server is also a client of our university main server.
We have a proxy server. So when we ban some sites in our lab, people can still access them by using the proxy settings of the university main server.

That's why we want to set up a transparent proxy so that people have to give the proxy settings of our local server; otherwise they can't access the net.

I am not able to set up a firewall using iptables or that kind of stuff.

Can anybody help me on this:

OS : Debian
kernel version : 2.6.8-1-686
Apache/2.0.52
Squid Cache: Version 2.5.STABLE6
iptables v1.2.9


please
 
Old 11-04-2007, 08:30 AM   #2
Brian1
I don't know if DansGuardian would be of any help.
So you are saying the clients change their proxy setting from the lab's proxy setting to the university proxy settings and they can go anywhere.

The better option, like you want, is to build a Linux router and set iptables not to connect to certain sites. You could possibly place a router between all clients and the university network. Some can define sites to block, but that may not work based on the university proxy. Using a simple Linux router would be the better choice. You can configure the university side to the correct settings, then set up the LAN side to a non-routable class C network like 192.168.1.0/24. Then use iptables to block sites. You can use a command like this to block based on IP:
/sbin/iptables -A DST_EGRESS -d xxx.xxx.xxx.xxx -j DROP

Using a domain name I am not sure. Kind of why a proxy handles that better with DansGuardian.

Brian
 
Old 11-05-2007, 07:11 AM   #3
anillohchab007
@ Brian1

You say to try to use DansGuardian, but as I know
it blocks the sites by seeing a pattern in the HTTP request.
But the problem remains the same, as I think,
because as clients are directly giving the university main server proxy settings, our local server doesn't see what it actually contains. So it simply forwards that request to the university main server, which in turn doesn't block those sites.
So the thing I want to say is that if any request comes to our local server from a client having proxy settings for the university main server, it simply redirects it to a "permission denied" page or something like that, which can be done by using a firewall (iptables or something like that).
But the question remains the same: HOWTO?
As I googled a lot, I can't find any good solution.

Sorry if I misunderstood something of what you are saying.
 
Old 11-05-2007, 11:00 AM   #4
win32sux
A short term solution to stop them from connecting to the server:
Code:
iptables -I FORWARD -d $SERVER_IP -j REJECT
Replace $SERVER_IP with the IP of the server.
 
Old 11-06-2007, 01:25 AM   #5
anillohchab007
@ win32sux

Thanks dude, it's working!
I did the same thing as you said.
I ran the command:
iptables -I FORWARD -d $SERVER_IP -j REJECT

But I want a solution which works permanently.
As I think, if I put this command in my startup script then I think
it works as you say.

If you have any other permanent solution then please let me know.
 
Old 11-06-2007, 01:35 AM   #6
win32sux
Quote:
Originally Posted by anillohchab007
Thanks dude, it's working!
I did the same thing as you said.
I ran the command:
iptables -I FORWARD -d $SERVER_IP -j REJECT

But I want a solution which works permanently.
As I think, if I put this command in my startup script then I think
it works as you say.

If you have any other permanent solution then please let me know.
Well, the permanent solution would be to implement the transparent proxy you mentioned, and firewall everything else. Even though this was only meant as a workaround for your current bypass issue, it's perfectly fine for you to add this to your startup scripts.
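What that permanent setup looks like as a startup script, an added example that is not from this thread or either poster: the LAN-side REDIRECT to the local Squid, win32sux's FORWARD REJECT from post #4 narrowed to the university proxy, and a final REJECT for everything else. Interface names, the lab subnet, the Squid port and the university proxy and DNS addresses are all assumed placeholders; by default the script only prints the rules for review.

```shell
#!/bin/sh
# Added example (not from the thread): a startup-script ruleset for the
# "transparent proxy plus firewall everything else" setup win32sux describes,
# including his FORWARD REJECT rule from post #4.
# All values below are assumed placeholders; adjust them for the lab router.
LAN_IF="${LAN_IF:-eth1}"                  # interface facing the lab clients
WAN_IF="${WAN_IF:-eth0}"                  # interface facing the university
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # lab subnet (Brian1's suggestion)
SQUID_PORT="${SQUID_PORT:-3128}"          # local Squid listening port
UNI_PROXY="${UNI_PROXY:-203.0.113.10}"    # university proxy (TEST-NET address)
UNI_PROXY_PORT="${UNI_PROXY_PORT:-8080}"
DNS_SERVER="${DNS_SERVER:-203.0.113.53}"  # resolver the clients may use

# Dry run by default: rules are printed for review instead of applied.
# On the router, run with IPT=/sbin/iptables to apply them.
dry_run() { printf '%s\n' "$*"; }
IPT="${IPT:-dry_run}"

apply_rules() {
    $IPT -F
    $IPT -t nat -F
    # 1. Transparent proxy: LAN web traffic is redirected to the local Squid
    #    (Squid 2.5 also needs httpd_accel_host virtual, httpd_accel_port 80,
    #    httpd_accel_with_proxy on, httpd_accel_uses_host_header on).
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # 2. Private LAN addresses must be masqueraded on the university side.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # 3. Replies to connections already allowed may be forwarded.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. The bypass: direct use of the university proxy is rejected.
    $IPT -A FORWARD -i "$LAN_IF" -d "$UNI_PROXY" -p tcp --dport "$UNI_PROXY_PORT" -j REJECT
    # 5. Clients still need DNS to resolve the sites they browse.
    $IPT -A FORWARD -i "$LAN_IF" -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    # 6. Everything else from the LAN that was not redirected to Squid is
    #    rejected (HTTPS included: Squid 2.5 cannot transparently proxy it).
    $IPT -A FORWARD -i "$LAN_IF" -j REJECT
    # Routing must be on for the forwarded traffic (skipped in the dry run).
    [ "$IPT" = dry_run ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Number of iptables commands the script emits; handy for checking the dry run.
rule_count() { apply_rules | wc -l | tr -d ' '; }

apply_rules
```

Because redirected packets are delivered to the local Squid, they never traverse FORWARD, so rule 6 only catches traffic that tried to leave the box directly.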
 
Old 11-06-2007, 06:29 AM   #7
anillohchab007
Quote:
Originally Posted by win32sux
Well, the permanent solution would be to implement the transparent proxy you mentioned, and firewall everything else. Even though this was only meant as a workaround for your current bypass issue, it's perfectly fine for you to add this to your startup scripts.
You are saying to try to implement a transparent proxy and firewalls etc.,
but the question again remains the same: HOWTO.
Because I googled a lot on this topic but I can't find a reasonable solution. There is a hell of a lot of documentation on this topic; I tried some of them on our server (which I am not supposed to), but none of them works properly. All of the commands given there (changes to squid.conf, executing some iptables-related commands etc.) are executed properly, but none of them is able to give me the result that I want, as your single command did.
So if you have any documentation related to this please let me know.

Thanks for everything
 
  

