I am a system administrator in our lab (university dept). Our server is also a client of our university main server.
We have a proxy server. So when we ban some sites in our lab, people can still access them by using the proxy settings of the university main server.
That's why we want to set up a transparent proxy, so that people have to give the proxy settings of our local server; otherwise they can't access the net.
I am not able to set up a firewall using iptables or that kind of stuff.
Can anybody help me with this:
OS: Debian
Kernel version: 2.6.8-1-686
Apache/2.0.52
Squid Cache: Version 2.5.STABLE6
iptables v1.2.9
I don't know if DansGuardian would be of any help.
So you are saying the clients change their proxy setting from the lab's proxy setting to the university proxy settings and they can go anywhere.
The better option, like you want, is to either build a Linux router and set iptables not to connect to certain sites. You could possibly place a router between all clients and the university network. Some can define sites to block, but it may not work based on the university proxy. Using a simple Linux router would be the better choice. You can configure the university side to the correct settings, then set up the LAN side to a non-routable class C network like 192.168.1.0/24. Then use iptables to block sites. You can use a command like this to block based on IP:
/sbin/iptables -A DST_EGRESS -d xxx.xxx.xxx.xxx -j DROP
Using a domain name I am not sure. Kind of why a proxy handles that better, with DansGuardian.
You say to try DansGuardian, but as far as I know
it blocks sites by seeing a pattern in the HTTP request.
But the problem remains the same, I think,
because as clients are directly giving the university main server proxy settings, our local server doesn't see what the request actually contains. So it simply forwards that request to the university main server, which in turn doesn't block those sites.
So what I want to say is that if any request comes to our local server from a client having proxy settings for the university main server, it should simply be redirected to a "permission denied" page or something like that, which can be done by using a firewall (iptables or something like that).
But the question remains the same: HOWTO?
I googled a lot and I can't find any good solution.
Sorry if I misunderstood something you are saying.
Thanks dude, it's working!
I did the same thing as you said.
I ran the command:
iptables -I FORWARD -d $SERVER_IP -j REJECT
But I want a solution which works permanently.
As I think, if I put this command in my startup script, then I think
it works as you say.
If you have any other permanent solution then please let me know.
Well, the permanent solution would be to implement the transparent proxy you mentioned, and firewall everything else. Even though this was only meant as a workaround for your current bypass issue, it's perfectly fine for you to add this to your startup scripts.
You are saying to try to implement a transparent proxy and firewalls etc.,
but the question again remains the same: HOWTO.
Because I googled a lot on this topic but I can't find a reasonable solution. There is a hell of a lot of documentation on this topic; I tried some of it on our server (which I am not supposed to), but none of it works properly. All of the commands given there (changes to squid.conf, executing some iptables-related commands etc.) executed properly, but none of them could give me the result that I want, as your single command did.
So if you have any documentation related to this, please let me know.
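Added example, not from any poster in this thread: a script for the lab gateway that prints (and, as root, applies) the iptables rules to force LAN clients through the local Squid, rejects direct connections to the university proxy (the thread's working REJECT rule, narrowed to the proxy port), and emits the Squid 2.5 transparent-proxy settings. Interface, network, proxy address and ports are placeholder assumptions; Squid 2.6 and later use `http_port 3128 transparent` instead of the httpd_accel directives.

```shell
#!/bin/sh
# Added example for the thread above; not any poster's script.
# All values below are placeholder assumptions; override via environment.
LAN_IF="${LAN_IF:-eth1}"                 # interface facing the lab clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # lab client network (class C from the thread)
SQUID_PORT="${SQUID_PORT:-3128}"         # local Squid listening port
UNI_PROXY="${UNI_PROXY:-10.0.0.1}"       # placeholder: university proxy IP
UNI_PROXY_PORT="${UNI_PROXY_PORT:-8080}" # placeholder: university proxy port

# Print the rule set so it can be reviewed before it is applied.
gen_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -d $UNI_PROXY -p tcp --dport $UNI_PROXY_PORT -j REJECT --reject-with tcp-reset
EOF
}

# squid.conf lines that make Squid 2.5 accept redirected port-80 traffic
# (Squid 2.6 and later replace these with "http_port 3128 transparent").
gen_squid_conf() {
    cat <<EOF
http_port $SQUID_PORT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
EOF
}

# Apply the rules; call from an init script (e.g. /etc/rc.local) so they
# survive a reboot, which is the "permanent" part asked for in the thread.
# Note: HTTPS (port 443) is not intercepted by this setup; it needs its own rule.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | while read -r cmd; do
        $cmd || exit 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it without arguments to print nothing, `sh script.sh apply` as root to install the rules, and `gen_squid_conf` to see the lines to append to squid.conf.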