LinuxQuestions.org
Old 06-03-2005, 09:57 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
www-proxy


I use squid as a www-proxy. My question is as such:

If my kids are on the internet and I want them off when I say so, I have a problem. What I tried to do was issue from the command line rcsquid stop, and it says that it has shut down squid:

Sludge:/etc/squid # rcsquid stop
Shutting down WWW-proxy squid
Sludge:/etc/squid#


but they can still get to the internet, why is that?

Last edited by metallica1973; 06-19-2005 at 05:37 PM.
 
Old 06-03-2005, 11:51 PM   #2
uberNUT69
Member
 
Registered: Jan 2005
Location: Tasmania
Distribution: Xen Debian Lenny/Sid
Posts: 578

Rep: Reputation: 30
Are you sure that their browsers are configured for that proxy?
Assuming they have separate machines, rather than their own accounts
on your machine, try removing the gateway setting from their network settings.
 
Old 06-05-2005, 11:47 AM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Under Internet Explorer I specify the proxy as my 192.168.2.1 port 8080. If I delete that entry then they cannot get to the internet!
 
Old 06-05-2005, 08:56 PM   #4
uberNUT69
Member
 
Registered: Jan 2005
Location: Tasmania
Distribution: Xen Debian Lenny/Sid
Posts: 578

Rep: Reputation: 30
I didn't say to delete the proxy setting, but the gateway setting.

ps. FYI squid's default port is 3128, not 8080.
 
Old 06-06-2005, 08:19 AM   #5
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
If I took out the gateway IP then how is their machine going to route? I will just be able to operate internally. Please clarify your point. 3128 is the default port that squid is preset to. Why not 8080? Isn't it going to go through 8080 anyway when my proxy server requests cache pages anyway? I could always schedule to block IP in squid.conf at a certain time, but I just want to know why, if I down squid, they can still go to the Internet. That defeats the whole purpose of squid.
 
Old 06-14-2005, 10:42 PM   #6
uberNUT69
Member
 
Registered: Jan 2005
Location: Tasmania
Distribution: Xen Debian Lenny/Sid
Posts: 578

Rep: Reputation: 30
Quote:
Originally posted by metallica1973
If I took out the gateway IP then how is their machine going to route? I will just be able to operate internally. Please clarify your point.
You haven't indicated if you are using a single machine, or if your squid proxy is on a separate machine.
If it is separate, removing the gateway will mean that your browsing machine will ONLY be able to access the net through the proxy. Many applications have settings for this.
If squid is on the same machine, then removing the gateway will mean squid can't reach the net either!

Quote:
3128 is the default port that squid is preset to. Why not 8080?
I didn't write squid! ... that being said... various 'other' proxy servers use that port ... maybe they wanted something else.

Quote:
Isn't it going to go through 8080 anyway when my proxy server requests cache pages anyway?
Isn't what going where?
Do you mean when your browser requests pages from the proxy? If so, that will depend on how you have configured your browser!
If you mean when your proxy requests pages from the net, no ... unless you have an upstream proxy configured (i.e. at your ISP)

Quote:
I could always schedule to block IP in squid.conf at a certain time, but I just want to know why, if I down squid, they can still go to the Internet. That defeats the whole purpose of squid.
It sounds like what you've done is installed squid, but not configured your browser to use it.
I can assure you that the default port is 3128.
If you have configured your browser, disabling your proxy WILL cut off net access.

If this is all running on the same machine, your browser should be set to use a proxy like:
http://localhost:3128
(or similar) ... and disregard my 'remove gateway suggestion'!
 
Old 06-15-2005, 01:20 AM   #7
RijilV
Member
 
Registered: Sep 2002
Location: somewhere
Distribution: gentoo
Posts: 123

Rep: Reputation: 15
have you verified that

1) squid is really off ( ps aux | grep squid )
2) your browser is really using the proxy? ( /path/to/your/access.log )

also, since it *looks* like you're running squid on your gateway, why don't you just run it in transparent proxy mode and you won't have to set up anything on the client machines... as it sounds like you have more than one computer with a web browser and only one computer running as the proxy.. would be less work to set up the proxy correctly.
 
Old 06-17-2005, 04:03 PM   #8
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
this is my network setup:

Linux router/http proxy/firewall
+++
+++
+++
DLINK wireless router
+++
+++
+++
Wireless PC++++++++++Wireless PC++++++++++++Wireless PC

I hope that gives you a better view of my network.

If I disable the go-through-proxy setting in Internet Explorer then they cannot get to the internet, but if I am on my linux firewall/http proxy/router server and I shut down squid like: rcsquid stop
my kids are still able to browse the net. I hope this helps you understand. They shouldn't be able to do a freaking thing if I stop my proxy!

Last edited by metallica1973; 06-19-2005 at 05:39 PM.
 
Old 06-17-2005, 08:14 PM   #9
uberNUT69
Member
 
Registered: Jan 2005
Location: Tasmania
Distribution: Xen Debian Lenny/Sid
Posts: 578

Rep: Reputation: 30
OK, if
a) the wireless machines have IP addresses in the same subnet as your linux router (ie. linux router = 192.168.2.1, wireless#1=192.168.2.10 (for eg.)) then just delete the 'gateway' address in their network settings. They will still be able to reach everything in their own subnet, including the proxy, but nothing past that.

or

b) your wireless router has LAN and wireless as two subnets. Block http traffic (port 80 only) on your linux firewall. If you don't have a nice easy way to do that, try a rule something like (I'm guessing):
/sbin/iptables -A input -p tcp -s 192.168.2.0/24 -d 192.168.2.1/32 80 -j DENY -l


With either a or b, you should be able to turn the proxy off to stop all web traffic.
I am unsure why turning off the proxy still allows them to browse when their browsers are configured for the proxy (maybe Explorer falls back to non-proxy operation?); however, these suggestions should at least help you to isolate the problem. (ps. -l at end of iptables for "LOG")
 
Old 07-01-2005, 10:05 PM   #10
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Is there a difference between a transparent proxy and an http proxy? Just another note: the other day I noticed that in Internet Explorer, if I changed the setting in the browser to auto configure or through proxy, they can STILL get to the internet. I will take out the gateway from my wireless clients and see if they can still get to the internet that way. I am still a little puzzled!
 
Old 07-02-2005, 12:28 AM   #11
RijilV
Member
 
Registered: Sep 2002
Location: somewhere
Distribution: gentoo
Posts: 123

Rep: Reputation: 15
so is there anything on the firewall that would prevent someone from making a connection to port 80 on the outside world? if not, they still will be able to use the iNterwEb and stuff. I guess my argument would be unless you're blocking outbound to port 80 it shouldn't matter if you have your proxy up or not. Moreover, just blocking http isn't going to do much if they start using IRC, aim, usenet, https, etc... you'd be better off with iptables.

uh what else... transparent proxy mode is cool... you should read up on it, basically you just redirect all outbound http connections to the squid cache which goes out and gets the webpages, so you never have to set up a client. there are lots of docs on the squid website. the iptables stuff is simple, just redirect stuff coming in on the internal interface going outbound port 80 to port <squid port>

again, is squid really off?

ps aux | grep squid
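
An added example, not part of any post in this thread: the port-80 block suggested in post #9 (option b) and the outbound block and transparent redirect described in post #11, written out with iptables chain and target names. The subnet 192.168.2.0/24 and port 8080 come from the thread; the interface name eth1 and the function name proxy_rules are assumptions.

```shell
#!/bin/sh
# Added example: print iptables rules that make Squid the only path to the web.
# Nothing is applied here; review the output, then pipe it to sh as root.
LAN_NET="192.168.2.0/24"  # client subnet used in the thread
LAN_IF="eth1"             # assumed name of the router's LAN-facing interface
SQUID_PORT="8080"         # port the poster's browsers point at (Squid's default is 3128)

# proxy_rules explicit     browsers keep their proxy setting; direct web traffic is dropped
# proxy_rules transparent  port 80 is redirected into Squid; no client-side setup
proxy_rules() {
    case "$1" in
    explicit|transparent) ;;
    *) echo "usage: proxy_rules explicit|transparent" >&2; return 2 ;;
    esac
    sel="-i $LAN_IF -s $LAN_NET -p tcp"
    # Clients must be able to reach Squid on the router itself (both modes).
    echo "iptables -A INPUT $sel --dport $SQUID_PORT -j ACCEPT"
    if [ "$1" = transparent ]; then
        # Rewrite outbound HTTP to the local Squid port. Squid must also be
        # configured for interception (see the Squid documentation).
        echo "iptables -t nat -A PREROUTING $sel --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
        ports="443"   # HTTPS is not redirected here, so direct HTTPS is dropped
    else
        ports="80 443"
    fi
    # Log, then drop, web traffic that tries to go around the proxy. With these
    # rules in place, stopping Squid stops browsing; other protocols (IRC, IM,
    # usenet) are still forwarded and need their own rules.
    for port in $ports; do
        echo "iptables -A FORWARD $sel --dport $port -j LOG --log-prefix proxy-bypass:"
        echo "iptables -A FORWARD $sel --dport $port -j DROP"
    done
}

# Stand-alone use: sh proxy-rules.sh explicit
if [ "$#" -gt 0 ]; then proxy_rules "$1"; fi
```

The rules are appended with -A, so if the FORWARD chain already has an earlier rule accepting LAN traffic, insert the LOG and DROP rules ahead of it (with -I) or they will never match.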
 
Old 07-02-2005, 01:05 AM   #12
uberNUT69
Member
 
Registered: Jan 2005
Location: Tasmania
Distribution: Xen Debian Lenny/Sid
Posts: 578

Rep: Reputation: 30
A transparent proxy operates on port 80, so that the clients don't set a proxy on their browser, but all requests actually go through the proxy anyway. This is an interesting way of doing it, but if/when your proxy kicks the bucket, you've got no backup. Personally I like to switch between proxy and no-proxy, but for your setup a transparent proxy might be the answer. I'd suggest you get it working on port 3128 first though.

I have to admit I'm still puzzled too! (You haven't confirmed a lot of my 'if-then' setups.)

To give an example using my setup (the proxy is on the gateway).
I have a client using a proxy with the following routing table.
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.0.133 0.0.0.0 UG 0 0 0 eth0
The 0.0.0.0 address (ie. everything) is available through my gateway (192.168.0.133 = an ipcop box running a proxy).

Let's just say that I remove the default route through the gateway from the client:
# route del -net 0.0.0.0
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
# ping google.com
connect: Network is unreachable
# ping -c 1 192.168.0.133
PING 192.168.0.133 (192.168.0.133) 56(84) bytes of data.
64 bytes from 192.168.0.133: icmp_seq=1 ttl=64 time=5.05 ms

Right! So now the client can't reach the net at all, but can reach the machine running the proxy.
Now I can turn the proxy on and off to allow/disallow net access for my client. And this is not just the browser, most net apps can be set to use a proxy.

Does that help to explain the concept better?

Good luck!
 
Old 07-11-2005, 11:10 AM   #13
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I think I finally understand. Everything is controlled via iptables, in my configuration through port 80. So whether or not I enable the proxy setting on the browsers, it will not make a difference because I have specified in my iptables rule to proxy out through 80. Which method is more secure for my users? I understand that it is an easier configuration, but what about http proxy where my users have to log in with a user name and password?
 
  

