Hi,

We're using squid 2.2.stable5 as proxy on a SuSE 7.0 box and I would like ALL users to go through the proxy... I know we have some users that play with the internet and disable their proxy parameters.... how can I ban "direct internet access" so only proxy connections pass through (whatever is configured on the users' win stations)?

Regards,
Stephane
Hi Stephane,

I don't know if you are using kernel 2.4 on your proxy(-machine), but if you are, you can use iptables to do this. You can do the following:

    # iptables -A                   (stray line; see the correction in the next message)
    SQUID="192.168.1.1:3128"        # your proxy IP:port for HTTP traffic
    SQUIDSSL="192.168.1.1:3128"     # your proxy IP:port for SSL
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to $SQUID
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to $SQUIDSSL

Greetings,
Nash

P.S. I "borrowed" this from http://www.securityportal.com/articles/netfilter20010219.html

On Thursday 31 May 2001 11:55, you wrote:
> Hi,
> We're using squid 2.2.stable5 as proxy on a SuSE 7.0 box and I would like ALL users to go through the proxy... I know we have some users that play with the internet and disable their proxy parameters.... how can I ban "direct internet access" so only proxy connections pass through (whatever is configured on the users' win stations)?
> Regards, Stephane
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Sorry, skip the first line "iptables -A" (copy mistake).

Nash

On Thursday 31 May 2001 12:05, you wrote:
> [...]
On Thu, May 31, 2001 at 11:55:56AM +0200, stephane parenton wrote:
> We're using squid 2.2.stable5 as proxy on a SuSE 7.0 box and I would like ALL users to go through the proxy... I know we have some users that play with the internet and disable their proxy parameters.... how can I ban "direct internet access" so only proxy connections pass through (whatever is configured on the users' win stations)?

You may have a look at http://www.unxsoft.com/transproxy.html

best regards,
Rainer Link

--
Rainer Link    | SuSE - The Linux Experts
link@suse.de   | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de    | Founder OpenAntiVirus Project (www.openantivirus.org)
On 31-May-01 stephane parenton wrote:
> We're using squid 2.2.stable5 as proxy on a SuSE 7.0 box and I would like ALL users to go through the proxy... I know we have some users that play with the internet and disable their proxy parameters.... how can I ban "direct internet access" so only proxy connections pass through (whatever is configured on the users' win stations)?

One way would be to set up a transparent proxy: you route traffic through the machine that has squid running on it (make it the default gateway) and use a firewall rule that redirects traffic to the squid port, e.g.:

    /sbin/ipchains -A input -i eth0 -p tcp --destination-port 80 -j REDIRECT 3128
    /sbin/ipchains -A input -i eth0 -p tcp --destination-port 443 -j REDIRECT 3128

...assuming that the websites the guys are surfing only use the standard http / https ports.

The second thing you have to do is to configure your squid to do http acceleration so that it can handle requests like "http://target.com" instead of "http://target.com@your.proxy.address", which is the default proxy request if I remember correctly. You find the detailed setup for that on www.squid-cache.org (look for reverse / transparent / acceleration proxy).

Bjoern Engels
> We're using squid 2.2.stable5 as proxy on a SuSE 7.0 box and I would like ALL users to go through the proxy... I know we have some users that play with the internet and disable their proxy parameters.... how can I ban "direct internet access" so only proxy connections pass through (whatever is configured on the users' win stations)?

The other answers are good if they have to route outgoing packets through your firewall/router. But 2 general points:

1) Why are they circumventing the cache? Some sites use things like NTLM authentication and don't work with squid (unless they've added it in the last 6 months), or break RFCs with things like spaces in filenames. squid will (against RFCs) do translations; perhaps that will make the cache more popular. It might not just be tinkering for the sake of it; you may have to build quite large lists of uncacheable sites which should be served direct.

2) A sneaky user can still break through your security by using other ports and an outside proxy. So if it's important, use a private network and explicitly enable the services they need, rather than trying to plug holes in a dike.

Regards,
Rob
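Putting the replies together as an added example (not code from any of the posters): the port-80 redirect from Nash's and Bjoern's rules, the squid 2.2 acceleration directives Bjoern points to, and a default-drop forward policy with logging for Rob's second point about other ports and outside proxies. Interface, network and port values (eth1, 192.168.1.0/24, 3128) are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: emit a netfilter ruleset plus a
# squid 2.2 config fragment for forced transparent proxying.
# Hypothetical values: LAN on eth1 (192.168.1.0/24), squid on this box on
# port 3128. Rules are produced in iptables-restore format so they can be
# reviewed before they are applied.
LAN_IF="eth1"
LAN_NET="192.168.1.0/24"
SQUID_PORT="3128"

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# Intercept plain HTTP from the LAN and hand it to squid on this host.
# Port 443 is deliberately not redirected: a TLS handshake cannot be fed
# into squid's http_port, so HTTPS only works via the explicit proxy setting.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
COMMIT
*filter
:FORWARD DROP [0:0]
# Nothing from the LAN is routed out directly, so a user who removes the
# proxy setting, or points at an outside proxy on an odd port, is dropped.
# Log (rate-limited) first: these log lines are the bypass-attempt signal.
-A FORWARD -i $LAN_IF -s $LAN_NET -m limit --limit 5/min -j LOG --log-prefix "PROXY-BYPASS: "
COMMIT
EOF
}

# squid 2.2 needs the httpd_accel_* directives to accept intercepted
# requests, whose request line carries only "/path" plus a Host: header.
gen_squid_conf() {
    cat <<EOF
http_port $SQUID_PORT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl all src 0.0.0.0/0.0.0.0
acl lan src $LAN_NET
http_access allow lan
http_access deny all
EOF
}

# Load the generated rules (needs root and a 2.4 kernel with ip_tables).
apply_rules() {
    gen_rules | iptables-restore
}
```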
As an aside, if you use Netscape you can make your admin job easier by utilising its enterprise configuration feature. With netscape.cfg you have facilities to "lock" any/all of their preferences, including proxy settings.

stephane parenton wrote:
> Hi,
> We're using squid 2.2.stable5 as proxy on a SuSE 7.0 box and I would like ALL users to go through the proxy... I know we have some users that play with the internet and disable their proxy parameters.... how can I ban "direct internet access" so only proxy connections pass through (whatever is configured on the users' win stations)?
> Regards, Stephane
participants (6)
- Bjoern Engels
- Nash Hoogwater
- Rainer Link
- Robert Davies
- stephane parenton
- Tom Dossis