Squid Transparent Proxy (How to force users)

Taking care of your Linux box.
manwerjalil
Lance Naik
Posts: 28
Joined: Wed Apr 30, 2008 10:44 am
Location: Karachi


Post by manwerjalil »

Dear All,

I have a squid proxy server and an iptables firewall configured as below.

[Squid Configuration]

http_port 8080 transparent
acl our_network src 172.22.2.10-172.22.2.254
http_access allow our_network
always_direct allow all
===============================

[Iptables Rules]
#!/bin/sh
# squid server IP
SQUID_SERVER="172.22.2.1"

# Interface connected to Internet
INTERNET="eth0"

# Interface connected to LAN
LAN_IN="eth1"

# Interface for firewall NATing
LAN_FIR="eth2"

# Squid port
SQUID_PORT="8080"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# For Windows XP FTP clients
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# unlimited access on LAN_FIR
iptables -A INPUT -i $LAN_FIR -j ACCEPT
iptables -A OUTPUT -o $LAN_FIR -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid on $SQUID_PORT, aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

====================================

On the client machines they are using the firewall gateway, which is 172.22.2.252, and DNS x.x.x.x, which maps the local IP address to the proxy server's public IP.

Actually the problem is that I am unable to force the users to use the squid rules, where I have defined a bandwidth limit (delay_pool) and blocked the downloading of a few files. The users are still bypassing the proxy and can access everything; in the squid log there is nothing like user information etc.

Please tell me how to force the users to access the internet using the squid rules, but I cannot define the proxy IP on the users' systems as it is not in our company policy.
Best regards,
M.Anwar
kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore

Post by kbukhari »

Stop ports 80, 8080, 3128 and 6555 from being MASQUERADED (all these ports are usually used by open proxies).
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
manwerjalil
Lance Naik
Posts: 28
Joined: Wed Apr 30, 2008 10:44 am
Location: Karachi

Post by manwerjalil »

Sweetoo, you are not getting my question.

Anyone else there?
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

Your delay pools will only deal with port 80 traffic. Traffic other than port 80 you won't be able to shape with squid. And yes, block those other proxy ports that are usually used for proxying.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore

Post by kbukhari »

manwerjalil wrote: Sweetoo, you are not getting my question.

Anyone else there?

That is the ultimate solution for your problem. Blocking port 80 and the other described ports in the FORWARD chain for users will help you stop them connecting to any third-party proxy, and you can easily force them to use your own proxy.
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
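The approach kbukhari describes, as an added example script (not posted by anyone in the thread): the original script's FORWARD rule accepts everything from the LAN and the DNAT only catches port 80, so direct connections to 8080, 3128 and similar ports pass straight through. The rules below DNAT port 80 to squid and log and drop LAN traffic to the listed proxy ports in FORWARD; the values are the ones given in the original post, and the rules only take effect for traffic that actually passes through this box, so the clients' default gateway must be this machine rather than 172.22.2.252.

```shell
#!/bin/sh
# Added example (not the thread's own script): force LAN clients through squid
# and refuse direct connections to common proxy ports, as suggested in the thread.
# Values below are taken from the original post; adjust to your network.
SQUID_SERVER="172.22.2.1"
SQUID_PORT="8080"
LAN_IN="eth1"       # LAN-facing interface
INTERNET="eth0"     # Internet-facing interface
# Ports commonly used by third-party / open proxies (from the thread's replies).
PROXY_PORTS="80 8080 3128 6555"

# iptables binary; set DRY_RUN=1 to print the rules instead of loading them.
IPT="iptables"
[ -n "${DRY_RUN:-}" ] && IPT="echo iptables"

# Space-separated port list -> comma-separated form that -m multiport expects.
proxy_port_list() {
    printf '%s' "$PROXY_PORTS" | tr ' ' ','
}

force_proxy_rules() {
    ports=$(proxy_port_list)
    # 1. Intercept LAN web traffic: port 80 from the LAN is DNATed to squid.
    #    Only traffic routed through this box is seen here, so the clients'
    #    default gateway must be this machine.
    $IPT -t nat -A PREROUTING -i "$LAN_IN" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_SERVER:$SQUID_PORT"
    # 2. Anything from the LAN still trying to reach a proxy port on the
    #    Internet directly (bypassing squid) is logged, then dropped, in FORWARD.
    $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -p tcp \
        -m multiport --dports "$ports" -j LOG --log-prefix "PROXY-BYPASS: "
    $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -p tcp \
        -m multiport --dports "$ports" -j DROP
    # 3. Everything else from the LAN is still routed, as in the original script,
    #    and replies are allowed back in.
    $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -j ACCEPT
    $IPT -A FORWARD -i "$INTERNET" -o "$LAN_IN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: DRY_RUN=1 sh force_proxy.sh apply   (omit DRY_RUN to load the rules)
case "${1:-}" in
    apply) force_proxy_rules ;;
esac
```

Squid's own outbound port-80 connections leave via OUTPUT, not FORWARD, so they are not caught by the drop rules; check the "PROXY-BYPASS:" entries in the kernel log to see which clients are still trying to go around the proxy.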
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

If you don't want to work that hard, give a try to some free suite which has all these kinds of features to act like a real gateway (I mean IPCop, IPFire, SmoothWall).
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com