Dear All,
I have a squid proxy server and an iptables firewall configured as below.
[Squid Configuration]
http_port 8080 transparent
acl our_network src 172.22.2.10-172.22.2.254
http_access allow our_network
always_direct allow all
===============================
[Iptables Rules]
#!/bin/sh
# squid server IP
SQUID_SERVER="172.22.2.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Interface Firewall NATING
LAN_FIR="eth2"
# Squid port
SQUID_PORT="8080"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept replies from the Internet to connections this host (or the NATed LAN) already opened;
# with the conntrack FTP helper loaded above this also covers passive FTP data connections
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# unlimited access on LAN_FIR
iptables -A INPUT -i $LAN_FIR -j ACCEPT
iptables -A OUTPUT -o $LAN_FIR -j ACCEPT
# DNAT port 80 requests coming from LAN systems to Squid on $SQUID_PORT (8080), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# Also redirect port 80 arriving on the Internet interface to Squid on this host
# (new connections on $INTERNET are still dropped by the INPUT chain below, so this is normally not needed)
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
====================================
On the client machines they are using the firewall gateway, which is 172.22.2.252, and DNS x.x.x.x, which maps the local IP address to the proxy server's public IP.
Actually the problem is that I am unable to force the users to use the squid rules where I have defined a bandwidth limit (delay_pool) and blocked the downloading of a few files, but users are still bypassing the proxy and can access everything; in the squid log there is nothing like user information etc.
Please tell me how to force the users to access the internet using the squid rules, but I can't define the proxy IP in the users' systems as it is not in our company policy.
Squid Transparent Proxy (How to force users)
Best regards,
M.Anwar
manwerjalil wrote:
sweetoo, you are not getting my question.

That is the ultimate solution for your problem. Blocking port 80 and the other described ports in the FORWARD chain for users will stop them connecting to any third-party proxy, and you can easily force them to use your own proxy.
Anyone else there?
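The reply above suggests blocking port 80 and other ports in the FORWARD chain. The script below is an added example, not part of any post in this thread, that generates those enforcement rules together with a REDIRECT interception rule. It reuses the interface names and port 8080 from the posted script; the 172.22.2.0/24 LAN range, the list of bypass ports, the PROXY_ENFORCE chain name and the APPLY variable are assumptions. One caveat the thread itself points to: iptables on the Squid host only sees packets that are routed through that host, so clients whose default gateway is another device (the post mentions 172.22.2.252) are never touched by any of these rules until their gateway is changed or the other gateway blocks them.

```shell
#!/bin/sh
# Added example (not from the thread): generate, or with APPLY=1 as root apply,
# the rules that make transparent interception enforceable on the Squid host.
# Without APPLY=1 the iptables commands are only printed for review.

LAN_NET="172.22.2.0/24"     # assumption: the LAN behind eth1 (post uses 172.22.2.x)
LAN_IN="eth1"               # from the posted script
INTERNET="eth0"             # from the posted script
SQUID_PORT="8080"           # from the posted script
# Assumption: ports users commonly use to reach an outside proxy and skip interception.
BYPASS_PORTS="3128,8080,8000,8888,1080"
CHAIN="PROXY_ENFORCE"       # assumption: dedicated chain so rule order stays explicit

# Wrapper: apply for real only when asked, otherwise print the command.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_rules() {
    # Interception: port 80 from the LAN goes to Squid on this host. REDIRECT
    # (rather than DNAT to our own address) keeps working if the LAN IP changes.
    ipt -t nat -A PREROUTING -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Redirected packets now arrive locally; admit them on the LAN side only.
    ipt -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT

    # Enforcement: anything from the LAN that would be routed straight out on
    # HTTP or a proxy port is logged (with the client address) and reset.
    ipt -N "$CHAIN"
    ipt -A "$CHAIN" -p tcp -m multiport --dports "80,$BYPASS_PORTS" \
        -j LOG --log-prefix "proxy-bypass:"
    ipt -A "$CHAIN" -p tcp -m multiport --dports "80,$BYPASS_PORTS" \
        -j REJECT --reject-with tcp-reset
    # Insert at position 1: the posted script's blanket
    # "FORWARD -i eth1 -j ACCEPT" would otherwise match first.
    ipt -I FORWARD 1 -i "$LAN_IN" -o "$INTERNET" -j "$CHAIN"
    # Note: port 443 is not intercepted by the posted Squid configuration and is
    # still forwarded as before; it is deliberately left alone here.
}

build_rules
```

Run it once without APPLY to read the generated rules, then `APPLY=1 sh script.sh` as root after the posted script (which flushes the tables) has loaded. Bypass attempts then appear in the kernel log with the `proxy-bypass:` prefix and the client's source address, which is the user information the original poster was missing from the Squid log.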