  1. #1
    Just Joined!
    Join Date
    Dec 2009
    Posts
    34

    Proxy Issue

    Hi All,
    I have configured squid proxy on my network. Everything is working fine. I have blocked all social networking sites except for some users. No one who does not have the permission can access the site. But there is a loophole: if anybody under Manual Proxy setting puts a site name in the 'No Proxy For' column, the site gets unblocked. It means if somebody has no access, he can still access the website by just putting the site name in the 'No Proxy For' setting of any web browser. Any idea how to resolve this issue?

    Thanks in Advance...!!

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    Yeah, in this case you need to configure your firewall to only allow web traffic from your proxy. Then you can either redirect all web traffic to the proxy for processing (then you don't have to worry about ensuring everyone has the proper proxy configured) or simply refuse any traffic that is not coming from your proxy (in which case everyone not using the proxy will be rejected).

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Dec 2009
    Posts
    34
    Quote Originally Posted by Lazydog View Post
    Yeah, in this case you need to configure your firewall to only allow web traffic from your proxy. Then you can either redirect all web traffic to the proxy for processing (then you don't have to worry about ensuring everyone has the proper proxy configured) or simply refuse any traffic that is not coming from your proxy (in which case everyone not using the proxy will be rejected).
    Can you please elaborate... how can I do this? Should I use an iptables rule to do this task? I'm not so good at this, so can you please tell me exactly which iptables command I have to run.

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    The commands needed all depend on whether the firewall and the proxy are on the same system.

    If they are on the same system then you are going to need to use REDIRECT

    If they are on different systems then you are going to need DNAT

    You can read up on a lot of the commands for IPTABLES here and in the MAN pages.

    Bottom line is I need to know more about your setup before I can give you the rules that you would need to use to set this up.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  5. #5
    Just Joined!
    Join Date
    Dec 2009
    Posts
    34
    Quote Originally Posted by Lazydog View Post
    The commands needed all depend on whether the firewall and the proxy are on the same system.

    If they are on the same system then you are going to need to use REDIRECT

    If they are on different systems then you are going to need DNAT

    You can read up on a lot of the commands for IPTABLES here and in the MAN pages.

    Bottom line is I need to know more about your setup before I can give you the rules that you would need to use to set this up.

    Following is my proxy setup:

    eth1: 122.25.*.* [public ip]
    eth0:10.0.0.254 [private ip which is proxy gateway for users]

    Note: Proxy server is also working as DNS server for my entire network.

    Please let me know if you need more information to understand my network.


    Thanks in Advance,,,!!

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    OK, I take it that this box is also the gateway/router to the Internet. After some more thinking last night I think the best is to use DNAT, so the following rules need to be placed on the firewall/iptables box:

    Code:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <proxy ip>:<port>
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <proxy ip>:<port>
    You will need to replace <proxy ip> with the proxy IP address and <port> with the port that the proxy is listening on.

    Please be aware that you can list both ports in one rule, but I will leave that to you to figure out by reading the link I have posted above to the IPTABLES Tutorial.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  7. #7
    Just Joined!
    Join Date
    Dec 2009
    Posts
    34
    Quote Originally Posted by Lazydog View Post
    OK, I take it that this box is also the gateway/router to the Internet. After some more thinking last night I think the best is to use DNAT, so the following rules need to be placed on the firewall/iptables box:

    Code:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <proxy ip>:<port>
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <proxy ip>:<port>
    You will need to replace <proxy ip> with the proxy IP address and <port> with the port that the proxy is listening on.

    Please be aware that you can list both ports in one rule, but I will leave that to you to figure out by reading the link I have posted above to the IPTABLES Tutorial.

    I have implemented the iptables rules which you mentioned here, but they don't look effective, because users are still accessing restricted sites by just entering their URL in the 'No Proxy For' setting of the Manual proxy option.

  8. #8
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    Have these rules been placed on the gateway firewall?

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  9. #9
    Just Joined!
    Join Date
    Dec 2009
    Posts
    34
    Quote Originally Posted by Lazydog View Post
    Have these rules been placed on the gateway firewall?
    Yes, these are placed on my gateway firewall..

  10. #10
    Just Joined!
    Join Date
    Dec 2009
    Posts
    34
    I have not configured any special firewall settings on my server. Both the firewall and SELinux are disabled.
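The bypass in this thread works because a browser with a site listed in 'No Proxy For' skips Squid entirely and hands the request to its default gateway, which just routes it out. Posts #2, #4 and #6 describe the cure (intercept port 80 on the gateway, refuse what is not intercepted, REDIRECT when Squid is on the gateway and DNAT when it is elsewhere), and the script below, an added example that is not code from the thread, from Squid or from the iptables project, prints a complete rule set for either layout so it can be reviewed before being applied. It goes beyond post #6 by also emitting the "refuse direct traffic" rules from post #2 and by exempting the proxy's own outbound connections. The interface name, proxy address and Squid port are assumed inputs; the only values taken from the thread are eth0 and 10.0.0.254 from post #5, and 3128 is assumed as a typical Squid port.

```shell
#!/bin/sh
# Added example (not from the thread, Squid or iptables): print the gateway
# rules that close the 'No Proxy For' bypass. Nothing here calls iptables;
# the rules are printed so an admin can read them before applying them.
# Assumed inputs: LAN interface, proxy address, Squid port.

# gen_rules MODE LAN_IF PROXY_IP PROXY_PORT
#   redirect : Squid runs on the gateway itself (REDIRECT, as in post #4);
#              PROXY_IP is then the gateway's own LAN address.
#   dnat     : Squid runs on another LAN host (DNAT, as in post #6).
gen_rules() {
    mode=$1; lan_if=$2; proxy_ip=$3; proxy_port=$4

    case $mode in
    redirect)
        # Plain HTTP from LAN clients is pulled into the local Squid intercept port.
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' \
            "$lan_if" "$proxy_port"
        ;;
    dnat)
        # Rewrite LAN clients' port-80 traffic to the proxy host, but never the
        # proxy's own outbound fetches, or they would loop back into Squid.
        printf 'iptables -t nat -A PREROUTING -i %s ! -s %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
            "$lan_if" "$proxy_ip" "$proxy_ip" "$proxy_port"
        # The rewritten packets are forwarded to the proxy; allow them before the
        # reject rules below, since -A appends in order.
        printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -j ACCEPT\n' \
            "$lan_if" "$proxy_ip" "$proxy_port"
        ;;
    *)
        echo "gen_rules: mode must be 'redirect' or 'dnat'" >&2
        return 1
        ;;
    esac

    # A plain Squid http_port cannot intercept HTTPS, so direct 443 from the LAN
    # is refused instead: browsers then have to send CONNECT through the proxy
    # (post #2's "refuse any traffic that is not coming from your proxy").
    printf 'iptables -A FORWARD -i %s ! -s %s -p tcp --dport 443 -j REJECT --reject-with tcp-reset\n' \
        "$lan_if" "$proxy_ip"
    # Any port-80 traffic that was not intercepted above is refused as well.
    printf 'iptables -A FORWARD -i %s ! -s %s -p tcp --dport 80 -j REJECT --reject-with tcp-reset\n' \
        "$lan_if" "$proxy_ip"
}

# Usage: sh gateway-rules.sh redirect eth0 10.0.0.254 3128
if [ $# -eq 4 ]; then
    gen_rules "$@"
fi
```

Two things decide whether these rules have any visible effect, and both bear on posts #7 and #10. First, the intercepted connections must land on a Squid port declared with the `intercept` option (`transparent` on old releases), otherwise Squid rejects them as invalid requests. Second, the rules live in the kernel's netfilter tables regardless of whether a distribution "firewall service" is enabled, but a service that starts later may flush them, and nothing in PREROUTING or FORWARD matters unless the box actually forwards (`net.ipv4.ip_forward` set to 1). Checking `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` for non-zero packet counters is the quickest way to see whether client traffic is reaching the rules at all.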
