by gmcust3 » Sun Dec 19, 2010 11:16 pm
I want to block the Microsoft website from the 192.168.0.205 IP.
I have written the code below in the squid.conf file.
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl banned_clients src 192.168.0.205-192.168.0.205
acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com
http_access deny banned_clients sucky_urls
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
and then
/etc/rc.d/init.d/squid restart
But I can still open Microsoft site from 192.168.0.205 IP.
Please advise where I am wrong.
Note : I have followed Instructions from
http://www.linuxquestions.org/questions ... id-500476/
GoAutoDial CE
VERSION: 2.4-309a
BUILD: 110430-1642
No other software installed on the box.
I've read the manager manual.
by boybawang » Mon Dec 20, 2010 1:55 am
put this banned_clients sucky_urls
before the http_access deny all
so it should be like this:
http_access deny banned_clients sucky_urls
http_access deny all
merry christmas
by gmcust3 » Mon Dec 20, 2010 2:27 am
Merry Christmas !!
Here is what I have now:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl banned_clients src 192.168.0.205-192.168.0.205
# And finally deny all other access to this proxy
http_access allow localhost
acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com
http_access deny banned_clients sucky_urls
http_access deny all
# TAG: http_access2
But still the same!!!
by boybawang » Mon Dec 20, 2010 3:13 am
try putting
http_access deny all
http_access deny banned_clients sucky_urls
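The two orderings discussed above behave very differently, because Squid evaluates http_access lines top to bottom, a line matches only when every ACL named on it matches (a leading "!" negates that ACL), and the first matching line decides. A line placed after "http_access deny all" can never be reached. The following is an added example, not code from the thread or from Squid itself: a small Python model of that evaluation, with the ACL values copied from the posts above, that can be used to check a rule list before restarting Squid. Only the ACL types the thread uses (src, dstdomain, port) are modelled.

```python
"""Added example (not from the thread): a model of how Squid decides an
http_access line, for checking rule ordering before a restart.

Semantics modelled: lines are tried top to bottom; a line matches only when
every ACL named on it matches (a leading "!" negates that ACL); the first
matching line decides; if nothing matches, Squid applies the opposite of the
last line's action.  Only src, dstdomain and port ACLs are modelled.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Acls = Dict[str, Tuple[str, List[str]]]   # name -> (type, values)
Rules = List[Tuple[str, List[str]]]       # (action, acl refs) in file order


def src_matches(client_ip: str, spec: str) -> bool:
    """src value: single address, CIDR/netmask form, or an 'a-b' range."""
    ip = ipaddress.ip_address(client_ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def domain_matches(host: str, pattern: str) -> bool:
    """dstdomain value: a leading dot also matches every subdomain."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def port_matches(port: int, spec: str) -> bool:
    """port value: a single port or a 'lo-hi' range."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(acls: Acls, ref: str, client_ip: str, host: str, port: int) -> bool:
    negate = ref.startswith("!")
    acl_type, values = acls[ref.lstrip("!")]
    if acl_type == "src":
        hit = any(src_matches(client_ip, v) for v in values)
    elif acl_type == "dstdomain":
        hit = any(domain_matches(host, v) for v in values)
    elif acl_type == "port":
        hit = any(port_matches(port, v) for v in values)
    else:
        raise ValueError(f"acl type not modelled: {acl_type}")
    return hit != negate


def evaluate(acls: Acls, rules: Rules, client_ip: str, host: str,
             port: int = 80) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the deciding line; None means the default)."""
    for i, (action, refs) in enumerate(rules):
        if all(acl_matches(acls, r, client_ip, host, port) for r in refs):
            return action, i
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None


def shadowed_rules(rules: Rules) -> List[int]:
    """Indices of lines that can never decide anything because an earlier
    line names only 'all' and therefore matches every request."""
    for i, (_, refs) in enumerate(rules):
        if refs == ["all"]:
            return list(range(i + 1, len(rules)))
    return []


# ACL definitions copied from the posts (Squid 2.6 defines "all" in the file).
ACLS: Acls = {
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "localhost": ("src", ["127.0.0.1/255.255.255.255"]),
    "banned_clients": ("src", ["192.168.0.205-192.168.0.205"]),
    "sucky_urls": ("dstdomain", [".microsoft.com", ".sco.com", ".doubleclick.com"]),
    "Safe_ports": ("port", ["80", "21", "443", "70", "210", "1025-65535",
                            "280", "488", "591", "777"]),
}
# Ordering from the first post: the specific deny line precedes "deny all".
RULES_ORIGINAL: Rules = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["banned_clients", "sucky_urls"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]
# "deny all" placed first: the specific line below it is dead.
RULES_DENY_ALL_FIRST: Rules = [
    ("deny", ["all"]),
    ("deny", ["banned_clients", "sucky_urls"]),
]

if __name__ == "__main__":
    for ip, host in [("192.168.0.205", "www.microsoft.com"),
                     ("192.168.0.205", "www.example.com"),
                     ("127.0.0.1", "www.microsoft.com")]:
        print(ip, host, evaluate(ACLS, RULES_ORIGINAL, ip, host))
    print("dead lines:", shadowed_rules(RULES_DENY_ALL_FIRST))
```

Run against the first post's ordering, a request from 192.168.0.205 to www.microsoft.com is decided by the specific deny line, so the ACL logic in that file was already sound. Note also that with that ordering every client other than localhost is denied everything by the final "deny all", so a browser that was really sending requests through the proxy would have received Squid's error page for every site, not just Microsoft's. That is consistent with the later replies: the requests were never reaching Squid.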
by williamconley » Mon Dec 20, 2010 10:55 am
Interesting. A support question in the "General Discussion" section that's not even remotely related to Vicidial. LOL
Have you set up this squid server as your proxy server for your web browser? (had to ask!)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
by gmcust3 » Tue Dec 21, 2010 6:55 am
My squid file:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl banned_clients src 192.168.0.205
http_access allow localhost
acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com
http_access deny banned_clients sucky_urls
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:
refresh_pattern ^gopher:
refresh_pattern .
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
by boybawang » Wed Dec 22, 2010 11:39 am
are you trying to achieve transparent proxying + filtering?
by gmcust3 » Wed Dec 22, 2010 2:25 pm
Transparent proxying means?
by williamconley » Wed Dec 22, 2010 2:33 pm
transparent means the user does not change any settings on their pc
by gmcust3 » Wed Dec 22, 2010 2:34 pm
Then yes, I am NOT configuring anything on the agent PCs.
by williamconley » Wed Dec 22, 2010 2:38 pm
you may want to read up on transparent proxy setup.
have you set up a proper dhcp server (giving the appropriate information to the client boxes so they use the proxy server)?
by gmcust3 » Wed Dec 22, 2010 2:42 pm
Will Do.
My Client Boxes are NOT on DHCP.
I have assigned them IPs like 192.168.0.11, 192.168.0.12, etc., with the gateway set to the IP of the server where the WAN terminates on eth.
by williamconley » Wed Dec 22, 2010 2:48 pm
is that the proxy server? (if it's not ... how exactly do the client boxes know to get their internet content from the proxy server?)
a little reading may come in handy.
and also setting up DHCP can be helpful (you'd be amazed what you can do with a proper DHCP service ...)
by gmcust3 » Wed Dec 22, 2010 2:50 pm
I have Enabled IP Forwarding.
by williamconley » Wed Dec 22, 2010 4:04 pm
if i were you, i'd go through a step by step proxy setup tutorial.
by gmcust3 » Wed Dec 22, 2010 11:32 pm
Let me Disable IP forwarding and Study / Follow the Transparent Proxy set up
by gmcust3 » Mon Jan 03, 2011 10:25 pm
This is what I tried:
#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="192.168.0.2"
# Interface connected to Internet
INTERNET="eth2"
# Interface connected to LAN
LAN_IN="eth0"
# Squid port
SQUID_PORT="80"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
When SQUID_PORT was 3128, my server was NOT accessible, but when I changed it to 80, it started working.
What could be the reason?
And after changing it to 80, whatever site I type, it opens my server's default HTML page.
Content of squid file:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl my_network 192.168.0.0/24
acl banned_clients src 192.168.0.205
acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com
http_access deny banned_clients sucky_urls
http_access allow my_network
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440
refresh_pattern ^gopher: 1440 0%
refresh_pattern . 0
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
squid.out shows:
*********************
2011/01/03 20:47:12| ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 20:55:34| ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 20:55:35| ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 21:01:33| ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 21:01:33| ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 21:13:41| aclParseAclLine: Invalid ACL type '192.168.0.0/24'
FATAL: Bungled squid.conf line 635: acl my_network 192.168.0.0/24
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 21:13:41| aclParseAclLine: Invalid ACL type '192.168.0.0/24'
FATAL: Bungled squid.conf line 635: acl my_network 192.168.0.0/24
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
by williamconley » Mon Jan 03, 2011 10:58 pm
iptables -L -v --line-numbers
and then compare it to the contents of your bash script.