Squid Filter

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N


Postby gmcust3 » Sun Dec 19, 2010 11:16 pm

I want to block the Microsoft website from the 192.168.0.205 IP.

I have written the code below in the squid.conf file.

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

acl banned_clients src 192.168.0.205-192.168.0.205
acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com
http_access deny banned_clients sucky_urls

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all



and then

/etc/rc.d/init.d/squid restart

But I can still open the Microsoft site from the 192.168.0.205 IP.

Please advise where I am wrong.

Note : I have followed Instructions from
http://www.linuxquestions.org/questions ... id-500476/
GoAutoDial CE
VERSION: 2.4-309a
BUILD: 110430-1642
No other software installed on the box.
I've read the manager manual.
gmcust3
 
Posts: 1148
Joined: Sat Oct 24, 2009 1:15 pm

Postby boybawang » Mon Dec 20, 2010 1:55 am

put this banned_clients sucky_urls

before the http_access deny all

so it should be like this:


http_access deny banned_clients sucky_urls
http_access deny all

merry christmas
Vicidial Installation + Configuration + Support + Custom Development
Download my ebook on installing vicidial for free http://download.vicidial.com/ubuntu/VIC ... 100331.pdf
skype: deodax.cordova@gmail.com
m: +639172063730
boybawang
 
Posts: 989
Joined: Sat Nov 14, 2009 1:18 pm
Location: Dumaguete City, Negros Oriental, Philippines

Postby gmcust3 » Mon Dec 20, 2010 2:27 am

Merry Christmas !!


Here is what I have now:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

acl banned_clients src 192.168.0.205-192.168.0.205

# And finally deny all other access to this proxy
http_access allow localhost
acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com
http_access deny banned_clients sucky_urls
http_access deny all

# TAG: http_access2



But still the same!!!

Postby boybawang » Mon Dec 20, 2010 3:13 am

try putting

http_access deny all
http_access deny banned_clients sucky_urls

Postby williamconley » Mon Dec 20, 2010 10:55 am

Interesting. A support question in the "General Discussion" section that's not even remotely related to Vicidial. LOL

Have you set up this squid server as your proxy server for your web browser? (had to ask!)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
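The fastest way to answer that question is Squid's own access.log, which the posted config writes in the native `squid` format: a client whose requests never appear there is not going through the proxy at all, so no http_access line can apply to it, whatever its order. The script below is an added example, not code from the thread. It parses constructed log lines in that format (invented timestamps, TEST-NET peer addresses) and reports, per client, how many requests reached Squid, how many went to the domains in the posted sucky_urls list, and which of those were not TCP_DENIED.

```python
# Audit of Squid's native access.log format, the "squid" format chosen by the
# access_log line in the posted config. Added example, not from the thread.
# Field order per line:
#   time elapsed client result/status bytes method url ident hierarchy/peer type

BLOCKED_DOMAINS = (".microsoft.com", ".sco.com", ".doubleclick.com")   # the posted sucky_urls

# Constructed log lines (invented timestamps, TEST-NET peer addresses).
SAMPLE_LOG = """\
1294094832.123    245 192.168.0.205 TCP_DENIED/403 1456 GET http://www.microsoft.com/ - NONE/- text/html
1294094835.456    812 192.168.0.205 TCP_MISS/200 23421 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1294094840.001     90 192.168.0.11 TCP_MISS/200 5120 GET http://download.microsoft.com/setup.exe - DIRECT/192.0.2.20 application/octet-stream
1294094841.777    130 192.168.0.12 TCP_DENIED/403 1456 CONNECT ad.doubleclick.com:443 - NONE/- text/html
"""


def parse_line(line):
    """One native-format line -> dict, or None for a line that is not a request record."""
    f = line.split()
    if len(f) < 10:
        return None
    result, status = f[3].split("/", 1)
    return {"time": float(f[0]), "client": f[2], "result": result, "status": status,
            "method": f[5], "url": f[6]}


def host_of(url):
    """Host part of a logged URL; CONNECT lines log only host:port (IPv6 literals not handled)."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0].lower()


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    # Same semantics as a dstdomain ACL: a leading dot covers the domain and its subdomains.
    return any((host == d[1:] or host.endswith(d)) if d.startswith(".") else host == d
               for d in blocked)


def audit(log_text, client, blocked=BLOCKED_DOMAINS):
    """How many of one client's requests reached Squid, and whether the blocked ones were denied."""
    report = {"requests": 0, "to_blocked": 0, "denied": 0, "leaked": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] != client:
            continue
        report["requests"] += 1
        if not is_blocked(host_of(rec["url"]), blocked):
            continue
        report["to_blocked"] += 1
        if rec["result"] == "TCP_DENIED":
            report["denied"] += 1
        else:
            report["leaked"].append(rec["url"])     # reached a blocked domain without a deny
    return report


def clients_seen(log_text):
    """Every client address that has produced at least one request record."""
    return {rec["client"] for rec in map(parse_line, log_text.splitlines()) if rec}


if __name__ == "__main__":
    print("clients the proxy has seen:", sorted(clients_seen(SAMPLE_LOG)))
    for client in ("192.168.0.205", "192.168.0.11", "192.168.0.20"):
        print(client, audit(SAMPLE_LOG, client))
```

A client with zero requests in the report never reached Squid, so the thing to check is the browser's proxy setting or the gateway and NAT path, not the ACL order; a non-empty leaked list means the ACLs are being evaluated but do not match the way intended.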

Postby gmcust3 » Tue Dec 21, 2010 6:55 am

My squid File :



acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl banned_clients src 192.168.0.205
http_access allow localhost
acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com
http_access deny banned_clients sucky_urls
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# refresh_pattern columns restored from the stock squid.conf defaults
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%    1440
refresh_pattern .          0      20%   4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid

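Squid reads http_access lines top to bottom; the first line whose ACLs all match decides, and a request that matches no line gets the opposite of the last line's action. The model below is an added example, not code from the thread. It replays that logic over the src and dstdomain ACLs from the posted configs (the manager, port and method lines are left out) for three orderings: the config just posted, which has no allow line for the LAN at all; the deny-after-deny-all ordering suggested earlier in the thread; and a deny-before-allow ordering with an allow for 192.168.0.0/24. The ACL and rule text is taken from the posts; the client and host pairs are constructed.

```python
import ipaddress

# Toy model of Squid's http_access evaluation (added example, not from the
# thread). Lines are tried in file order; a line decides only if every ACL on
# it matches (a leading "!" negates one ACL); a request matching no line gets
# the opposite of the last line's action. Only the "src" and "dstdomain" ACL
# types are modelled, which is all the posted access rules need.

ACL_TYPES = ("src", "dstdomain")


def parse_squid_conf(text):
    """Return ({acl_name: (type, [values])}, [(action, [(negated, acl_name)])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()        # drop comments and blank lines
        if not parts:
            continue
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            if acl_type not in ACL_TYPES:            # what Squid reports as "Invalid ACL type"
                raise ValueError(f"Invalid ACL type '{acl_type}' for acl {name}")
            stored_type, stored = acls.setdefault(name, (acl_type, []))
            if stored_type != acl_type:
                raise ValueError(f"acl {name}: type changed from {stored_type} to {acl_type}")
            stored.extend(values)                    # repeating a name extends the ACL
        elif parts[0] == "http_access":
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules


def src_matches(values, client_ip):
    ip = ipaddress.ip_address(client_ip)
    for v in values:
        if "-" in v:                                 # range: 192.168.0.205-192.168.0.205
            lo, hi = (ipaddress.ip_address(x) for x in v.split("-", 1))
            if lo <= ip <= hi:
                return True
        elif "/" in v:                               # 192.168.0.0/24 or 0.0.0.0/0.0.0.0
            if ip in ipaddress.ip_network(v, strict=False):
                return True
        elif ip == ipaddress.ip_address(v):          # single address
            return True
    return False


def dstdomain_matches(values, host):
    host = host.lower().rstrip(".")
    for v in values:
        v = v.lower()
        if v.startswith("."):                        # .microsoft.com: the domain and all subdomains
            if host == v[1:] or host.endswith(v):
                return True
        elif host == v:                              # no leading dot: that exact host only
            return True
    return False


def decide(conf_text, client_ip, dest_host):
    """'allow' or 'deny' for one request, as Squid's http_access chain would decide."""
    acls, rules = parse_squid_conf(conf_text)
    for action, terms in rules:
        line_matches = True
        for negated, name in terms:
            if name not in acls:                     # Squid: "ACL name 'x' not defined!"
                raise ValueError(f"ACL name '{name}' not defined")
            acl_type, values = acls[name]
            hit = (src_matches(values, client_ip) if acl_type == "src"
                   else dstdomain_matches(values, dest_host))
            if hit == negated:                       # the ACL (or its negation) failed
                line_matches = False
                break
        if line_matches:
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"   # no match: opposite of last line


# ACLs and orderings taken from the posted configs (manager/port/method lines left out).
ACLS = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl my_network src 192.168.0.0/24
acl banned_clients src 192.168.0.205
acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com
"""
NO_LAN_ALLOW = ACLS + "http_access allow localhost\nhttp_access deny banned_clients sucky_urls\nhttp_access deny all\n"
DENY_ALL_FIRST = ACLS + "http_access allow localhost\nhttp_access deny all\nhttp_access deny banned_clients sucky_urls\n"
DENY_THEN_ALLOW = ACLS + ("http_access allow localhost\nhttp_access deny banned_clients sucky_urls\n"
                          "http_access allow my_network\nhttp_access deny all\n")

if __name__ == "__main__":
    # Constructed requests: the banned client, another LAN client, and the banned client elsewhere.
    for label, conf in (("no-lan-allow", NO_LAN_ALLOW), ("deny-all-first", DENY_ALL_FIRST),
                        ("deny-then-allow", DENY_THEN_ALLOW)):
        for client, host in (("192.168.0.205", "www.microsoft.com"), ("192.168.0.11", "www.microsoft.com"),
                             ("192.168.0.205", "www.example.com")):
            print(f"{label:16} {client:14} -> {host:18} {decide(conf, client, host)}")
```

Two things the run makes visible: with no allow line for the LAN, every LAN client is denied everything, so a client that can still browse is not going through the proxy; and a deny placed after `deny all` is unreachable, so it blocks nothing extra. Only the third ordering denies the banned client's Microsoft requests while letting the rest of the LAN through.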

Postby boybawang » Wed Dec 22, 2010 11:39 am

are you trying to achieve transparent proxying + filtering?

Postby gmcust3 » Wed Dec 22, 2010 2:25 pm

transparent proxying means?

Postby williamconley » Wed Dec 22, 2010 2:33 pm

transparent means the user does not change any settings on their pc

Postby gmcust3 » Wed Dec 22, 2010 2:34 pm

Then Yes, I am NOT configuring anything on Agent PC.

Postby williamconley » Wed Dec 22, 2010 2:38 pm

you may want to read up on transparent proxy setup.

have you set up a proper dhcp server (giving the appropriate information to the client boxes so they use the proxy server)?

Postby gmcust3 » Wed Dec 22, 2010 2:42 pm

:-) Will Do.

My Client Boxes are NOT on DHCP.

I have assigned them IPs like 192.168.0.11, 192.168.0.12, etc., with the gateway as the IP of the server where the WAN is terminating on eth.

Postby williamconley » Wed Dec 22, 2010 2:48 pm

is that the proxy server? (if it's not ... how exactly do the client boxes know to get their internet content from the proxy server?)

a little reading may come in handy.

and also setting up DHCP can be helpful (you'd be amazed what you can do with a proper DHCP service ...) :)

Postby gmcust3 » Wed Dec 22, 2010 2:50 pm

I have Enabled IP Forwarding.

Postby williamconley » Wed Dec 22, 2010 4:04 pm

if i were you, i'd go through a step by step proxy setup tutorial.

Postby gmcust3 » Wed Dec 22, 2010 11:32 pm

Let me Disable IP forwarding and Study / Follow the Transparent Proxy set up :-)

Postby gmcust3 » Mon Jan 03, 2011 10:25 pm

This is what I tried:

Code:
#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="192.168.0.2"
# Interface connected to Internet
INTERNET="eth2"
# Interface connected to LAN
LAN_IN="eth0"
# Squid port
SQUID_PORT="80"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP


When SQUID_PORT was 3128, my server was NOT accessible, but when I changed it to 80, it started working.

What could be the reason?

And after changing it to 80, whatever site I type, it opens my server's default HTML page.

Content of the squid file:

Code:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443      # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl my_network 192.168.0.0/24      # no ACL type (src) given: this is the "Invalid ACL type" line in squid.out below
acl banned_clients src 192.168.0.205
acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com
http_access deny banned_clients sucky_urls
http_access allow my_network
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# refresh_pattern columns restored from the stock squid.conf defaults
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%    1440
refresh_pattern .          0      20%   4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid



squid.out shows:
*********************
Code:
2011/01/03 20:47:12| ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 20:55:34| ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 20:55:35| ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 21:01:33| ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 21:01:33| ACL name 'Safe_ports' not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 21:13:41| aclParseAclLine: Invalid ACL type '192.168.0.0/24'
FATAL: Bungled squid.conf line 635: acl my_network 192.168.0.0/24
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
2011/01/03 21:13:41| aclParseAclLine: Invalid ACL type '192.168.0.0/24'
FATAL: Bungled squid.conf line 635: acl my_network 192.168.0.0/24
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
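Two facts account for the default-page symptom and for what a port-3128 setup still needs. The DNAT target decides which daemon on the box receives the intercepted connection, so sending LAN port 80 to port 80 hands every request to the web server already listening there, which serves its own default page. And Squid 2.6 (the version in squid.out) accepts intercepted requests, which carry only a path plus a Host header rather than a full URL, only on an http_port marked `transparent`; the posted `http_port 3128` has no such flag. The checker below is an added example, not code from the thread. It reads `iptables-save -t nat` output and squid.conf text, both constructed here from the posted script (eth0 as LAN, eth2 as Internet, SQUID_SERVER 192.168.0.2) and the posted http_port line, and reports those mismatches.

```python
import re

# Checks that port-80 interception actually lands on Squid. Added example, not
# from the thread. Inputs are iptables-save -t nat output and squid.conf text,
# constructed here from the posted script (eth0 = LAN, eth2 = Internet,
# SQUID_SERVER 192.168.0.2) and the posted http_port line.
#
# Squid 2.6, the version in the posted squid.out, accepts intercepted requests
# (which carry only a path plus a Host header, not a full URL) only on an
# http_port marked "transparent".

NAT_RULE = re.compile(
    r"^-A PREROUTING .*-i (?P<iface>\S+) .*--dport (?P<dport>\d+) "
    r".*-j (?P<target>DNAT|REDIRECT) .*--to-(?:destination|ports) (?P<to>\S+)")


def squid_ports(conf_text):
    """{port: set(flags)} for every http_port line, comments stripped."""
    ports = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "http_port":
            ports[int(parts[1].rsplit(":", 1)[-1])] = set(parts[2:])   # "3128" or "ip:3128"
    return ports


def intercept_rules(nat_text):
    """(in-interface, dport, target port) for each PREROUTING DNAT/REDIRECT rule."""
    rules = []
    for line in nat_text.splitlines():
        m = NAT_RULE.match(line.strip())
        if m:
            rules.append((m["iface"], int(m["dport"]), int(m["to"].rsplit(":", 1)[-1])))
    return rules


def check_interception(nat_text, conf_text, lan_iface, web_ports=(80,)):
    """Problems that would stop LAN port-80 traffic from reaching Squid usefully."""
    findings = []
    ports = squid_ports(conf_text)
    lan_rules = [r for r in intercept_rules(nat_text) if r[0] == lan_iface and r[1] == 80]
    if not lan_rules:
        findings.append(f"no PREROUTING rule intercepts tcp/80 on {lan_iface}")
    for _, _, to_port in lan_rules:
        if to_port in web_ports:
            findings.append(f"tcp/80 from {lan_iface} goes to port {to_port}, "
                            "where the box's own web server answers, not Squid")
        elif to_port not in ports:
            findings.append(f"tcp/80 from {lan_iface} goes to port {to_port}, but no http_port listens there")
        elif "transparent" not in ports[to_port]:
            findings.append(f"http_port {to_port} lacks the 'transparent' flag needed for intercepted requests")
    return findings


# Constructed iptables-save output for the posted script with SQUID_PORT=80 and =3128.
NAT_PORT80 = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A POSTROUTING -o eth2 -j MASQUERADE
"""
NAT_PORT3128 = NAT_PORT80.replace(":80", ":3128").replace("--to-ports 80", "--to-ports 3128")
CONF_AS_POSTED = "http_port 3128\n"
CONF_TRANSPARENT = "http_port 3128 transparent\n"

if __name__ == "__main__":
    for label, nat, conf in (("port 80, as posted", NAT_PORT80, CONF_AS_POSTED),
                             ("port 3128, http_port as posted", NAT_PORT3128, CONF_AS_POSTED),
                             ("port 3128, transparent", NAT_PORT3128, CONF_TRANSPARENT)):
        print(label, "->", check_interception(nat, conf, "eth0") or ["ok"])
```

`iptables-save -t nat` is used as the input rather than `iptables -L` because it prints rules in the same option syntax they were entered with, which is what makes them easy to compare against the script; the checker only looks at PREROUTING, since that is where the interception decision is made.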

Postby williamconley » Mon Jan 03, 2011 10:58 pm

Code:
iptables -L -v --line-numbers
and then compare it to the contents of your bash script.

