networking - How to allow access to web only through proxy?

2014-07
  • user4035

    I have a Linux machine (kernel 3.7.0) with a Squid proxy server and a direct Internet connection. Browsers and Squid reside on the same machine. Is it possible to allow access to the web only through Squid? Maybe use SELinux?

  • Answers
  • Jeff Ferland

    You can use the owner module in iptables (-m owner --uid-owner $SQUID_UID) to set up allow rules for Squid and then deny other traffic.

  • aus

    Maybe something like this?

    # Your debian machine (gateway)
    LAN_IP="192.168.0.1"

    # Your network
    LAN_IP_RANGE="192.168.0.0/24"

    # Your squid machine
    PROXY_IP="192.168.0.254"
    PROXY_PORT="3128"

    # mark LAN-originated port 80 traffic that is not destined for the LAN itself
    iptables -t mangle -A PREROUTING -s $LAN_IP_RANGE ! -d $LAN_IP_RANGE -p TCP --destination-port 80 -j MARK --set-mark 11
    # redirect the marked connections to Squid
    iptables -t nat -A PREROUTING -m mark --mark 11 -p TCP -j DNAT --to-destination ${PROXY_IP}:${PROXY_PORT}
    # rewrite the source so Squid's replies come back through the gateway
    iptables -t nat -A POSTROUTING -m mark --mark 11 -p TCP -j SNAT --to-source $LAN_IP

    Source

  • user4035

    Here is the code:

    #default-deny; OUTPUT must be dropped too, otherwise the owner rule below restricts nothing
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    #loopback interface (browsers reach Squid on 127.0.0.1:3128)
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    #DNS
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --sport 53 -j ACCEPT
    #http,https traffic only through Squid - nobody user (the user Squid runs as)
    iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner nobody -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

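The owner-match approach from the answers above, written out as a complete single-host ruleset. This is an added example, not code from the thread: it assumes Squid runs as the user in SQUID_USER (Debian uses "proxy"; other distributions may use "squid" or "nobody") and listens on 127.0.0.1:3128, and it adds default-deny on OUTPUT, conntrack-based reply handling, and a LOG/REJECT pair so bypass attempts are visible in the kernel log instead of hanging.

```shell
#!/bin/sh
# Added example (not from the thread): restrict outbound HTTP/HTTPS on a
# single host to the Squid process via the iptables owner match.
# SQUID_USER is an assumption: "proxy" on Debian, "squid"/"nobody" elsewhere.
SQUID_USER="${SQUID_USER:-proxy}"

# Every rule goes through this wrapper, so the script can be dry-run with
# IPT=echo to review the generated rules before touching a live firewall.
ipt() { "${IPT:-iptables}" "$@"; }

apply_rules() {
    ipt -F INPUT
    ipt -F OUTPUT
    # Default-deny in both directions. Without -P OUTPUT DROP the owner
    # rule below would permit Squid but nothing would stop the browsers.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    # Loopback carries browser -> Squid traffic (127.0.0.1:3128).
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to connections this host opened, in either direction.
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DNS, needed by Squid and the local resolver.
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    # Only processes running as the Squid user may open new 80/443 flows.
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -m owner --uid-owner "$SQUID_USER" -m conntrack --ctstate NEW -j ACCEPT
    # Any other process trying 80/443 directly: rate-limited log entry, then a
    # TCP reset so the client fails fast rather than timing out.
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -m limit --limit 5/min -j LOG --log-prefix "proxy-bypass: "
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
}

# Dry-run helper: number of generated rules that use the owner match.
count_owner_rules() { (IPT=echo; apply_rules) | grep -c -- "--uid-owner"; }

# Apply only when explicitly asked: ./proxy-only.sh apply
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run with IPT=echo first to review the rules; a non-Squid user's curl to port 80 should then fail with "connection reset" and leave a "proxy-bypass:" line in the kernel log.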

  • Related Question

    windows 7 - How to allow to access only a list of certain sites in IE
  • Burjua

    Possible Duplicate:
    How do I restrict certains sites in IE ?

    I have a few tens of laptops and I need to restrict the Internet access on those laptops and allow only a few certain sites. I know I can do it using Content advisor in IE but manually it will take a lot of time.

    Is there any way to do it using some script or something else to speed up the process?


  • Related Answers
  • music2myear

    Can you set up Content Advisor in the IE Admin Kit, lock down all settings, and then just run the created installer package on each computer?

    UPDATE (from comment below): Download the IE Admin Kit here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=eb407001-7f6e-4ca1-8583-e91e69e872dd

    It's pretty easy to use. Just download and install it and it'll walk you through all the various possible customizations for IE8. If you have IE8 installed on your computer already, you can even import the settings (such as the Content Advisor settings) you've already set there.

    With this kit you can create either a full install of IE8 or just a setting patch installer that contains only the changes you've made, depending on whether or not IE is already installed on each target computer.

    The kit is used by IT departments and anybody else who needs to create a standardized installation of Internet Explorer.