I have configured my squid that have a limited access to websites but still some website were accessable vis https so I removed transparent from squid. Now what changes do I have to make in iptbles
View 1 Replies
I have been trying to get Squid to work so that I can restrict access to a particular web site during certain hours every night. I can't seem to get it working, however. I am still able to access the site. The following are the relevant lines from my squid.conf file:
acl restricted-domain dstdomain "/etc/squid/denied_domains.acl"
acl test time 19:00-20:00
acl bedtime time 22:00-23:59
[code]...
I've set up Ubuntu 9.04 (desktop) at home in a lab environment (workgroup rather than domain) and have configured Squid. Everything works fine but, when I took it to the next level and made the proxy transparent, my problems began. I can still access sites (having pointed the XP Pro client to the squid box as the DG) and the sites are logged in /var/log/squid/access.log but I am unable to use Outlook to access my SMTP and POP3. I guess that the setup is blocking ports 25 and 110 and I'll need to configure iptables to forward packets destined for these ports directly to the "real" DG, rather than the Squid box. Here's the set up:
A single NIC (eth0) on 172.19.0.250 / 16 (static) ADSL router ("real" DG) on 172.19.0.1 I executed iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 My squid.conf:
Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8# RFC1918 possible internal network
acl localnet src 172.16.0.0/12# RFC1918 possible internal network
acl mynet src 172.19.0.0/16
[Code]....
I have an old FC2 box running Squid version 2.5. It has been running since 2003 so I am in the process of replacing it. I have a new machine with FC11, iptables, and Squid 3.0 installed.
On the old machine I use iptables to intercept Port 80 traffic and send it to Squid. By default I block all internet access and allow only sites that are in an Allowed_Sites.txt file. Within Squid I also have statements to allow certain users to bypass Squid based on their IP address.
I have set up the same thing on the new box. I have iptables intercepting the Port 80 traffic and sending it to Squid. That is working because if I remove the redirect statement from iptables all internet access is blocked.
The problem I am having is that Squid is not blocking any websites. It acts like the ACL is set to http_access allow all. I have worked on this for several hours and am stumped.
These are my Squid rules:
acl allowed_sites url_regex "/etc/squid/Allowed_Sites.txt"
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow Bypass_Users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.1.0/24
http_access allow allowed_sites
http_access allow our_networks
http_access deny all
icp_access deny all
htcp_access deny all
http_port 192.168.1.254:3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname FC11.proxybox
icp_port 3130
coredump_dir /var/spool/squid
I'm using a 3G modem whilst o2 transfer over adsl. trouble is no websites load but I can resolve domains. I enabled masquerade on the PPP0 ( modem) interface. added the server as default route for all workstations.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
net.ipv4.ip_forward = 1″ to /etc/sysctl.conf
I am using squid to controlling access to the internet all is working fine expect one of the user who is using outside organization portal to connect internet. But whenever he tries to enter in the portal by typing (EXAMPLE)url. Permission denied error from squid occur.
How can i allow this portal in squid. So squid will allow this to access.
I just finished setup a proxy machine that runs in a separate box from gw.
I have the following iptables rule
on squid box
Code:
Code:
Here's an example
Code:
My question is how can i modify the iptables rules so it will forward the real ip's where the requests are originated from.
I am working in a office where only one internet connection available. I have configured 5 other client machines to use internet through squid proxy server. Now I want to restrict the total data usage/transfer (upload+download) to say 1 GB during a calender month. How can I achieve this setting.
View 1 Replies View RelatedI am working in a office where only one internet connection available. I have configured 5 other client machines to use internet through squid proxy server. Now I want to restrict the total data usage/transfer (upload+download) to say 1 GB during a calender month. How can I achieve this setting.
View 1 Replies View RelatedTake this scenario If I have rate limited the connections to 4.(i.e if you attempt 4th connection you wont be able to login for some time.) If in a minute I get disconnected 3 times while I was already logged in on the server with a screen session, will I be able to login or I need to keep quite for a minute?
Quote:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
My internet connection used to be a direct LAN connection to my provider. Back then, everything would load fine on both Windows and Ubuntu (dual boot). However, a while ago they started needing me to dial using a username and password (over a PPPoE connection). But since then, I haven't been able to browse certain websites on Ubuntu, even though there have been no such issues on Windows. Some example websites are - Ovi's sign in page (although share.ovi.com loads fine, and nokia.com loads fine), Live Mail (works on Chrome(ium) and Opera but not on Firefox (both 3.6 and 4)) and other random websites.
Some of the websites that don't load show timeout messages on Chrome and for some websites, the browser will keep trying to load without an end (I've left it like that even for hours but not noticed anything different happen).
I have tried changing the DNS servers to the ones suggested in the comment. I have even tried booting from a Fedora LiveCD and then changing the DNS to those (and even to the ones of OpenDNS), but the exact same thing happens. Here's output of ipconfig on Windows: Opera error messages seem to be a little more informative and they have the following errors in turns:
Secure connection: fatal error (552)
Secure connection: fatal error (40)
Followed by: Opera was not able to connect to the server. The server may be using the unsupported SSL 2 protocol, which is not considered safe enough for secure communication. The site owner should upgrade to TLS 1.0 or newer. Does anyone know why this is happening and how it can be fixed?
Update: Just saw here [URL].. that someone else was having similar problem and solved it by putting a NetworkManager.conf file in /etc/NetworkManager. What needs to be in that file?
i have been looking up ways to block websites in linux but most all of the free ones only block the sites the software makers want to (or you can't block just the sites you enter without blocking the sites that it wants to)i need to know how to block only websites i enter with squid using webmin
View 3 Replies View Relatedi was tasked to setup a proxy server to block access to some websites. i'm using centOS 5 and Squid 7:2.6 STABLE21-6.e15...i appended the following and tested the configuration with the supposed server i am using and the it does seem to work but now i'm wondering how i can test it with a client computer..i have 2 LAN cards and i just connected the other to one PC (can a direct connection work or does it need to pass thru a switch or hub)...i just can't figure out how it should be... how do i configure the 2nd LAN card to use this computer as its proxy server?
View 8 Replies View RelatedWhen i was try to execute this command in my router device it will show error...
First execution:-
Second Execution:-
So I Need to block this kind of websites ...kindly tell me what i have to rectify & change..here i didnt execute this command...
I'm using squid for proxy server in FC6. I'm also using squidGuard for web-site access restriction. I want to do some exception now for website access. For example, squid user1 with ip 192.168.7.10/32 shoud not access facebook.com while all other squid users with ip 192.168.7.11/32, 192.168.7.9/32 and so on... can access facebook.com since facebook.com is not listed in squidGuard .db files
View 1 Replies View RelatedI want to create a limited user, such that the user should only have the access to usb drives, cd drives and internet. And also I want to restrict the user from deleting the files from the system. How to do it..?
View 5 Replies View RelatedI am facing problem to access my network PC's and even ping. My network scenario is as follows. I am using squid 2.6 stable 21 on RHEL5. all other PC's on network (OS is Windows XP Professional SP2) are connected to internet through squid, authentication is ON on squid. All PC's on network (Win XP Systems)are assigned IP statically and Default Gateway is set which is Squid's IP. I want to access these PC's (Win XP Systems) mean share data between them. The problem is that i am unable to access and even ping these PC's.
View 2 Replies View RelatedI am using internet web control through squid... All is working fine only some little bit issues.
(1) Sometime when i tried to open google.com or any site I got message (The requested URL could not be retrieved) Screen Shot Attached.) but again after sometimes same websites will open.
url
(2) I would like to block word 'sex'.. So I have edit squid.conf with the following acl
acl Blockword url_regex sex
http_access deny Blockword
but problem occur in some websites where 'sensex' word found in url. Then squid block 'sensex' url content website also..
in my office i have to block all messenger like yahoo messenger, windows live messenger, i have to block websites like www.yahoo.com, some more web sites. i need guidance through which i can accomplish this task through ip tables or through squid server. i can use squid but i had heard that squid blocks pop and smtp also. squid creates some problem in receiving and sending email. i am using red hat linux 4 box and installed squid having two ethernet card 1 is connected to adsl line and 2 is connected to switch. all clients will have proxy address of this linux box. guys need ur help ASAP.
View 2 Replies View Relatedis there any way to make user with command text, just with accessbility to change network IP Address ?
View 4 Replies View RelatedTrying to make a copy of my website to a local ubuntu server - I have very limited access ie: no shell access. What is the best way to make a copy of my site. have ftp cli, lftp, wget ... just not sure what to use and how.
View 3 Replies View RelatedI'm trying the tail -f 172.16.X.XX /var/log/squid/access.log to view the sites requested by the client ip 172.16.X.XX but the result is it still open all the ip's requesting for the internet access. is there any tail commands that can monitor only the specific IP address requesting for internet access.
View 2 Replies View RelatedHow to give full access for the particular ipaddess in squid. and how to give particular website access to the particular ipaddress.
View 4 Replies View RelatedI connect to the internet at work through an authenticating proxy, and to avoid having to enter the proxy info into every app I use (e.g. firefox, wget, kde, etc) I have set up squid as a local transparent proxy which authenticates and routes all traffic to the work proxy. It has been working fine, but lately I haven't been able to connect to any https sites. I don't think I have changed the configuration, so perhaps it is the result of an upgrade, or something badly configured on my system from the start. I have tried connecting to https sites without squid and iptables and it works fine. My system is Arch linux, and my squid.conf file is: Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80# http
acl Safe_ports port 21# ftp
acl Safe_ports port 443# https
[Code]....
Does anybody know how to block HotSpotShield in squid or iptables?
View 2 Replies View Relatedi've got a software that uses a specific tcp port e.g 11111. i want to redirect all the traffic from 11111 to squid port 3128. i'm using the following commands to redirecting:
iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 11111 -j DNAT --to 192.168.0.1:3128
iptables -A FORWARD -p tcp -m tcp -i eth0 --dport 11111 -j ACCEPT
my ubuntu server has two interfaces. eth0 is for local network (dhcp assigns ips) and eth1 is for internet. my ubuntu server acts as a gateway and as an authentication server for users.
at squid also i have the following configuration regarding my port:
acl myport port 11111 http_access allow CONNECT myport. my squid installation is not transparent as users need to authenticate in order to access the web.
my application is a windows application and of course is not working. i examined the packets with wireshark and i noticed that when the program tries to access the internet, squid replies with err_invalid_request (the packet contains that data). the program is trying to send some plain text via port 11111 and as far as i can image, somehow squid declines the data. i cant get rid off squid as i want to pass the traffic from squid. what is the problem?
I have a server located remotely that I'd like to protect by allowing access to only my IP address (on any port). Currently anyone can access the server using ssh, http, and any other services that my server is running. (The reason I need to protect it for now is that it's a test/development server and really only needs to be accessed by me.)
The downside of doing this is every time my desktop IP address changes (from where I access the remote server), I would need to update the iptables configuration. (This could be a hassle, but based on my limited knowledge it seems to be the best way to allow access from only myself.)
Could anyone share how to allow access to my server using iptables from only my IP address and on any port?
I've been running Suse 11.2 KDE on a 64-bit Dell Studio 1535 since last week's release, and have had no trouble using Firefox. At some point today, however, it stopped accessing webpages -- or, when managing to grab a page, it would do so without full html rendering. 95% of the time I get an error splash, while the other 5% I get some sort of truncated page that looks nothing like it should. Konquer and Opera work fine, as does KMail.
I tried deleting the profile.int file (no luck), then uninstalled/re-installed (no luck), then uninstalled and deleted every Mozilla/Firefox file I could find in order for a fresh install -- but this has not worked after several attempts. I still cannot get Internet access. How to completely wipe-out Firefox in order to allow for a totally new installation?
I'd like to setup an Ubuntu LAMP server, and provide limited access to it for our in-house web developers/designers. I'm not quite sure how to go about the permissions side of things. Which user/group should "own" the /var/www directory? Is it www-data?
How do I create user accounts (for our developers) that have access to the /var/www directory - do I create accounts then add them to the www-data group? Or should I make a special 'webdev' group and give it access somehow?
I have SSH running on a computer I use as a server at home and login to it for my own purposes but am needing to share access to this server with someone else, and I'd like to do it in a way so that when they sign in all they see is the contents of one folder and nothing outside of it. So I'd like them to have full access to this folder and do anything they want with it, but not be able to browse outside of it at all via something like WinSCP (they're using Windows). I'm thinking I need to create a new account for them to sign in with but beyond that I'm not sure what I need to do. The only other special thing is that the folder I'd like them to be presented with is actually on an external hard drive. We're going to be doing a lot of online music collaboration and I need to give him lots of free space to drop files and the internal hard drive doesn't have a lot to spare right now.
View 6 Replies View Related
