Koozali.org: home of the SME Server

Forcing proxy use

Jim Bradley

Forcing proxy use
« on: April 12, 2001, 05:25:35 PM »
What ipchains statement do I need to make to block the network machines from a direct internet connection and forcing them to use the proxy server (squid)?

I would think that
/sbin/ipchains -A input -p tcp --destination-port 80 -j DENY -l -i ppp0
would work (as well as statements to block shttp, ftp, etc.) but I'm not sure where to put it (them) in the templates.

I'm using squid with squidGuard, and I'd like to prohibit my kids from gaining straight through access by just changing the proxy setting on the browser. I've found an iptables method with the 2.4.x kernel to set up a transparent proxy, but I don't care if it's transparent or not. And, upgrading to a 2.4.x kernel might knock a bunch of other things out of whack.

Thanks for your help.

Darrell May

Re: Forcing proxy use
« Reply #1 on: April 13, 2001, 02:36:55 AM »
Jim Bradley wrote:
>
> What ipchains statement do I need to make to block the
> network machines from a direct internet connection and
> forcing them to use the proxy server (squid)?
>


All you need is to install 'e-smith-transproxy-0.3-1.noarch.rpm' found at ftp.e-smith.org under CharlieBrady's area.  Or visit this link :-)

http://netsourced.com/e-smith/howto/howto-squidguard.html

Darrell

Jim Bradley

Re: Forcing proxy use
« Reply #2 on: April 13, 2001, 09:06:55 AM »
Thanks!! I knew that it could somehow be done. Figuring out where everything is with a new (to me) version takes a bit of time.

Jim

OSD

Re: Forcing proxy use
« Reply #3 on: April 13, 2001, 02:49:48 PM »
This topic is really interesting to me as I am looking into installing ESmith as a webserver in a secondary school.  I'm sorry if I'm being a bit thick but ......
I understand that Squid is used for access control lists where you can say which users can gain access to the proxy and at what times etc.  I also thought that Squid would allow lists of words in urls or the text of sites to lead to the sites being blocked?
So why use Squidguard?  Having looked at the link for the squidguard how-to it talks of databases of unacceptable categories of sites.  Are these site databases regularly updated and easy to get hold of/install?  Is it easy to set Squid to use Squidguard for the blocking of sites?
I'm sorry to ask so many questions that are probably annoying but would be very grateful for any clarification as to the difference between squid and squidguard etc.

Thanks a lot!

Charlie Brady

Re: Forcing proxy use
« Reply #4 on: April 13, 2001, 10:23:59 PM »
OSD wrote:
 
> I understand that Squid is used for access control lists
> where you can say which users can gain access to the proxy
> and at what times etc.

That's an option, yes, but it's not currently supported by the standard e-smith configuration.

> I also thought that Squid would allow
> lists of words in urls or the text of sites to lead to the
> sites being blocked?

No, squid is a caching proxy that helps make web access faster, and perhaps a little more secure. However, it does have hooks which allow another program to remap URLs, and this can be used to convert accesses to "forbidden" sites to be sent to a "you can't go here" page. Or you can convert accesses to banner ads to accesses to small white graphics instead.

> So why use Squidguard?

Squidguard is one of many possible URL remappers which you can have co-operating with squid.

Charlie
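The remapping hook described in the reply above, as an added example that is not part of the original thread or of squidGuard: a minimal helper for squid's `redirect_program` directive. It assumes the classic redirector line format (`URL client_ip/fqdn ident method` in, replacement URL or empty line out); the host lists and replacement URLs are constructed placeholders.

```python
#!/usr/bin/env python3
"""Minimal URL remapper speaking the classic squid redirector line protocol."""
import sys
from urllib.parse import urlsplit

# Constructed sample policy: hypothetical hostnames and replacement URLs.
BLOCKED_HOSTS = {"forbidden.example"}
AD_HOSTS = {"ads.example"}
BLOCK_PAGE = "http://proxy.example/blocked.html"
BLANK_IMAGE = "http://proxy.example/blank.gif"


def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def remap(request_line):
    """Return the replacement URL for one request line, or "" for no change."""
    fields = request_line.split()
    if not fields:
        return ""
    url = fields[0]
    try:
        if "://" in url:
            host = urlsplit(url).hostname or ""
        else:
            host = url.rsplit(":", 1)[0]  # CONNECT requests arrive as host:port
    except ValueError:
        return BLOCK_PAGE  # unparseable URL: fail closed
    if host_matches(host, BLOCKED_HOSTS):
        return BLOCK_PAGE
    if host_matches(host, AD_HOSTS):
        return BLANK_IMAGE
    return ""


def main():
    # squid keeps the helper running and sends one request per line;
    # each reply must be flushed immediately or squid stalls waiting for it.
    for line in sys.stdin:
        sys.stdout.write(remap(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

A remapper like this only sees requests that actually pass through squid, which is why the thread pairs it with firewall rules or a transparent proxy.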

OSD

Re: Forcing proxy use
« Reply #5 on: April 14, 2001, 12:02:20 AM »
Thanks a lot for clearing up my confusion.

I think I understand now.  I've been reading about setting up squid from the how-to on the squid-cache.org site as I will need (in a month or so - as our school is buying a new server and we are going to try using e-smith before having to buy NT) to set up a proxy as we have a slow internet link.

Once I have set up the templates/etc/squid.conf file to insist on proxy authentication, times of access etc., how do I set e-smith 4.1.1 to automatically start squid?

Thanks again.

Jim Bradley

Re: Forcing proxy use
« Reply #6 on: April 14, 2001, 02:26:02 AM »
> Once I have set up the templates/etc/squid.conf file to
> insist on proxy authentication, times of access etc., how do
> I set e-smith 4.1.1 to automatically start squid?

Squid is automatically installed with e-smith, and automatically started at bootup.

Dan Thomas

Re: Forcing proxy use? Will transproxy work with pam_auth?
« Reply #7 on: May 06, 2001, 08:19:56 PM »
Hello, I'm using e-smith 4.1.2 and have set up squid to use the pam authentication so that access to the proxy is dependent on a username and password.  I've also set squidguard to block unacceptable sites.  I need to force users' browsers to use the proxy rather than accessing the internet directly.  I've read somewhere that using  transproxy.noarch.rpm (to force connection through proxy) doesn't work when pam_auth is used.  Is this true?  If it is, is there another way of forcing proxy use?  Thanks in advance.