Koozali.org: home of the SME Server

Blocking or Redirecting Internal Traffic on Certain Ports

Walter Padgett

Blocking or Redirecting Internal Traffic on Certain Ports
« on: July 18, 2003, 09:23:21 AM »
Good Evening,

I've been all over this phorum trying everything that has been mentioned concerning blocking port 80 and/or 3128. I am currently working with dungog.net's great RPMs that deal with DansGuardian. I'm trying to keep folks from going around the filter. I understand that anyone can download the IEAK and set up IE with anything they want, as well as restrict about anything they want, including the proxy settings. This would be great if I didn't have to deal with IE6, which interferes with educational software that is installed at the school in question. I've looked for something concerning iptables but didn't really find anything. The server is running on v5.5. I'm flexible on upgrading to the latest 5.6u4+ if needed. Here are the command lines that I have put in the
/etc/e-smith/templates/etc/rc.d/init.d/masq/36masqLAN file:

ipchains -A forward -s 192.168.0.0/24 -p tcp -d 0.0.0.0/0 80 -j DENY
ipchains -A forward -s 192.168.0.0/24 -p tcp -d 0.0.0.0/0 3128 -j DENY
ipchains -I input -y -p tcp -s 0/0 --dport 80 -j DENY
ipchains -I input -y -p tcp -s 0/0 --dport 3128 -j DENY

I did the appropriate expanding of the templates after this. I'm not exactly sure that I have these commands correct, because they are evidently not working. I added the 3128 port command while experimenting with ipchains.

I'm also wondering if I'm missing something. I would like a separate list of users that only have access through the proxy. I don't want to set up users in the system so that they also have access to email and other services provided by SME. I'm using the pam_auth feature of the dungog.net/dansguardian contrib to control access to the web.

I have about a month to deal with these issues and would welcome any suggestions. I truly appreciate the assistance that has been provided to me even with my "flame" tendencies. I'm trying to keep myself in check. These tendencies, I believe, stem from my past religious debating on the IRC chat channels. My apologies if I have offended anyone.

Have a great day!

Walter "Wally" Padgett

Cyrus Bharda

Re: Blocking or Redirecting Internal Traffic on Certain Port
« Reply #1 on: July 18, 2003, 10:21:32 AM »
Wally,

I myself use 5.5u6, and not one person can get around what I have set up.

Basically I used Vincent's rpm plus an additional fragment to modify it to be able to specify IPs that do not need authentication to get access, but you don't really need that. All of it can be found in http://mirror.contribs.org/smeserver/contribs/cbharda/contrib/squid-auth/

Basically this adds a panel into your server-manager where you specify which users can get access and those who cannot.

The only major drawback is that you then have to go to all computers and specify the proxy (well, only on those which will get net access). If you do not have a proxy specified then it just gives you a "not authenticated" message; it does not prompt for username/password.

Easy peasy, works with IE 5.5 and 6.

Cyrus Bharda

Cyrus Bharda

Re: Blocking or Redirecting Internal Traffic on Certain Port
« Reply #2 on: July 18, 2003, 10:25:19 AM »
Wally,

Also, I don't know how your users are getting around DansGuardian, but I use squidGuard, and my users have tried to get around it but so far have failed; not that they have not given up yet, though, but it's been 6 months, so I am pretty happy with it.

I thought DansGuardian was better, as it blocks via scoring, and squidGuard does not do that!

Cyrus Bharda

Graeme Fleming

Re: Blocking or Redirecting Internal Traffic on Certain Port
« Reply #3 on: July 18, 2003, 06:09:40 PM »
If you set up the proxy setting once on each OS (Windows, I guess) and then search the registry for the instance of this info, you can extract this info into a .reg file to suit each OS. Apply this .reg file to the workstation via a logon script and the w/s setup is done.

HTH

Walter Padgett

Re: Blocking or Redirecting Internal Traffic on Certain Port
« Reply #4 on: July 18, 2003, 06:26:12 PM »
Good Morning,

I do use the registry hacks that are available from many places on the web. I mainly use the ones that I have gotten from www.winguides.com with great success. I have various *.reg files that are applied based upon usernames.

The box on which I'm testing the blocking/redirecting of ports is running v5.5. Concerning your first post, Cyrus, how are they not getting a prompt for a username, and/or how are you blocking port 80 access? In the past I've set up squid-auth complete with the ACLs to filter. It works fine but only blocks based on the URL.

Does the pam_auth method in dungog.net's contrib use squidGuard, or is DansGuardian a standalone program?

I guess I can set squidGuard's default port to some astronomical figure and hope that the users don't find it. Then the question arises: when IE automatically searches for a proxy, will it find DansGuardian first or squidGuard?

A penny for your thoughts,

Walter "Wally" Padgett

Cyrus Bharda

Re: Blocking or Redirecting Internal Traffic on Certain Port
« Reply #5 on: July 21, 2003, 03:06:28 AM »
Wally,

I had a friend of a friend figure out how to allow access to squid without authentication and then make custom templates for me. I really honestly do not know how they work, they just do.

Basically I installed Vincent's squid-auth rpm, changed the port to 8080 and set the proxy to be protected, in the "Proxy Users" panel. Then I set up those users who would need net access now and again by setting them to have access, and set their password in the same panel.

Then I applied my custom templates and reloaded the panel; you will find that there is now an area to specify source IPs and destination IPs that get access without authentication. Basically I only set the source IPs that I want to have access without authentication, which coincides with the static IPs I have set the managers' computers to.

Then I have gone around and set up each computer's proxy settings to match what I have configured, and that's it.

If my users change the proxy settings they do not get authenticated and do not get past squid, so they do not get anything but an authentication error. I have set up a policy so that my users cannot get access to changing any of their network settings, which include proxy settings and IP addresses, so they are not able to change these settings unless they log on as administrator. I have also set my DHCP to give out the static IPs only to specified MAC addresses, so they are not really static, but they will always get the same IP from DHCP, so users will not be able to change their IPs to those allowed.

Whew, so you see squidGuard has nothing to do with blocking or not; squidGuard comes into effect after the client is authenticated with squid, so if they do not get authenticated, then they do not get access. Simple.

I think you are getting confused. Vincent's rpm does allow destination URLs you can view without authentication; that is why you need to apply my custom templates, and then you can specify source IPs that get access without authentication.

Cyrus Bharda

stephen noble

Re: Blocking or Redirecting Internal Traffic on Certain Port
« Reply #6 on: August 10, 2003, 10:59:37 AM »
Walter,
the pam_auth is unrelated to squidGuard or DansGuardian;
it's a setting in squid.conf.
To block access to port 80 and 3128 and force users to use 8080,
I add the following and remove the transproxy lines from masq.
5.5 uses ipchains, so it is different.
dungog-dansguardian has been updated.

stephen noble
dungog.net/sme

   # masq template fragment: drop port 80 and 3128 traffic to/from the local
   # network in $local, so clients have to go through the proxy on 8080.
   $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 80 -j DROP\n";
   $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 80 -j DROP\n";
   $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port 80 -j DROP\n";
   $OUT .= "    /sbin/iptables --append Forward$AllowLocals -s $local -p tcp --destination-port 3128 -j DROP\n";
   $OUT .= "    /sbin/iptables --append Forward$AllowLocals -d $local -p tcp --destination-port 3128 -j DROP\n";
   $OUT .= "    /sbin/iptables --append Input$AllowLocals   -s $local -p tcp --destination-port 3128 -j DROP\n";
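The rule logic behind Walter's ipchains attempt and Stephen's iptables fragment, written up as an added stand-alone script for checking the rules interactively on a 5.6-style (iptables) box; this is not code from the thread or from the dungog contrib. It assumes the LAN is 192.168.0.0/24, that the filter (DansGuardian) listens on 8080 and reaches squid on 3128 via 127.0.0.1, and that the persistent version still belongs in the template fragment, since rules added by hand are lost when the masq script is re-run.

```shell
#!/bin/sh
# Added example, not code from the thread or from the dungog contrib.
# Assumptions: LAN is 192.168.0.0/24, the filter (DansGuardian) listens on
# 8080 and reaches squid on 3128 via 127.0.0.1. Rules entered by hand are
# lost whenever the masq script is re-run, so use this to check the logic
# before moving it into the template fragment.
LAN="${LAN:-192.168.0.0/24}"
FILTER_PORT="${FILTER_PORT:-8080}"

# Print the rules one per line (without running them) so they can be
# reviewed first. -I puts them ahead of the masq ACCEPT rules.
proxy_lockdown_rules() {
    lan="$1"; fport="$2"
    # Clients may reach the filtering proxy on the server itself.
    echo "iptables -I INPUT -s $lan -p tcp --dport $fport -j ACCEPT"
    # squid on 3128 is for the filter only; the filter's own connections
    # come from 127.0.0.1 and so are not matched by -s $lan.
    echo "iptables -I INPUT -s $lan -p tcp --dport 3128 -j DROP"
    # No direct web access through the gateway: nothing forwarded to or
    # from the LAN on 80 or 3128 (the same pairs as the template fragment).
    for port in 80 3128; do
        echo "iptables -I FORWARD -s $lan -p tcp --dport $port -j DROP"
        echo "iptables -I FORWARD -d $lan -p tcp --dport $port -j DROP"
    done
    # Deliberately omitted: the fragment's INPUT drop for port 80, which
    # also stops LAN clients reaching the server's own web pages over http.
}

# Number of rules a given argument pair produces (used for self-checks).
rule_count() { proxy_lockdown_rules "$1" "$2" | wc -l | tr -d ' '; }

case "$1" in
    apply) proxy_lockdown_rules "$LAN" "$FILTER_PORT" | sh -e ;;  # needs root
    *)     proxy_lockdown_rules "$LAN" "$FILTER_PORT" ;;          # dry run
esac
```

Run it with no arguments to see the rules, and with `apply` (as root) to load them; the 3128 INPUT drop is what keeps the client-facing entry point at 8080 while the filter still reaches squid over loopback.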