Koozali.org: home of the SME Server

port 80?

James

port 80?
« on: May 24, 2001, 08:30:22 PM »
Hi,

I've got e-smith working great. Followed the how-to for Squid's proxy authentication. Works fine. Set up squidGuard to filter web page requests through the proxy. Works brilliantly.

All this works fine as long as the browsers on the client machines are set to use the server with port 3128 as its proxy.

My problem is that when users change their browsers NOT to have to use the proxy, they are able to access the internet through the e-smith server.  This means that they are able to avoid having to log in and can view unsuitable material.

I need to stop this as the users are children.  I'm thinking that the client browsers must send their web page requests to port 80 (?) of the e-smith box.  Is there a way (ipchains or something?) that I can block requests to destination port 80 from within the local network?

Desperately need help on this one as I've got this one chance to prove that when we buy our new server we shouldn't get NT. Everything else about e-smith is superb but forcing browsers to use the proxy is essential! Would be really grateful for any offers of guidance or advice.

Thanks again.

Idris

Re: port 80?
« Reply #1 on: May 24, 2001, 09:31:51 PM »
Wild guess that is most probably wrong, but I am in a similar situation and have just wondered whether it is possible to use port forwarding to forward requests to port 80 to port 3128?
Someone please please please say it can be done as I really need to force the browsers to use the proxy rather than going directly to the internet. (Can't use transproxy because I have user authentication.)
If someone could please explain how to stop client browsers bypassing my proxy (with its authentication and squidGuard) then the world would be a wonderful place.

Megan

Re: port 80?
« Reply #2 on: May 24, 2001, 09:37:20 PM »
I have the same problem.
Have just been reading the squidGuard how-to and it says that "if you're using this you'd better make sure you disable NAT (/etc/rc.d/init.d/masq) and/or use transparent proxying. Otherwise clients will be able to bypass the proxy server and surf the web directly".

I thought that masquerading was what allowed me to run a number of machines behind the server that all access the internet with only the one outside IP address?
Surely if I disable NAT (however that's done) it'll stop people accessing the internet completely? Or is this the answer?

Answers from Charlie on a postcard please!

Nathan Fowler

Re: port 80?
« Reply #3 on: May 24, 2001, 11:04:00 PM »
It's quite easy to block outgoing TCP 80 access.

/sbin/ipchains -N out
/sbin/ipchains -A out --proto tcp --source aaa.bbb.ccc.ddd/24 --destination-port 80 -j DENY
where aaa.bbb.ccc.ddd is the IP address of your E-Smith server's local interface.

This will force everyone to use the SQUID proxy.

You can add as many rules to the chain-rule OUT as you want.
You may want to block outgoing 443 too (SSL).

If you really want to be extreme you can deny all outgoing TCP access except for SQUID.

/sbin/ipchains -A out --proto tcp --source aaa.bbb.ccc.ddd/24 --destination-port ! 3128 -j DENY

I think 3128 is SQUID.

Hope this helped; be sure to check out the IPCHAINS HOWTO on www.linux.org

Nathan Fowler

Bas

Re: port 80?
« Reply #4 on: May 25, 2001, 12:13:04 AM »
There is an e-smith-transproxy rpm somewhere on ftp.e-smith.org in the contrib section; works OK for me. I'm using it with squidGuard, but haven't tried it with user auth.

James

Re: port 80?
« Reply #5 on: May 26, 2001, 12:29:17 AM »
Excellent.
Thanks very much for the reply.
I will try it tomorrow.

James

didn't work
« Reply #6 on: May 26, 2001, 02:58:04 PM »
Tried your suggestion, Nathan.
It still let me access websites from a machine on the network without having to set the proxy to 3128.
Thanks for trying.

James

Re: port 80?
« Reply #7 on: May 26, 2001, 03:07:36 PM »
Right,

seems that ipchains isn't what's required?

Used ipchains to block port 80 on my server (192.168.0.1).

Then on my client machine's (192.168.0.4) browser I found that I could still access the internet with Mozilla set to direct connection. It hadn't made any difference.

When I changed my browser to proxy to port 80 of 192.168.0.1, then whatever web address I typed in it gave me 192.168.0.1's website. So ipchains just refers to TCP/IP requests intended for that particular machine (192.168.0.1).

I need to stop internet requests from the local network getting through my server (except for ones that go through port 3128).

It must be some sort of IP masquerading setup that I need.
I'm desperate to get this sorted otherwise I won't be able to use e-smith in work. If anyone has any suggestions then please post. I'm off to try and learn about masquerading.

Megan

Re: port 80?
« Reply #8 on: May 26, 2001, 05:28:09 PM »
Didn't work for me either, even after a network-create.
I assume that we should just type the commands in and not add them to the rc.d/masq file?

Simeon

Re: port 80?
« Reply #9 on: May 26, 2001, 11:22:45 PM »
This is what I've done/found:

Freshly installed 4.1.2.
Installed squidGuard (incl. transproxy).
Tested it. It worked [transparently sent internet requests to Squid].

Installed pam_auth user authentication [see HOW-TOs].

Now i understand that transproxy is meant to be used so that client browsers don't have to have their proxy settings changed - and then their web page requests are transparently redirected by the e-smith box to the squid proxy.

I find that with PAM user authentication set up as well as transproxy.rpm, client browsers that are set to proxy 3128 are asked for a username and password. If it's correct they're allowed through. Client browsers set to direct access to the internet are asked for a username/password, but even when a correct username/password is typed in they continue to be asked for a username and password.

So in effect only browsers pointing to 3128 of the e-smith machine can get through.

This seems to be working and having the desired effect of forcing people to use the proxy. I hope nobody tells me otherwise, as having a username/password system for access to the internet and forcing internet access through the proxy is really important to my situation. It seems to be working?

Regards,
Simeon.

PS. After setting up the user authentication I found that the process of expanding the template stopped squidGuard working and I had to reinstall the rpms (not transproxy though).

There must be an easier way [a correct way] of doing this [forcing proxy use].

enigma

Re: port 80?
« Reply #10 on: May 28, 2001, 02:24:12 AM »
You could try locking down the settings that are available to the users in IE :).

I have taken the following details from a V. GOOD resource if you are an M$ Admin - http://www.windows2000faq.com

Try this and modify the browser to restrict user settings if necessary; it can be set by a logon script or by trawling round each machine.

Q. What restrictions are available with Internet Explorer 5.01 Service Pack 1 and above?

A. With Internet Explorer (IE) 5.x, you have many options for limiting the actions that users can perform. You can apply these restrictions either to one user by setting the HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions registry key or to all users by setting the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions registry key. If you set a restriction at both the user and the machine level, the machine level setting takes precedence. A value of 1 enables the restriction; a value of 0 disables the restriction.

To add a restriction, perform the following steps:
Start regedit.exe.
Go to either HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions (for a user) or HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions (for all users).
From the Edit menu, select New, DWORD value.
In the table, find the desired value, enter it for the Value name, and press Enter.
Double-click the new value and set it to 1 to enable the restriction. Click OK.
Close regedit.
 
NoSubscriptionPasswords       Prevents the entering and caching of passwords.
NoBrowserOptions              Tools/Internet options menu item (IE only).

Many thanks to John Savill of www.windows2000faq.com for the above quoted Options.

Simeon

Re: port 80 - BLOCKED IT!
« Reply #11 on: May 28, 2001, 03:43:41 PM »
Right,
typed Nathan's commands:

ipchains -N out
ipchains -A out --proto tcp --source aaa.bbb.ccc.ddd/24 --destination-port 80 -j DENY

in my case the second line was:
ipchains -A out --proto tcp --source 192.168.0.0/24 --destination-port 80 -j DENY

Then type this:
ipchains -I input -p tcp -j out

this works!

I now have pam_auth user authentication on my Squid proxy (with squidGuard). Users' browsers set to proxy 3128 work fine.
If a user changes the browser to Direct connection the server denies the connection. In fact, to the user a message pops up saying it's timed out.

This works for me. Hope it helps someone. BTW, rebooting the machine cancels out these modifications. I am looking into how to make this occur on reboot. I think it'll be a matter of ipchains-save to save the configuration to a file and then set a start-up script to use ipchains-restore to set it up again on reboot. Not familiar with creating start-up scripts in e-smith so it may take a day or two to get back to you.

regards,
simeon.
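Added example, not taken from any post in this thread: the rule set Simeon arrived at, written as a small sh script, together with the check that would have shown why Nathan's first version did nothing (the chain "out" existed but no rule in a built-in chain jumped to it). Addresses and ports are the ones the thread uses (LAN 192.168.0.0/24, server 192.168.0.1, Squid on 3128). Everything else is this example's own assumption: the variable names, the RETURN rule that exempts traffic to the server itself (Simeon's DENY on port 80 would also catch the server's own web pages), the $IPCHAINS indirection so the script can be dry-run on a box without ipchains, and the sample `ipchains -L -n` listing, which is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from any post in this thread): build the ipchains rules
# that make LAN clients go through Squid, and check that a user-defined chain
# is actually reached. LAN 192.168.0.0/24, server 192.168.0.1 and Squid on
# TCP 3128 are from the thread; the variable names and the $IPCHAINS
# indirection are this example's own convention (assumptions).

LAN_NET="${LAN_NET:-192.168.0.0/24}"
GW_IP="${GW_IP:-192.168.0.1}"
PROXY_PORT="${PROXY_PORT:-3128}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# Print an argument list as one line; stands in for ipchains on dry runs.
print_cmd() { printf '%s\n' "$*"; }

# The rule set, one ipchains argument list per line, in the order it must be
# applied. Creating the chain "out" and filling it is not enough: nothing
# consults a user-defined chain until a rule in a built-in chain jumps to it,
# so the final "-I input ... -j out" is the rule that makes the block bite.
# Traffic to the server itself (Squid on $PROXY_PORT, its own web pages)
# RETURNs to the normal rules; direct web traffic to anywhere else is denied.
proxy_only_rules() {
    cat <<EOF
-N out
-A out -p tcp -s $LAN_NET -d $GW_IP -j RETURN
-A out -p tcp -s $LAN_NET --dport 80 -j DENY
-A out -p tcp -s $LAN_NET --dport 443 -j DENY
-I input -p tcp -s $LAN_NET -j out
EOF
}

# Run every rule through $IPCHAINS; stop at the first failure.
apply_rules() {
    proxy_only_rules | while IFS= read -r rule; do
        # Word-splitting $rule into separate arguments is intended here.
        "$IPCHAINS" $rule || return 1
    done
}

# Read `ipchains -L -n` output on stdin and print every user-defined chain
# that no rule jumps to. ipchains lists such chains as
# "Chain NAME (0 references):". Exit status is 1 if any were found.
unreferenced_chains() {
    awk '
        /^Chain .* \([0-9]+ references\):/ {
            name = $2
            refs = $3; sub(/^\(/, "", refs)
            if (refs + 0 == 0) { print name; found = 1 }
        }
        END { if (found) exit 1 }
    '
}

# Constructed sample (not a real capture) of what `ipchains -L -n` would show
# after the thread's first attempt: chain created and filled, never jumped to.
SAMPLE_UNLINKED='Chain input (policy ACCEPT):
Chain forward (policy DENY):
Chain output (policy ACCEPT):
Chain out (0 references):
target     prot opt     source                destination           ports
DENY       tcp  ------  192.168.0.0/24       0.0.0.0/0             * ->   80'

case "${1:-}" in
    dry-run) IPCHAINS=print_cmd apply_rules ;;              # print, do not load
    apply)   apply_rules ;;                                 # load into the kernel
    check)   "$IPCHAINS" -L -n | unreferenced_chains ;;     # scan the live rule set
    demo)    printf '%s\n' "$SAMPLE_UNLINKED" | unreferenced_chains ;;
esac
```

`sh proxy-only.sh dry-run` prints the five rules, `apply` loads them (as root, on the e-smith box), and `check` reports any chain that nothing jumps to, which is exactly the state after Nathan's two commands without Simeon's third. Rules loaded this way are still lost whenever e-smith rebuilds its firewall, so they have to be re-applied from wherever that rebuild happens.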

Simeon

Modem reconnection cancels our blocking
« Reply #12 on: May 28, 2001, 04:59:02 PM »
Just found that when my modem connection dies and automatically restarts, the blocking of port 80 ceases.
Must be something to do with some sort of network create or something that occurs.
Looking into it.
any help appreciated.

Simeon

Re: Modem reconnection cancels our blocking
« Reply #13 on: May 28, 2001, 10:16:40 PM »
Hello again,

when the modem dies, then after/during reconnection examination of /var/log/messages shows that the firewall and masquerading rules are shut down.

Which file should I append the ipchains statements to, so that they are reinstated as soon as the modem connection is remade?

TIA.

Dave D

Re: port 80?
« Reply #14 on: May 29, 2001, 12:00:34 PM »
There's a thread regarding making ipchains additions permanent in the Experienced forum too.