Koozali.org: home of the SME Server

to block outgoing traffic (http + https) for specific IPs on local network

Offline mdo

We would like to block outgoing traffic on port 80 (http) and 443 (https) for specific IPs on the local network.

I don't believe that there is either a contrib that allows this or a db configuration to achieve it easily (or am I wrong here?). I searched, but it seems the discussions in the past were about blocking outgoing traffic on specific ports for the whole local network, not selecting by IP.

Is there any known solution to this available? Any pointers?

Thanks,
Michael
...

Offline byte

Re: to block outgoing traffic (http + https) for specific IPs on local network
« Reply #1 on: February 19, 2008, 11:11:49 AM »
Is there any known solution to this available? Any pointers?

I do this using squid ACLs very successfully, have a look here:

http://www.squid-cache.org/Versions/v2/2.6/cfgman/

Key thing to remember is to make sure you have your ACLs in the right order, otherwise they won't work how you think they should.
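The squid ACL approach from this reply, written out as an added example that is not code from the thread or the SME project. It generates the ACL fragment for a list of LAN hosts and then checks the ordering point made above: squid evaluates `http_access` lines top to bottom and stops at the first match, so a deny placed after the allow for the LAN is never reached. A `src` deny also matches CONNECT requests, so an explicitly configured browser is refused for https as well as http. The template directory, fragment name, `expand-template` call, restart command and sample addresses are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or the SME project.
# Generates a squid ACL fragment that denies all proxied web access
# (http and, via CONNECT, https) for listed LAN hosts, and checks that the
# deny line comes before any "http_access allow" line: squid walks the
# http_access list top to bottom and stops at the first match, so a deny
# placed after the allow for the LAN is never reached.
#
# Assumptions (not stated in the thread): squid.conf on SME is built from
# template fragments under /etc/e-smith/templates/etc/squid/squid.conf/,
# merged in name order, with custom fragments placed in the matching
# templates-custom directory; the fragment name, the expand-template and
# restart commands, and the sample addresses are illustrative.

BLOCKED_HOSTS="${BLOCKED_HOSTS:-192.168.10.10 192.168.10.11}"
FRAG_DIR=/etc/e-smith/templates-custom/etc/squid/squid.conf
FRAG_NAME=35BlockHosts   # must sort before the fragment holding the allow rules

# Emit the two squid.conf lines for the hosts given as arguments.
gen_block_acl() {
    ips=""
    for ip in "$@"; do
        ips="$ips $ip/32"
    done
    printf 'acl blocked_hosts src%s\n' "$ips"
    printf 'http_access deny blocked_hosts\n'
}

# Read a squid.conf on stdin. Exit 0 when the deny precedes every
# http_access allow, 1 when an allow comes first (the deny is dead),
# 2 when the deny line is missing altogether.
check_acl_order() {
    awk '
        /^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+blocked_hosts([[:space:]]|$)/ { deny = NR; exit }
        /^[[:space:]]*http_access[[:space:]]+allow[[:space:]]/ && !allow { allow = NR }
        END {
            if (!deny) exit 2
            if (allow && allow < deny) exit 1
            exit 0
        }'
}

# Install the fragment, rebuild squid.conf and verify the order before
# restarting squid, so a misplaced fragment is caught rather than ignored.
install_block_acl() {
    mkdir -p "$FRAG_DIR"
    gen_block_acl $BLOCKED_HOSTS > "$FRAG_DIR/$FRAG_NAME"
    expand-template /etc/squid/squid.conf
    if ! check_acl_order < /etc/squid/squid.conf; then
        echo "deny for blocked_hosts is missing or placed after an allow; rename the fragment" >&2
        return 1
    fi
    /etc/init.d/squid restart
}

# Usage on the server: install_block_acl
# To inspect the generated lines first: gen_block_acl 192.168.10.10
```

Before relying on the fragment name, check which existing fragment carries the allow rules (for example `grep -l 'http_access allow' /etc/e-smith/templates/etc/squid/squid.conf/*`) and pick a name that sorts before it; `check_acl_order` run against the expanded `/etc/squid/squid.conf` confirms the result.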

Offline mdo

Re: to block outgoing traffic (http + https) for specific IPs on local network
« Reply #2 on: February 19, 2008, 06:47:03 PM »
Thank you for your answer.

We have tested with squid ACLs on SME 7.3 and there was no problem achieving our blocking for specific IPs for http (port 80), but squid (version 2.5-stable14.xxx) on SME 7.3 does NOT handle https traffic at all, and that was the shortcoming.

Your link points to a squid version 2.6 configuration file which mentions an "https_port" and the requirement to "--enable-ssl". I searched for https_port on squid-2.5 and it looks like this would be possible to enable, and I am surprised.

I thought squid and https together (for whatever reasons) would not be possible and that this would be the reason why SME in its standard configuration never proxies https traffic. Maybe it is easier than I thought and I just have to look at enabling https proxying and do my testing with ACLs again?

Thanks again for the pointer. I will do some testing and report back here. If someone else knows the answer to my new question (why does SME in its standard configuration NOT use squid for https traffic proxying, when it does so nicely for http traffic?) I would be very curious.

Thanks,
Michael



...

Offline arne

Re: to block outgoing traffic (http + https) for specific IPs on local network
« Reply #3 on: February 19, 2008, 10:19:11 PM »
For Squid proxy off:

iptables -I FORWARD -i eth0 -s 192.168.10.10 -p tcp --dport 80 -j DROP
iptables -I FORWARD -i eth0 -s 192.168.10.10 -p tcp --dport 443 -j DROP

For Squid proxy on:

iptables -I INPUT -i eth0 -s 192.168.10.10 -p tcp --dport 80 -j DROP
iptables -I INPUT -i eth0 -s 192.168.10.10 -p tcp --dport 443 -j DROP

(Almost. There could be some issues with the squid proxy on and 443.)

......
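The iptables approach above, generalised into a small script as an added example (not code from the thread or the SME project). Rather than choosing between FORWARD and INPUT depending on whether the transparent proxy is on, it puts the drops in the mangle PREROUTING chain, which a packet traverses before nat PREROUTING and therefore before squid's transparent REDIRECT rewrites port 80 to 3128; the same rules then work in both cases. Port 3128 is included so that a client explicitly configured to use the proxy is dropped too. The chain name, the `IPT` variable for dry runs, the sample address and the assumption that eth0 is the internal interface (as in the post above) are mine; on SME the firewall is generated by the masq service from templates, so rules typed by hand are assumed to disappear when it is regenerated, and a persistent setup would place the same commands in a custom masq template fragment, which is not shown here.

```shell
#!/bin/sh
# Added example, not code from the thread or the SME project.
# Drops outgoing web traffic from chosen LAN hosts whether the transparent
# proxy is on or off: the rules go in the mangle PREROUTING chain, which a
# packet traverses before nat PREROUTING, i.e. before squid's transparent
# REDIRECT rewrites port 80 to 3128. Port 3128 is dropped too, so a client
# explicitly configured to use the proxy is caught as well. The rules live
# in a dedicated chain that is flushed and refilled, which makes re-running
# the script safe on an iptables without the -C check option.
#
# Assumptions: eth0 is the internal interface as in the thread; the chain
# name and the sample address are constructed. On SME the firewall is
# generated by the masq service from templates, so rules applied by hand
# are assumed to vanish when that service regenerates them; for a persistent
# setup put the same commands in a custom masq template fragment.

IPT="${IPT:-iptables}"     # set IPT=echo to preview the commands instead of applying them
LAN_IF="${LAN_IF:-eth0}"
CHAIN="${CHAIN:-blockweb}"
WEB_PORTS="${WEB_PORTS:-80 443 3128}"

# Print one iptables argument line per blocked port for the given host.
web_block_rules() {
    host=$1
    for port in $WEB_PORTS; do
        printf '%s\n' "-t mangle -A $CHAIN -i $LAN_IF -s $host -p tcp --dport $port -j DROP"
    done
}

# Create or reset the chain, hook it into mangle PREROUTING once, and load
# the rules for every host given as an argument.
apply_web_block() {
    $IPT -t mangle -N "$CHAIN" 2>/dev/null || true
    $IPT -t mangle -F "$CHAIN"
    $IPT -t mangle -L PREROUTING -n 2>/dev/null | grep -q "^$CHAIN " \
        || $IPT -t mangle -I PREROUTING -i "$LAN_IF" -j "$CHAIN"
    for host in "$@"; do
        web_block_rules "$host" | while read -r rule; do
            # $rule is deliberately unquoted: it holds separate arguments
            $IPT $rule
        done
    done
}

# Usage: apply_web_block 192.168.10.10 192.168.10.11
# Preview:  IPT=echo ./blockweb.sh   (after calling apply_web_block in the script)
```

Traffic that reaches squid on 3128 from hosts not listed here is still subject to the squid ACLs, so the two mechanisms complement each other: iptables stops the blocked hosts from reaching the web or the proxy at all, the ACL governs what the remaining hosts may fetch.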

Offline CharlieBrady

Re: to block outgoing traffic (http + https) for specific IPs on local network
« Reply #4 on: February 19, 2008, 10:46:51 PM »
Thanks again for the pointer. I will do some testing and report back here. If someone else knows the answer to my new question (why does SME in its standard configuration NOT use squid for https traffic proxying, when it does so nicely for http traffic?)

SME doesn't do anything unless someone at some stage cared enough about the issue to "make it so". So that's the most general answer to your question.

AFAIK, squid in SME has always been able to proxy https connections via the CONNECT method. Just configure your browser, and it will use the proxy.

squid cannot, however, do transparent proxy for https traffic. If you think about it, I'm sure you'll see why that is the case.
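The CONNECT method mentioned above, exercised from a LAN client as an added example (not code from the thread or the SME project), so that an ACL can be verified for https and not only for http. A browser configured to use the proxy sends `CONNECT host:443` and, if squid allows it, gets a `200` reply and then speaks TLS through the tunnel; a source-IP deny produces a `403` instead. Proxy address and port are assumptions and `nc` (netcat) is assumed to be available on the client.

```shell
#!/bin/sh
# Added example (not from the thread): exercise explicit https proxying
# through squid's CONNECT method from a LAN client, to confirm that a
# source-IP ACL really denies https as well as http.
# PROXY/PROXY_PORT defaults are assumptions; nc (netcat) must be installed.

PROXY="${PROXY:-192.168.10.1}"
PROXY_PORT="${PROXY_PORT:-3128}"

# The request a browser sends to an explicit proxy before speaking TLS:
# the proxy is asked to open a raw tunnel to host:443 and relay bytes.
connect_request() {
    printf 'CONNECT %s:443 HTTP/1.0\r\nHost: %s:443\r\n\r\n' "$1" "$1"
}

# Classify the proxy's first response line: "tunnel" when squid answered
# 200 (the ACL let the request through), "denied" on 403, else "other"
# (no reply, connection refused, or an unexpected status).
connect_verdict() {
    status=$(printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$status" in
        200) echo tunnel ;;
        403) echo denied ;;
        *)   echo other ;;
    esac
}

# Send the CONNECT to the proxy and report the verdict; -w 5 bounds the wait.
probe_https_via_proxy() {
    reply=$(connect_request "$1" | nc -w 5 "$PROXY" "$PROXY_PORT")
    connect_verdict "$reply"
}

# Usage from a host that should be blocked:  probe_https_via_proxy www.example.com
# Expected: "denied" from a blocked host, "tunnel" from an allowed one.
```

Run the probe once from an address covered by the deny ACL and once from one that is not; if both answer `tunnel`, the deny line is either missing from the expanded squid.conf or placed after an allow that matches first.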

Offline cactus

Re: to block outgoing traffic (http + https) for specific IPs on local network
« Reply #5 on: February 21, 2008, 04:33:17 PM »
squid cannot, however, do transparent proxy for https traffic. If you think about it, I'm sure you'll see why that is the case.
Otherwise here is a clue: http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#ss2.3 :-)

Offline mmccarn

Re: to block outgoing traffic (http + https) for specific IPs on local network
« Reply #6 on: February 22, 2008, 04:12:22 PM »
Here's a bug entry with some code that can be used to block outgoing traffic: http://bugs.contribs.org/show_bug.cgi?id=2977

Offline raem

Re: to block outgoing traffic (http + https) for specific IPs on local network
« Reply #7 on: February 23, 2008, 05:05:01 AM »
mmccarn

Quote
Here's a bug entry with some code that can be used to block outgoing traffic: http://bugs.contribs.org/show_bug.cgi?id=2977

Which is more neatly documented here
http://wiki.contribs.org/Firewall#Block_outgoing_ports
...

Offline mdo

Re: to block outgoing traffic (http + https) for specific IPs on local network
« Reply #8 on: February 25, 2008, 07:07:01 PM »
Thank you for all the hints and suggestions, which challenged me to try to understand better how squid as a proxy works in an SME server environment. I must have taken the transparent proxy feature for 'granted' without understanding it properly.

What I wanted to achieve (to block web access completely for specific IPs on the local network) I would like to do via squid ACLs.
For this to work flexibly, I now want to "enforce" a proxy setup on each PC on the LAN rather than using the transparent proxy at all; I am even thinking of disabling the transparent proxy (on port 80) and enforcing web access through port 3128 only.

The 'wpad.dat' feature, built into DHCP, looks promising for this (http://bugs.contribs.org/show_bug.cgi?id=3512), which I will try (and report back to the bug if I figure out exactly how it should work).
...