From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Host blocking
Date: Tue, 17 May 2005 11:06:28 -0500
Message-ID: <428A1684.2040804@riverviewtech.net>
In-Reply-To: <003b01c55acb$841114a0$f00aa9c0@winxp>

> Our ISP's proxy server is proxy.ISP.net, our company's own proxy server
> is proxy.ourcompany.net. Our own proxy server has delay_pool but our ISP
> proxy server doesn't. I want to control our clients to use only our
> company proxy server. How can I block proxy.ISP.net using iptables
> so that everybody can be forced to use our company proxy server? (Note
> that our company proxy server is connected to our ISP proxy server as
> cache_peer parent.)

If you want to block just proxy.ISP.net you could do a simple filter in the filter table FORWARD chain.  However, I think you are really asking for a solution that will prevent your users from using ANY proxy other than your company's proxy.  As such, I have included what I am using here at my office:

# I am creating a new (sub)chain so that I have to do fewer comparisons, which speeds things up.
iptables -t nat -N Proxy_Bypass_Attempt
iptables -t nat -A Proxy_Bypass_Attempt -j LOG --log-prefix "Proxy Bypass Attempt:  "
iptables -t nat -A Proxy_Bypass_Attempt -p tcp -j DNAT --to-destination ${My_Proxy_Server_IP}:${My_Proxy_Server_Port}
# We will need to SNAT any traffic that attempted to bypass the proxy so that it will get back to the client correctly.
iptables -t nat -A POSTROUTING -o ${LAN} -s ${LAN_Subnet} -d ${My_Proxy_Server_IP} -p tcp --dport ${My_Proxy_Server_Port} -j SNAT --to-source ${My_Firewall_IP}
# Let's jump to the Proxy_Bypass_Attempt chain if this looks like web traffic (but never for the proxy's own outbound requests).
iptables -t nat -A PREROUTING -i ${LAN} ! -s ${My_Proxy_Server_IP} -p tcp --dport 80 -j Proxy_Bypass_Attempt
# We will need to allow traffic to forward from our LAN back out to itself, as any proxy bypass attempt traffic will fall into this category.
iptables -t filter -A FORWARD -i ${LAN} -o ${LAN} -j ACCEPT

Note:  I am presently not blocking port 443 but I think it would be easy to do such with this example.  You could probably just use the -m mport match by replacing the rule in the PREROUTING chain that jumps to the Proxy_Bypass_Attempt chain as such:

# Let's jump to the Proxy_Bypass_Attempt chain if this looks like web traffic (destination port 80 or 443).
iptables -t nat -A PREROUTING -i ${LAN} ! -s ${My_Proxy_Server_IP} -p tcp -m mport --destination-ports 80,443 -j Proxy_Bypass_Attempt

- Or (if you do not have mport match extension support) -

# Let's jump to the Proxy_Bypass_Attempt chain if this looks like web traffic.
iptables -t nat -A PREROUTING -i ${LAN} ! -s ${My_Proxy_Server_IP} -p tcp --dport 80 -j Proxy_Bypass_Attempt
iptables -t nat -A PREROUTING -i ${LAN} ! -s ${My_Proxy_Server_IP} -p tcp --dport 443 -j Proxy_Bypass_Attempt

Grant. . . .