* Rules for Blocking Proxies...
@ 2004-04-20 16:44 Harry
2004-04-20 5:50 ` Rio Martin
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: Harry @ 2004-04-20 16:44 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 563 bytes --]
Hi All,
I am running Fedora and Redhat 9 on two servers at my Cybercafe, connected on two Hi speed Lines, I have a decent firewall script, but these days I am facing issues about people changing the Proxy settings in order to get thru porn sites, can anybody suggest some rules which I can implement in the script that avoids connection to these servers? Suggestions are welcome.
Regards
Harry
"In all this world, there is only you
When all else ceases, there is only you"
-- to my MASTER!
Harish
harish@sabnanis.com
harish.sabnani@cyberhutoman.com
[-- Attachment #2: Type: text/html, Size: 1483 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: Rules for Blocking Proxies... 2004-04-20 16:44 Rules for Blocking Proxies Harry @ 2004-04-20 5:50 ` Rio Martin 2004-04-20 7:35 ` Antony Stone 2004-04-20 13:35 ` Alexis 2 siblings, 0 replies; 12+ messages in thread From: Rio Martin @ 2004-04-20 5:50 UTC (permalink / raw) To: Harry, netfilter On Tuesday 20 April 2004 23:44, Harry wrote: > Hi All, > I am running Fedora and Redhat 9 on two servers at my Cybercafe, connected > on two Hi speed Lines, I have a decent firewall script, but these days I am > facing issues about people changing the Proxy settings in order to get thru > porn sites, can anybody suggest some rules which I can implement in the > script that avoids connection to these servers? Suggestions are welcome. > Regards > Harry Transparent proxy and firewall port blocking would be usefull to reject your users changing the proxy. - Rio.Martin - ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Rules for Blocking Proxies... 2004-04-20 16:44 Rules for Blocking Proxies Harry 2004-04-20 5:50 ` Rio Martin @ 2004-04-20 7:35 ` Antony Stone 2004-04-20 13:35 ` Alexis 2 siblings, 0 replies; 12+ messages in thread From: Antony Stone @ 2004-04-20 7:35 UTC (permalink / raw) To: netfilter On Tuesday 20 April 2004 5:44 pm, Harry wrote: > Hi All, > I am running Fedora and Redhat 9 on two servers at my Cybercafe, connected > on two Hi speed Lines, I have a decent firewall script, but these days I am > facing issues about people changing the Proxy settings in order to get thru > porn sites, can anybody suggest some rules which I can implement in the > script that avoids connection to these servers? Suggestions are welcome. The firewall should allow connections to remote web servers (ie TCP --dport 80, 8080 etc) from the proxy server's IP only. Don't allow any other IP address in your network to connect to an external address on dport 80. Regards, Antony. -- "The problem with television is that the people must sit and keep their eyes glued on a screen; the average American family hasn't time for it." - Report in the New York Times, following a demonstration at the 1939 World's Fair. Please reply to the list; please don't CC me. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Rules for Blocking Proxies... 2004-04-20 16:44 Rules for Blocking Proxies Harry 2004-04-20 5:50 ` Rio Martin 2004-04-20 7:35 ` Antony Stone @ 2004-04-20 13:35 ` Alexis 2004-04-20 13:47 ` Ray Leach 2004-04-20 13:53 ` Antony Stone 2 siblings, 2 replies; 12+ messages in thread From: Alexis @ 2004-04-20 13:35 UTC (permalink / raw) To: Harry; +Cc: Netfilter [-- Attachment #1: Type: text/plain, Size: 848 bytes --] set up your own proxy server and only permit connections to this box :) ----- Original Message ----- From: Harry To: netfilter@lists.netfilter.org Sent: Tuesday, April 20, 2004 1:44 PM Subject: Rules for Blocking Proxies... Hi All, I am running Fedora and Redhat 9 on two servers at my Cybercafe, connected on two Hi speed Lines, I have a decent firewall script, but these days I am facing issues about people changing the Proxy settings in order to get thru porn sites, can anybody suggest some rules which I can implement in the script that avoids connection to these servers? Suggestions are welcome. Regards Harry "In all this world, there is only you When all else ceases, there is only you" -- to my MASTER! Harish harish@sabnanis.com harish.sabnani@cyberhutoman.com [-- Attachment #2: Type: text/html, Size: 2519 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Rules for Blocking Proxies... 2004-04-20 13:35 ` Alexis @ 2004-04-20 13:47 ` Ray Leach 2004-04-20 13:53 ` Antony Stone 1 sibling, 0 replies; 12+ messages in thread From: Ray Leach @ 2004-04-20 13:47 UTC (permalink / raw) To: Netfilter Mailing List [-- Attachment #1: Type: text/plain, Size: 1162 bytes --] On Tue, 2004-04-20 at 15:35, Alexis wrote: > set up your own proxy server and only permit connections to this box > :) > > > ----- Original Message ----- > From: Harry > To: netfilter@lists.netfilter.org > Sent: Tuesday, April 20, 2004 1:44 PM > Subject: Rules for Blocking Proxies... > > Hi All, > I am running Fedora and Redhat 9 on two servers at my > Cybercafe, connected on two Hi speed Lines, I have a decent > firewall script, but these days I am facing issues about > people changing the Proxy settings in order to get thru porn > sites, can anybody suggest some rules which I can implement in > the script that avoids connection to these servers? > Suggestions are welcome. <snip> Or use a ban list to DROP packets destined for the public proxies ... -- -- Raymond Leach <raymondl@knowledgefactory.co.za> Network Support Specialist http://www.knowledgefactory.co.za "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import" Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28 -- [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Rules for Blocking Proxies... 2004-04-20 13:35 ` Alexis 2004-04-20 13:47 ` Ray Leach @ 2004-04-20 13:53 ` Antony Stone 2004-04-20 14:23 ` Alexis 2004-04-20 14:27 ` Alexis 1 sibling, 2 replies; 12+ messages in thread From: Antony Stone @ 2004-04-20 13:53 UTC (permalink / raw) To: Netfilter On Tuesday 20 April 2004 2:35 pm, Alexis wrote: > set up your own proxy server and only permit connections to this box :) I must admit I had assumed, when answering this previously, that Harry was already running his own proxy, but wanted to stop clients reconfiguring their browsers to go direct instead. If the proxy server is instead on the outside of the network, then the answer to the question "how do I stop people changing the browser settings to bypass the proxy?" is to allow connections on TCP port 80 to the proxy server only, and block all other destination addresses for that port. Remember of course that you can always do a DNAT rule to send people to the proxy address anyway, even if they did decide to go direct - then instead of getting a "connection timeout" message they find themselves using the proxy even after reconfiguring their browser settings :) iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to IP.of.pro.xy Regards, Antony. > Hi All, > I am running Fedora and Redhat 9 on two servers at my Cybercafe, > connected on two Hi speed Lines, I have a decent firewall script, but these > days I am facing issues about people changing the Proxy settings in order > to get thru porn sites, can anybody suggest some rules which I can > implement in the script that avoids connection to these servers? > Suggestions are welcome. > > Regards > > Harry -- The difference between theory and practice is that in theory there is no difference, whereas in practice there is. Please reply to the list; please don't CC me. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Rules for Blocking Proxies... 2004-04-20 13:53 ` Antony Stone @ 2004-04-20 14:23 ` Alexis 2004-04-20 14:27 ` Alexis 1 sibling, 0 replies; 12+ messages in thread From: Alexis @ 2004-04-20 14:23 UTC (permalink / raw) To: Netfilter beside this. You could remove privileges from the clients, even with an active directory implementation (ajjjj) or i think i saw cybercafe software that block any settings change on the client box. ----- Original Message ----- From: "Antony Stone" <Antony@Soft-Solutions.co.uk> To: "Netfilter" <netfilter@lists.netfilter.org> Sent: Tuesday, April 20, 2004 10:53 AM Subject: Re: Rules for Blocking Proxies... > On Tuesday 20 April 2004 2:35 pm, Alexis wrote: > > > set up your own proxy server and only permit connections to this box :) > > I must admit I had assumed, when answering this previously, that Harry was > already running his own proxy, but wanted to stop clients reconfiguring their > browsers to go direct instead. > > If the proxy server is instead on the outside of the network, then the answer > to the question "how do I stop people changing the browser settings to bypass > the proxy?" is to allow connections on TCP port 80 to the proxy server only, > and block all other destination addresses for that port. > > Remember of course that you can always do a DNAT rule to send people to the > proxy address anyway, even if they did decide to go direct - then instead of > getting a "connection timeout" message they find themselves using the proxy > even after reconfiguring their browser settings :) > > iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to IP.of.pro.xy > > Regards, > > Antony. > > > Hi All, > > I am running Fedora and Redhat 9 on two servers at my Cybercafe, > > connected on two Hi speed Lines, I have a decent firewall script, but these > > days I am facing issues about people changing the Proxy settings in order > > to get thru porn sites, can anybody suggest some rules which I can > > implement in the script that avoids connection to these servers? > > Suggestions are welcome. > > > > Regards > > > > Harry > > -- > The difference between theory and practice is that in theory there is no > difference, whereas in practice there is. > > Please reply to the list; > please don't CC me. > > > ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Rules for Blocking Proxies... 2004-04-20 13:53 ` Antony Stone 2004-04-20 14:23 ` Alexis @ 2004-04-20 14:27 ` Alexis 2004-04-20 14:37 ` Antony Stone 1 sibling, 1 reply; 12+ messages in thread From: Alexis @ 2004-04-20 14:27 UTC (permalink / raw) To: Netfilter beside this. You could remove privileges from the clients, even with an active directory implementation (ajjjj) or i think i saw cybercafe software that block any settings change on the client box. ----- Original Message ----- From: "Antony Stone" <Antony@Soft-Solutions.co.uk> To: "Netfilter" <netfilter@lists.netfilter.org> Sent: Tuesday, April 20, 2004 10:53 AM Subject: Re: Rules for Blocking Proxies... > On Tuesday 20 April 2004 2:35 pm, Alexis wrote: > > > set up your own proxy server and only permit connections to this box :) > > I must admit I had assumed, when answering this previously, that Harry was > already running his own proxy, but wanted to stop clients reconfiguring their > browsers to go direct instead. > > If the proxy server is instead on the outside of the network, then the answer > to the question "how do I stop people changing the browser settings to bypass > the proxy?" is to allow connections on TCP port 80 to the proxy server only, > and block all other destination addresses for that port. > > Remember of course that you can always do a DNAT rule to send people to the > proxy address anyway, even if they did decide to go direct - then instead of > getting a "connection timeout" message they find themselves using the proxy > even after reconfiguring their browser settings :) > > iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to IP.of.pro.xy > > Regards, > > Antony. > > > Hi All, > > I am running Fedora and Redhat 9 on two servers at my Cybercafe, > > connected on two Hi speed Lines, I have a decent firewall script, but these > > days I am facing issues about people changing the Proxy settings in order > > to get thru porn sites, can anybody suggest some rules which I can > > implement in the script that avoids connection to these servers? > > Suggestions are welcome. > > > > Regards > > > > Harry > > -- > The difference between theory and practice is that in theory there is no > difference, whereas in practice there is. > > Please reply to the list; > please don't CC me. > > > ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Rules for Blocking Proxies... 2004-04-20 14:27 ` Alexis @ 2004-04-20 14:37 ` Antony Stone 2004-04-21 23:39 ` Harry 2004-04-28 17:34 ` Rules for Blocking Proxies...THANKS !! Harry 0 siblings, 2 replies; 12+ messages in thread From: Antony Stone @ 2004-04-20 14:37 UTC (permalink / raw) To: Netfilter On Tuesday 20 April 2004 3:27 pm, Alexis wrote: > beside this. > You could remove privileges from the clients, even with an active directory > implementation (ajjjj) or i think i saw cybercafe software that block any > settings change on the client box. That is making some very big assumptions about what Operating System/s are running on the clients.... Regards, Antony. -- The truth is rarely pure, and never simple. - Oscar Wilde Please reply to the list; please don't CC me. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Rules for Blocking Proxies... 2004-04-20 14:37 ` Antony Stone @ 2004-04-21 23:39 ` Harry 2004-04-28 17:34 ` Rules for Blocking Proxies...THANKS !! Harry 1 sibling, 0 replies; 12+ messages in thread From: Harry @ 2004-04-21 23:39 UTC (permalink / raw) To: Netfilter [-- Attachment #1: Type: text/plain, Size: 1397 bytes --] Hey All, These are loads of recommendations, well I am using Windows 2000 Clients, what i think should be best for my level of understanding is a simple set of rules that can be added to my firewall script that will STOP all other connections except the INTIF connection on which squid and Iptables listens. I have attached my script, Pls suggest any modifications.... Regards Harry "In all this world, there is only you When all else ceases, there is only you" -- to my MASTER! Harish harish@sabnanis.com harish.sabnani@cyberhutoman.com ----- Original Message ----- From: "Antony Stone" <Antony@Soft-Solutions.co.uk> To: "Netfilter" <netfilter@lists.netfilter.org> Sent: Tuesday, April 20, 2004 7:37 AM Subject: Re: Rules for Blocking Proxies... > On Tuesday 20 April 2004 3:27 pm, Alexis wrote: > > > beside this. > > You could remove privileges from the clients, even with an active directory > > implementation (ajjjj) or i think i saw cybercafe software that block any > > settings change on the client box. > > That is making some very big assumptions about what Operating System/s are > running on the clients.... > > Regards, > > Antony. > > -- > The truth is rarely pure, and never simple. > > - Oscar Wilde > > Please reply to the list; > please don't CC me. > > [-- Attachment #2: rc.firewall-2.4 --] [-- Type: application/octet-stream, Size: 12137 bytes --] #!/bin/sh # # rc.firewall-2.4 FWVER=0.74 # # Initial SIMPLE IP Masquerade test for 2.4.x kernels # using IPTABLES. # # Once IP Masquerading has been tested, with this simple # ruleset, it is highly recommended to use a stronger # IPTABLES ruleset either given later in this HOWTO or # from another reputable resource. # # # # Log: # 0.74 - the ruleset now uses modprobe vs. insmod # 0.73 - REJECT is not a legal policy yet; back to DROP # 0.72 - Changed the default block behavior to REJECT not DROP # 0.71 - Added clarification that PPPoE users need to use # "ppp0" instead of "eth0" for their external interface # 0.70 - Added commented option for IRC nat module # - Added additional use of environment variables # - Added additional formatting # 0.63 - Added support for the IRC IPTABLES module # 0.62 - Fixed a typo on the MASQ enable line that used eth0 # instead of $EXTIF # 0.61 - Changed the firewall to use variables for the internal # and external interfaces. # 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP # all forwarded packets but it didn't have a rule to ACCEPT # any packets to be forwarded either # - Load the ip_nat_ftp and ip_conntrack_ftp modules by default # 0.50 - Initial draft # echo -e "\n\nLoading simple rc.firewall version $FWVER..\n" # The location of the iptables and kernel module programs # # If your Linux distribution came with a copy of iptables, # most likely all the programs will be located in /sbin. If # you manually compiled iptables, the default location will # be in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # IPTABLES=/sbin/iptables #IPTABLES=/usr/local/sbin/iptables DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe #Setting the EXTERNAL and INTERNAL interfaces for the network # # Each IP Masquerade network needs to have at least one # external and one internal network. The external network # is where the natting will occur and the internal network # should preferably be addressed with a RFC1918 private address # scheme. # # For this example, "eth0" is external and "eth1" is internal" # # # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # # If you are a PPPoE or analog modem user: # # EXTIF="ppp0" # # EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" #====================================================================== #== No editing beyond this line is required for initial MASQ testing == echo -en " loading modules: " # Need to verify that all modules have all required dependencies # echo " - Verifying that all kernel modules are ok" $DEPMOD -a # With the new IPTABLES code, the core MASQ functionality is now either # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES # options as MODULES. If your kernel is compiled correctly, there is # NO need to load the kernel modules manually. # # NOTE: The following items are listed ONLY for informational reasons. # There is no reason to manual load these modules unless your # kernel is either mis-configured or you intentionally disabled # the kernel module autoloader. # # Upon the commands of starting up IP Masq on the server, the # following kernel modules will be automatically loaded: # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ # modules are shown below but are commented out from loading. # =============================================================== echo "----------------------------------------------------------------------" #Load the main body of the IPTABLES module - "iptable" # - Loaded automatically when the "iptables" command is invoked # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_tables, " $MODPROBE ip_tables #Load the IPTABLES filtering module - "iptable_filter" # - Loaded automatically when filter policies are activated #Load the stateful connection tracking framework - "ip_conntrack" # # The conntrack module in itself does nothing without other specific # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" # module # # - This module is loaded automatically when MASQ functionality is # enabled # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_conntrack, " $MODPROBE ip_conntrack #Load the FTP tracking mechanism for full FTP tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_conntrack_ftp, " $MODPROBE ip_conntrack_ftp #Load the IRC tracking mechanism for full IRC tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_conntrack_irc, " $MODPROBE ip_conntrack_irc #Load the general IPTABLES NAT code - "iptable_nat" # - Loaded automatically when MASQ functionality is turned on # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "iptable_nat, " $MODPROBE iptable_nat #Loads the FTP NAT functionality into the core IPTABLES code # Required to support non-PASV FTP. # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_nat_ftp, " $MODPROBE ip_nat_ftp #Loads the IRC NAT functionality into the core IPTABLES code # Require to support NAT of IRC DCC requests # # Disabled by default -- remove the "#" on the next line to activate # #echo -e "ip_nat_irc" #$MODPROBE ip_nat_irc echo "----------------------------------------------------------------------" # Just to be complete, here is a list of the remaining kernel modules # and their function. Please note that several modules should be only # loaded by the correct master kernel module for proper operation. # -------------------------------------------------------------------- # # ipt_mark - this target marks a given packet for future action. # This automatically loads the ipt_MARK module # # ipt_tcpmss - this target allows to manipulate the TCP MSS # option for braindead remote firewalls. # This automatically loads the ipt_TCPMSS module # # ipt_limit - this target allows for packets to be limited to # to many hits per sec/min/hr # # ipt_multiport - this match allows for targets within a range # of port numbers vs. listing each port individually # # ipt_state - this match allows to catch packets with various # IP and TCP flags set/unset # # ipt_unclean - this match allows to catch packets that have invalid # IP/TCP flags set # # iptable_filter - this module allows for packets to be DROPped, # REJECTed, or LOGged. This module automatically # loads the following modules: # # ipt_LOG - this target allows for packets to be # logged # # ipt_REJECT - this target DROPs the packet and returns # a configurable ICMP packet back to the # sender. # # iptable_mangle - this target allows for packets to be manipulated # for things like the TCPMSS option, etc. echo -e " Done loading modules.\n" #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, # enable this following option. This enables dynamic-address hacking # which makes the life with Diald and similar programs much easier. # #echo " Enabling DynamicAddr.." #echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Enable simple IP forwarding and Masquerading # # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. # # NOTE #2: The following is an example for an internal LAN address in the # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask # connecting to the Internet on external interface "eth0". This # example will MASQ internal traffic out to the Internet but not # allow non-initiated traffic into your internal network. # # # ** Please change the above network numbers, subnet mask, and your # *** Internet connection interface name to match your setup # #Clearing any previous configuration # # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is DROP (REJECT is not a valid policy) # echo " Clearing any existing rules and setting default policy.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -t nat -F echo " FWD: Allow all connections OUT and only existing and related ones IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT # DROP BROADCAST TRAFFIC $IPTABLES -A FORWARD -d 255.255.255.0/24 -j DROP # DROP WINDOWS NETBIOS TRAFFIC $IPTABLES -A FORWARD -p tcp --dport 135:139 -j DROP $IPTABLES -A FORWARD -p udp --dport 135:139 -j DROP $IPTABLES -A FORWARD -p tcp --dport 445 -j DROP $IPTABLES -A FORWARD -p udp --dport 445 -j DROP # DROP UNIX TRAFFIC $IPTABLES -A FORWARD -p tcp --dport 111 -j DROP $IPTABLES -A FORWARD -p udp --dport 111 -j DROP $IPTABLES -A FORWARD -p tcp --dport 113 -j DROP $IPTABLES -A FORWARD -p udp --dport 113 -j DROP $IPTABLES -A FORWARD -p tcp --dport 513:515 -j DROP $IPTABLES -A FORWARD -p udp --dport 513:515 -j DROP # DROP LDAP $IPTABLES -A FORWARD -p tcp --dport 389 -j DROP $IPTABLES -A FORWARD -j LOG echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE $IPTABLES -A INPUT -i lo -p all -j ACCEPT $IPTABLES -A OUTPUT -o lo -p all -j ACCEPT $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A INPUT -i $INTIF -s 10.10.10.0/24 -j ACCEPT $IPTABLES -P INPUT DROP # IGNORE TCP SYN COOKIES (NOT WEB SITE COOKIES) echo 1 > /proc/sys/net/ipv4/tcp_syncookies # IGNORE ICMP BROADCASTS echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # IGNORE SPOOFED PACKETS echo 1 >/proc/sys/net/ipv4/conf/$EXTIF/rp_filter echo 1 >/proc/sys/net/ipv4/conf/$INTIF/rp_filter # IGNORE SOURCE-ROUTED PACKETS (WILL NOT HURT ROUTING) echo 0 > /proc/sys/net/ipv4/conf/$EXTIF/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/$INTIF/accept_source_route # IGNORE ICMP REDIRECTS echo 0 > /proc/sys/net/ipv4/conf/$EXTIF/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/$INTIF/accept_redirects # DISABLE REDIRECT MESSAGES echo 0 > /proc/sys/net/ipv4/conf/$INTIF/send_redirects echo 0 > /proc/sys/net/ipv4/conf/$EXTIF/send_redirects echo -e "\nDone.\n" ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Rules for Blocking Proxies...THANKS !! 2004-04-20 14:37 ` Antony Stone 2004-04-21 23:39 ` Harry @ 2004-04-28 17:34 ` Harry 2004-04-28 6:53 ` Rio Martin 1 sibling, 1 reply; 12+ messages in thread From: Harry @ 2004-04-28 17:34 UTC (permalink / raw) To: Netfilter Hi All, Many thanks Mr.Antony, Alexix and the rest who helped me with the rule, the DNAT rule works great!! Was just going thru a website http://www.antiproxy.com wow...they have loads of ports thru which proxies can be bypassed?So does that mean I have to write rules for each of the relavent ports?at the moment I have just done for port 3128, and blocked the site antiproxy.com thru squid. Suggestions are welcome... Regards Harry "In all this world, there is only you When all else ceases, there is only you" -- to my MASTER! Harish harish@sabnanis.com harish.sabnani@cyberhutoman.com ----- Original Message ----- From: "Antony Stone" <Antony@Soft-Solutions.co.uk> To: "Netfilter" <netfilter@lists.netfilter.org> Sent: Tuesday, April 20, 2004 7:37 AM Subject: Re: Rules for Blocking Proxies... > On Tuesday 20 April 2004 3:27 pm, Alexis wrote: > > > beside this. > > You could remove privileges from the clients, even with an active directory > > implementation (ajjjj) or i think i saw cybercafe software that block any > > settings change on the client box. > > That is making some very big assumptions about what Operating System/s are > running on the clients.... > > Regards, > > Antony. > > -- > The truth is rarely pure, and never simple. > > - Oscar Wilde > > Please reply to the list; > please don't CC me. > > ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Rules for Blocking Proxies...THANKS !! 2004-04-28 17:34 ` Rules for Blocking Proxies...THANKS !! Harry @ 2004-04-28 6:53 ` Rio Martin 0 siblings, 0 replies; 12+ messages in thread From: Rio Martin @ 2004-04-28 6:53 UTC (permalink / raw) To: Netfilter On Thursday 29 April 2004 00:34, Harry wrote: > Hi All, > Many thanks Mr.Antony, Alexix and the rest who helped me with the rule, the > DNAT rule works great!! Was just going thru a website > http://www.antiproxy.com > wow...they have loads of ports thru which proxies can be bypassed?So does > that mean I have to write rules for each of the relavent ports?at the > moment I have just done for port 3128, and blocked the site antiproxy.com > thru squid. > Suggestions are welcome... > Regards > Harry Maybe you should change Policy for FORWARD chain into Default DENY. After that, you can add your allowed connection port list to be allowed. Like port 80,25,53,110,8080,etc.. - Rio.Martin - ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2004-04-28 17:34 UTC | newest] Thread overview: 12+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2004-04-20 16:44 Rules for Blocking Proxies Harry 2004-04-20 5:50 ` Rio Martin 2004-04-20 7:35 ` Antony Stone 2004-04-20 13:35 ` Alexis 2004-04-20 13:47 ` Ray Leach 2004-04-20 13:53 ` Antony Stone 2004-04-20 14:23 ` Alexis 2004-04-20 14:27 ` Alexis 2004-04-20 14:37 ` Antony Stone 2004-04-21 23:39 ` Harry 2004-04-28 17:34 ` Rules for Blocking Proxies...THANKS !! Harry 2004-04-28 6:53 ` Rio Martin
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox