* Host blocking
From: Wennie V. Lagmay @ 2005-05-17 10:30 UTC
To: netfilter
Our ISP's proxy server is proxy.ISP.net, our company's own proxy server is proxy.ourcompany.net. Our own proxy server has delay_pool but our ISP proxy server doesn't. I want to control our clients to use only our company proxy server. How can I block proxy.ISP.net using iptables so that everybody can be forced to use our company proxy server? (Note that our company proxy server is connected to our ISP proxy server as cache_peer parent.)
thanks,
wennie
* Re: Host blocking
From: Jörg Harmuth @ 2005-05-17 11:12 UTC
To: netfilter

Wennie V. Lagmay wrote:
> Our ISP's proxy server is proxy.ISP.net, our company's own proxy server
> is proxy.ourcompany.net. Our own proxy server has delay_pool but our ISP
> proxy server doesn't. I want to control our clients to use only our
> company proxy server. How can I block proxy.ISP.net using iptables
> so that everybody can be forced to use our company proxy server? (Note
> that our company proxy server is connected to our ISP proxy server as
> cache_peer parent.)

iptables -P FORWARD DROP
# From now on your clients can't connect to your ISP's proxy.
# Is a good idea for INPUT and maybe OUTPUT too, imho.
#
# If you set IN|OUTPUT policy to DROP you need to allow
# connections to proxy.ourcompany.net explicitly and
# you need to allow lo traffic. E.g.:
iptables -A INPUT -i lo -j ACCEPT
# Allow traffic that is already initialized.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# You need to allow access to each service you offer, like
# proxy, smtp, pop3, ... e.g.
iptables -A INPUT -p tcp -s <netaddress/netmask> \
    -d <your_internal_proxy_ip> --dport <proxy_port> \
    --syn -j ACCEPT
[more services to allow]
# Only if OUTPUT policy is DROP or REJECT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Access to your ISP's proxy:
iptables -A OUTPUT -p tcp -d <ip_of_isp_proxy> \
    --dport <proxy_port> --syn -j ACCEPT
[more stuff to allow]
# If you need ICP, allow it too. You should also allow
# at least ICMP "Destination unreachable".

There are many ways to Rome - this is the basic approach. Note that there are probably some side effects. E.g. if your clients contact the ISP's DNS, you have to allow that too, or set up your own DNS and allow client access to your DNS and access from your DNS to the ISP DNS.

For more details see "man iptables" and the excellent tutorial at http://iptables-tutorial.frozentux.net/chunkyhtml/index.html which is - imho - a Must_To_Read :)

HTH and have a nice time,
Joerg
* Re: Host blocking
From: Askar @ 2005-05-17 13:09 UTC
To: Wennie V. Lagmay; +Cc: netfilter

Hmm, sounds like you are running your proxy "squid" in non-interception mode, so why not give a kick to interception ("transparent") mode, which means you don't have to configure each client to use your proxy, i.e. it will be transparent to them.

http://www.tldp.org/HOWTO/TransparentProxy.html

regards

Askar

On 5/17/05, Wennie V. Lagmay <wlagmay@yanbulink.net> wrote:
> Our ISP's proxy server is proxy.ISP.net, our company's own proxy server is
> proxy.ourcompany.net. Our own proxy server has delay_pool but our ISP proxy
> server doesn't. I want to control our clients to use only our company proxy
> server. How can I block proxy.ISP.net using iptables so that everybody
> can be forced to use our company proxy server? (Note that our company proxy
> server is connected to our ISP proxy server as cache_peer parent.)
>
> thanks,
>
> wennie
>

--
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams
* Re: Host blocking
From: wlagmay @ 2005-05-17 13:17 UTC
To: Askar; +Cc: netfilter

Well, I know how to configure a transparent proxy, but I really don't know what the impact will be on my server and system. And number 2: even though I have a transparent proxy, clients can always define their preferred proxy, isn't it? So the objective now is to block proxy.ISP.net including its corresponding IP address. Am I doing it the right way?

Thanks,
wennie

Quoting Askar <askarali@gmail.com>:
> Hmm, sounds like you are running your proxy "squid" in non-interception
> mode, so why not give a kick to interception ("transparent") mode, which means
> you don't have to configure each client to use your proxy, i.e. it will
> be transparent to them.
>
> http://www.tldp.org/HOWTO/TransparentProxy.html
>
> regards
>
> Askar
>
> On 5/17/05, Wennie V. Lagmay <wlagmay@yanbulink.net> wrote:
>> Our ISP's proxy server is proxy.ISP.net, our company's own proxy server is
>> proxy.ourcompany.net. Our own proxy server has delay_pool but our ISP proxy
>> server doesn't. I want to control our clients to use only our company proxy
>> server. How can I block proxy.ISP.net using iptables so that everybody
>> can be forced to use our company proxy server? (Note that our company proxy
>> server is connected to our ISP proxy server as cache_peer parent.)
>>
>> thanks,
>>
>> wennie
>>
>
> --
> I love deadlines. I like the whooshing sound they make as they fly by.
> Douglas Adams
* Re: Host blocking
From: Jason Opperisano @ 2005-05-17 13:14 UTC
To: netfilter

On Tue, May 17, 2005 at 01:30:58PM +0300, Wennie V. Lagmay wrote:
> Our ISP's proxy server is proxy.ISP.net, our company's own proxy server is
> proxy.ourcompany.net. Our own proxy server has delay_pool but our ISP proxy
> server doesn't. I want to control our clients to use only our company
> proxy server. How can I block proxy.ISP.net using iptables so that
> everybody can be forced to use our company proxy server? (Note that our
> company proxy server is connected to our ISP proxy server as cache_peer
> parent.)

assuming your company proxy server is on a different machine than the firewall:

iptables -A FORWARD -p tcp --syn -s proxy.ourcompany.net \
    -d proxy.ISP.net --dport $PROXY_PORT -j ACCEPT

# assuming your internal machines are allowed unfettered access
# to the internet

iptables -A FORWARD -p tcp --syn -d proxy.ISP.net -j DROP

-j

--
"Guy on Street #2: It's 3:00. Where the hell is Louie?
Guy on Street #1: Well, you tell me. Louie left his house at 2:15 and had to travel a distance 6.2 miles traveling at a rate of five miles a hour. When will Louie get here?
Guy On Street #2: Depends if he stops to see his ho.
Guy on Street #1: That's what we call a "variable"."
--Family Guy
* Re: Host blocking
From: Wennie V. Lagmay @ 2005-05-17 13:39 UTC
To: Jason Opperisano, netfilter

What if they define the IP address instead of the domain name? How can I block/accept both domain name and IP address?

Thank you,
Wennie

----- Original Message -----
From: "Jason Opperisano" <opie@817west.com>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, May 17, 2005 4:14 PM
Subject: Re: Host blocking

> On Tue, May 17, 2005 at 01:30:58PM +0300, Wennie V. Lagmay wrote:
>> Our ISP's proxy server is proxy.ISP.net, our company's own proxy server
>> is proxy.ourcompany.net. Our own proxy server has delay_pool but our ISP
>> proxy server doesn't. I want to control our clients to use only our company
>> proxy server. How can I block proxy.ISP.net using iptables so that
>> everybody can be forced to use our company proxy server? (Note that our
>> company proxy server is connected to our ISP proxy server as cache_peer
>> parent.)
>
> assuming your company proxy server is on a different machine than the
> firewall:
>
> iptables -A FORWARD -p tcp --syn -s proxy.ourcompany.net \
>     -d proxy.ISP.net --dport $PROXY_PORT -j ACCEPT
>
> # assuming your internal machines are allowed unfettered access
> # to the internet
>
> iptables -A FORWARD -p tcp --syn -d proxy.ISP.net -j DROP
>
> -j
>
> --
> "Guy on Street #2: It's 3:00. Where the hell is Louie?
> Guy on Street #1: Well, you tell me. Louie left his house at 2:15 and
> had to travel a distance 6.2 miles traveling at a rate of five miles a
> hour. When will Louie get here?
> Guy On Street #2: Depends if he stops to see his ho.
> Guy on Street #1: That's what we call a "variable"."
> --Family Guy
* Re: Host blocking
From: Jason Opperisano @ 2005-05-17 13:44 UTC
To: netfilter

On Tue, May 17, 2005 at 04:39:14PM +0300, Wennie V. Lagmay wrote:
> What if they define the IP address instead of the domain name? How can I
> block/accept both domain name and IP address?

iptables rules only contain IP addresses, not host names. In my example rules, proxy.ourcompany.net and proxy.ISP.net represent the IP addresses for those hosts. You can use an FQDN in an iptables rule, but the FQDN is resolved to an IP address (or addresses) at the time the rule is loaded, and the rule will only use that IP address (or addresses) going forward.

-j

--
"Chris: Dad, what's the blowhole for?
Peter: I'll tell you what it's not for. And when I do, you'll understand why I can never go back to Sea World."
--Family Guy
* Re: Host blocking
From: Wennie V. Lagmay @ 2005-05-17 13:50 UTC
To: Jason Opperisano, netfilter

Ok, so this configuration will block the ISP proxy by both IP address and domain name from the subscribers' perspective. Thank you very much, Jason.

Regards,
Wennie

----- Original Message -----
From: "Jason Opperisano" <opie@817west.com>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, May 17, 2005 4:44 PM
Subject: Re: Host blocking

> On Tue, May 17, 2005 at 04:39:14PM +0300, Wennie V. Lagmay wrote:
>> What if they define the IP address instead of the domain name? How can I
>> block/accept both domain name and IP address?
>
> iptables rules only contain IP addresses, not host names. In my example
> rules, proxy.ourcompany.net and proxy.ISP.net represent the IP addresses
> for those hosts. You can use an FQDN in an iptables rule, but the FQDN is
> resolved to an IP address (or addresses) at the time the rule is loaded,
> and the rule will only use that IP address (or addresses) going forward.
>
> -j
>
> --
> "Chris: Dad, what's the blowhole for?
> Peter: I'll tell you what it's not for. And when I do, you'll understand
> why I can never go back to Sea World."
> --Family Guy
* Re: Host blocking
From: Wennie V. Lagmay @ 2005-05-18 7:09 UTC
To: Jason Opperisano, netfilter

Hi Jason,

I tried the configuration and it is not working the way I want; maybe I need to elaborate on my config.

The 1st Linux server is the firewall: it does forwarding, firewalling and NATting and has 2 NIC cards. The 1st NIC card IP is 203.172.xxx.97/30, which is connected to the internet; the 2nd NIC card is 203.172.xxx.105/28, connected to the LAN. The local IP block for the clients is 192.168.10.0/24, which is NATted to 203.172.xxx.112-114.

The second Linux server is a proxy server: it also has 2 NIC cards. The 1st NIC card is 203.172.xxx.102/30, which is connected to the internet; the 2nd NIC card is 203.172.xxx.106/28, connected to the LAN.

The process works like this: a client with IP address 192.168.10.2 wants to connect to the internet. It will pass through the firewall, the firewall then forwards it to the proxy, and the proxy will get the page, then return it back to the client. In this case no NATting is involved: the proxy server gets the page by its own IP address, then returns it to 192.168.10.2. On the other hand, if the same client wants to chat, it will go to the firewall, the firewall then translates the IP 192.168.10.2 to 203.172.xxx.112, and then the client can chat.

Our system works this way. As I mentioned, the client can define our own proxy or our ISP's proxy, but I want everybody to use our own proxy because we have delay_pool. The objective is to disable the ISP proxy to the clients so that they are forced to use our own proxy server.

Thank you very much,
Wennie

----- Original Message -----
From: "Jason Opperisano" <opie@817west.com>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, May 17, 2005 4:14 PM
Subject: Re: Host blocking

> On Tue, May 17, 2005 at 01:30:58PM +0300, Wennie V. Lagmay wrote:
>> Our ISP's proxy server is proxy.ISP.net, our company's own proxy server
>> is proxy.ourcompany.net. Our own proxy server has delay_pool but our ISP
>> proxy server doesn't. I want to control our clients to use only our company
>> proxy server. How can I block proxy.ISP.net using iptables so that
>> everybody can be forced to use our company proxy server? (Note that our
>> company proxy server is connected to our ISP proxy server as cache_peer
>> parent.)
>
> assuming your company proxy server is on a different machine than the
> firewall:
>
> iptables -A FORWARD -p tcp --syn -s proxy.ourcompany.net \
>     -d proxy.ISP.net --dport $PROXY_PORT -j ACCEPT
>
> # assuming your internal machines are allowed unfettered access
> # to the internet
>
> iptables -A FORWARD -p tcp --syn -d proxy.ISP.net -j DROP
>
> -j
>
> --
> "Guy on Street #2: It's 3:00. Where the hell is Louie?
> Guy on Street #1: Well, you tell me. Louie left his house at 2:15 and
> had to travel a distance 6.2 miles traveling at a rate of five miles a
> hour. When will Louie get here?
> Guy On Street #2: Depends if he stops to see his ho.
> Guy on Street #1: That's what we call a "variable"."
> --Family Guy
* Re: Host blocking
From: Jason Opperisano @ 2005-05-18 15:08 UTC
To: netfilter

On Wed, May 18, 2005 at 10:09:27AM +0300, Wennie V. Lagmay wrote:
> Hi Jason,
>
> I tried the configuration and it is not working the way I want; maybe I
> need to elaborate on my config.
>
> The 1st Linux server is the firewall: it does forwarding, firewalling and
> NATting and has 2 NIC cards. The 1st NIC card IP is 203.172.xxx.97/30, which
> is connected to the internet; the 2nd NIC card is 203.172.xxx.105/28,
> connected to the LAN. The local IP block for the clients is 192.168.10.0/24,
> which is NATted to 203.172.xxx.112-114.
>
> The second Linux server is a proxy server: it also has 2 NIC cards.
> The 1st NIC card is 203.172.xxx.102/30, which is connected to the internet;
> the 2nd NIC card is 203.172.xxx.106/28, connected to the LAN.
>
> The process works like this: a client with IP address 192.168.10.2 wants to
> connect to the internet. It will pass through the firewall, the firewall then
> forwards it to the proxy, and the proxy will get the page, then return it
> back to the client. In this case no NATting is involved: the proxy server
> gets the page by its own IP address, then returns it to 192.168.10.2. On the
> other hand, if the same client wants to chat, it will go to the firewall,
> the firewall then translates the IP 192.168.10.2 to 203.172.xxx.112, and
> then the client can chat.
>
> Our system works this way. As I mentioned, the client can define our own
> proxy or our ISP's proxy, but I want everybody to use our own proxy because
> we have delay_pool.

k--slight modification of previous rules:

# allow internal machines to connect to our proxy
iptables -A FORWARD -p tcp --syn -s 192.168.10.0/24 \
    -d $OUR_PROXY_IP --dport $PROXY_PORT -j ACCEPT

# drop packets from inside net to ISP Proxy
iptables -A FORWARD -p tcp --syn -s 192.168.10.0/24 \
    -d $ISP_PROXY_IP -j DROP

if your FORWARD policy is set to DROP, and you only allow specific services through the firewall from the internal network, keeping your users from connecting to things they shouldn't connect to becomes much easier.

-j

--
"Black Knight: You see kids? Your father's nothing but a fizzle!
Peter: Hey, pal, nobody calls me a fizzle and gets away with it! Except for that one guy who called me a fizzle and then he ran off. But nobody else has ever called me a fizzle and got away with it! Actually though, he was the only one who ever called me a fizzle. But after today, only half the people who've called me a fizzle will have gotten away with it!"
--Family Guy
* Re: Host blocking
From: Wennie V. Lagmay @ 2005-05-19 4:10 UTC
To: Jason Opperisano, netfilter

Hi Jason,

Thank you very much. I was able to block it, but I did it this way:

iptables -A FORWARD -s 192.168.10.0/24 -d "ISP ISP ADDRESS" -j REJECT
iptables -A FORWARD -d 192.168.10.0/24 -s "ISP ISP ADDRESS" -j REJECT
iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.10.0/24 -j ACCEPT

Even though it is working, I want to know if I've done it right? And what is the --syn in your syntax?

----- Original Message -----
From: "Jason Opperisano" <opie@817west.com>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, May 18, 2005 6:08 PM
Subject: Re: Host blocking

> On Wed, May 18, 2005 at 10:09:27AM +0300, Wennie V. Lagmay wrote:
>> Hi Jason,
>>
>> I tried the configuration and it is not working the way I want; maybe I
>> need to elaborate on my config.
>>
>> The 1st Linux server is the firewall: it does forwarding, firewalling and
>> NATting and has 2 NIC cards. The 1st NIC card IP is 203.172.xxx.97/30,
>> which is connected to the internet; the 2nd NIC card is 203.172.xxx.105/28,
>> connected to the LAN. The local IP block for the clients is 192.168.10.0/24,
>> which is NATted to 203.172.xxx.112-114.
>>
>> The second Linux server is a proxy server: it also has 2 NIC cards.
>> The 1st NIC card is 203.172.xxx.102/30, which is connected to the internet;
>> the 2nd NIC card is 203.172.xxx.106/28, connected to the LAN.
>>
>> The process works like this: a client with IP address 192.168.10.2 wants
>> to connect to the internet. It will pass through the firewall, the firewall
>> then forwards it to the proxy, and the proxy will get the page, then return
>> it back to the client. In this case no NATting is involved: the proxy
>> server gets the page by its own IP address, then returns it to 192.168.10.2.
>> On the other hand, if the same client wants to chat, it will go to the
>> firewall, the firewall then translates the IP 192.168.10.2 to
>> 203.172.xxx.112, and then the client can chat.
>>
>> Our system works this way. As I mentioned, the client can define our own
>> proxy or our ISP's proxy, but I want everybody to use our own proxy because
>> we have delay_pool.
>
> k--slight modification of previous rules:
>
> # allow internal machines to connect to our proxy
> iptables -A FORWARD -p tcp --syn -s 192.168.10.0/24 \
>     -d $OUR_PROXY_IP --dport $PROXY_PORT -j ACCEPT
>
> # drop packets from inside net to ISP Proxy
> iptables -A FORWARD -p tcp --syn -s 192.168.10.0/24 \
>     -d $ISP_PROXY_IP -j DROP
>
> if your FORWARD policy is set to DROP, and you only allow specific
> services through the firewall from the internal network, keeping your
> users from connecting to things they shouldn't connect to becomes much
> easier.
>
> -j
>
> --
> "Black Knight: You see kids? Your father's nothing but a fizzle!
> Peter: Hey, pal, nobody calls me a fizzle and gets away with it! Except
> for that one guy who called me a fizzle and then he ran off. But
> nobody else has ever called me a fizzle and got away with it! Actually
> though, he was the only one who ever called me a fizzle. But after
> today, only half the people who've called me a fizzle will have gotten
> away with it!"
> --Family Guy
* Re: Host blocking
From: Jason Opperisano @ 2005-05-19 18:38 UTC
To: netfilter

On Thu, May 19, 2005 at 07:10:56AM +0300, Wennie V. Lagmay wrote:
> Hi Jason,
>
> Thank you very much. I was able to block it, but I did it this way:
>
> iptables -A FORWARD -s 192.168.10.0/24 -d "ISP ISP ADDRESS" -j REJECT
> iptables -A FORWARD -d 192.168.10.0/24 -s "ISP ISP ADDRESS" -j REJECT
> iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT
> iptables -A FORWARD -d 192.168.10.0/24 -j ACCEPT
>
> Even though it is working, I want to know if I've done it right? And what
> is the --syn in your syntax?

I'm not so sure that rules 2 and 4 are really necessary, but I guess ya never know...

--syn is an alias for:

--tcp-flags SYN,RST,ACK SYN

i.e. I write my rules such that I allow ESTABLISHED,RELATED packets first, and then my rules only allow the TCP SYN to start new connections.

-j

--
"Joe Swanson: Peter, it's over.
Peter: Over? What are you talking about? What kind of talk is that? It's un-American. Did George W. Bush quit even after losing the popular vote? No! Did he quit after losing millions of dollars of his father's money in failed oil companies? No! Did he quit after knocking that girl up? No! Did he quit after he got that DUI? No! Did he quit after he got busted for drunk and disorderly conduct at a football game? No! Did he quit...
Joe Swanson: I get the message, Peter."
--Family Guy
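The pieces of a working FORWARD policy are spread over this sub-thread: Jörg's default-DROP policy, Jason's ordering (accept ESTABLISHED,RELATED first, then judge only the opening SYN), and Wennie's REJECT rules. The script below is an added example that puts them together for the firewall host Wennie describes; it is not code posted by anyone in the thread. The interface name eth1, port 3128 (the Squid default) and the two proxy addresses (taken from the RFC 5737 documentation ranges, because the thread masks its addresses as 203.172.xxx) are assumptions; 192.168.10.0/24 is the client block Wennie gives. It uses the conntrack match rather than the older -m state, and it pins the ISP proxy by address because, as Jason explains, a hostname in a rule is resolved only when the rule is loaded. Setting IPT=echo prints the rules instead of loading them, which is how to review the result before touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): FORWARD chain for the firewall host
# that forces LAN clients through the company proxy and blocks the ISP proxy.
# Placeholders: eth1, port 3128 (Squid default) and the two proxy addresses
# (RFC 5737 test ranges) are assumptions; 192.168.10.0/24 is the client
# block named in the thread.
IPT=${IPT:-iptables}        # IPT=echo prints the rules instead of loading them
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.10.0/24}
OUR_PROXY_IP=${OUR_PROXY_IP:-198.51.100.106}
# Pinned by address: a hostname in a rule is resolved once, at load time.
ISP_PROXY_IP=${ISP_PROXY_IP:-203.0.113.80}
PROXY_PORT=${PROXY_PORT:-3128}

forward_rules() {
    # Fail closed: set the policy before flushing so nothing leaks while reloading.
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD

    # 1. Packets of connections already accepted. Because this comes first,
    #    every later rule only has to judge the opening packet, so they match
    #    --syn (shorthand for --tcp-flags SYN,RST,ACK SYN).
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. LAN clients to the company proxy.
    "$IPT" -A FORWARD -i "$LAN_IF" -p tcp --syn -s "$LAN_NET" \
        -d "$OUR_PROXY_IP" --dport "$PROXY_PORT" -j ACCEPT

    # 3. Company proxy to its cache_peer parent. Only needed if the proxy
    #    reaches the ISP through this firewall rather than its own uplink.
    "$IPT" -A FORWARD -p tcp --syn -s "$OUR_PROXY_IP" \
        -d "$ISP_PROXY_IP" --dport "$PROXY_PORT" -j ACCEPT

    # 4. LAN clients to the ISP proxy, any port. Log each new connection
    #    attempt (rate-limited so a scripted client cannot flood syslog), then
    #    reject with a TCP reset so the browser fails at once instead of
    #    waiting for a timeout. The REJECT rule has no --syn on purpose: after
    #    rule 1, any TCP packet still reaching it belongs to no accepted flow.
    "$IPT" -A FORWARD -i "$LAN_IF" -p tcp --syn -s "$LAN_NET" -d "$ISP_PROXY_IP" \
        -m limit --limit 5/min -j LOG --log-prefix "isp-proxy-blocked: "
    "$IPT" -A FORWARD -i "$LAN_IF" -p tcp -s "$LAN_NET" -d "$ISP_PROXY_IP" \
        -j REJECT --reject-with tcp-reset

    # 5. Everything else the LAN starts (chat, mail, ...), as in the thread.
    #    Replace this with per-service rules once the needed ports are known;
    #    with the DROP policy above, anything not listed is then blocked.
    "$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Usage:  sh forward.sh apply   (or  IPT=echo sh forward.sh apply  to preview)
if [ "${1:-}" = apply ]; then forward_rules; fi
```

Rule order is the whole point: the conntrack rule must precede the REJECT rule, and the REJECT rule must precede the catch-all ACCEPT, otherwise the catch-all matches first and the block never fires. Wennie's reverse-direction rules (ISP proxy to LAN) are not needed here because no packet from the ISP proxy can be ESTABLISHED or RELATED to a flow that was never accepted.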
* Re: Host blocking
From: Taylor, Grant @ 2005-05-17 16:06 UTC
To: netfilter

> Our ISP's proxy server is proxy.ISP.net, our company's own proxy server
> is proxy.ourcompany.net. Our own proxy server has delay_pool but our ISP
> proxy server doesn't. I want to control our clients to use only our
> company proxy server. How can I block proxy.ISP.net using iptables
> so that everybody can be forced to use our company proxy server? (Note
> that our company proxy server is connected to our ISP proxy server as
> cache_peer parent.)

If you want to block just proxy.ISP.net you could do a simple filter in the filter table FORWARD chain. However, I think you are really asking for a solution that will prevent your users from using ANY proxy other than your company's proxy. As such I have included what I am using here at my office:

# I am creating a new (sub)chain so that I have to do fewer comparisons and thus speed things up.
iptables -t nat -N Proxy_Bypass_Attempt
iptables -t nat -A Proxy_Bypass_Attempt -j LOG --log-prefix "Proxy Bypass Attempt: "
iptables -t nat -A Proxy_Bypass_Attempt -p tcp -j DNAT --to-destination ${My_Proxy_Server_IP}:${My_Proxy_Server_Port}

# We will need to SNAT any traffic that attempted to bypass the proxy so that it will get back to the client correctly.
iptables -t nat -A POSTROUTING -o ${LAN} -s ${LAN_Subnet} -d ${My_Proxy_Server_IP} -p tcp --dport ${My_Proxy_Server_Port} -j SNAT --to-source ${My_Firewall_IP}

# Let's jump to the Proxy_Bypass_Attempt chain if this looks like web traffic.
iptables -t nat -A PREROUTING -i ${LAN} -s ! ${My_Proxy_Server_IP} -p tcp --dport 80 -j Proxy_Bypass_Attempt

# We will need to allow traffic to forward from our LAN back out to itself as any proxy bypass attempt traffic will fall into this category.
iptables -t filter -A FORWARD -i ${LAN} -o ${LAN} -j ACCEPT

Note: I am presently not blocking port 443 but I think it would be easy to do such with this example. You could probably just use the -m mport match by replacing the rule in the PREROUTING chain that jumps to the Proxy_Bypass_Attempt chain as such:

# Let's jump to the Proxy_Bypass_Attempt chain if this looks like web traffic.
# (destination ports, matching the --dport rules below)
iptables -t nat -A PREROUTING -i ${LAN} -s ! ${My_Proxy_Server_IP} -p tcp -m mport --destination-ports 80,443 -j Proxy_Bypass_Attempt

- Or (if you do not have mport match extension support) -

# Let's jump to the Proxy_Bypass_Attempt chain if this looks like web traffic.
iptables -t nat -A PREROUTING -i ${LAN} -s ! ${My_Proxy_Server_IP} -p tcp --dport 80 -j Proxy_Bypass_Attempt
iptables -t nat -A PREROUTING -i ${LAN} -s ! ${My_Proxy_Server_IP} -p tcp --dport 443 -j Proxy_Bypass_Attempt

Grant. . . .
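Grant's interception approach, as an added example that is not Grant's own script: LAN web traffic that is not already headed for the proxy is logged and redirected into it, and the reply path is hairpinned back through the firewall. The interface name, the LAN, firewall and proxy addresses and port 3128 are assumptions, as is the topology that makes the SNAT necessary at all: the proxy sits on the same LAN segment as the clients, which is Grant's layout. Current syntax (`! -s`, `-m conntrack`) replaces the 2005 forms, and the FORWARD rule is narrowed from "anything LAN to LAN" to the proxy port only. IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not Grant's script): intercept LAN web traffic that tries to
# bypass the proxy, log it, and redirect it into the company proxy. All
# addresses, eth1 and port 3128 are placeholders/assumptions; the proxy is
# assumed to be on the same LAN segment as the clients.
IPT=${IPT:-iptables}        # IPT=echo prints the rules instead of loading them
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.10.0/24}
FW_LAN_IP=${FW_LAN_IP:-192.168.10.1}    # firewall's own address on the LAN
PROXY_IP=${PROXY_IP:-192.168.10.10}
PROXY_PORT=${PROXY_PORT:-3128}

intercept_rules() {
    # Sub-chain: log (rate-limited) and rewrite the destination. Only the
    # first packet of a connection traverses the nat table; conntrack applies
    # the same translation to the rest of the flow.
    "$IPT" -t nat -N proxy_bypass 2>/dev/null || true
    "$IPT" -t nat -F proxy_bypass
    "$IPT" -t nat -A proxy_bypass -m limit --limit 10/min \
        -j LOG --log-prefix "proxy-bypass: "
    "$IPT" -t nat -A proxy_bypass -p tcp -j DNAT \
        --to-destination "$PROXY_IP:$PROXY_PORT"

    # Port-80 connections arriving from the LAN, except those the proxy itself
    # opens (otherwise its own fetches would be redirected back into it).
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" ! -s "$PROXY_IP" \
        -p tcp --dport 80 -j proxy_bypass

    # Hairpin SNAT. After DNAT the proxy sees a connection from the client's
    # own address and, being on the same LAN, would answer it directly; the
    # client would then receive a SYN-ACK from PROXY_IP:3128 instead of from
    # the web server it asked for, and reset it. Rewriting the source to the
    # firewall pulls the reply back through the firewall, where conntrack
    # undoes both translations. --ctstate DNAT limits this to redirected flows.
    "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" \
        -p tcp --dport "$PROXY_PORT" -m conntrack --ctstate DNAT \
        -j SNAT --to-source "$FW_LAN_IP"

    # The filter table sees the translated destination, so the FORWARD rule
    # must allow LAN -> LAN to the proxy port, not to the original web server.
    # Assumes an ESTABLISHED,RELATED accept earlier in FORWARD.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$PROXY_IP" -p tcp \
        --dport "$PROXY_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Usage:  sh intercept.sh apply   (or  IPT=echo sh intercept.sh apply  to preview)
if [ "${1:-}" = apply ]; then intercept_rules; fi
```

Two caveats a practitioner should weigh before deploying this. First, the SNAT makes every intercepted connection arrive at the proxy from the firewall's address, so per-client ACLs and access logs on the proxy lose the client IP; a proxy on its own segment whose return route to the clients runs through the firewall (closer to Wennie's layout) needs no hairpin and keeps the client address. Second, only port 80 is redirected: a TLS connection rewritten to a plain HTTP proxy port cannot be parsed by the proxy and simply fails, so for 443 the choices are to block it in FORWARD or to run a proxy listener that is built to intercept TLS, neither of which is shown here.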