From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Host blocking
Date: Tue, 17 May 2005 11:06:28 -0500 [thread overview]
Message-ID: <428A1684.2040804@riverviewtech.net> (raw)
In-Reply-To: <003b01c55acb$841114a0$f00aa9c0@winxp>
> Our ISP's Proxy server is proxy.ISP.net , our company's own proxy server
> is proxy.ourcompany.net. Our own proxy server has delay_pool but our ISP
> proxy server dont have. I want to control our client to use only our
> company proxy server. how can I block the proxy.ISP.net using IP tables
> so that every body can be force to use our compnay proxy server. (note
> that our company proxy server is connected to our ISP proxy server as
> cache_peer parent)
If you want to block just proxy.ISP.net you could do a simple filter in the filter table FORWARD chain. However I think you are really asking for a solution that will prevent your users from using ANY proxy other than your companies proxy. As such I have included what I am using here at my office:
# I am creating a new (sub)chain so that I have to do fewer comparisons and thus speeding things up.
iptables -t nat -N Proxy_Bypass_Attempt
iptables -t nat -A Proxy_Bypass_Attempt -j LOG --log-prefix "Proxy Bypass Atempt: "
iptables -t nat -A Proxy_Bypass_Attempt -p tcp -j DNAT --to-destination ${My_Proxy_Server_IP}:${My_Proxy_Server_Port}
# We will need to SNAT any traffic that attempted to bypass the proxy so that it will get back to the client correctly.
iptables -t nat -A POSTROUTING -o ${LAN} -s ${LAN_Subnet} -d ${My_Proxy_Server_IP} -p tcp --dport ${My_Proxy_Server_Port} -j SNAT --to-source ${My_Firewall_IP}
# Let's jump to the Proxy_Bypass_Attempt chain if this looks like web traffic.
iptables -t nat -A PREROUTING -i ${LAN} -s ! ${My_Proxy_Server_IP} -p tcp --dport 80 -j Proxy_Bypass_Attempt
# We will need to allow traffic to froward from our LAN back out to it's self as any proxy bypass attempt traffic will fall in to this catigory.
iptables -t filter -A FORWARD -i ${LAN} -o ${LAN} -j ACCEPT
Note: I am presently not blocking port 443 but I think it would be easy to do such with this example. You could probibly just use the -m mport match by replacing the rule in the PREROUTING chain that jumps to the Proxy_Bypass_Attempt chain as such:
# Let's jump to the Proxy_Bypass_Attempt chain if this looks like web traffic.
iptables -t nat -A PREROUTING -i ${LAN} -s ! ${My_Proxy_Server_IP} -p tcp -m mport --source-ports 80,443 -j Proxy_Bypass_Attempt
- Or (if you do not have mport match extension support) -
# Let's jump to the Proxy_Bypass_Attempt chain if this looks like web traffic.
iptables -t nat -A PREROUTING -i ${LAN} -s ! ${My_Proxy_Server_IP} -p tcp --dport 80 -j Proxy_Bypass_Attempt
iptables -t nat -A PREROUTING -i ${LAN} -s ! ${My_Proxy_Server_IP} -p tcp --dport 443 -j Proxy_Bypass_Attempt
Grant. . . .
prev parent reply other threads:[~2005-05-17 16:06 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-17 10:30 Host blocking Wennie V. Lagmay
2005-05-17 11:12 ` Jörg Harmuth
2005-05-17 13:09 ` Askar
2005-05-17 13:17 ` wlagmay
2005-05-17 13:14 ` Jason Opperisano
2005-05-17 13:39 ` Wennie V. Lagmay
2005-05-17 13:44 ` Jason Opperisano
2005-05-17 13:50 ` Wennie V. Lagmay
2005-05-18 7:09 ` Wennie V. Lagmay
2005-05-18 15:08 ` Jason Opperisano
2005-05-19 4:10 ` Wennie V. Lagmay
2005-05-19 18:38 ` Jason Opperisano
2005-05-17 16:06 ` Taylor, Grant [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=428A1684.2040804@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox