From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Blocking web-based proxy traffic
Date: Wed, 28 Nov 2007 14:35:38 -0600
Message-ID: <474DD11A.4020209@riverviewtech.net>
In-Reply-To: <C3731AB4.2210%jlay@slave-tothe-box.net>
On 11/28/07 14:16, James Lay wrote:
> The latter ;) Keeping the people on the inside from being naughty.
> One of my clients doesn't want a proxy server installed....I would
> normally just use squid and squidguard and be done with it, but
> that's not an option. So barring using Snort to do it (somehow) I was
> thinking netfilter/iptables to match strings on port 80 for "http".
> Hope that explains it better.
Ok. Aside from needing to use a Clue-by-4 on your client, you are
headed down an ok track.
Be aware that you are looking for ASCII text that is recognizable as a
prohibited site. If you do use IPTables to do your matches, you will
either be able to DROP, REJECT, or DNAT (redirect) the traffic. The
first option is not graceful at all as it will leave clients in a time
out condition while the second option will probably more gracefully
fail. The preferred option would be to DNAT (redirect) the traffic to a
mini web server that will serve up a generic web page indicating that
the access has been blocked.
I suppose that you can use layer 7 string matching to look for the
prohibited URL in the real GET string. However, if there is any
obfuscation being used, even simple URL encoding using %##, the chances
of detecting the traffic are slim. This is why you should really look
into some sort of content filtering solution.
Would you be able to install something like DansGuardian and tell your
client that it is a filter not a proxy and use that? Of course to use
DansGuardian, you do have to have a proxy for DG to talk to.
Grant. . . .
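An added illustration, not part of Grant's mail or of the thread: a plain substring search over the HTTP payload (which is what an iptables string match amounts to) beside a check that percent-decodes the request target first, showing why the %## encoding he mentions slips past the former. blocked.example and proxy.example are placeholder hostnames and the two requests are constructed samples.

```python
from urllib.parse import unquote

# Constructed sample requests to a web-based proxy; blocked.example is a
# placeholder for the prohibited site, proxy.example for the proxy host.
BLOCKLIST = [b"blocked.example"]

PLAIN = (b"GET /browse.php?u=http://blocked.example/ HTTP/1.1\r\n"
         b"Host: proxy.example\r\n\r\n")
# Same request with the target URL percent-encoded ("." becomes %2E).
ENCODED = (b"GET /browse.php?u=http%3A%2F%2Fblocked%2Eexample%2F HTTP/1.1\r\n"
           b"Host: proxy.example\r\n\r\n")


def naive_match(packet: bytes, patterns=BLOCKLIST) -> bool:
    """Raw substring search over the payload, like iptables -m string."""
    return any(p in packet for p in patterns)


def request_target(packet: bytes) -> bytes:
    """Return the request-target from the first line of an HTTP request."""
    first_line = packet.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def normalized_match(packet: bytes, patterns=BLOCKLIST) -> bool:
    """Percent-decode and lowercase the request target before matching;
    one unquote pass undoes the %## encoding discussed in the mail."""
    target = request_target(packet).decode("ascii", "replace")
    decoded = unquote(target).lower().encode("ascii", "replace")
    return any(p.lower() in decoded for p in patterns)


def verdicts() -> dict:
    """Both checks against both samples, for comparison."""
    return {
        "plain_naive": naive_match(PLAIN),
        "plain_normalized": normalized_match(PLAIN),
        "encoded_naive": naive_match(ENCODED),
        "encoded_normalized": normalized_match(ENCODED),
    }


if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name}: {'blocked' if hit else 'allowed'}")
```

Even the decoding check only covers this one encoding, which is the mail's point in favour of a real content filter rather than packet string matching.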