1
I have a Linux machine kernel 3.7.0 with Squid proxy server and a direct Internet connection. Browsers and Squid reside on the same machine. Is it possible to allow access to web only through Squid? Maybe use SELinux?
user4035
Posted 2013-03-15T20:06:27.720
Reputation: 821
7
You can use the owner module in iptables (-m owner --uid-owner $SQUID_UID) to setup allow rules for Squid and then deny other traffic.
Jeff Ferland
Posted 2013-03-15T20:06:27.720
Reputation: 823
1
Maybe something like this?
# Your debian machine (gateway)
LAN_IP="192.168.0.1"
# Your network
LAN_IP_RANGE="192.168.0.0/24"
# Your squid machine
PROXY_IP="192.168.0.254"
PROXY_PORT="3128"
iptables -t mangle -A PREROUTING -s $LAN_IP_RANGE ! -d $LAN_IP_RANGE -p TCP --destination-port 80 -j MARK --set-mark 11
iptables -t nat -A PREROUTING -m mark --mark 11 -p TCP -j DNAT --to-destination ${PROXY_IP}:${PROXY_PORT}
iptables -t nat -A POSTROUTING -m mark --mark 11 -p TCP -j SNAT --to-source $LAN_IP
aus
Posted 2013-03-15T20:06:27.720
Reputation: 241
0
Here is the code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
#loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
#http,https traffic only through Squid - nobody user
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state -m owner --uid-owner nobody --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
user4035
Posted 2013-03-15T20:06:27.720
Reputation: 821