[squid-users] Squid + Iptables + MSN/Jabber problem

From: digitalfx <tinchole@dont-contact.us>
Date: Fri, 26 Nov 2004 09:31:46 -0300

I'm having big problems denying/allowing traffic (I mean traffic, not just
web filtering); perhaps someone could clarify some things for me...

Squid, as it says in its guides, is an HTTP proxy, so all other kinds of
traffic go through the firewall/iptables/NAT? Only http/ftp is
"intercepted" by Squid?

I have supervisor users who can use MSN/Jabber, and operators who shouldn't
use them.

I tried some ACLs from this mailing list like
 acl msnmessenger url_regex -i gateway.dll
 http_access deny msnmessenger
but it didn't work 100%.

Also tried with the acls listed in
http://www.squid-cache.org/mail-archive/squid-users/200407/0210.html

The main problem is that PCs with Jabber can connect without any problem (it
bypasses Squid), and MSN Windows PCs are blocked ONLY if the proxy settings
are configured in the browser. If not, the browser can't navigate, but MSN
goes online.

I'm not using transparent mode because I need the auth_param program line to
validate users. The firewall/NAT I'm using is MonMotha's script, but if I
block MSN using iptables, I'll block all my users, and that is not the idea.

Another thing I don't know what I'm doing wrong with: I can't connect to ftps
using the proxy.

Thanks in advance for any help.

<Partial squid.conf>

# MSN over its HTTP fallback (gateway.dll); only seen when the client uses the proxy
acl msnmessenger url_regex -i gateway.dll
http_access deny msnmessenger

acl msnlogin dstdomain nexus.passport.com
http_access deny msnlogin
deny_info TCP_RESET msnlogin

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squidpasswd
acl user_passwords proxy_auth REQUIRED
acl avanzados proxy_auth "/etc/squid/squidpasswd"

http_access deny !localnetwork
http_access deny !safe_ports
http_access deny prohibidos
http_access allow localnetwork user_passwords !prohibidos
http_access allow localhost
http_access deny all

<End Partial squid.conf>

<Partial MonMontha script>

# Main Options

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

IPTABLES="/sbin/iptables"
TCP_ALLOW="22 20 21 25 110 443 80"
UDP_ALLOW="68 6112 6119 4000"
INET_IFACE="eth0"
LAN_IFACE="eth1"
INTERNAL_LAN="10.0.0.0/16"
MASQ_LAN="10.0.0.0/16"
SNAT_LAN=""
DROP="TREJECT"
DENY_ALL=""
DENY_HOSTWISE_TCP=""
DENY_HOSTWISE_UDP=""
BLACKHOLE=""
BLACKHOLE_DROP="DROP"
ALLOW_HOSTWISE_TCP=""
ALLOW_HOSTWISE_UDP=""
TCP_FW=""
UDP_FW=""
MANGLE_TOS_OPTIMIZE="FALSE"
DHCP_SERVER="TRUE"
BAD_ICMP="5 9 10 15 16 17 18"
ENABLE="Y"
PROXY="10.0.0.1:8080"
# closing quote was missing in the posted fragment
MY_IP="10.0.0.1"

<END Partial MonMontha script>
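The bypass described in the post (MSN and Jabber going online whenever the browser has no proxy set) cannot be fixed in squid.conf, because the native IM sessions never reach Squid; they leave through the NAT box. The following is an added example, not code from the post or from MonMotha's script, that polices the IM ports at the firewall per source host (the firewall cannot see Squid's proxy_auth user), reusing the interface and LAN values from the fragment above and assuming a list of supervisor workstation addresses:

```shell
#!/bin/sh
# Added example: host-based policy for native IM ports at the NAT box.
# MSN Messenger uses TCP 1863 and Jabber TCP 5222; neither is HTTP, so
# Squid's ACLs never apply to them. Values below: interfaces and LAN from
# the MonMotha fragment; SUPERVISORS is an assumed list of workstations.
LAN_IFACE="eth1"
INET_IFACE="eth0"
INTERNAL_LAN="10.0.0.0/16"
IM_PORTS="1863,5222"
SUPERVISORS="10.0.1.10 10.0.1.11"   # assumed supervisor PCs

# Emit the iptables commands as text so the policy can be reviewed first.
# Apply on the firewall with:  im_policy_rules | sh
im_policy_rules() {
    # Dedicated chain, inserted at the head of FORWARD so it is evaluated
    # before the script's own accept rules for masqueraded LAN traffic.
    echo "iptables -N IM_POLICY"
    echo "iptables -I FORWARD 1 -i $LAN_IFACE -o $INET_IFACE -s $INTERNAL_LAN -p tcp -m multiport --dports $IM_PORTS -j IM_POLICY"
    for host in $SUPERVISORS; do
        echo "iptables -A IM_POLICY -s $host -j ACCEPT"
    done
    # Everyone else: rate-limited log line for spotting bypass attempts,
    # then a TCP reset so the client gives up quickly; any HTTP fallback
    # it tries then goes through the proxy, where the gateway.dll ACL applies.
    echo "iptables -A IM_POLICY -m limit --limit 5/min -j LOG --log-prefix 'IM-DIRECT-DENIED: '"
    echo "iptables -A IM_POLICY -p tcp -j REJECT --reject-with tcp-reset"
}

# Returns 1 if the given host gets an ACCEPT rule, 0 otherwise.
host_is_allowed() {
    im_policy_rules | grep -c -- "-s $1 -j ACCEPT" || true
}

im_policy_rules
```

Because the decision is by source address, the supervisor PCs need fixed addresses (static leases in the DHCP_SERVER setup) for the policy to hold.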
Received on Fri Nov 26 2004 - 05:24:51 MST
