|
Home > Archive > Squid > June 2004 > How to Stop bypassing Proxy server
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
How to Stop bypassing Proxy server
|
|
| ssp2000 2004-06-26, 2:57 pm |
| Some of the users at my location are accessing the Internet by
bypassing the in-house proxy server. They are just typing the upstream
proxy server IP address and port number in browser and accessing the
Internet. How can I prohibit such activities? My network is on
192.168.7.0 and IP address of upstream proxy server is 195.2.104.7
(take these IP addresses as an example). I can access 195.2.104.0
network from my location. I am using Squid Proxy server on Linux RH8.
| |
| Lars M. Hansen 2004-06-26, 2:57 pm |
| On 28 May 2004 02:47:35 -0700, ssp2000 spoketh
>Some of the users at my location are accessing the Internet by
>bypassing the in-house proxy server. They are just typing the upstream
>proxy server IP address and port number in browser and accessing the
>Internet. How can I prohibit such activities? My network is on
>192.168.7.0 and IP address of upstream proxy server is 195.2.104.7
>(take these IP addresses as an example). I can access 195.2.104.0
>network from my location. I am using Squid Proxy server on Linux RH8.
On Windows computers, you can use Group Policies to block access to any
and all of the settings for Internet Explorer, including the proxy
settings.
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
| |
| Wolfgang Kueter 2004-06-26, 2:57 pm |
| ssp2000 wrote:
> Some of the users at my location are accessing the Internet by
> bypassing the in-house proxy server.[...]
Configure packet filtering, allow outgoing http only from the proxy, block
the rest of the network.
iptables -A FORWARD -s $PROXY -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s $LAN -j REJECT
should do.
Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
| |
| Homer Simpson 2004-06-26, 2:57 pm |
| ssp2000 wrote:
> Some of the users at my location are accessing the Internet by
> bypassing the in-house proxy server. They are just typing the upstream
> proxy server IP address and port number in browser and accessing the
> Internet. How can I prohibit such activities? My network is on
> 192.168.7.0 and IP address of upstream proxy server is 195.2.104.7
> (take these IP addresses as an example). I can access 195.2.104.0
> network from my location. I am using Squid Proxy server on Linux RH8.
I use transparent proxying which works like a charm. Something like:
$IPTABLES -t nat -A PREROUTING -i $INTERNAL_NIC -p tcp --dport 80 -j
REDIRECT --to-port 3128
Which hijacks port 80 requests and forces them through squid. You'll also
want to block people from using another proxy server, like so:
$IPTABLES -A FORWARD -s 192.168.7.0/24 -p tcp --dport $ISP_PROXY_PORT -j
DROP
Then, in squid.conf, I set:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Which enables transparent proxying.
I tell my users not to use any proxy settings. Everything goes through
squid. If someone tries to be "smart" by putting your ISP as the proxy, it
simply won't work. In fact, they must either use your squid server as the
proxy, or not put in any settings at all if they want web access.
|
|
|
|
|