Re: [squid-users] Squid + Iptables + MSN/Jabber problem

From: Klodian Hima <khima@dont-contact.us>
Date: Fri, 26 Nov 2004 13:46:11 +0100

Hi,

I am using this and it works fine.

acl IT src 10.1.1.0/255.255.255.224
acl MSN_Messenger dstdomain .msgr.hotmail.com

http_access allow IT MSN_Messenger
http_access deny MSN_Messenger

Hope it will help you.
Bye.

----- Original Message -----
From: "digitalfx" <tinchole@satlink.com>
To: <squid-users@squid-cache.org>
Sent: Friday, November 26, 2004 1:31 PM
Subject: [squid-users] Squid + Iptables + MSN/Jabber problem

I'm having big problems trying to deny/allow traffic (I mean traffic, not just
web filtering); perhaps someone could clarify some things for me...

Squid, as it says in its guides, is an http proxy, so all other kinds of
traffic go through the firewall/iptables/nat..? Only http/ftp is
"intercepted" by squid?

I have supervisor users who can use msn/jabber, and operators who shouldn't
use them.

I tried some acls from this mailing list like
 acl msnmessenger url_regex -i gateway.dll
 http_access deny msnmessenger
but it didn't work 100%.

Also tried with the acls listed in
http://www.squid-cache.org/mail-archive/squid-users/200407/0210.html

The main problem is that pcs with jabber can connect without any problem (it
bypasses squid), and msn windows pcs are blocked ONLY if the proxy settings are
configured in the browser. If not, the browser can't navigate, but msn goes
online.

I'm not using transparent mode because I need the auth_program line to validate
users. The firewall nat I'm using is MonMotha's script, but if I block msn using
iptables, I'll block all my users and that is not the idea.

Another thing I don't know what I'm doing wrong with: I can't connect to ftps
using the proxy.

Thanks in advance for any help.

<Partial squid.conf>

acl msnmessenger url_regex -i gateway.dll
http_access deny msnmessenger

acl msnlogin dstdomain nexus.passport.com
http_access deny msnlogin
deny_info TCP_RESET msnlogin

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squidpasswd
acl user_passwords proxy_auth REQUIRED
acl avanzados proxy_auth "/etc/squid/squidpasswd"

http_access deny !localnetwork
http_access deny !safe_ports
http_access deny prohibidos
http_access allow localnetwork user_passwords !prohibidos
http_access allow localhost
http_access deny all

<End Partial squid.conf>

<Partial MonMotha script>

# Main Options
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

IPTABLES="/sbin/iptables"
TCP_ALLOW="22 20 21 25 110 443 80"
UDP_ALLOW="68 6112 6119 4000"
INET_IFACE="eth0"
LAN_IFACE="eth1"
INTERNAL_LAN="10.0.0.0/16"
MASQ_LAN="10.0.0.0/16"
SNAT_LAN=""
DROP="TREJECT"
DENY_ALL=""
DENY_HOSTWISE_TCP=""
DENY_HOSTWISE_UDP=""
BLACKHOLE=""
BLACKHOLE_DROP="DROP"
ALLOW_HOSTWISE_TCP=""
ALLOW_HOSTWISE_UDP=""
TCP_FW=""
UDP_FW=""
MANGLE_TOS_OPTIMIZE="FALSE"
DHCP_SERVER="TRUE"
BAD_ICMP="5 9 10 15 16 17 18"
ENABLE="Y"
PROXY="10.0.0.1:8080"
# closing quote was missing in the posted script
MY_IP="10.0.0.1"

<END Partial MonMotha script>
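To see why the ordering in the reply above works (allow the IT subnet to the MSN domain first, then deny the MSN domain for everyone else), here is an added example that models Squid's first-match http_access evaluation over the thread's own ACLs. It is not code from the thread or from Squid; the ACL table, the sample client addresses and URLs are constructed, and it only models the three ACL types used in this thread (src, dstdomain, url_regex).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed model of the acl lines from the thread (hypothetical minimal
# representation, not a Squid config parser).
ACLS = {
    # acl IT src 10.1.1.0/255.255.255.224
    "IT": ("src", ipaddress.ip_network("10.1.1.0/255.255.255.224")),
    # acl MSN_Messenger dstdomain .msgr.hotmail.com
    "MSN_Messenger": ("dstdomain", ".msgr.hotmail.com"),
    # acl msnmessenger url_regex -i gateway.dll
    "msnmessenger": ("url_regex", re.compile("gateway.dll", re.I)),
}

# http_access lines in file order; like Squid, the first matching line wins.
HTTP_ACCESS = [
    ("allow", ["IT", "MSN_Messenger"]),
    ("deny", ["MSN_Messenger"]),
    ("deny", ["msnmessenger"]),
    ("allow", ["all"]),
]

def acl_matches(name, client_ip, url):
    """True if one ACL (optionally negated with '!') matches this request."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":
        return not negate
    kind, arg = ACLS[name]
    host = urlsplit(url).hostname or ""
    if kind == "src":
        hit = ipaddress.ip_address(client_ip) in arg
    elif kind == "dstdomain":
        # A leading dot matches the domain and all subdomains; without it,
        # only the exact host matches.
        hit = host == arg.lstrip(".") or (arg.startswith(".") and host.endswith(arg))
    else:  # url_regex: matched against the whole URL
        hit = arg.search(url) is not None
    return hit != negate

def http_access(client_ip, url):
    """Walk http_access lines in order; a line matches only if every ACL on it matches."""
    for action, names in HTTP_ACCESS:
        if all(acl_matches(n, client_ip, url) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"
```

This only decides requests that actually reach Squid; a client with no proxy configured, as the original poster describes, never hits these lines at all.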

Received on Fri Nov 26 2004 - 05:46:59 MST

This archive was generated by hypermail pre-2.1.9 : Wed Dec 01 2004 - 12:00:02 MST