Hi,
I am using this and it works fine.
acl IT src 10.1.1.0/255.255.255.224
acl MSN_Messenger dstdomain .msgr.hotmail.com
http_access allow IT MSN_Messenger
http_access deny MSN_Messenger
Hope it will help you.
Bye.
----- Original Message -----
From: "digitalfx" <tinchole@satlink.com>
To: <squid-users@squid-cache.org>
Sent: Friday, November 26, 2004 1:31 PM
Subject: [squid-users] Squid + Iptables + MSN/Jabber problem
Im having a big problems to deny/allow traffic, (i mean traffic, not just
web
filtering) perhaps someone could clarify me some things...
Squid as it says in its guides is an http proxy, so all other kind of
traffic goes trought the firewall/iptables/nat.. ? Only http/ftp is
"intercepted" by squid?
I have supervisor users who can use msn/jabber, and operators who shouldn't
use.
I tried some acls from this mailing list like
acl msnmessenger url_regex -i gateway.dll
http_access deny msnmessenger
but didnt work 100%
Also tried with the acls listed in
http://www.squid-cache.org/mail-archive/squid-users/200407/0210.html
The main problem is that pcs with jabber can connect without any problem (it
bypass squid)
and msn windows pcs are blocked ONLY if the proxy settings is configured in
the
browser. If not, the browser can't navigate, but msn goes online.
Im not using transparent cause i need auth_program line to validate users.
The firewall nat im using is monmothas script, but if i block msn using
iptables, ill block all my users and thats is not the idea.
Other thing i dont known what im doing wrong, is i cant connect to ftps
using the proxy.
Thnxs, in adv. for any help.
<Partial squid.conf>
acl msnmessenger url_regex -i gateway.dll
http_access deny msnmessenger
acl msnlogin dstdomain nexus.passport.com
http_access deny msnlogin
deny_info TCP_RESET msnlogin
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squidpasswd
acl user_passwords proxy_auth REQUIRED
acl avanzados proxy_auth "/etc/squid/squidpasswd"
http_access deny !localnetwork
http_access deny !safe_ports
http_access deny prohibidos
http_access allow localnetwork user_passwords !prohibidos
http_access allow localhost
http_access deny all
<End Partial squid.conf>
<Partial MonMontha script>
# Main Options
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
IPTABLES="/sbin/iptables"
TCP_ALLOW="22 20 21 25 110 443 80"
UDP_ALLOW="68 6112 6119 4000"
INET_IFACE="eth0"
LAN_IFACE="eth1"
INTERNAL_LAN="10.0.0.0/16"
MASQ_LAN="10.0.0.0/16"
SNAT_LAN=""
DROP="TREJECT"
DENY_ALL=""
DENY_HOSTWISE_TCP=""
DENY_HOSTWISE_UDP=""
BLACKHOLE=""
BLACKHOLE_DROP="DROP"
ALLOW_HOSTWISE_TCP=""
ALLOW_HOSTWISE_UDP=""
TCP_FW=""
UDP_FW=""
MANGLE_TOS_OPTIMIZE="FALSE"
DHCP_SERVER="TRUE"
BAD_ICMP="5 9 10 15 16 17 18"
ENABLE="Y"
PROXY="10.0.0.1:8080"
MY_IP="10.0.0.1
<END Partial MonMontha script>
****************************************************************************
This message contains privileged and confidential information and is
intended only for the individual named.
If you are not the intended recepient you should not disseminate,
distribute, store, print, copy or deliver this message.
Please notify the sender immediately by e-mail if you have received
this e-mail by mistake, and immediately delete this e-mail from your system
****************************************************************************
Received on Fri Nov 26 2004 - 05:46:59 MST
This archive was generated by hypermail pre-2.1.9 : Wed Dec 01 2004 - 12:00:02 MST