[KLUG Members] Squid

Bruce Smith bruce at armintl.com
Sun Dec 25 08:13:38 EST 2005


At work I only allow access to the internet through our proxy, but I do
the rules differently.

If the proxy is inside of the firewall, only allow access to the
internet from the proxy's IP address.  (only allow it to NAT)

If the proxy is outside of the firewall, then only allow access to its
destination IP.

You may want to make some exceptions for some ports that don't proxy
(IM, etc.).

You also may need to configure squid to allow more ports than the
default, since some web servers use ports other than 80 & 443.

 - BS


> My parents recently got high speed internet access, and I set them up with a
> RHEL4 box for a gateway and a proxy server.  My dad wants to make it so you
> have to go through the proxy if you want to get out for the internet, so I did
> this by putting the following iptables rules to block normal forwarding of the
> 80/443 ports
> 
> iptables -A FORWARD -p tcp --dport 80 -j DROP
> iptables -A FORWARD -p udp --dport 80 -j DROP
> iptables -A FORWARD -p tcp --dport 443 -j DROP
> iptables -A FORWARD -p udp --dport 443 -j DROP
> 
> This works well, except when they go to access their webmail with earthlink, and
> then they get connection refused problems.  As soon as I take those rules out
> it works fine.  Is there a better way to force all internet traffic to go
> through the proxy?  Also, my brothers and sisters cannot access their webmail
> at their high school when they go through the proxy server.  When they go to
> click on the signon button, they get this error complaining that there is an
> ACL blocking their access.  It's not the proxy, but the actual webserver from
> the school (MS IIS, figures).  As soon as they go to the site normally,
> bypassing the proxy it works fine.  Is there a problem with squid and MS IIS's
> http auth implementation?  Any suggestions are welcome.  
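Bruce's "proxy inside the firewall" rule set, written out as an added example (not code from either poster): the gateway forwards and NATs only for the proxy's address, carries explicit exceptions for the ports that do not proxy, and emits the squid ACL lines for web servers on ports other than 80 and 443. The network, proxy address, interface names and bypass ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Addresses, interfaces and
# bypass ports below are constructed placeholders; override them via the
# environment. "Proxy inside the firewall": the gateway forwards and NATs
# only for the proxy host, so every other LAN host must use the proxy.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_IP="${PROXY_IP:-192.168.1.10}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
# Protocols that cannot be proxied (IM etc.), as proto:port pairs.
BYPASS_PORTS="${BYPASS_PORTS:-tcp:5190 tcp:5222}"

# Print the iptables commands rather than running them, so the policy can
# be reviewed first and then applied with:  gateway_rules | sh
gateway_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    # Default deny: a LAN host that ignores the proxy gets nothing.
    echo "iptables -P FORWARD DROP"
    # Return traffic for connections the gateway already knows about.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the proxy may originate outbound connections, and only it is NATed.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY_IP -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $PROXY_IP -j MASQUERADE"
    # Explicit exceptions for the non-proxied ports, from any LAN host.
    for pp in $BYPASS_PORTS; do
        proto=${pp%%:*}
        port=${pp##*:}
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p $proto --dport $port -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -p $proto --dport $port -j MASQUERADE"
    done
    # Log what the default policy is about to drop: proxy bypass attempts
    # and misconfigured clients show up here instead of as silent failures.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j LOG --log-prefix 'proxy-bypass: '"
}

# squid.conf lines adding web ports beyond the defaults. Several "acl" lines
# with the same name merge, so this extends the stock Safe_ports list; the
# deny rule is the one already present in the default squid.conf.
squid_safe_ports() {
    for port in "$@"; do
        echo "acl Safe_ports port $port"
    done
    echo "http_access deny !Safe_ports"
}

gateway_rules
squid_safe_ports 8080 8443
```

Unlike the original 80/443 DROP rules, this leaves no other outbound path open, so a client that has not been pointed at the proxy fails for every port rather than only for web traffic, and the LOG line shows which host it was.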