IPCop and GREEN http deny
18 years 8 months ago #13388
by Alexey
IPCop and GREEN http deny was created by Alexey
Good day everyone.
I have an IPCop box in default configuration.
Is it possible to deny access to some services from green network?
For example, I would like to deny HTTP access to green IP address 192.168.100.1.
18 years 8 months ago #13389
by DaLight
Replied by DaLight on topic Re: IPCop and GREEN http deny
If you want to prevent outgoing http access from green ip address 192.168.100.1, you will need to do it in both Squid and iptables.
SQUID
You will need to add the following command to the following file: /var/ipcop/proxy/acl. This command will need to be inserted in the right place in order to have the desired effect. You may need to post your acl file.
[code:1]http_access deny 192.168.100.1[/code:1]
Afterwards, you will need to restart the Proxy service from the Web GUI as this copies the commands in the acl file into your squid.conf file.
IPTABLES
You will need to add the following line to your /etc/rc.d/rc.local file:
[code:1]/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.100.1 -o $RED_DEV -p tcp --dport 80 -j DROP[/code:1]
18 years 8 months ago #13427
by Alexey
Replied by Alexey on topic Didn't help
I added the lines, even restarted the box, but it didn't help.
I have copfilter installed and enabled in transparent mode for the green network. Maybe this is the question?
The main idea is to disallow a number of IP addresses on the green network to use any services except pop3 and smtp.
18 years 8 months ago #13429
by DaLight
Replied by DaLight on topic Re: Didn't help
Alexey wrote: I have copfilter installed and enabled in transparent mode for the green network. Maybe this is the question?
Copfilter has two built-in HTTP proxy servers (Privoxy and HAVP). HAVP's main purpose is to perform virus scanning of HTTP data while Privoxy does a similar job to Squid. Copfilter causes all three proxies to work in a chain so that user HTTP requests first of all go to SQUID, then PRIVOXY and finally to HAVP.
Since Squid is the first proxy in the chain, the instructions I gave you should have worked if you put them in the right place in your /var/ipcop/proxy/acl file. You will need to look for the following line in your /var/ipcop/proxy/acl file.
[code:1]http_access allow IPCop_networks[/code:1]
Then make sure you insert the deny rule I gave you before this line like this:
[code:1]http_access deny 192.168.100.1
http_access allow IPCop_networks[/code:1]
In addition, you don't need the iptables rule I gave you because you are running the proxies in transparent mode. You could replace it with this rule instead, which blocks all IP access for the IP address in question:
[code:1]/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.100.1 -o $RED_DEV -j DROP[/code:1]
POP3 and SMTP will still work as long as the appropriate proxies for these protocols in Copfilter are enabled.
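The two DaLight replies above describe a procedure whose only failure mode is ordering: a `http_access deny` line that lands after `http_access allow IPCop_networks` is never reached, because Squid stops at the first matching `http_access` rule. The script below is an added example, not code from the thread or from the IPCop project. It inserts the deny line immediately before the allow line, refuses to run if the anchor line is missing, does nothing if the deny is already present, and offers a check that the ordering is correct. It also builds the CUSTOMFORWARD rule from both replies (port-specific when a port is given, all traffic otherwise). The acl content used here is constructed for the example and the file path is a temporary file rather than /var/ipcop/proxy/acl; GREEN_DEV and RED_DEV are assumed to be set in the environment, as they are in rc.local.

```shell
#!/bin/sh
# Added example (not from the thread): manage an IPCop-style Squid acl file safely.
# The sample acl below is constructed; on a real box point at /var/ipcop/proxy/acl
# and restart the proxy from the Web GUI afterwards, as the replies say.

# Insert "http_access deny <ip>" directly before "http_access allow IPCop_networks".
# Idempotent: a second run leaves the file unchanged. Fails if the anchor is absent,
# since a deny placed anywhere else would not take effect.
insert_squid_deny() {
    acl_file="$1"
    ip="$2"
    deny_line="http_access deny $ip"
    anchor='http_access allow IPCop_networks'

    if grep -qx "$deny_line" "$acl_file"; then
        return 0
    fi
    if ! grep -qx "$anchor" "$acl_file"; then
        echo "anchor line '$anchor' not found in $acl_file" >&2
        return 1
    fi
    tmp="$acl_file.tmp.$$"
    awk -v deny="$deny_line" -v anchor="$anchor" '
        $0 == anchor { print deny }   # emit the deny just before the allow
        { print }
    ' "$acl_file" > "$tmp" && mv "$tmp" "$acl_file"
}

# Return 0 only if the deny for <ip> appears before the IPCop_networks allow line.
deny_precedes_allow() {
    acl_file="$1"
    ip="$2"
    deny_n=$(grep -nx "http_access deny $ip" "$acl_file" | head -n1 | cut -d: -f1)
    allow_n=$(grep -nx 'http_access allow IPCop_networks' "$acl_file" | head -n1 | cut -d: -f1)
    [ -n "$deny_n" ] && [ -n "$allow_n" ] && [ "$deny_n" -lt "$allow_n" ]
}

# Build the CUSTOMFORWARD drop rule from the replies: with a port (first reply,
# "-p tcp --dport 80") or without one (second reply, all traffic from the host).
# GREEN_DEV and RED_DEV are assumed to be set, as in rc.local.
build_drop_rule() {
    ip="$1"
    port="$2"
    rule="/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s $ip -o $RED_DEV"
    if [ -n "$port" ]; then
        rule="$rule -p tcp --dport $port"
    fi
    echo "$rule -j DROP"
}

# Constructed sample acl standing in for /var/ipcop/proxy/acl.
SAMPLE_ACL=$(mktemp)
cat > "$SAMPLE_ACL" <<'EOF'
acl IPCop_networks src 192.168.100.0/24
http_access allow IPCop_networks
http_access deny all
EOF
```

Running `insert_squid_deny "$SAMPLE_ACL" 192.168.100.1` followed by `cat "$SAMPLE_ACL"` shows the deny line sitting directly above the allow line, which is the layout the second reply asks for. Checking the ordering with `deny_precedes_allow` before restarting the proxy catches the "I added the lines but it didn't help" situation from the thread without touching the running Squid.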