Networking Help!
Master of Reality:
I couldn't get the transparent proxy working yet, but I use ipchains to block doubleclick.net and microsoft.com. I believe you did this using the proxy to block them.
I found out that to do the proper forwarding using iptables, all I would have to do is:
--- Code: ---
--- End code ---
I am considering using iptables instead of chains, but I would have to recompile the kernel on a different computer due to lack of space for the kernel source. Can I recompile the kernel on another (this) computer, then burn it onto a CD and install it on my server?
I found this howto on setting up a transparent proxy using squid and iptables: http://www.tldp.org/HOWTO/mini/TransparentProxy.html
[ April 18, 2002: Message edited by: Master of Reality ]
voidmain:
Actually it's difficult to block *.microsoft.com, *.msn.com, *.doubleclick.net, *.hitbox.com, etc. at the firewall because you have to use IP addresses/ranges. Doubleclick is always on the move and they have servers on *many* networks, so there are two ways I do blocking of entire domains. For microsoft I create my own .microsoft.com DNS zone on my DNS server but I don't add any records in the zone. As far as my computers can tell, there *is* no microsoft.com. For the rest (doubleclick, hitbox, etc.) I use Squid. Why do I do it two different ways, you ask? Well, if you do it in Squid, it's only effective for "http" traffic. Doing it in your DNS server affects *all* TCP/IP ports. No phone-home programs can work, unless they have IP addresses hard coded into the software, which they never do. They can't use a hard coded IP address because then they can never change their network around.
Of course if you do have a reliable list of IP ranges, it would be good to use ipchains as well. There is nothing stopping them from using alternate domain names to point to their servers.
Yes, you can compile the kernel on a different box, but don't forget to copy the modules, and you may have to create a new "initrd.img" if you have any required modules that need to be loaded prior to mounting the filesystem. I guess after compiling you could copy the entire kernel source tree to CD and just do a "make install; make modules_install; (etc)" from the CD. But I'm not sure if there is enough room on a CD to hold an entire compiled kernel source tree. After compiling just "cd /usr/src/linux", then "du -sk ." to see how much space would be required (assuming your source tree is in "/usr/src/linux").
You would also have to take care to preserve the modification date/times on everything when copying to CD if you want to be able to "make install". If it detects that the object files are older than the source or Makefiles it would try and recompile. That certainly wouldn't be fun on a CD. Not to mention the read only problem.
[ April 18, 2002: Message edited by: VoidMain ]
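The two blocking methods voidmain describes above, as an added example that is not part of the original thread: an "empty" authoritative zone that makes every name under a domain fail to resolve (and so blocks every port, not just HTTP), next to a Squid ACL for the domains that only need blocking over HTTP. BIND is assumed as the DNS server (the thread does not name one); the zone file path, the SOA serial, the "blockdomains" ACL name and the domains passed in are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: one way to do the two kinds
# of blocking voidmain describes. BIND is assumed as the DNS server (the
# thread does not name one); file paths, the serial number, the
# "blockdomains" ACL name and the domain lists are assumptions.
set -eu

ZONE_FILE=${ZONE_FILE:-/var/named/db.blackhole}   # assumed path

# A zone file carrying only what BIND insists on (SOA + NS) and no
# A/CNAME/MX records. Every name under a domain served from this file gets
# NXDOMAIN, for every port and protocol, because the lookup fails before a
# connection is ever attempted. One file can be shared by all blackholed zones.
blackhole_zone_file() {
    cat <<'EOF'
$TTL 86400
@   IN  SOA localhost. hostmaster.localhost. (
            2002041801  ; serial (assumed)
            3600        ; refresh
            900         ; retry
            604800      ; expire
            86400 )     ; negative TTL: clients cache the NXDOMAIN as well
@   IN  NS  localhost.
EOF
}

# named.conf stanza that makes this server authoritative for DOMAIN, so it
# answers from the empty file instead of recursing to the real name servers.
named_zone_stanza() {
    printf 'zone "%s" IN {\n    type master;\n    file "%s";\n};\n' "$1" "$ZONE_FILE"
}

# Squid ACL for domains blocked only over HTTP. A leading dot in dstdomain
# matches the domain and every subdomain. The "http_access deny" line must
# come before the "http_access allow" lines in squid.conf or it never fires.
squid_block_acl() {
    printf 'acl blockdomains dstdomain'
    for d in "$@"; do printf ' .%s' "$d"; done
    printf '\nhttp_access deny blockdomains\n'
}

# Count address-type records in a zone file read from stdin; a blackhole
# zone must report 0. (grep -c exits 1 when the count is 0, hence "|| true".)
count_address_records() {
    grep -c -E '^[^;]*[[:space:]]IN[[:space:]]+(A|AAAA|CNAME|MX)[[:space:]]' || true
}

# After named is reloaded, a lookup against the local server has to fail.
verify_blackhole() {
    dig @127.0.0.1 "www.$1" A | grep -q 'status: NXDOMAIN'
}

case "${1:-}" in
    show)
        blackhole_zone_file
        named_zone_stanza microsoft.com
        squid_block_acl doubleclick.net hitbox.com
        ;;
    install)            # root only: writes the zone file and appends to named.conf
        blackhole_zone_file > "$ZONE_FILE"
        named_zone_stanza microsoft.com >> /etc/named.conf
        named-checkzone microsoft.com "$ZONE_FILE"
        ;;
esac
```

Run it with "show" to print the three fragments, or with "install" as root on the DNS server, then reload named and run verify_blackhole microsoft.com. named-checkzone may warn that the NS name "localhost." has no address record; for a sinkhole zone that is harmless. Note the caveat voidmain gives: the DNS trick only stops software that resolves the name, so a program with a hard-coded IP, or one using a second domain you did not blackhole, still gets through.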
Master of Reality:
I believe that to set up a transparent proxy with chains it is something like:
--- Code: ---
--- End code ---
I will try this.
To block microsoft and other places, can't I block my network from asking for information from the domain name (i.e. microsoft.com)?
I put down:
# ipchains -A output -d microsoft.com -j REJECT
that should prevent my network from trying to initiate a tcp connection with microsoft.com even if they change their IP address.
[ April 19, 2002: Message edited by: Master of Reality ]
Master of Reality:
I did those chain commands. I configured the proxy just like the HOWTO told me to. Now when I try to start squid, it says: fatal: cannot determine fully qualified hostname. Please set visible_host.
So I set the visible hostname in the squid.conf file to "server" and it still gives me the same message. I can't figure out how to fix this. Got any ideas?
My computer's hostname is set to server too.
[ April 18, 2002: Message edited by: Master of Reality ]
voidmain:
I actually got it to work! I used your chain rules and uncommented the http_accel* stuff in chapter 4 of the howto (and set the host name) and it worked. But I still can't use it. I lost my authentication when using transparent proxying. I guess I could still use it but restrict where you are allowed to go when not authenticated. I can't do an "allow all" because that would defeat the purpose of what I need it for at home. If you find anything that would allow authentication+transparency let me know.
I also added "-i eth1" (my inside interface) to each of the IP chains rules you gave me so that it would only redirect inside machines. I have a web site on my outside interface on port 80 and without adding the "-i" I would lose that web site.
Also, you can not use domains in ipchains rules. You *can* use hostnames, but not entire domains. I'll let you know if I can get the authentication part to work with transparent proxy.
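The interface-restricted redirect voidmain describes, as an added example that is not part of the original thread (the thread's own rules were not preserved in the archive): a REDIRECT rule for the 2.2 kernel (ipchains) and the equivalent for 2.4 (iptables), both matched on the inside interface so that a web server bound to the outside interface keeps its own port-80 traffic. The interface name eth1, the LAN range 192.168.1.0/24 and the Squid port 3128 are assumptions; note that the source match is a network, not a domain, for the reason voidmain gives.

```shell
#!/bin/sh
# Added example, not from the original thread: transparent-proxy REDIRECT
# rules limited to the inside interface, as voidmain describes. Interface
# name, LAN range and Squid port are assumptions (override via environment).
# "show" prints the rules; "apply" (as root) installs the one your kernel
# supports.
set -eu

INSIDE_IF=${INSIDE_IF:-eth1}          # LAN-facing interface (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}    # LAN range (assumed)
SQUID_PORT=${SQUID_PORT:-3128}        # Squid listening port (assumed)

# 2.2 kernel (ipchains). Only packets arriving on $INSIDE_IF from the LAN
# and bound for any host's port 80 ("-d 0/0 80") are redirected to Squid,
# so a web server on the outside interface is left alone. Needs a kernel
# built with CONFIG_IP_TRANSPARENT_PROXY.
ipchains_redirect_rule() {
    printf 'ipchains -A input -i %s -p tcp -s %s -d 0/0 80 -j REDIRECT %s\n' \
        "$INSIDE_IF" "$LAN_NET" "$SQUID_PORT"
}

# 2.4 kernel (iptables). REDIRECT lives in the nat table's PREROUTING chain
# and is matched on the inbound interface the same way. Needs ipt_REDIRECT.
iptables_redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' \
        "$INSIDE_IF" "$LAN_NET" "$SQUID_PORT"
}

# Pick the tool the running kernel supports; the ipchains and iptables
# kernel modules are mutually exclusive, so whichever command is installed
# alongside the running kernel is the one to use.
redirect_rule() {
    if command -v iptables >/dev/null 2>&1; then
        iptables_redirect_rule
    elif command -v ipchains >/dev/null 2>&1; then
        ipchains_redirect_rule
    else
        echo "neither iptables nor ipchains found" >&2
        return 1
    fi
}

case "${1:-}" in
    show)  ipchains_redirect_rule; iptables_redirect_rule ;;
    apply) redirect_rule | sh -ex ;;
esac
```

Squid still has to be told it is fronting redirected traffic (the http_accel settings from chapter 4 of the HOWTO that voidmain mentions), and, as the last post says, authentication is lost on redirected connections because the browser never knows a proxy is involved and so never sends proxy credentials.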