TOPIC: IPCop and GREEN http deny

IPCop and GREEN http deny 10 years 9 months ago #13388

  • Alexey
Good day everyone.

I have an IPCop box in default configuration.

Is it possible to deny access to some services from the green network?

For example, I would like to deny HTTP access to green IP address 192.168.100.1?

Re: IPCop and GREEN http deny 10 years 9 months ago #13389

  • DaLight
If you want to prevent outgoing http access from green ip address 192.168.100.1, you will need to do it in both Squid and iptables.

SQUID
You will need to add the following command to the following file: /var/ipcop/proxy/acl. This command will need to be inserted in the right place in order to have the desired effect. You may need to post your acl file.
[code:1]http_access deny 192.168.100.1[/code:1]
Afterwards, you will need to restart the Proxy service from the Web GUI as this copies the commands in the acl file into your squid.conf file.

IPTABLES
You will need to add the following line to your /etc/rc.d/rc.local file:
[code:1]/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.100.1 -o $RED_DEV -p tcp --dport 80 -j DROP[/code:1]

Didn't help 10 years 9 months ago #13427

  • Alexey
I added the lines, even restarted the box, but it didn't help.
I have copfilter installed and enabled in transparent mode for green network. Maybe, this is the question?

The main idea is to disallow a number of IP addresses on the green network to use any services except pop3 and smtp.

Re: Didn't help 10 years 9 months ago #13429

  • DaLight
[quote]I have copfilter installed and enabled in transparent mode for green network. Maybe, this is the question?[/quote]
Copfilter has two built-in HTTP proxy servers (Privoxy and HAVP). HAVP's main purpose is to perform virus scanning of HTTP data while Privoxy does a similar job to Squid. Copfilter causes all three proxies to work in a chain so that user HTTP requests first of all go to SQUID, then PRIVOXY and finally to HAVP.
Since Squid is the first proxy in the chain, the instructions I gave you should have worked if you put them in the right place in your /var/ipcop/proxy/acl file. You will need to look for the following line in your /var/ipcop/proxy/acl file.
[code:1]http_access allow IPCop_networks[/code:1]
Then make sure you insert the deny rule I gave you before this line like this:
[code:1]http_access deny 192.168.100.1
http_access allow IPCop_networks[/code:1]
In addition, you don't need the iptables rule I gave you because you are running the proxies in transparent mode. You could replace it with this rule instead,
[code:1]/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.100.1 -o $RED_DEV -j DROP[/code:1]
which blocks all IP access for the IP address in question. POP3 and SMTP will still work as long as the appropriate proxies for these protocols in Copfilter are enabled.
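The ordering requirement from the reply above, as an added example that is not part of the original thread or of IPCop: a shell helper that places a deny rule above the `http_access allow IPCop_networks` line and checks the resulting order. Squid's `http_access` takes ACL names, so the helper defines a named `src` ACL; the function names, the ACL name `denied_green_host` and the sample file are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of IPCop or this thread).
ANCHOR='http_access allow IPCop_networks'   # line named in the reply above

# Constructed sample of an acl template; a real /var/ipcop/proxy/acl is longer.
make_sample_acl() {
    cat > "$1" <<'EOF'
acl IPCop_networks src 192.168.100.0/255.255.255.0
http_access allow localhost
http_access allow IPCop_networks
http_access deny all
EOF
}

# Succeeds only if "http_access deny NAME" sits above the allow line,
# because Squid stops at the first http_access rule that matches.
deny_precedes_allow() {   # usage: deny_precedes_allow FILE NAME
    awk -v anchor="$ANCHOR" -v deny="http_access deny $2" '
        $0 == deny   && !d { d = NR }
        $0 == anchor && !a { a = NR }
        END { exit !(d && a && d < a) }' "$1"
}

# Insert a named src ACL and its deny rule directly above the allow line.
# Returns 1 for a malformed address, 2 if the anchor line is missing.
insert_green_deny() {     # usage: insert_green_deny FILE IP [NAME]
    file=$1; ip=$2; name=${3:-denied_green_host}   # NAME is an assumed label
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    grep -qxF "$ANCHOR" "$file" || return 2
    deny_precedes_allow "$file" "$name" && return 0   # already in place
    tmp="$file.new.$$"
    awk -v anchor="$ANCHOR" -v ip="$ip" -v name="$name" '
        $0 == anchor && !done {
            print "acl " name " src " ip
            print "http_access deny " name
            done = 1
        }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demo on the constructed sample: prints the file with the rule in place.
demo=$(mktemp) && make_sample_acl "$demo" &&
    insert_green_deny "$demo" 192.168.100.1 && cat "$demo"
rm -f "$demo"
```

On a real box, run it against a copy of the acl file first, then restart the Proxy service from the Web GUI as described in the thread.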

Works, thank you 10 years 9 months ago #13509

  • Alexey
It works. Thank you very much.