KgAutobahn n00b
Joined: 27 Feb 2003 Posts: 45 Location: Sweden
Posted: Fri Jan 09, 2004 8:35 am Post subject: How can I block external proxies?
How do I block external proxies in my firewall?
I work at a school and I have blocked certain sites from my users during class, but they have started to use external proxies to get by this. How can I stop them from doing that?

fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Fri Jan 09, 2004 9:07 am
Do you know what ports the proxies are using? You could block those ports.

KgAutobahn n00b
Joined: 27 Feb 2003 Posts: 45 Location: Sweden
Posted: Fri Jan 09, 2004 9:35 am
Some of the proxies are using port 80. That makes things a little more difficult.

fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Fri Jan 09, 2004 9:44 am
That means you'll have to inspect every packet going through to see if it's a proxy request. Not an easy task! I don't know if there's a module for iptables that does that; you could try googling for it. Or maybe have a look at the p2p netfilter block that was referred to in another discussion, that might have something like what you're looking for.

fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Fri Jan 09, 2004 9:47 am
One idea might be to set up your own proxy and force everyone to go through that, otherwise they don't even get a connection. Or you could set the proxy up as a transparent proxy. That way you have much better control of which sites users can go to, including blocking the external proxy sites.

KgAutobahn n00b
Joined: 27 Feb 2003 Posts: 45 Location: Sweden
Posted: Fri Jan 09, 2004 9:53 am
Thanks for your answers.
But the best thing would be if I could do it with iptables, since I use cron to block/open sites at different times. But maybe I can do it with squid and make a script that changes the config file at different times.

fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Fri Jan 09, 2004 10:07 am
I just did a bit more searching and have another idea. Maybe you could use the string extension to netfilter to block strings which are specific to proxy requests.
For example, you could filter for the CONNECT string in the first packet of a new connection to port 80 or whatever port the proxies are running on.

KgAutobahn n00b
Joined: 27 Feb 2003 Posts: 45 Location: Sweden
Posted: Fri Jan 09, 2004 10:13 am
Thanks!

KgAutobahn n00b
Joined: 27 Feb 2003 Posts: 45 Location: Sweden
Posted: Wed Jan 14, 2004 12:23 pm
I solved it by myself. Sniffed my traffic and checked the packets. Found that they contained the string "Proxy-Connection". Then I blocked that string with netfilter's help.
Code:
iptables -I FORWARD -s 172.22.0.0/24 -p tcp -m string --string Proxy-Connection -j REJECT
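An added example (not code from the thread) that ties together fleed's CONNECT suggestion and KgAutobahn's "Proxy-Connection" rule. The first function reads a captured HTTP request and says whether it carries the signatures a forward-proxy request shows (CONNECT method, absolute URI on the request line, Proxy-Connection header); it looks only at the request line and headers, so the same string appearing inside a page body does not count, which is a false positive a raw packet string match cannot avoid. The second function prints the netfilter rules in a form restricted to a list of ports, which is the performance point made later in the thread. The subnet 172.22.0.0/24 comes from the thread; the port list is an assumption. The `--algo bm` option is required by the string match that later 2.6 kernels (2.6.14 onwards) ship; the 2.4 patch-o-matic match used in the thread takes no such option.

```shell
#!/bin/sh
# Added example, not the thread's own code. Subnet from the thread; ports are
# an assumption to adjust to what your own capture shows.
LAN_NET="${LAN_NET:-172.22.0.0/24}"

# Read one HTTP request from stdin; return 0 if it looks like a request to a
# forward proxy, 1 otherwise. Only the request line and the header block are
# inspected: the body is cut off at the first blank line.
classify_http_request() {
    req=$(tr -d '\r')                                   # normalise CRLF
    line=$(printf '%s\n' "$req" | head -n 1)
    headers=$(printf '%s\n' "$req" | awk 'NR==1{next} /^$/{exit} {print}')
    method=${line%% *}
    rest=${line#* }
    target=${rest%% *}
    [ "$method" = "CONNECT" ] && return 0               # TLS tunnel via a proxy
    case "$target" in
        http://*|https://*) return 0 ;;                 # absolute-URI target
    esac
    printf '%s\n' "$headers" | grep -iq '^Proxy-Connection:' && return 0
    return 1
}

# Print FORWARD rules for one client subnet and a list of ports. The string
# match is then only evaluated on those ports instead of on every TCP packet.
# --algo bm is needed by the xt_string match of 2.6.14+ kernels.
print_proxy_block_rules() {
    net=$1; shift
    for port in "$@"; do
        for sig in 'CONNECT ' 'Proxy-Connection:'; do
            printf 'iptables -I FORWARD -s %s -p tcp --dport %s -m string --algo bm --string "%s" -j REJECT\n' \
                "$net" "$port" "$sig"
        done
    done
}

# Dry run: show the rules for the thread's subnet on two assumed proxy ports.
print_proxy_block_rules "$LAN_NET" 80 8080
```

Pipe a request saved from a capture into `classify_http_request` to see which signature it trips; pipe the output of `print_proxy_block_rules` into `sh` only after checking the rule lines are what you expect. Keep in mind that the rules still match on packet contents, so a site that legitimately returns these strings inside a page on one of the listed ports will be rejected too.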

fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Wed Jan 14, 2004 12:32 pm
And hopefully your users won't be too upset. If you have problems with all four tires of your car at the same time you know that netfilter is to blame!
On a side note, how much of an impact on your overall natting performance does using the string extension have?

KgAutobahn n00b
Joined: 27 Feb 2003 Posts: 45 Location: Sweden
Posted: Wed Jan 14, 2004 12:43 pm
Everything is working perfectly so far.
You have bad experience with netfilter? For me netfilter has been working fine so far. I use it to stop p2p and now proxies.

KgAutobahn n00b
Joined: 27 Feb 2003 Posts: 45 Location: Sweden
Posted: Wed Jan 14, 2004 12:47 pm
But I guess for performance it could be a good idea to just apply it to the proxy ports.

fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Wed Jan 14, 2004 12:51 pm
On the other hand, netfilter has been pretty good to me! The thing is I only have rules that look at the packet header and not at the contents (AFAICT.) I was just wondering what impact the extension I suggested would have since it has to look through packet contents.
Yes, for performance reasons I think it would. You could have a look at your cpu usage now with the open wide rule, plus your ping times and throughput, then limit it to a few ports and do the same test again. And it's also a good idea to check that other ports are not being used for proxying once in a while.

KgAutobahn n00b
Joined: 27 Feb 2003 Posts: 45 Location: Sweden
Posted: Wed Jan 14, 2004 1:05 pm
Right now everything looks fine, but a lot of the students have left for today. It will be interesting to check the performance tomorrow when everyone is here.

KgAutobahn n00b
Joined: 27 Feb 2003 Posts: 45 Location: Sweden
Posted: Tue Feb 17, 2004 10:50 am
Upgraded the firewall to a 2.6 kernel and the --string extension doesn't work with it. Don't want to change back to 2.4 since I liked the performance of the 2.6 kernel. Anyone with a good idea on how to stop proxies (again)?

fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Tue Feb 17, 2004 12:16 pm
You could try patching your kernel. BTW, where did you see performance improvements? I am thinking of switching a few machines to 2.6 but don't know what impact that would have performance-wise.

KgAutobahn n00b
Joined: 27 Feb 2003 Posts: 45 Location: Sweden
Posted: Tue Feb 17, 2004 12:55 pm
Well, here's a good example of good performance. Someone hacked my router and started a fork loop. I didn't notice it for several days, until I logged in and checked the running processes. My CPU was working at 99% with just a couple of MB of memory available.
Didn't notice it in my network performance before that. That's impressive, I think. The computer should have gone down long before that.
I tried patching the kernel. Didn't work...

fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Tue Feb 17, 2004 1:53 pm
Excellent! I think I'll try a machine at a time so I don't have any nasty surprises as far as compatibility issues, etc.

damien2929 n00b
Joined: 17 Feb 2004 Posts: 9
Posted: Tue Feb 17, 2004 7:48 pm
How about using squid in transparent proxy mode on the router?
This way all connections to port 80 are sent to squid for handling.
Then you need to lock down the browsers with some policy if on Windows,
else somebody else can tell you how to lock down Linux browsers!?
I use squid here like that just so there are logs, because I have an open wireless connection.
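An added example (not configuration from the thread or from the squid project) of the transparent-proxy setup fleed and damien2929 suggest: port-80 traffic from the LAN is redirected on the router to squid, and squid's ACLs then decide what passes, including the time-of-day blocking KgAutobahn was doing with cron, so no script needs to rewrite rules on a schedule. Assumptions: squid 3.x/4.x syntax (`intercept` on `http_port`), the LAN subnet 172.22.0.0/24 from the thread, LAN interface eth1, squid listening on port 3129, and two block-list file paths; all are placeholders to adapt. Only port 80 is intercepted, so proxies listening on other ports must be redirected or blocked separately, and HTTPS needs its own handling.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Interface, squid port
# and list paths are assumptions; the subnet comes from the thread.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-172.22.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3129}"

# Print the nat-table rule that sends LAN web traffic to squid. Packets squid
# itself sends out go through OUTPUT, not PREROUTING, so they are not looped.
print_redirect_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$LAN_NET" "$SQUID_PORT"
}

# Write a squid.conf fragment to the given path: intercept LAN port 80, always
# deny the sites listed in proxy-sites.txt, deny class-blocked.txt only during
# class hours (Mon-Fri 08:00-16:00), allow the LAN otherwise.
write_squid_conf() {
    out=$1
    cat > "$out" <<EOF
http_port ${SQUID_PORT} intercept
acl lan src ${LAN_NET}
acl classtime time MTWHF 08:00-16:00
acl proxysites dstdomain "/etc/squid/proxy-sites.txt"
acl classblocked dstdomain "/etc/squid/class-blocked.txt"
http_access deny proxysites
http_access deny classblocked classtime
http_access allow lan
http_access deny all
EOF
}

# Dry run: show the redirect rule for the assumed interface and subnet.
print_redirect_rules
```

Run `write_squid_conf /etc/squid/conf.d/transparent.conf` (or merge the lines into squid.conf), put one domain per line in the two list files, reload squid, then apply the printed redirect rule. Squid's access.log then records every port-80 request from the LAN, which is also the easiest place to spot a new proxy site before adding it to proxy-sites.txt.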