Allow Msn Messenger through squid proxy

Status
Not open for further replies.

sdabreo

IS-IT--Management
Oct 3, 2002
Dear All,

I have Redhat Linux 9 with a transparent Squid proxy enabled on it. My client machines run Windows XP. I have two groups in my network: Group A has all access and Group B has only restricted access to URLs.

My Group A people are able to log in to MSN Messenger, but my Group B people are not able to log in. I have created a separate ACL for the MSN users also:

acl msn_hosts src 192.168.1.2 192.168.1.3
acl msn dst 207.46.104.20 207.46.110.0/24
http_access allow msn_hosts msn
http_access deny all

but still I am unable to log in.

Can anyone tell me how to solve this?

Regards
Sakthi
 
Sorry, here is my exact Squid conf:

acl lan2_blr src 192.168.100.0/255.255.255.0
acl msn_hosts src 192.168.1.65 192.168.1.66 192.168.1.56 192.168.1.4
acl allowed_machines src "/etc/squid/allowed_machines"
acl support_staff src "/etc/squid/support_staff"
acl callcenter src "/etc/squid/callcenter"

acl rejected_urls url_regex "/etc/squid/rejected_urls"
acl allowed_urls dstdomain "/etc/squid/allowed_urls"
acl msn dstdomain 64.4.13.0/24 152.163.241.0/24 64.12.163.0/24 207.46.110.0/24 207.46.1.0/24 65.54.0.0/16 207.46.104.20 207.46.110.0

http_access deny rejected_urls
http_access deny !allowed_machines
http_access deny !lan1_blr !lan2_blr
http_access allow msn_hosts msn
http_access allow callcenter allowed_urls allowed_machines
http_access allow support_staff !callcenter
http_access allow all
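The posted `acl msn` line uses the `dstdomain` type, which matches host names, but lists IP networks as its values; Squid's `dst` type is the one that matches destination addresses, and a `dstdomain` value such as `.live.com` is what matches a `CONNECT login.live.com:443`. The toy evaluator below is an added example (not Squid's code) that models just enough of `http_access` semantics to show the effect: lines are tried top to bottom, the first line whose ACLs all match wins, `!` negates one ACL, and when nothing matches the default is the opposite of the last line. DNS is not modelled, so a `dst` ACL only fires when the request already carries a destination IP; the destination IP `207.46.110.12` in the demo is a constructed value inside one of the posted networks, and the `msn` value list is a subset of the posted one. Like Squid, the evaluator refuses an `http_access` line that names an ACL that was never declared (the posted config references `lan1_blr` without an `acl lan1_blr` line).

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str            # client IP address
    host: str = ""      # destination host name (from a CONNECT or GET), if any
    dst_ip: str = ""    # destination IP, only if already known (DNS is not modelled)


class SquidAccess:
    """Holds acl declarations and http_access lines, then decides per request."""

    def __init__(self):
        self.acls = {"all": ("src", ["0.0.0.0/0"])}   # 'all' is built in to Squid
        self.rules = []                                # (action, [(negated, name), ...])

    def acl(self, name, acl_type, *values):
        """acl <name> <type> <value>...; repeating a name appends values."""
        if acl_type not in ("src", "dst", "dstdomain"):
            raise ValueError(f"unsupported acl type {acl_type!r}")
        kind, existing = self.acls.setdefault(name, (acl_type, []))
        if kind != acl_type:
            raise ValueError(f"acl {name} redefined with a different type")
        existing.extend(values)

    def http_access(self, action, *terms):
        """http_access allow|deny [!]name ...; an undeclared name is fatal, as in Squid."""
        parsed = []
        for term in terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            if name not in self.acls:
                raise KeyError(f"ACL name '{name}' not found")
            parsed.append((negated, name))
        self.rules.append((action, parsed))

    def _matches(self, name, req):
        acl_type, values = self.acls[name]
        if acl_type == "src":
            # accepts 192.168.100.0/255.255.255.0 as well as /24 notation
            return any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v, strict=False)
                       for v in values)
        if acl_type == "dst":
            if not req.dst_ip:
                return False
            return any(ipaddress.ip_address(req.dst_ip) in ipaddress.ip_network(v, strict=False)
                       for v in values)
        # dstdomain: values are host names; a leading dot also matches subdomains.
        # An IP network written here is compared as a name and so never matches.
        host = req.host.lower()
        for v in values:
            v = v.lower()
            if v.startswith("."):
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:
                return True
        return False

    def decide(self, req):
        for action, terms in self.rules:
            if all(self._matches(name, req) != negated for negated, name in terms):
                return action
        # nothing matched: Squid applies the opposite of the last line's action
        last = self.rules[-1][0] if self.rules else "deny"
        return "deny" if last == "allow" else "allow"


def evaluate(acl_type, values, request):
    """Build `acl msn <acl_type> <values>` plus the thread's allow/deny pair and decide."""
    s = SquidAccess()
    s.acl("msn_hosts", "src", "192.168.1.65", "192.168.1.66", "192.168.1.56", "192.168.1.4")
    s.acl("msn", acl_type, *values)
    s.http_access("allow", "msn_hosts", "msn")
    s.http_access("deny", "all")
    return s.decide(request)


IP_NETS = ["64.4.13.0/24", "207.46.110.0/24", "65.54.0.0/16", "207.46.104.20"]  # subset of the post
CONNECT = Request(src="192.168.1.65", host="login.live.com")                         # as in the log
RESOLVED = Request(src="192.168.1.65", host="login.live.com", dst_ip="207.46.110.12")  # constructed IP

if __name__ == "__main__":
    print("dstdomain with IP networks:", evaluate("dstdomain", IP_NETS, CONNECT))      # deny
    print("dst with IP networks      :", evaluate("dst", IP_NETS, RESOLVED))           # allow
    print("dstdomain .live.com       :", evaluate("dstdomain", [".live.com"], CONNECT))  # allow
```

The first case is the configuration as posted: the `allow msn_hosts msn` line can never match, so every request from the MSN hosts falls through to the deny. The other two show the two ways Squid can actually match the destination.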
 
I normally use iptables to block Messenger's port for the whole network or only one subnet.

QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
Hi

I might be wrong, but I don't think Squid would handle MSN. Squid is an HTTP proxy and caching server, not a firewall. You would have to set up iptables and allow the MSN port, and also forwarding on your Linux box if you use it as a router. Then you only point your web browsers to the Squid server port. I know this because I wanted Squid to proxy my POP and SMTP data. Hope this helps.

ekke85
 

I am not using iptables; even my other firewalls are not blocking any messengers. I need to get it done desperately. Can someone help me out?
 
MSN should not go through Squid and it would not. Are you using your Linux box as a router? How did you tell the terminals to connect to the internet; where did you set these settings? Normally you would only set your proxy settings in the browser settings; can you specify it in MSN? If you can specify it in MSN, disable the proxy in MSN.

ekke85
 
I am not using iptables at all in my Linux box.

My client PCs are connecting to the internet via the proxy server.

My proxy server is connecting to the internet through my Cisco firewall; in the proxy server my details are given like this:

IP : 192.168.1.6 -- Linux squid Proxy server ip
GW : 192.168.1.5 -- MY CISCO Firewall IP
DNS : xx.xx.xx.xx

My client machines also have the same GW and DNS;
my client machines' browsers point to 192.168.1.6 (Linux Squid proxy server).

My question is very simple:

My Group A people are able to log in to MSN through the proxy.
Only my Group B people are not able to log in to MSN.

I suspect my ACL is blocking..!!!

Even I tried to place
http_access allow msn_hosts msn
before any deny statement...
Nothing is working out.

Enclosed is the access.log file for your reference:

207.46.104.201175083489.222 1 192.168.1.65 TCP_DENIED/403 1407 POST - NONE/- text/html

ED/403 1329 CONNECT login.live.com:443 - NONE/- text/html
1175083462.022 66 192.168.1.4 TCP_DENIED/403 1407 POST - NONE/- text/html
1175083464.350 2397 192.168.1.41 TCP_MISS/200 20728 GET - DIRECT/72.14.205.17 text/javascript
1175083472.619 226 192.168.1.4 TCP_DENIED/403 1343 POST - NONE/- text/html
1175083476.472 760 192.168.1.39 TCP_MISS/200 353 POST - DIRECT/216.155.194.239 text/plain
1175083481.835 302 192.168.1.4 TCP_DENIED/403 1407 POST - NONE/- text/html
1175083489.106 272 192.168.1.4 TCP_DENIED/403 1329 CONNECT login.live.com:443 - NONE/- text/html
1175083489.222 1 192.168.1.65 TCP_DENIED/403 1407 POST - NONE/- text/html
1175083489.798 576 192.168.1.4 TCP_DENIED/403 1407 POST - NONE/- text/html
1175083489.798 576 192.168.1.4 TCP_DENIED/403 1407 POST - NONE/- text/html
Desperately need to get it done.... Appraisal TIME???!!!!
 
Well, you should instead be using iptables.


If I understand correctly you need to give access to MSN to the 192.168.100. network.


Start iptables on the proxy machine.

Make sure you have the necessary kernel modules:

modprobe -l | grep iptables

will give you the list of modules that are loaded concerning iptables.

Assuming that your internal interface is eth0 and your external is eth1:

Code:
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -t nat -F

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 6891:6900 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 5004:65535 -j ACCEPT
I have just done a brief search on the ports and protocols that MSN uses. There may be more.
This configuration is not recommended. Rather learn iptables properly and couple squid and iptables on the same machine; at that point change the default policies to DROP and start from scratch with a proper configuration.

Squid itself is enough to protect your network. Neither is your cisco router; you seriously need a firewall.

You will find help on this forum concerning iptables.

QatQat




If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
If that's the case, how come my Group A people are able to access MSN without iptables?

Here I am not talking about my 192.168.100.0 network.

I think my ACL is blocking...... I need to enable MSN-related IPs or URLs in my allowed URL list.

Can someone help me out in this regard?
 
Group A's network may be accessing the router directly.
If you read my answer to your other post, routing issues may be playing a role here.


QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
Hi all,

I am facing a problem in Squid 2.5 STABLE3: it does not support Transfer-Encoding: chunked. Squid 2.5 converts the request with
HTTP version 1.1 to HTTP version 1.0. Still, some sites return Transfer-Encoding: chunked in the response, Ex. ( and so the browser remains blank for these sites.

Can you suggest any workaround for this problem, so that I can access these sites also through my Squid?

Thanks
Nilesh Gupta
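A chunked body is framed as `chunk-size [;extensions] CRLF chunk-data CRLF ...` ending with a `0` size line, optional trailer headers and a final empty line. A proxy that talks HTTP/1.0 to the client has to de-chunk such a response and replace `Transfer-Encoding` with a `Content-Length`, otherwise the client sees framing bytes or nothing; this is the step the post says Squid 2.5 lacks. The decoder below is an added example (not Squid's code): it rejects malformed framing rather than guessing, and `dechunk_response` applies it to a constructed response. The sample body, the `X-Checksum` trailer and the `ext=1` chunk extension are constructed values.

```python
"""Decode an HTTP/1.1 chunked transfer-coding body (added example, not Squid code)."""


class ChunkedError(ValueError):
    """Raised for any framing error; a proxy should fail the response, not guess."""


def dechunk(body: bytes):
    """Return (payload, trailers) for a complete chunked body."""
    pos = 0
    out = bytearray()
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("missing chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedError(f"bad chunk size {size_field!r}") from None
        pos = eol + 2
        if size == 0:
            break                                   # last-chunk reached
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        pos += 2
    # after the last chunk: optional trailer header lines, then an empty line
    trailers = {}
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("missing final CRLF")
        line = body[pos:eol]
        pos = eol + 2
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ChunkedError(f"bad trailer line {line!r}")
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    if pos != len(body):
        raise ChunkedError("trailing bytes after chunked body")
    return bytes(out), trailers


def dechunk_response(raw: bytes) -> bytes:
    """Rewrite a chunked response into one delimited by Content-Length,
    which an HTTP/1.0-only client or proxy can consume; other responses pass through."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ChunkedError("no end of headers")
    lines = head.split(b"\r\n")
    headers = lines[1:]
    te = [h for h in headers if h.lower().startswith(b"transfer-encoding:")]
    if not te or b"chunked" not in te[0].lower():
        return raw
    payload, trailers = dechunk(body)
    kept = [h for h in headers if not h.lower().startswith(b"transfer-encoding:")]
    kept.append(b"Content-Length: " + str(len(payload)).encode())
    for k, v in trailers.items():                   # trailers become ordinary headers
        kept.append(f"{k}: {v}".encode("latin-1"))
    return b"\r\n".join([lines[0]] + kept) + b"\r\n\r\n" + payload


# Constructed sample: three chunks (one with an extension) and one trailer header.
SAMPLE_BODY = (b"5\r\nHello\r\n"
               b"7\r\n, proxy\r\n"
               b"6;ext=1\r\n world\r\n"
               b"0\r\nX-Checksum: abc\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n" + SAMPLE_BODY)

if __name__ == "__main__":
    print(dechunk(SAMPLE_BODY))
    print(dechunk_response(SAMPLE_RESPONSE).decode())
```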
 