I have a use case where I want to control (and audit) all network access by applications run on an Ubuntu desktop PC. Squid looked like a great start - I've installed and configured it. Where web browsers are configured to use the proxy on localhost:3128, I get the auditing and access control I'm looking for.

The snag is that any application that is not configured to exclusively use localhost:3128 as proxy can still communicate as normal with both my LAN and the internet.

I've found various 'how-to' documents detailing how to configure hosts with multiple Ethernet cards to act as gateways - and to use Squid as a mandatory proxy... but my configuration is subtly different. I want to be confident that squid is the only application that communicates over the network. Is there a straightforward way to block all network access (inbound, and outbound - even including DNS - etc.) except via squid, on a single host with one Ethernet connection?

aSteve
  • I think what you need is a firewall (iptables), not a proxy (squid) – kyodake Aug 07 '16 at 15:55
  • I definitely want to run Squid (detailed explanation of why omitted for brevity) - and believe that I need IPTables too. I can see how to do it with virtual machines - but, I hope, there's also a more straightforward approach. – aSteve Aug 07 '16 at 16:35

1 Answer

You can simply set rules with the firewall to deny all outgoing ports except for 3128. Make sure that you have ufw installed (sudo apt-get install ufw if it isn't), then:

sudo ufw deny out to any # deny all outgoing addresses
sudo ufw allow out from any to 127.0.0.1 port 3128 proto udp # allow the single outgoing port
sudo ufw allow out from any to 127.0.0.1 port 3128 proto tcp
sudo ufw allow out from any port 3128 to any # outgoing from any IP:3128 to any address (to allow packets of squid)

You can't be sure that all existing applications would use proxy for the simple reason that some of them may not even be written with proxy in mind (proxies can not be used transparently, apps have to take special care of a proxy), but the ufw rules would make sure that their packets wouldn't squeeze from other ports. And don't forget to set http(s)_proxy variables into /etc/environment.

Hi-Angel
  • Those UFW rules don't cut it... "ufw deny out to any" makes sense - but "ufw allow out 3128/tcp" does not... Squid resides on localhost:3128 - not on some other host on port 3128. Those rules block squid traffic as well as traffic from end-user applications. – aSteve Aug 07 '16 at 16:32
  • @aSteve you're right, I modified accordingly. I didn't test though, but it should work. – Hi-Angel Aug 07 '16 at 16:56
  • That updated version doesn't work, either. I think the crux of the problem is that Squid accepts connections on 3128, but there is no such constraint on the source port Squid uses when making outgoing connections. Asking if there is a simple solution to allow IPTables to identify 'valid' Squid traffic (in order to allow it) was the crux of my original question. – aSteve Aug 07 '16 at 18:05
  • @aSteve oh, I didn't think about it, hm… Actually, in this case, I think, the simplest solution is to restrict squid to send packets only from certain port(s), then modify ufw rules accordingly. From a quick search I come up with nothing relevant about such restriction. Another way is to use iptables directly (as opposed to indirectly via ufw); it has a --cmd-owner argument which is what you need. But I've never worked with it directly, so I can't say the right syntax. Anyway, here's a pretty similar example, but with UID. – Hi-Angel Aug 07 '16 at 18:21
  • Thanks - that example suggests that I can do what I need to do with iptables... and, now, I need to read some manuals. :) – aSteve Aug 07 '16 at 19:09
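The approach the last comments converge on (matching on the socket owner rather than on a port) can be written as a small iptables script. The following is an added example, not code from the question or the answer above: it assumes Squid runs as the system user proxy (the default for the Ubuntu squid package), listens on 127.0.0.1:3128, and that the kernel's owner match offers --uid-owner and --gid-owner (the --cmd-owner option mentioned in the comments was removed from the kernel years ago, so the UID is the practical handle). With DRY_RUN=1 (the default) it only prints the iptables commands; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): on a single-NIC host, allow off-host
# traffic only from sockets owned by the Squid user, log and drop the rest.
# Assumptions: Squid runs as user "proxy" on 127.0.0.1:3128; IPv4 only here.
set -eu

SQUID_USER="${SQUID_USER:-proxy}"   # assumed service account of squid
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands, 0 = execute (needs root)

# Wrapper: print or run an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the full ruleset. Order matters: loopback and conntrack first,
# then the single owner-based allow, then the audit log and the drop.
egress_rules() {
    # Start from empty INPUT/OUTPUT chains with a default-deny policy.
    ipt -F OUTPUT
    ipt -F INPUT
    ipt -P OUTPUT DROP
    ipt -P INPUT DROP

    # Loopback stays open so applications can reach Squid on 127.0.0.1:3128
    # and Squid can answer them.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections Squid opened are allowed back in; nothing
    # else may initiate a connection to this host.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The key rule: any packet from a socket owned by the Squid user may
    # leave the host, whatever ephemeral source port Squid picked. This
    # also covers Squid's own DNS lookups, which it performs itself.
    ipt -A OUTPUT -m owner --uid-owner "$SQUID_USER" -j ACCEPT

    # Everything else (other apps' direct connections, their DNS queries)
    # is rate-limited into the kernel log for auditing, then dropped.
    ipt -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix EGRESS-BLOCK:
    ipt -A OUTPUT -j DROP
}

egress_rules
```

Two caveats a practitioner should add before relying on this: the script covers IPv4 only, so either apply an equivalent set with ip6tables (including an ICMPv6 accept for neighbour discovery, which is kernel-generated and has no socket owner) or disable IPv6 on the interface, otherwise IPv6 traffic bypasses the policy; and root-owned daemons such as the DHCP client will also be logged and dropped, so give them their own --uid-owner exception if lease renewals must keep working. Dropped packets show up in the kernel log with the EGRESS-BLOCK: prefix, which is the audit trail the question asks for.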