Re: Force using Squid

From: Rodney van den Oever <[email protected]>
Date: Thu, 2 Apr 1998 18:32:16 +0200

Use the following rules as a template:

interface Serial0
    ip access-group 100 in
    ip access-group 110 out

192.168.1.0 sample network-range
192.168.1.1 Squid-box:
192.168.1.2 Name/mailserver
192.168.1.254 ethernet interface router

! Incoming access-list:
no access-list 100
! Prevent IP-spoofing:
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
! Allow reply’s to Squid-box and mailserver:
access-list 100 permit tcp any 192.168.1.0 0.0.0.3 established
! Access to mailserver en nameserver:
access-list 100 permit tcp any host 192.168.1.2 eq smtp
access-list 100 permit udp any host 192.168.1.2 eq domain
! Allow ping to the external interface of your router:
access-list 100 permit icmp any host 192.168.1.254
! Log blocked packets:
access-list 100 deny ip any any
! EOF

! Outgoing access-list:
no access-list 110
! Block attempts to spoof from your own network:
access-list 110 permit ip 192.168.1.0 0.0.0.3 any
! Log blocked packets:
access-list 110 deny ip any any
! EOF

Together the in- and outgoing access-lists only allow hosts
192.168.1.1-192.168.3 access to the outside world. Just cut-and-paste them
to your cisco router.

>At 08:54 PM 4/2/98 +0700, Panjai Tantatsanawong wrote:
>>Dear Squid user
>> I would like to ask that is it possible to force
>>all users to use WWW via Squid proxy by block TCP port 80
>>of all clients in router and allow only proxy machine
>>to access outside?

>Block in your router outgoing traffic to TCP port 80 (with an exception for
>your proxy). This disables the users to request http. Refer to your router
>manuals on how to do so.

>! give your proxy access
>access-list 110 permit tcp host IP.of.you.proxy any eq www
>! exception for host to a specific site
>access-list 110 permit tcp host IP.of.exception.host domain.of.site.0
>0.0.0.255 eq www
>! deny other www users to go direct
>access-list 110 deny tcp any any eq www
>! allow the rest of TCP
>access-list 110 permit tcp any any
>! another block
>access-list 110 deny udp any any eq netbios-ns
>! permit rest of UDP
>access-list 110 permit udp any any
>! permit the rest of IP
>access-list 110 permit ip any any

--
Rodney van den Oever / 066 166 - 0318 623047 / PGP Key ID 0x0A6CCE53
'Ditch Windows, get Linux, ask someone to plug it and play.'
Received on Thu Apr 02 1998 - 08:43:42 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:39:33 MST