
Resolved
0 votes
Configuration: ClearOS Community 6.6.0 Final (and latest updates) in Gateway mode with Transparent Web Proxy.

I have two physical LANs: 192.168.10.* on eth1 and 192.168.20.* on eth2. Both are configured to use the gateway web proxy. I want all traffic blocked between these two LANs. I have tried various custom firewall rules and, though they appear to block pings and traffic on some other ports, they do not block HTTP traffic between the two LANs. As an example, from a browser on an eth1 device I can access web pages on an eth2 device. My guess is that the actual routing as seen by iptables on the ClearOS server for HTTP requests is from the eth1 device to the ClearOS web proxy, with a completely separate request from the web proxy to the eth2 device, thus rendering my iptables rules irrelevant. Here are the custom firewall rules I am currently using, though I have tried many variations found in the forums with the same results:

iptables -I FORWARD -i eth2 -o eth1 -j REJECT
iptables -I FORWARD -i eth1 -o eth2 -j REJECT

When the rules are enabled I can see that ping requests are blocked between the LANs (destination port unreachable) but HTTP requests are not.

But with the rules enabled and web proxy stopped, even HTTP traffic between the LANs is blocked (as expected).

So... What is the proper method of blocking HTTP traffic between two physical LANs behind clearos when both are using web proxy?

I do not want to use HotLAN as both LANs require proxy services.

Regards,

Peter
Monday, April 20 2015, 10:53 PM
Responses (1)
  • Accepted Answer

    Tuesday, April 21 2015, 02:51 PM - #Permalink
    Resolved
    0 votes
    When using a web proxy, you need to think of the traffic not as originating from one network and flowing to another, but rather as originating from the ClearOS server itself. In this regard, firewalling won't help you. To block the HTTP traffic, you need to look at it as a mechanism of the proxy and what you do or do not allow via the proxy.

    As a high level approach, you will create an 'acl' group for each site and then in the proxy prohibit the one site from accessing the other site via a proxy deny.

    http://wiki.squid-cache.org/SquidFaq/SquidAcl
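As an added illustration of the approach described in this answer (not configuration from the original thread or from ClearOS itself), here is a Squid ACL fragment that denies cross-LAN requests at the proxy. The subnets and interfaces come from the question; the ACL names are assumptions, and where ClearOS expects custom Squid directives to live is not covered here.

```conf
# Added example, not from the original thread. Source networks of the two
# physical LANs described in the question (192.168.10.0/24 on eth1,
# 192.168.20.0/24 on eth2). ACL names are assumed.
acl lan10 src 192.168.10.0/24
acl lan20 src 192.168.20.0/24

# Destination-side ACLs. "dst" matches the resolved IP of the requested host,
# so a request for a hostname that resolves into the other LAN is also caught.
acl lan10_dst dst 192.168.10.0/24
acl lan20_dst dst 192.168.20.0/24

# Squid evaluates http_access lines top to bottom and stops at the first match,
# so these deny lines must precede any "http_access allow" that admits the
# LAN clients (for example the usual localnet allow). Two ACLs on one line
# are ANDed: deny only when the client is in one LAN and the target is the other.
http_access deny lan10 lan20_dst
http_access deny lan20 lan10_dst

# Traffic to the Internet is unaffected and falls through to the existing
# allow rules that follow.
```

Keep the FORWARD-chain REJECT rules from the question in place as well: they still cover direct (non-proxied) connections between the LANs, while the proxy rules above close the path that goes via Squid. After reloading Squid, a request from a 192.168.10.x browser to a 192.168.20.x web server should return Squid's access-denied error page, which is the quickest check that the rule ordering is right.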