If, as the system administrator, you are asked to block access to certain sites (such as chat, cricketing or gaming sites) on a private network, you can do so easily by blocking access for all users at the proxy server.
But what if you need to block these sites for everyone except a few users? For example, your boss himself may be a die-hard cricket fan and may want access to cricketing sites limited to himself alone.
You can do one of two things.
- If the machines on your network have static IP addresses, you can allow or block access based on the IP address.
- You can set up the proxy server to prompt for a login and password when a user tries to access a restricted site. The login credentials will be known only to the privileged users.
The first solution is not suitable if you are running a DHCP server, wherein each machine gets a dynamic IP. It may also not work if your network users share the machines. The second solution will work fine for dynamic IP networks and shared machines. In this article, we will implement the second solution on a Squid proxy server running on PCQLinux 8.0 (given with PCQuest March 2003).
Basic setup
Consider a private network with IP addresses in the range of 192.168.1.1 to 192.168.1.254, where Web access to users is through a proxy server.
As a first step, check whether Squid is already installed on your Linux machine by issuing the following command.
# rpm -qa | grep squid
If you don't see any output, then install the RPM of Squid, named squid-2.4.STABLE7-4.i386.rpm, found in the subdirectory PCQuest/RPMS on PCQLinux 8.0 CD1. The command to install the RPM is as follows.
# rpm -ivh squid-2.4.STABLE7-4.i386.rpm
Once installed, use Webmin, a Web-based configuration tool, to configure Squid. Refer to the article Configuring your PCQLinux, page 78, in PCQuest March 2003, to install and set up Webmin on PCQLinux 8.0. Launch Webmin and click on Servers>Squid Proxy Server. Click on 'Start Squid' to start the HTTP proxy service. By default, Squid runs on port 3128. If you want to change this, to say 8000, click on 'Ports and Networking'. For 'Proxy addresses and ports', select the option 'Listed below' and type in 8000 for the Port. Click on Save.
By default, Squid does not allow any machine on the network to access the Internet. We'll now set up Squid to allow the machines on the local network to access the Internet by using ACLs (Access Control Lists). To do this, click on 'Access Control'. Select 'Client Address' from the drop-down list next to the button labeled 'Create new ACL' and click the button. For the ACL name type in local_network. For 'From IP' type in 192.168.1.1 and for 'To IP' enter 192.168.1.254. You may change these values according to the IP address range of your network. Click on Save. This will bring you back to the Access Control page.
On this page, click on 'Add proxy restriction'. For Action, select Allow and select 'local_network' from the 'Match ACLs' list. Now, click on Save. On the Access Control page, click on the Up arrow against 'local_network', so that the 'local_network' ACL comes at the second last position, above 'Deny all'. Click on 'Apply Changes' at the top.
We have set up the proxy to accept connections from machines on your private network. Fill in the IP address of the Linux machine and the Squid port in the proxy settings of the Web browsers on the user machines, and try browsing the Net. You should be able to browse all sites without any restrictions.
Restrict access
Suppose you want to block two sites, namely www.cricket.org and www.cyberastro.com. Select 'Web Server Hostname' and click on 'Create new ACL'. For the ACL name type in 'denied_site_names'. For domains, type in www.cricket.org and www.cyberastro.com, separated by a space. If you want to block more sites, append their names as well. Click on Save.
Click on 'Add proxy restriction'. For Action, select Deny and select 'denied_site_names' from the Match ACLs list. Click on Save. Click on the Up arrow against 'denied_site_names' and position it just above 'local_network'. Click on Apply Changes. Henceforth, your network users should not be able to access the sites www.cricket.org and www.cyberastro.com.
Privileged access
Finally, we will set up access to denied sites for privileged users, those having a valid login and password. Click on Module Index at the top and then on Authentication Programs. For 'Authentication program' select Webmin and click on Save.
Next, we will assign a login and password for privileged users. Click on Proxy Authentication. Click on Add a new proxy user. Enter a username, like 'privuser' and for password, key in your preferred password. For Enabled, select Yes and click on Create.
Next, click on Module Index>Access Control. Select External Auth and click on 'Create new ACL'. For ACL name, type in 'priv_auth' and select All users for 'External Auth Users'. Click on Save.
Now we will modify the Proxy restriction for denied sites such that access is allowed with authentication. Click on the Deny link corresponding to the denied_site_names. Select Allow for Action.
In the list of 'Don't Match ACLs' select priv_auth. In the Match ACLs list, ensure that the denied_site_names remains selected. Click on the Save button and then click on Apply Changes.
Henceforth, whenever a user tries to access www.cyberastro.com or www.cricket.org, he will be presented with an authentication box. Unless he specifies the user name (privuser) and the corresponding password, the proxy will deny access to the sites.
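For readers who would rather edit squid.conf by hand, here is an added illustration of the ACLs and rule ordering the Webmin steps above build up; it is not the file Webmin itself writes. The ACL names, address range and domains are the article's, the helper and password-file paths are placeholders, and in place of Webmin's 'Don't Match ACLs' negation it uses an explicit allow-with-login line followed by a deny, which gives the same result for local users: a login challenge on a blocked site, and access only with a valid login.

```conf
# Squid 2.4 syntax (the version installed above). Placeholder paths: point
# these at the helper and password file your Authentication Programs
# setting uses.
authenticate_program /path/to/auth-helper /path/to/passwd-file

# ACL definitions: 'all' must be declared explicitly in this Squid version.
acl all src 0.0.0.0/0.0.0.0
acl local_network src 192.168.1.1-192.168.1.254/255.255.255.255
acl denied_site_names dstdomain www.cricket.org www.cyberastro.com
acl priv_auth proxy_auth REQUIRED

# http_access rules are tested top to bottom and the first match wins,
# which is why the site rule must sit above the general 'local_network'
# allow and why 'deny all' stays last.
#
# 1. Blocked site, local user, login supplied: allowed. A request without
#    credentials stops at priv_auth (last ACL on the line) and is answered
#    with a 407 challenge, which is the authentication box the user sees.
http_access allow local_network denied_site_names priv_auth
# 2. Blocked site, no valid login: denied.
http_access deny denied_site_names
# 3. Everything else from the private network: allowed.
http_access allow local_network
# 4. Anything not matched above (including outside addresses): denied.
http_access deny all
```

After editing the file, the same 'Apply Changes' step applies: Squid must re-read its configuration before the new rules take effect.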
Shekhar Govindarajan