Should I use Squid or is there a better way?


johnwebb
01-18-2001, 03:23 PM
I have a linux box at work that acts as the gateway for several windows workstations. What I need to do is set something up that allows some of the workstations unlimited access to the Internet (which I am doing now with ipchains) while restricting the others to only 1 or 2 sites. It sounds like Squid will do the job, but I can not find a How-To or NHF on setting it up. Perhaps someone can point me in the right direction or suggest another means of doing this.

PLBlaze
01-18-2001, 04:06 PM
Visit www.squid-cache.org (http://www.squid-cache.org) for more info and check their mailing lists too. Hope this helps.

iDxMan
01-18-2001, 09:34 PM
Craig just did a post on setting up a transparent proxy via Squid.
http://www.linuxnewbie.org/ubb/Forum12/HTML/000415.html

-r

iDxMan
01-18-2001, 09:36 PM
Although you could do the same with a few more ipchains rules and not worry about squid.

Depends on how many 'others' there are and how much of a hassle that is.

-r

Craig McPherson
01-19-2001, 02:39 PM
When you say you want a few machines to have unlimited access to the Internet -- you mean actual Internet access, not just web access, right?

For the rest of the machines, you only want them to have web access, and you want them to have to go through Squid to restrict them to a few sites?

Well, I'd use iptables to set up IP masquerading for ONLY the machines that you want to be unrestricted. The Linux box will act as a gateway for them, so they'll have a "real" Internet connection without going through a proxy.

The rest of the machines... you should set up their web browsers' configuration to go through the Squid proxy, OR you could set up your firewall to redirect their web traffic to Squid (a transparent proxy setup like I wrote about recently).

As for limiting them to certain sites, see the link above to a piece I wrote that contains info about SquidGuard, that'll do exactly what you describe. In fact, you can use my example squidGuard.conf, if you set your domains blacklist to "*" and then add the sites you want to your whitelist.

You can have all machines go through the Squid proxy but be treated differently based on IP address by using Access Control Lists, but that's very complex stuff so you're on your own.

Good luck!

Ian Wilson
01-19-2001, 08:30 PM
Squid will do this and speed up web-site access at the same time (depending how much disk you let it use).

You can define acls that distinguish between people by IP-address or require them to authenticate themselves.

You can define a list of blocked or allowed sites for a group of users. You only need an external filtering program if you have a large number of filtering rules.

See the squid FAQ that comes with squid and is available at the squid home page.
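Putting Craig's and Ian's suggestions together, here is an added example (not from the thread) that generates the ipchains rules for a 2.2 kernel and a Squid 2.x config fragment: the unrestricted hosts are masqueraded, everyone else's port-80 traffic is redirected into Squid, and Squid's own src/dstdomain ACLs limit those hosts to a short site list. The addresses, interface and site names are constructed placeholders; the functions print the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not the thread's own code. Placeholder values below.
LAN="192.168.1.0/24"
LAN_IF="eth1"
UNRESTRICTED="192.168.1.10 192.168.1.11"
ALLOWED_SITES=".example.com .example.org"
SQUID_PORT=3128

# ipchains is first-match, so the per-host ACCEPT/MASQ rules must come
# before the subnet-wide REDIRECT and DENY rules.
ipchains_rules() {
  for h in $UNRESTRICTED; do
    # unrestricted host: its web traffic bypasses the redirect below ...
    echo "ipchains -A input -i $LAN_IF -p tcp -s $h -d 0/0 80 -j ACCEPT"
    # ... and everything it sends is masqueraded out to the Internet
    echo "ipchains -A forward -s $h -j MASQ"
  done
  # everyone else: port 80 is transparently redirected to the local Squid
  echo "ipchains -A input -i $LAN_IF -p tcp -s $LAN -d 0/0 80 -j REDIRECT $SQUID_PORT"
  # and nothing else from the LAN is forwarded at all (no ftp, telnet, ...)
  echo "ipchains -A forward -s $LAN -j DENY"
}

# Squid 2.x fragment: transparent-proxy (httpd_accel) settings plus ACLs.
# http_access is also first-match: unrestricted hosts are allowed before the
# whitelist rule, and a final "deny all" catches everything else.
squid_conf() {
  cat <<EOF
http_port $SQUID_PORT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src $LAN
acl unrestricted src $UNRESTRICTED
acl allowed_sites dstdomain $ALLOWED_SITES
http_access allow unrestricted
http_access allow lan allowed_sites
http_access deny all
EOF
}

ipchains_rules
squid_conf
```

Review the printed output, then pipe ipchains_rules into sh and append squid_conf to squid.conf; the LAN DENY rule means restricted hosts lose ftp and telnet as well, which matches the "web only" requirement.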

johnwebb
01-20-2001, 02:23 AM
After reading Craig's post on setting up a transparent proxy I was able to get squid and squidGuard up and running. (Thanks Craig) This will certainly make filtering web access a lot easier.

I may be able to get away with running everything through squid. Most of the workstations only need access to a couple of sites. There are a few workstations where I have to allow the users to surf the web but nothing else. I still need to be able to ftp and telnet from my machine as well as have web access (can't go without LNO). I'm not sure what effect a transparent proxy would have on this.

I still need to change the firewall rules to finish the set-up as a transparent proxy. I have a 2.2.x kernel (RedHat6.2) and use pmfirewall, I will have to look through the configuration files to see where to add the new rule.

Thanks ;-)

An afterthought - Is it possible to get the error page that squid generates and still use squidGuard's filtering?

johnwebb
01-20-2001, 05:23 PM
I wrote a php script to get the error page I wanted (cut and pasted most of it) as well as substituting a small transparent gif for any blocked request for gif images. And aside from all the empty space where those banners used to be you can't tell they're gone :-)

squidGuard.conf:

    # database and log locations (the directive is "dbhome")
    dbhome /usr/local/squidGuard/db
    logdir /usr/local/squidGuard/log

    # "good" is the whitelist; "blocked" collects the blacklists
    dest good {
        domainlist good
    }
    dest blocked {
        expressionlist expressions
        domainlist domains
        urllist urls
    }

    acl {
        default {
            # allow the whitelist, refuse anything blacklisted, pass the rest
            pass good !blocked all
            # blocked requests are sent to the local redirect script with the URL as %u
            redirect http://127.0.0.1/redirect.php?url=%u
        }
    }

redirect.php:

    <?php
    // squidGuard passes the blocked URL as the "url" query parameter
    // (the original relied on register_globals to populate $url).
    $url = isset($_GET['url']) ? $_GET['url'] : '';

    if (preg_match("/\.gif/i", $url)) {
        // A blocked gif: send the browser a 1x1 transparent image instead of an error page.
        header("Location: http://127.0.0.1/images/1x1.gif");
        exit;
    }
    else {
        $time = gmdate("D, d M Y H:i:s");
        // Escape the URL before echoing it into the page; it is user-supplied input.
        $safeUrl = htmlspecialchars($url);
        print <<<HTML
<HTML><HEAD>
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR>
<P>
While trying to retrieve the URL:
<A HREF="$safeUrl">$safeUrl</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Access Denied.
</STRONG>
<P>
Access control configuration prevents your request from
being allowed at this time. Please contact your service provider if
you feel this is incorrect.
</UL>
<P>Your cache administrator is <A HREF="mailto:webmaster">webmaster</A>.
<br clear="all">
<hr noshade size=1>
Generated $time GMT by localhost.localdomain (Squid/2.3.STABLE4)
</BODY></HTML>
HTML;
    }
    ?>

Craig McPherson
01-20-2001, 05:46 PM
I like yours, but SquidGuard includes a couple example scripts for doing the same thing if anybody wants to take a look at them. They should be installed to /usr/doc/squidguard/examples. I fiddled with them a bit, but I've never played with CGI much before so after a few minutes I decided to just do a static page. A script is the fancy way to do things, though.

johnwebb
01-21-2001, 12:32 AM
Here is another PHP script I wrote to use with squidGuard. It checks to see if the blocked request is for an image and will return a transparent gif if it is. Otherwise an error message will be displayed.

    <?php
    # Redirection script for use with squidGuard
    # John Webb - January 20, 2001

    # squidGuard passes the blocked URL as the "url" query parameter
    # (the original relied on register_globals to populate $url).
    $url = isset($_GET['url']) ? $_GET['url'] : '';
    $isImage = 0;

    if (preg_match("/\.(?i:gif|jpg|jpeg|mpg|mpeg|avi|mov)/", $url)) {
        # The extension says image or video: answer with a transparent gif.
        $isImage = 1;
    }
    else {
        # No telling extension: read the first 512 bytes of the blocked URL and
        # look for the GIF, JPEG and PNG magic numbers (needs allow_url_fopen).
        $fp = @fopen($url, "rb");
        if ($fp) {
            $fpData = fread($fp, 512);
            if (substr($fpData, 0, 3) == "\x47\x49\x46") {                    # "GIF"
                $isImage = 1;
            } elseif (substr($fpData, 0, 3) == "\xff\xd8\xff") {              # JPEG SOI marker
                $isImage = 1;
            } elseif (substr($fpData, 0, 8) == "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a") {  # PNG signature
                $isImage = 1;
            }
            fclose($fp);
        }
    }

    if ($isImage) {
        header("Content-Type: image/gif");

        # Starting with version 1.6 the GD library no longer supports gif images.
        # PHP needs GD to create images on the fly. If your system can not create
        # gif images on the fly, comment out this section and ...
        $id = imagecreate(1, 1);
        $white = imagecolorallocate($id, 255, 255, 255);
        imagefill($id, 0, 0, $white);
        imagecolortransparent($id, $white);
        imagegif($id);

        # readfile("/var/www/html/images/1x1.gif"); # ... uncomment this line to use a local file.
    }
    else {
        $time = gmdate("D, d M Y H:i:s");
        # Escape the URL before echoing it into the page; it is user-supplied input.
        $safeUrl = htmlspecialchars($url);
        print <<<HTML
<HTML><HEAD>
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR>
<P>
While trying to retrieve the URL:
<A HREF="$safeUrl">$safeUrl</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Access Denied.
</STRONG>
<P>
Access control configuration prevents your request from
being allowed at this time. Please contact your service provider if
you feel this is incorrect.
</UL>
<P>Your cache administrator is <A HREF="mailto:webmaster">webmaster</A>.
<br clear="all">
<hr noshade size=1>
Generated $time GMT by localhost.localdomain (Squid/2.3.STABLE4)
</BODY></HTML>
HTML;
    }
    ?>

Craig McPherson
01-21-2001, 01:41 AM
Now THAT is a brilliant idea! Thank you! My users keep asking me why "all the Internet's banner ads got replaced with little Access Denied pages". So many sites now are using iframes for their ads rather than normal img's, so your "Access Denied" page can actually pop up in place of a banner ad, rather than a broken or invisible image. Your script is leet.

Craig McPherson
01-25-2001, 01:34 PM
A little hint to PHP newbies like me... put that script somewhere OTHER than your CGI directory, and it'll work. Heh. Took me two hours to figure that one out.