Hi All,

Can I somehow detect traffic which is coming from a proxy/masquerading server in my LAN to my Linux gateway server?

I wish to block requests coming from a proxy server in my network, i.e. nobody should be able to use a proxy server in my network.

Thanks
Deepak Singhal

On Tue, Mar 05, 2002 at 11:40:53AM +0530, Deepak Singhal wrote:
> Hi All,
>
> Can i somehow detect traffic which is coming from a proxy/masquerading
> server in my lan to my linux gateway server.

Up to a point. Proxy servers typically include an ''X-Forwarded-For'' header. With the right iptables trick (the ''string match'') you would be able to block such traffic.

Masqueraded traffic can *sometimes* be recognized by the port number, but not always, and such numbers can be changed.

In my experience it almost never helps to try to enforce your policy electronically. You may be better off telling people not to use proxy servers.

Regards,

bert

--
http://www.PowerDNS.com Versatile DNS Software & Services
http://www.tk the dot in .tk
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO

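An added example, not code from any poster in this thread: a Python sketch of the two signals mentioned so far, run over constructed first-segment payloads as a gateway might capture them. The port range is an assumption (the Linux 2.2 masquerading default; the thread gives no numbers), and `Via`/`Forwarded` are checked in addition to the `X-Forwarded-For` header named above.

```python
import re

# Headers that forwarding proxies commonly add. X-Forwarded-For is the one named
# in the thread; Via (RFC 7230) and Forwarded (RFC 7239) are added here.
PROXY_HEADERS = ("x-forwarded-for", "via", "forwarded")

# Assumption: default source-port range of Linux 2.2 ipchains masquerading.
# The thread gives no numbers, and the range can be reconfigured.
MASQ_PORTS = range(61000, 65096)


def proxy_headers(payload: bytes) -> dict:
    """Return the proxy-revealing headers found in the head of an HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not re.match(r"^[A-Z]+ \S+ HTTP/\d\.\d$", lines[0]):
        return {}  # not a plaintext HTTP request (e.g. TLS): nothing to inspect
    found = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in PROXY_HEADERS:
            found[name.strip().lower()] = value.strip()
    return found


def classify(src_port: int, payload: bytes) -> list:
    """List the reasons a first TCP segment looks relayed; empty means no signal."""
    reasons = [f"header {k}: {v}" for k, v in proxy_headers(payload).items()]
    if src_port in MASQ_PORTS:
        reasons.append(f"source port {src_port} in legacy masquerade range")
    return reasons


# Constructed samples: (source port, first TCP payload seen at the gateway).
SAMPLES = [
    (34512, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (40021, b"GET / HTTP/1.1\r\nHost: example.org\r\nVia: 1.0 proxy\r\n"
            b"X-Forwarded-For: 192.168.1.23\r\n\r\n"),
    (61044, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (40500, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # TLS ClientHello prefix
    # Body text mentioning the header: a raw string match would flag this one.
    (40600, b"POST /c HTTP/1.1\r\nHost: example.org\r\n\r\nX-Forwarded-For: x"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify(port, data) or "no proxy signal")
```

Only the header block is parsed, so the last sample is not flagged, whereas a packet-wide string match on the header name would flag it. Encrypted traffic and proxies that omit these headers produce no signal at all.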
Certainly you can, but you should be more specific about the topology (IP addresses) of your network... And what do you want to do with a proxy server in your LAN that is forbidden to use for everyone? Maybe you need some kind of (proxy) authorization?

Deepak Singhal wrote:
> Hi All,
>
> Can i somehow detect traffic which is coming from a proxy/masquerading
> server in my lan to my linux gateway server.
>
> I wish to block requests coming from a proxy server in my network ie.
> no body should be able to use a proxy server in my network.
>
> Thanxs
>
> Deepak Singhal

A "good" proxy server is usually configurable to look just like an original requestor.

On Tue, Mar 05, 2002 at 11:40:53AM +0530, Deepak Singhal wrote:
> Can i somehow detect traffic which is coming from a
> proxy/masquerading server in my lan to my linux gateway server.

Masquerading can be detected by source port unless the user has reconfigured their machine (and only if the machine is Linux).

> I wish to block requests coming from a proxy server in my network ie.
> no body should be able to use a proxy server in my network.

May I ask why?

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/

Message: 4
Date: Tue, 5 Mar 2002 09:12:39 -0500
From: "Michael T. Babcock" <mbabcock@fibrespeed.net>
To: LARTC List <lartc@mailman.ds9a.nl>
Subject: Re: [LARTC] Detecting Request from a proxy server

A "good" proxy server is usually configurable to look just like an original requestor.

On Tue, Mar 05, 2002 at 11:40:53AM +0530, Deepak Singhal wrote:
> Can i somehow detect traffic which is coming from a
> proxy/masquerading server in my lan to my linux gateway server.

Masquerading can be detected by source port unless the user has reconfigured their machine (and only if the machine is Linux).

> I wish to block requests coming from a proxy server in my network ie.
> no body should be able to use a proxy server in my network.

May I ask why?

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/

Haven't used it anytime, but iplimit might help???

> A "good" proxy server is usually configurable to look just like an original requestor.
>
> On Tue, Mar 05, 2002 at 11:40:53AM +0530, Deepak Singhal wrote:
> > Can i somehow detect traffic which is coming from a
> > proxy/masquerading server in my lan to my linux gateway server.
>
> Masquerading can be detected by source port unless the user has
> reconfigured their machine (and only if the machine is Linux).
>
> > I wish to block requests coming from a proxy server in my network ie.
> > no body should be able to use a proxy server in my network.
>
> May I ask why?

I want to implement this so that only one machine should be able to use the internet (the machine which I have configured to use the internet) and not others which may be behind it. With the implementation of an iptables/ipchains policy on my gateway I am able to define that only that machine can use the internet and not others, but the user on that m/c can load some proxy on his machine and allow others also to use the internet, which I want to block.

Regards
Deepak Singhal