
Nice init script for firewall to force users through squid



Hello,

I just made this init script, which prevents non-root users from bypassing your squid proxy:

It is called SkoleFirewall and is released under a BSD-style licence:

It does the following:
a) Drops all outbound and forwarded traffic. Input cannot be filtered by user or group name, so it is ignored. Most protocols require a "dialog" anyway.
b) Allows traffic to and from the SkoleLinux subnets and local subnets.
c) Allows root, the group admins, squid, bind and apache to communicate with the rest of the network.

Ideal with squidguard. Don't forget to run update-rc.d after that.

Nice Sunday,
Julian Bangert

The file: 



#!/bin/sh
# /etc/init.d/skolefirewall
# Just a little script to configure my firewall.
# SkoleFirewall (c) 2008 Julian Bangert
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# Load the netfilter core and the filter table.  The owner match module is
# loaded automatically the first time "-m owner" is used.
modprobe ip_tables
modprobe iptable_filter

case "$1" in
    start)
        echo "Installing SkoleFirewall"
        # We are the only firewall that should be in operation; add other
        # rules after this, or modify it.
        iptables -F
        # Default deny for everything we can attribute to a local user.
        # INPUT cannot be filtered by owner (packets arriving from the
        # network have no local owner), so it stays ACCEPT.  FORWARD cannot
        # be matched by owner either, so it is dropped outright.
        iptables -P INPUT   ACCEPT
        iptables -P OUTPUT  DROP
        iptables -P FORWARD DROP
        # Rules are evaluated in the order they are added, so the most
        # common traffic comes first: workstations (NFS, netapps) > thin
        # clients > localhost > proxy (internet) > DNS > other daemons >
        # root user, who can wait a few nanoseconds.  This might save a few
        # CPU cycles, but don't overdo it ;)
        # Allow everything into the local network, regardless of owner.
        iptables -A OUTPUT -d 10.0.0.0/8     -j ACCEPT
        iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
        iptables -A OUTPUT -d 127.0.0.1      -j ACCEPT
        # Allow the proxy, daemons, DNS and root out to the rest of the
        # network.  User and group names are resolved when the rule is
        # added, so every name listed here must exist on this host.
        iptables -A OUTPUT -m owner --gid-owner proxy    -j ACCEPT  # squid
        iptables -A OUTPUT -m owner --uid-owner bind     -j ACCEPT  # DNS
        iptables -A OUTPUT -m owner --uid-owner www-data -j ACCEPT  # apache
        iptables -A OUTPUT -m owner --gid-owner daemon   -j ACCEPT
        # Needed for APT etc.; root should be able to do whatever he wants.
        iptables -A OUTPUT -m owner --gid-owner root     -j ACCEPT
        # Might, in some configs, cause problems.
        iptables -A OUTPUT -m owner --gid-owner admins   -j ACCEPT
        echo "Installed SkoleFirewall"
        ;;
    stop)
        echo "Stopping SkoleFirewall..."
        # Open the policies first, then flush, so nothing is cut off in
        # between.
        iptables -P INPUT   ACCEPT
        iptables -P OUTPUT  ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -F
        echo "Stopped SkoleFirewall"
        ;;
    restart)
        "$0" stop
        "$0" start
        ;;
    *)
        echo "Usage: /etc/init.d/skolefirewall {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
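The scheme above only holds as long as every ACCEPT rule in the OUTPUT chain is scoped to either a local destination or an owner; a single unscoped ACCEPT (or a policy flipped back to ACCEPT) lets every user bypass squid again. The following audit helper is an added example, not part of SkoleFirewall or of the original post. It reads text in the format printed by `iptables -S OUTPUT` (where the owner match shows numeric uids/gids) and flags exactly those two failure modes; the sample rulesets and the numeric ids in them are constructed for illustration and assumed, not taken from any real host.

```shell
#!/bin/sh
# Added audit helper (not part of SkoleFirewall).  Checks that an OUTPUT
# chain, given as `iptables -S OUTPUT` text, still matches the intent of the
# init script: policy DROP, and every ACCEPT scoped either by a destination
# (-d, the local subnets) or by an owner match (-m owner).

# audit_output_chain RULES: print findings, return 0 on pass, 1 on fail.
audit_output_chain() {
    rules=$1
    status=0

    policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "OUTPUT" { print $3 }')
    if [ "$policy" != "DROP" ]; then
        echo "FAIL: OUTPUT policy is '${policy:-unset}', expected DROP"
        status=1
    fi

    # ACCEPT rules carrying neither a -d nor an owner match apply to every
    # process on the host, i.e. they reopen direct internet access.
    unscoped=$(printf '%s\n' "$rules" | awk '
        $1 == "-A" && $2 == "OUTPUT" && /-j ACCEPT/ && !/ -d / && !/-m owner/')
    if [ -n "$unscoped" ]; then
        printf '%s\n' "$unscoped" | sed 's/^/FAIL: unscoped ACCEPT rule: /'
        status=1
    fi

    return $status
}

# allowed_owners RULES: one "--uid-owner N" / "--gid-owner N" per line, so the
# allow-list of users and groups that may leave the LAN can be reviewed.
allowed_owners() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "OUTPUT" && /-m owner/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--uid-owner" || $i == "--gid-owner") print $i, $(i + 1)
        }'
}

# Constructed sample (assumed, not captured): what `iptables -S OUTPUT` would
# show after "start", with illustrative ids (13 = proxy group, 33 = www-data,
# 0 = root).
GOOD_RULES='-P OUTPUT DROP
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m owner --gid-owner 13 -j ACCEPT
-A OUTPUT -m owner --uid-owner 33 -j ACCEPT
-A OUTPUT -m owner --gid-owner 0 -j ACCEPT'

# Constructed sample of a later, well-meant change: policy opened and a
# "let web traffic out" rule added for everybody.  Both defeat the scheme.
BAD_RULES='-P OUTPUT ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m owner --gid-owner 13 -j ACCEPT'

audit_output_chain "$GOOD_RULES" && echo "expected ruleset: PASS"
audit_output_chain "$BAD_RULES"  || echo "altered ruleset: FAIL (as intended)"
```

On a live host the same check is `audit_output_chain "$(iptables -S OUTPUT)"`; running it from cron after boot catches a ruleset that another package or a later edit has quietly widened.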

