====== Limit internet access on OpenSuse ======

===== Summary =====

This article is about limiting internet access for users of one computer (not a router) running OpenSuse, using squid, squidguard and SuSEfirewall. It shows how to configure squid for authentication through PAM (using the system username and password), how to set up a transparent proxy for http and https alongside a normal proxy with authentication, how to use squidguard and finally how to set up SuSEfirewall rules (iptables).

What is what:

  * [[http://www.squid-cache.org/|squid]] - a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more
  * [[http://www.squidguard.org/|squidguard]] - a combined filter, redirector and access controller plugin for Squid
  * SuSEFirewall2 - default OpenSuse firewall

===== Installation =====

If you do not already have squid and squidguard installed, install them with YAST (or any other way you prefer).

===== squid PAM authentication =====

Setting squid to use PAM for authentication lets users who have shell access use the same username and password for squid. Edit /etc/squid/squid.conf:

Find the auth_param TAG and uncomment or add the following lines:

<code>
auth_param basic program /usr/sbin/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
</code>

Next find the acl TAG and uncomment or add the following line:

<code>
acl password proxy_auth REQUIRED
</code>

Next find the http_access TAG; there should be 2 lines that look like this:

<code>
http_access allow localnet
http_access allow localhost
</code>

Change them to look like:

<code>
http_access allow localnet password
http_access allow localhost password
</code>

Restart squid and you will have squid using PAM for authentication.

===== Force users to use proxy (no transparent proxy) =====

As you have PAM authentication your proxy can not be transparent (the procedure for adding a transparent proxy is below).
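Before blocking direct access it is worth checking the http_access edits from the previous section. The following Python script is an added example, not part of the original article: it parses a constructed squid.conf fragment and flags every http_access allow rule that does not reference a proxy_auth ACL. Squid evaluates http_access lines top-down and stops at the first match, so an allow line that was left without the password ACL lets clients use the proxy without PAM credentials. The ACL names and network in the sample are assumptions for the demo.

```python
# Added example (not from the original article): verify that every
# http_access allow rule in a squid.conf requires the proxy_auth ACL.
# The config text below is constructed for the demo, not a real file.
SAMPLE_SQUID_CONF = """\
# constructed sample, not a real /etc/squid/squid.conf
auth_param basic program /usr/sbin/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl localnet src 192.168.1.0/24
acl localhost src 127.0.0.1/32
acl password proxy_auth REQUIRED
http_access allow localnet password
http_access allow localhost password
http_access deny all
"""


def parse_http_access(conf_text):
    """Return the http_access rules in file order as (action, [acl names])."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def proxy_auth_acls(conf_text):
    """Names of ACLs of type proxy_auth, i.e. the ones that demand credentials."""
    names = set()
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl" and parts[2] == "proxy_auth":
            names.add(parts[1])
    return names


def unauthenticated_allows(conf_text):
    """
    Return the http_access allow rules that do not name any proxy_auth ACL.
    Because squid stops at the first matching http_access line, each such
    rule is a path through the proxy that skips the PAM password check.
    A negated ACL such as !password is deliberately not counted as
    authentication, since it matches exactly the clients without credentials.
    """
    auth = proxy_auth_acls(conf_text)
    return [
        (action, acls)
        for action, acls in parse_http_access(conf_text)
        if action == "allow" and not any(acl in auth for acl in acls)
    ]


if __name__ == "__main__":
    gaps = unauthenticated_allows(SAMPLE_SQUID_CONF)
    if gaps:
        for action, acls in gaps:
            print(f"WARNING: http_access {action} {' '.join(acls)} needs a proxy_auth ACL")
    else:
        print("all http_access allow rules require authentication")
```

Run it against the real file by reading /etc/squid/squid.conf into unauthenticated_allows(); an empty result means every allow rule goes through the password ACL.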
So there is no point in redirecting local traffic to the proxy (as you would with a transparent proxy - see below). What you can do is block direct outgoing access to ports 80 and 443. As you do not want to conflict with the YAST firewall configuration, edit the /etc/sysconfig/SuSEfirewall2 file. Find the FW_CUSTOMRULES option and set it like this:

<code>
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
</code>

Then edit /etc/sysconfig/scripts/SuSEfirewall2-custom so that the function fw_custom_before_denyall() looks like:

<code bash>
fw_custom_before_denyall() {
    # let root and the squid daemon itself reach the internet directly
    iptables -A OUTPUT -p tcp -m owner --uid-owner root -j ACCEPT
    iptables -A OUTPUT -p tcp -m owner --uid-owner squid -j ACCEPT
    # everyone else: no direct http/https, only via the proxy
    iptables -A OUTPUT -p tcp --dport 80 -j DROP
    iptables -A OUTPUT -p tcp --dport 443 -j DROP
    # return success so SuSEfirewall2 continues
    true
}
</code>

This has one drawback. Users will not be aware that they should use the proxy, because their requests are silently dropped. They will think that there is no internet connection.

===== Transparent proxy =====

FIXME work in progress
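As an added check for the fw_custom_before_denyall() rules in the previous section (Python script added here, not part of the original article): iptables walks a chain top-down and stops at the first terminating target, so the owner-based ACCEPT rules for root and squid must appear before the DROP rules for ports 80 and 443, otherwise squid itself loses internet access and nobody can browse at all. The script parses a rule listing in the format of iptables -S OUTPUT and reports ordering and coverage problems. The listing below is constructed, not captured from a host, and the squid uid 480 in it is an assumed sample value (look up the real one with id -u squid).

```python
# Added example (not from the original article): sanity-check the OUTPUT
# chain that fw_custom_before_denyall() is supposed to produce.
# Constructed sample in "iptables -S OUTPUT" format; uid 480 for squid is
# an assumed value, not taken from a real system.
SAMPLE_OUTPUT_CHAIN = """\
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 480 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m tcp --dport 443 -j DROP
"""


def parse_output_rules(listing):
    """Parse '-A OUTPUT ...' lines into dicts with the fields we care about."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "-A" or parts[1] != "OUTPUT":
            continue  # skip the policy line and rules of other chains
        rule = {"uid_owner": None, "dport": None, "target": None}
        for i, tok in enumerate(parts[:-1]):
            if tok == "--uid-owner":
                rule["uid_owner"] = parts[i + 1]
            elif tok == "--dport":
                rule["dport"] = parts[i + 1]
            elif tok == "-j":
                rule["target"] = parts[i + 1]
        rules.append(rule)
    return rules


def check_proxy_enforcement(listing, proxy_uids=("0", "480"), ports=("80", "443")):
    """
    Return a list of problems (empty when the chain enforces the policy):
      - each port in `ports` must have a DROP rule
      - each uid in `proxy_uids` must have an ACCEPT rule placed before the
        first of those DROP rules, or the first-match semantics of iptables
        make the ACCEPT unreachable for web traffic
    """
    rules = parse_output_rules(listing)
    problems = []
    drop_positions = [
        i for i, r in enumerate(rules) if r["target"] == "DROP" and r["dport"] in ports
    ]
    for port in ports:
        if not any(r["target"] == "DROP" and r["dport"] == port for r in rules):
            problems.append(f"no DROP rule for port {port}")
    first_drop = min(drop_positions) if drop_positions else len(rules)
    for uid in proxy_uids:
        accepts = [
            i for i, r in enumerate(rules)
            if r["target"] == "ACCEPT" and r["uid_owner"] == uid
        ]
        if not accepts:
            problems.append(f"no ACCEPT rule for uid {uid}")
        elif min(accepts) > first_drop:
            problems.append(
                f"ACCEPT for uid {uid} comes after a DROP rule, so it never matches ports {ports}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_proxy_enforcement(SAMPLE_OUTPUT_CHAIN) or ["OUTPUT chain looks correct"]:
        print(problem)
```

On a live system feed it the output of iptables -S OUTPUT and pass the real squid uid in proxy_uids. A related point the script does not cover: the function uses -A (append), so running it twice without a flush duplicates the rules instead of replacing them.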