
Limit internet access on OpenSuse

Summary

This article is about limiting internet access for users of a single computer (not a router) running openSUSE, using squid, squidGuard and SuSEfirewall2. It shows how to configure squid to authenticate users through PAM (with their system username and password), how to set up a transparent proxy for HTTP and HTTPS alongside a normal proxy with authentication, how to use squidGuard, and finally how to set up the SuSEfirewall2 rules (iptables).

What is what:

Installation

If you do not already have squid and squidGuard installed, install them with YaST (or any other way you prefer).

squid PAM authentication

Configuring squid to use PAM for authentication lets users who have shell access use the same username and password for squid.

Edit /etc/squid/squid.conf:

Find the auth_param TAG and uncomment or add the following lines:

auth_param basic program /usr/sbin/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Next find the acl TAG and uncomment or add the following line:

acl password proxy_auth REQUIRED

Next find the http_access TAG; there should be two lines that look like this:

http_access allow localnet
http_access allow localhost

Change them to look like this:

http_access allow localnet password
http_access allow localhost password

Restart squid and you will have squid using PAM for authentication.
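As an added example (not part of the original article), the following Python checker audits a squid.conf fragment for the three settings described above: an auth_param basic helper, an acl with proxy_auth REQUIRED, and that every http_access allow line references that acl. The sample configuration fragments are constructed here to show the stock lines before the edit beside the corrected ones.

```python
import re

# Constructed sample: the relevant lines BEFORE adding the password ACL.
BEFORE = """\
auth_param basic program /usr/sbin/pam_auth
auth_param basic children 5
acl localnet src 192.168.0.0/16
acl password proxy_auth REQUIRED
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# The same fragment AFTER the edit described in the article.
AFTER = BEFORE.replace("allow localnet", "allow localnet password").replace(
    "allow localhost", "allow localhost password")


def audit_squid_conf(text):
    """Return a list of findings; an empty list means every allow rule is gated by PAM."""
    findings = []
    # drop comments and blank lines, squid.conf uses '#' for comments
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    lines = [l for l in lines if l]

    # 1. an authentication helper (here pam_auth) must be configured
    if not any(l.startswith("auth_param basic program ") for l in lines):
        findings.append("no auth_param basic program configured")

    # 2. collect the names of ACLs that require proxy authentication
    auth_acls = set()
    for l in lines:
        m = re.match(r"acl\s+(\S+)\s+proxy_auth\s+REQUIRED$", l)
        if m:
            auth_acls.add(m.group(1))
    if not auth_acls:
        findings.append("no 'acl <name> proxy_auth REQUIRED' line")

    # 3. every http_access allow line must name one of those ACLs
    #    (a negated term such as !password does not count as a gate)
    for l in lines:
        m = re.match(r"http_access\s+allow\s+(.*)$", l)
        if m and not (auth_acls & set(m.group(1).split())):
            findings.append("unauthenticated rule: " + l)
    return findings


if __name__ == "__main__":
    print("before:", audit_squid_conf(BEFORE))
    print("after: ", audit_squid_conf(AFTER))
```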

Force users to use proxy (no transparent proxy)

Because you use PAM authentication, your proxy cannot be transparent (the procedure for adding a transparent proxy is below), so there is no point in redirecting local traffic to the proxy as you would with a transparent proxy. What you can do is block direct outgoing access to ports 80 and 443. To avoid conflicts with the YaST firewall configuration, edit the /etc/sysconfig/SuSEfirewall2 file: find the FW_CUSTOMRULES option and set it like this:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

Then edit /etc/sysconfig/scripts/SuSEfirewall2-custom so that the function fw_custom_before_denyall() looks like this:

fw_custom_before_denyall() {
   # root and the squid user may open any outgoing TCP connection
   iptables -A OUTPUT -p tcp -m owner --uid-owner root -j ACCEPT
   iptables -A OUTPUT -p tcp -m owner --uid-owner squid -j ACCEPT
   # everyone else is blocked from reaching ports 80 and 443 directly,
   # so they have to go through the proxy
   iptables -A OUTPUT -p tcp --dport 80 -j DROP
   iptables -A OUTPUT -p tcp --dport 443 -j DROP
   true
}

This has one drawback: users will not be aware that they should use the proxy, because their direct requests are simply dropped. They will think that there is no internet connection.

Transparent proxy

FIXME work in progress