# Preventing web browsers from accessing the proxy directly

## Joseph_sys

I'm setting up dansguardian+squid+iptables.

http://www.linux.com/archive/articles/113733

I've tried to follow the recommendation to prevent the web browser from bypassing the filter and accessing the proxy directly, using this iptables rule:

```
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
```

Though when I set up this rule I cannot access the internet at all; it just times out.

Another thing is that when a user starts Windows in VirtualBox and the network is set up as "bridged", Windows gets an IP address directly via DHCPD and the "dansguardian+squid+iptables" setup has no effect.

How do I solve this problem?  I don't think the "machine settings" can be locked with a password in VirtualBox.
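The timeout described above is, as a rule of thumb, what happens when the redirect also captures the proxy daemons' own connections: DansGuardian forwards to Squid on 3128, the rule redirects that back to 8080, and the request loops until it times out. The script below is an added example (not the linux.com article's rules and not Joseph's) that exempts the two daemons by process owner before redirecting. It assumes Squid runs as user "squid" on 3128 and DansGuardian as user "dansguardian" on 8080, and it also redirects plain port 80 so a browser configured with no proxy at all lands in the filter; the `-m owner` match only exists in the OUTPUT chain, which is the chain in use here.

```shell
#!/bin/sh
# Added example: loop-safe transparent-proxy rules for one host that runs
# both DansGuardian (8080) and Squid (3128). Account names and ports are
# assumptions; adjust them to the local installation.
DG_PORT=8080
SQUID_PORT=3128
DG_USER=dansguardian
SQUID_USER=squid

# Print the rule plan instead of applying it, so it can be reviewed (and
# tested) without root or a live netfilter stack.
build_rules() {
    cat <<EOF
iptables -t nat -F OUTPUT
# 1. Squid's own upstream fetches must not be captured; otherwise
#    squid -> REDIRECT -> dansguardian -> squid loops until it times out.
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $SQUID_USER -j ACCEPT
# 2. DansGuardian talking to Squid on $SQUID_PORT must also pass untouched.
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $DG_USER -j ACCEPT
# 3. Everything else aimed at the proxy port, or at plain port 80, goes
#    into DansGuardian.
iptables -t nat -A OUTPUT -p tcp --dport $SQUID_PORT -j REDIRECT --to-ports $DG_PORT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $DG_PORT
EOF
}

# Sanity check: the plan must exempt exactly two daemon accounts.
count_owner_exemptions() {
    build_rules | grep -c -- '--uid-owner'
}

# Apply the plan line by line (requires root); comments are skipped.
apply_rules() {
    build_rules | grep -v '^#' | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *) build_rules ;;
esac
```

Run it with no argument to review the plan, and with `apply` as root to install it. After applying, `iptables -t nat -L OUTPUT -n -v` should show the two owner exemptions above the REDIRECT rules; if the REDIRECT lines come first, the exemptions never match and the loop returns.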

----------

## Hu

Could you provide a diagram of where the different pieces are located?  We need to know how many machines are involved, how they are connected to one another, and what software is present on each one.  For example, is the confined web browser on the same machine as Squid, or are they separate?  Is the Squid machine inline between the web browser and the Internet?

----------

## Joseph_sys

*Hu wrote:*

> Could you provide a diagram of where the different pieces are located?  We need to know how many machines are involved, how they are connected to one another, and what software is present on each one.  For example, is the confined web browser on the same machine as Squid, or are they separate?  Is the Squid machine inline between the web browser and the Internet?

dansguardian+squid+iptables are running on a Gentoo quad-core server, IP address 10.0.0.152.

VirtualBox runs Windows XP on the same machine.  But now it depends on how the VirtualBox Windows XP network settings are set; it could be:

- NAT: in this case the connection is a subnetwork of the Gentoo server and it gets IP 10.0.2.15; so in this case the network traffic goes through the Gentoo server and gets filtered by squid and Dansguardian.

- Bridged: in this case Windows XP gets an IP directly from the gateway via DHCP, IP 10.0.0.167; this traffic does not go through the Gentoo server, it is directed straight out via the gateway, so Gentoo's squid and Dansguardian are bypassed.

There is no point in blocking the IP address on the gateway (a separate box running DHCPD), as the user can change the MAC address of the Windows XP client in the VirtualBox network settings and the XP machine will get a different IP address.  There is no way of setting a password for the Windows XP client "Settings" in VirtualBox, as there is no such option.

Via "dansguardian+squid+iptables" I can lock down the Gentoo server so the user cannot bypass the network settings, but this does not affect the VirtualBox Windows XP machine, as the user can change the setting to bridged networking and this bypasses the Linux server.

I'm trying to block all Internet traffic to the Windows XP machine (running in VirtualBox) and allow only connections to one domain address; that is why I set up Dansguardian + squid + iptables.

----------

## Hu

You are making this unnecessarily difficult by running the guest on the same system as Squid.  If Squid and friends are run on the gateway, you can achieve a true lockdown that prevents any unwanted access because it will be impossible to get any traffic to the gateway that is not seen by Squid.

I am not familiar with how VirtualBox handles its networking, so I am not sure how to resolve this.  If VirtualBox uses standard Linux bridging to connect the guest to a bridge to the outside world, you might be able to trap the traffic.

Alternately, you could configure the gateway not to serve any system other than the Gentoo host, and to disallow all traffic not originating from Gentoo.  That would cause any attempt to use the VirtualBox bridge to result in a system that cannot pass the gateway.
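Hu's second option, expressed as a rule plan for the gateway, is shown below as an added example (not Hu's code and not part of OpenWrt). It assumes the gateway's LAN interface is `br0`, its WAN interface is `vlan1`, and the Gentoo host keeps the address 10.0.0.152 from the thread; only that address may open outbound connections, and everything else from the LAN, including a bridged VirtualBox guest, is logged and dropped.

```shell
#!/bin/sh
# Added example: FORWARD policy for a Linux/iptables gateway so that only
# the host running Squid and DansGuardian can reach the Internet.
# Interface names are assumptions; check them with "ifconfig" on the router.
LAN_IF=br0
WAN_IF=vlan1
PROXY_HOST=10.0.0.152

# Print the rule plan; apply_gateway_rules executes it.
build_gateway_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
# Replies to connections the proxy host already opened
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the proxy host may open new connections outbound
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY_HOST -j ACCEPT
# Log (rate-limited) and drop anything else, so bypass attempts are visible
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "FWD-BYPASS: "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP
EOF
}

# List the LAN source addresses allowed to open outbound connections.
# A correct lockdown prints exactly the proxy host and nothing else.
allowed_sources() {
    build_gateway_rules \
        | grep -- "-i $LAN_IF -o $WAN_IF" \
        | grep -- '-j ACCEPT' \
        | sed -n 's/.*-s \([^ ]*\).*/\1/p'
}

# Apply the plan (requires root on the gateway); comments are skipped.
apply_gateway_rules() {
    build_gateway_rules | grep -v '^#' | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

case "${1:-}" in
    apply) apply_gateway_rules ;;
    *) build_gateway_rules ;;
esac
```

Bypass attempts from a bridged guest then appear in the router's log (`logread` on OpenWrt) with the `FWD-BYPASS:` prefix and the guest's address, which is the detection signal this setup lacked. Note that the policy trusts the source address alone, so it enforces Hu's "nothing but the Gentoo host passes" rule only as long as no other machine on the LAN claims 10.0.0.152; running Squid on the gateway itself, Hu's first suggestion, removes that dependency.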

----------

## Joseph_sys

*Hu wrote:*

> You are making this unnecessarily difficult by running the guest on the same system as Squid.  If Squid and friends are run on the gateway, you can achieve a true lockdown that prevents any unwanted access because it will be impossible to get any traffic to the gateway that is not seen by Squid.
> 
> I am not familiar with how VirtualBox handles its networking, so I am not sure how to resolve this.  If VirtualBox uses standard Linux bridging to connect the guest to a bridge to the outside world, you might be able to trap the traffic.
> 
> Alternately, you could configure the gateway not to serve any system other than the Gentoo host, and to disallow all traffic not originating from Gentoo.  That would cause any attempt to use the VirtualBox bridge to result in a system that cannot pass the gateway.

This is a good suggestion, if only I can install squid on the gateway router; it is an OpenWrt router running "White Russian".

----------

