this post was submitted on 31 Jan 2025
5 points (100.0% liked)

Programming

13473 readers
7 users here now

All things programming and coding related. Subcommunity of Technology.

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
5
Routing all network requests in proxy? Avoid use of the internet outside of proxy (feddit.it)
submitted 2 weeks ago by [email protected] to c/[email protected]
6 comments fedilink hide all child comments
 

Hi! I'm trying to achieve this configuration: essentially all the traffic in the network should pass the content filtering in the proxy, assume I have control over the clients. All not proxied traffic should be blocked by default.

I know not all network traffic can pass through proxy, but I'm not sure I understand how actually all of this work.

My UFW firewall configuration is the following:

To                         Action      From
--                         ------      ----
3128                       ALLOW OUT   Anywhere                  
53                         ALLOW OUT   Anywhere

53 is for DNS requests (that cannot pass through the proxy), even if I use DOH this port needs to be open for bootstrapping.

3128 is Squid proxy port.

I'm assuming the following:

client -> dns request (53) / cannot be handled by the proxy -> dns response client -> proxy (all ports that the proxy can handle) -> http/https/ftp response client -> blocked (all other ports)

But from UFW logs it looks like the client is trying to make requests (eg. https requests) directly through port 443, instead that passing from 3128.. Maybe I'm getting something wrong here on how Proxies work.

Do you have any suggestion?

top 6 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 2 weeks ago (1 children)

Is this on the same machine, or multiple machines?

The typical/easy design for an outgoing proxy, would be to set the proxy on one machine, configure the client on another machine to connect to the proxy, and drop any packets from the client that aren't targeted at the proxy.

For a transparent proxy, all connections coming from a client could be rewritten via NAT to go to the proxy, then the proxy can decide which ones it can handle or is willing to.

If you try to fold this up into a single machine, I'd suggest using containers to keep things organized.

[–] [email protected] 1 points 2 weeks ago* (last edited 2 weeks ago)

Didn't think about the 2 machines thing. But yeah it looks definitely easier than setting a transparent proxy.. But I guess all of this has to be on the same network, I cannot use an external server to which I connect to via wan because at that point the connections would be already need to be unproxied going out right?

But can't your setup be done on the same machine with a firewall?

[–] [email protected] 2 points 2 weeks ago (2 children)

If you simply want to block certain sites, why not use Pihole?

[–] [email protected] 2 points 2 weeks ago (1 children)

DNS over HTTPS bypasses pihole, and you have to do some effort to make it work. DNS in general is such a mess.

[–] [email protected] 1 points 2 weeks ago

Yes DNS and pihole were never thought as content filtering tools

[–] [email protected] 1 points 2 weeks ago* (last edited 2 weeks ago)

I need to block IPs and unauthorized connections that are not http/https as well, I know about DNS filtering but it's not what I am trying to achieve.