0

I have a use case where I want to control (and audit) all network access by applications run on a Ubuntu desktop PC. Squid looked like a great start - I've installed and configured it. Where web browsers are configured to use the proxy on localhost:3128, I get the auditing and access control I'm looking for.

The snag is that any application that is not configured to exclusively use localhost:3128 as proxy can still communicate as normal with both my LAN and the internet.

I've found various 'how-to' documents detailing how to configure hosts with multiple Ethernet cards to act as gateways - and to use Squid as a mandatory proxy... but my configuration is subtly different. I want to be confident that Squid is the only application that communicates over the network. Is there a straightforward way to block all network access (inbound and outbound - even including DNS, etc.) except via Squid, on a single host with one Ethernet connection?

aSteve
  • 459

1 Answer

0

You can simply set rules with the firewall to deny all outgoing ports except for 3128. Make sure that you have ufw installed (sudo apt-get install ufw if it isn't), then:

sudo ufw default deny outgoing # deny all outgoing traffic as the default policy (ufw evaluates rules first-match, so a plain "deny out to any" rule added before the allow rules would shadow them)
sudo ufw allow out from any to 127.0.0.1 port 3128 proto udp # allow the single outgoing port
sudo ufw allow out from any to 127.0.0.1 port 3128 proto tcp
sudo ufw allow out from any port 3128 to any # outgoing from any IP:3128 to any address (to allow packets of squid)

You can't be sure that all existing applications would use the proxy for the simple reason that some of them may not even be written with a proxy in mind (proxies cannot be used transparently, apps have to take special care of a proxy), but the ufw rules would make sure that their packets wouldn't squeeze out through other ports. And don't forget to set the http(s)_proxy variables in /etc/environment.

Hi-Angel
  • 4,810
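Added example (not from the question or the answer above): the same "only Squid may talk to the network" policy, expressed with iptables and keyed on the Unix account Squid runs under rather than on a port, since Squid's own outbound connections use ephemeral source ports, not 3128. It assumes the account is named proxy (the user the Ubuntu squid package runs as); on a desktop using systemd-resolved, pass the resolver's user (systemd-resolve) as well so Squid's DNS lookups can leave the host.

```shell
# Print an iptables ruleset that drops every locally generated packet
# unless it comes from one of the given users (default: proxy), allows
# loopback (so clients can still reach localhost:3128), accepts only
# replies on INPUT, and logs whatever gets blocked for auditing.
# Usage: squid_only_rules proxy | sudo sh
#        squid_only_rules proxy systemd-resolve | sudo sh
squid_only_rules() {
  [ $# -gt 0 ] || set -- proxy
  printf '%s\n' \
    'iptables -P OUTPUT DROP' \
    'iptables -P INPUT DROP' \
    'iptables -P FORWARD DROP' \
    'iptables -A INPUT -i lo -j ACCEPT' \
    'iptables -A OUTPUT -o lo -j ACCEPT' \
    'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # One owner-match rule per permitted user; the owner match only applies
  # to locally generated traffic, which is exactly the OUTPUT chain.
  for u in "$@"; do
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j ACCEPT\n' "$u"
  done
  # Everything that falls through is logged (visible via dmesg / journalctl
  # -k) before the DROP policy discards it, which gives the audit trail.
  printf '%s\n' \
    'iptables -A OUTPUT -j LOG --log-prefix "blocked-out: "' \
    'iptables -A INPUT -j LOG --log-prefix "blocked-in: "'
}
```

Because the policy is per-user rather than per-port, a client that ignores the proxy is blocked and logged even if it tries port 3128 directly on the LAN; IPv6 needs the same rules via ip6tables.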