Re: [fw-wiz] can iptables block incoming http connections from open proxy servers?
- From: John Mason Jr <john.mason.jr@xxxxxxx>
- Date: Fri, 25 May 2007 11:21:51 -0400
You might look at <http://www.projecthoneypot.org/httpbl.php>
White Hat wrote:
How can I block people from making http connections to an internal
webserver when they are using open http proxies?
While I think that open http proxies are an excellent tool for surfing
the web anonymously and I often use them, they also present me with a
I run a small forum, and don't have a good way of keeping users who
are banned for flaming, not following the rules, and other bad conduct
on the forums from returning and re-registering new accounts when
using open http proxies.
The web server is a Gentoo linux box and has packet filtering
(netfilter code), etc built into the kernel. I have the iptables
userspace ebuild installed.
At the moment, I've added rules to the proxies chain which is checked
by the input chain to stop inbound connections from proxy servers
based on the source ports being used by the remote proxy server.
However, this does not seem to be working at the moment.
iptables -N proxies
iptables -A INPUT -j proxies
iptables -I proxies -p tcp -i eth0 --sport 3128 -j DROP
I also have rules for all of the other common proxy server ports in
place in the proxies chain.
I'm guessing that this does not work because the source port is randomized.
To test this I configured firefox to use an open http proxy running
squid on port 3128 and then connected to the remote site with
wireshark running on the web server.
In the packet dump, the http traffic does not come from or go to port
3128. It seems that this port is never used for incoming our outgoing
source or destination ports.
My next thought is to use the excellent linblock perl script to just
load lists of IP's of known proxy servers into iptables, and then
setup a cron job to automate the whole thing every so often, but after
thinking about this for a bit, I'm wondering how I'm going to keep up
with the changes. Often times a proxy will be there one day and gone
the next and another system will replace it. The web server has
limited amounts of ram, and it would be exhausted after trying to load
x amount of addresses. Can snort be used to detect incoming
connections from open http proxy servers? Is there a pre-processor
that can be turned on to kick off an alert to the alert file?
I'm also having trouble finding an updated proxy list that I can use
with linblock. One of my favorite sites, bluetack, no longer has
anyone maintaining the proxy list.
I'm wondering, what's the best way to keep people using proxy servers
from connecting to the site. Is there a good way to do this with out
having to load thousands of rules to block each particular proxy?
I would greatly appreciate advice on how to handle this situation,
especially from forum admin types who have experience with this
firewall-wizards mailing list
firewall-wizards mailing list
- Prev by Date: [fw-wiz] can iptables block incoming http connections from open proxy servers?
- Next by Date: Re: [fw-wiz] HIPS experience
- Previous by thread: [fw-wiz] can iptables block incoming http connections from open proxy servers?