Firewall Wizards mailing list archives
Re: can iptables block incoming http connections from open proxy servers?
From: John Mason Jr <john.mason.jr () cox net>
Date: Fri, 25 May 2007 11:21:51 -0400
You might look at <http://www.projecthoneypot.org/httpbl.php>

John White Hat wrote:

Hi List,

How can I block people from making http connections to an internal webserver when they are using open http proxies? While I think that open http proxies are an excellent tool for surfing the web anonymously and I often use them, they also present me with a big problem. I run a small forum, and don't have a good way of keeping users who are banned for flaming, not following the rules, and other bad conduct on the forums from returning and re-registering new accounts when using open http proxies.

The web server is a Gentoo Linux box and has packet filtering (netfilter code), etc. built into the kernel. I have the iptables userspace ebuild installed.

At the moment, I've added rules to the proxies chain, which is checked by the input chain, to stop inbound connections from proxy servers based on the source ports being used by the remote proxy server. However, this does not seem to be working at the moment. For example:

    iptables -N proxies
    iptables -A INPUT -j proxies
    iptables -I proxies -p tcp -i eth0 --sport 3128 -j DROP

I also have rules for all of the other common proxy server ports in place in the proxies chain.

I'm guessing that this does not work because the source port is randomized. To test this I configured Firefox to use an open http proxy running squid on port 3128 and then connected to the remote site with Wireshark running on the web server. In the packet dump, the http traffic does not come from or go to port 3128. It seems that this port is never used for incoming or outgoing source or destination ports.

My next thought is to use the excellent linblock perl script to just load lists of IPs of known proxy servers into iptables, and then set up a cron job to automate the whole thing every so often, but after thinking about this for a bit, I'm wondering how I'm going to keep up with the changes. Often times a proxy will be there one day and gone the next and another system will replace it.

The web server has limited amounts of RAM, and it would be exhausted after trying to load x amount of addresses.

Can Snort be used to detect incoming connections from open http proxy servers? Is there a pre-processor that can be turned on to kick off an alert to the alert file?

I'm also having trouble finding an updated proxy list that I can use with linblock. One of my favorite sites, bluetack, no longer has anyone maintaining the proxy list.

I'm wondering, what's the best way to keep people using proxy servers from connecting to the site. Is there a good way to do this without having to load thousands of rules to block each particular proxy?

I would greatly appreciate advice on how to handle this situation, especially from forum admin types who have experience with this problem.

WhiteHat237

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
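The http:BL service John points to is a DNS-based blocklist rather than a list of addresses to load into iptables: the web server looks up a name of the form <access key>.<client IP with its octets reversed>.dnsbl.httpbl.org, gets NXDOMAIN when the address is unknown, and otherwise an A record 127.<days since last activity>.<threat score>.<visitor type>, where the last octet is a bit mask (1 suspicious, 2 harvester, 4 comment spammer, 0 for a known search-engine crawler). The following is an added example, not code from this thread or from Project Honey Pot, showing how a forum's registration handler could build the query, decode the answer and apply a local policy. The access key, the blocking thresholds and the resolver answers are constructed placeholders; a real deployment would use the key issued for the site's account and the system resolver.

```python
import ipaddress
import socket
from typing import Dict, Optional

# Visitor-type bit flags carried in the last octet of an http:BL answer
# (per the Project Honey Pot http:BL documentation). A value of 0 means the
# address is a known search-engine crawler; for those the other octets
# identify the engine rather than describing a threat.
SEARCH_ENGINE = 0
SUSPICIOUS = 1
HARVESTER = 2
COMMENT_SPAMMER = 4

HTTPBL_ZONE = "dnsbl.httpbl.org"


def httpbl_query_name(client_ip: str, access_key: str) -> str:
    """Return <key>.<client IP, octets reversed>.dnsbl.httpbl.org.

    http:BL covers IPv4 only, so any other input raises ValueError.
    """
    ip = ipaddress.IPv4Address(client_ip)
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_httpbl_answer(answer: str) -> Optional[Dict[str, object]]:
    """Decode a 127.<days>.<score>.<type> answer; None if it is not a listing."""
    octets = answer.split(".")
    if len(octets) != 4 or octets[0] != "127" or not all(o.isdigit() for o in octets[1:]):
        return None
    days, score, vtype = (int(o) for o in octets[1:])
    return {
        "days_since_last_activity": days,
        "threat_score": score,  # 0-255, higher is worse
        "search_engine": vtype == SEARCH_ENGINE,
        "suspicious": bool(vtype & SUSPICIOUS),
        "harvester": bool(vtype & HARVESTER),
        "comment_spammer": bool(vtype & COMMENT_SPAMMER),
    }


def should_block(info, max_days: int = 30, min_score: int = 10) -> bool:
    """Local policy (an assumption for this example, not part of http:BL):
    refuse listed addresses seen within max_days that score at least
    min_score; never refuse crawlers or unlisted addresses."""
    if info is None or info["search_engine"]:
        return False
    return info["days_since_last_activity"] <= max_days and info["threat_score"] >= min_score


def check_visitor(client_ip: str, access_key: str, resolve=socket.gethostbyname):
    """Look the visitor up; None means not listed (NXDOMAIN) or not an IPv4 address."""
    try:
        name = httpbl_query_name(client_ip, access_key)
        answer = resolve(name)
    except (ValueError, socket.gaierror):
        return None
    return decode_httpbl_answer(answer)


# Constructed stand-in for DNS so the example runs offline. The key is a
# placeholder; a real one is issued with a Project Honey Pot account.
PLACEHOLDER_KEY = "abcdefghijkl"
_CONSTRUCTED_ANSWERS = {
    httpbl_query_name("192.0.2.10", PLACEHOLDER_KEY): "127.3.45.6",  # harvester + comment spammer
    httpbl_query_name("192.0.2.20", PLACEHOLDER_KEY): "127.1.0.0",   # search-engine crawler
}


def constructed_resolver(name: str) -> str:
    """Behaves like gethostbyname against the constructed answers above."""
    try:
        return _CONSTRUCTED_ANSWERS[name]
    except KeyError:
        raise socket.gaierror("constructed NXDOMAIN") from None


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "2001:db8::1"):
        info = check_visitor(ip, PLACEHOLDER_KEY, resolve=constructed_resolver)
        print(ip, "block" if should_block(info) else "allow", info)
```

Because the lookup happens per request, nothing has to be loaded into the kernel and no rule list goes stale; the trade-off is a DNS round trip on registration (cache the answers) and a dependency on a third party, so treat a lookup failure as "allow" rather than locking everyone out.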