Community Forum

alahwany
Hello

Please, I need your help to tell me what this means.

When going to the Squid access report via the log viewer I saw this:
1484398636.413 120077 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253 -

My eth1 is for my LAN network and it is 192.168.1.253.

How does the report show 192.168.1.253 to 192.168.1.253?

Other lines show the computer IP to my proxy server 192.168.1.253; that is normal,
but this line from the report shows the proxy server IP accessing the proxy server IP too!!!!

Has someone hacked the system and opened sites without any policies?
My server is using the proxy in non-transparent mode with user authentication.

Thanks, and I hope to see anyone who can tell me what this is.
Saturday, January 14 2017, 01:25 PM
Responses (35)
  • Friday, September 15 2017, 04:40 AM
    I am new at ClearOS, mostly using Zen. I also encountered this problem, and I found out someone was using a KMS Windows activator, which diverts and bypasses the proxy firewall. Try looking whether someone is using that application, and also UltraSurf.
  • Friday, September 15 2017, 04:36 AM
    Someone is using a KMS Windows/Office activator :D
  • Wednesday, September 13 2017, 03:25 PM
    If you use PuTTY, you can just scroll up and select the text. Selecting it copies it to the clipboard and you can then paste it into the forum (between code tags, please). Alternatively do:
    iptables -nvL > somefile.txt
    iptables -nvL -t nat >> somefile.txt
    The second command will append to the file from the first command. You will find the file in your current folder (probably root, also displayed as ~).
  • alahwany, Wednesday, September 13 2017, 01:18 PM
    Nick Howitt wrote:

    I'm trying to research this online. Please can you paste the output of:
    iptables -nvL
    iptables -nvL -t nat
    and put the result between code tags (the piece of paper icon with a <> on it)


    Thanks Nick for your help,

    I saw many lines in SSH for the result; is there any way to save the result as a txt or log file?
  • Tuesday, September 12 2017, 05:04 PM
    I'm trying to research this online. Please can you paste the output of:
    iptables -nvL
    iptables -nvL -t nat
    and put the result between code tags (the piece of paper icon with a <> on it)
  • alahwany, Tuesday, September 12 2017, 10:28 AM
    Now I have a new loop with a browser:

    2017/09/12 10:46:34| WARNING: Forwarding loop detected for:
    GET /favicon.ico HTTP/1.0
    Host: 192.168.1.253:8080
    Authorization: Basic bS5hYm9zbzNvb2Q6bWlkb2Fib3NvM29vZA==
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    Accept: image/webp,image/apng,image/*,*/*;q=0.8
    Referer: http://192.168.1.253:8080/approot/content_filter/htdocs/warning.php?DENIEDURL=52525252525252526REASON%25252525252525253dBanned%25252525252525252520site%2525252525252525253a%25252525252525252520Blanket%252525252525
    Accept-Encoding: identity,gzip,deflate
    Accept-Language: en-US,ar;q=0.8,en;q=0.6,en-GB;q=0.4
    Via: 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0 fw1.medcom.local (squid/3.1.23), 1.0
    Cache-Control: max-age=259200
    Connection: keep-alive
    X-Forwarded-For: 192.168.1.253
  • alahwany, Sunday, September 10 2017, 11:59 AM
    Nick Howitt wrote:

    Not really my thread, but does it not tell you the user agents:
    User-Agent: Microsoft Office  2014
    and
    User-Agent: Microsoft Office/16.0 (HubTaskHost.exe 16.0.7608; Pro)
    So, perhaps a line like:
    User-Agent: Microsoft Office.*
    in /etc/dansguardian-av/lists/bannedregexpheaderlist will cover both and more.


    Thank you very much,
    but after making that I still see the same result, a forwarding loop for Microsoft Office, and I don't know how to find the device making this loop; cache.log and access.log do not show any IP for the device, they only show the ClearOS LAN IP 192.168.1.253.

    Unbelievable, I can't find the device making this!! Please, is there anything that can stop this forwarding loop for Microsoft?
  • Wednesday, August 30 2017, 07:29 PM
    The top log entry of the recursive loop shows the culprit. You can also sometimes find the machine that is causing this on your LAN with the following:

    grep "http://192.168.1.253:8080" /var/log/squid/access.log | grep -v "DIRECT/192.168.1.253 "

    (Notice the space at the end of the "DIRECT/192.168.1.253 " portion)
  • Wednesday, August 30 2017, 05:06 PM
    Not really my thread, but does it not tell you the user agents:
    User-Agent: Microsoft Office  2014
    and
    User-Agent: Microsoft Office/16.0 (HubTaskHost.exe 16.0.7608; Pro)
    So, perhaps a line like:
    User-Agent: Microsoft Office.*
    in /etc/dansguardian-av/lists/bannedregexpheaderlist will cover both and more.
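As an added example (not code from this thread, ClearOS, Squid or DansGuardian), here is a small Python script that does the two things suggested above on constructed log lines modelled on the ones quoted in this thread: it splits cache.log into "Forwarding loop detected" records and reports each loop's User-Agent, X-Forwarded-For and Via hop count, checks which loops a bannedregexpheaderlist line such as `User-Agent: Microsoft Office.*` would catch (assuming each pattern is tried against each request header line), and counts access.log requests for the proxy's own URL by client IP, which is what the grep does.

```python
import re
from collections import Counter

PROXY_IP = "192.168.1.253"   # ClearOS LAN address (eth1) from the thread
PROXY_PORT = 8080            # DansGuardian/Squid filter port from the thread

# Constructed sample logs modelled on the lines quoted in this thread.
ACCESS_LOG = """\
1484398636.413 120077 192.168.1.100 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253 -
1484398636.413 120077 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253 -
1484398700.001 45 192.168.1.120 TCP_MISS/200 5120 GET http://example.com/ user1 DIRECT/93.184.216.34 text/html
"""

CACHE_LOG = """\
2017/08/27 12:04:46| WARNING: Forwarding loop detected for:
GET / HTTP/1.0
User-Agent: avast! Antivirus
Host: 192.168.1.253:8080
Accept: */*
Via: 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23)
Cache-Control: max-age=259200
Connection: keep-alive
X-Forwarded-For: 192.168.1.253

2017/08/30 12:17:43| WARNING: Forwarding loop detected for:
GET / HTTP/1.0
Accept: */*
User-Agent: Microsoft Office/16.0 (HubTaskHost.exe 16.0.7608; Pro)
Host: 192.168.1.253:8080
Via: 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23)
X-Forwarded-For: 192.168.1.253
"""

# Lines in the style of /etc/dansguardian-av/lists/bannedregexpheaderlist.
BANNED_HEADER_REGEXPS = [
    r"User-Agent: Microsoft Office.*",
    r"User-Agent: avast! Antivirus",
]

def requests_to_proxy_itself(access_text, proxy_ip=PROXY_IP, proxy_port=PROXY_PORT):
    """Count access.log requests whose URL is the proxy's own socket, by client IP.
    Squid native format: time elapsed client code/status bytes method URL ident hier/peer type.
    A client equal to the proxy IP is Squid re-entering itself; any other client is the LAN
    host that asked the proxy for its own address, which is what the grep above looks for."""
    target = "http://%s:%d/" % (proxy_ip, proxy_port)
    by_client = Counter()
    for line in access_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[6].startswith(target):
            by_client[fields[2]] += 1
    return by_client

def parse_forwarding_loops(cache_text):
    """Split cache.log into 'Forwarding loop detected' records: request headers plus the
    hop count, i.e. how many 'Via' entries the request accumulated before detection."""
    loops, current = [], None
    for line in cache_text.splitlines():
        if "Forwarding loop detected" in line:
            current = {"time": line.split("|")[0], "hops": 0, "headers": {}}
            loops.append(current)
        elif current is None or not line.strip():
            current = None          # a blank line ends the dumped request
        elif ":" in line and not line.startswith(("GET ", "POST ", "CONNECT ")):
            name, _, value = line.partition(":")
            current["headers"][name.strip()] = value.strip()
            if name.strip().lower() == "via":
                current["hops"] = len([v for v in value.split(",") if v.strip()])
    return loops

def matching_banned_regexp(headers, patterns=BANNED_HEADER_REGEXPS):
    """Return the first list pattern matching any 'Name: value' header line of the looping
    request, or None if the list would not stop it (assumed: per-line, case-insensitive)."""
    lines = ["%s: %s" % (k, v) for k, v in headers.items()]
    for pat in patterns:
        rx = re.compile(pat, re.IGNORECASE)
        if any(rx.search(h) for h in lines):
            return pat
    return None

def loop_report(cache_text=CACHE_LOG, access_text=ACCESS_LOG):
    """One row per detected loop, plus per-client counts of requests for the proxy's own URL."""
    rows = []
    for loop in parse_forwarding_loops(cache_text):
        h = loop["headers"]
        rows.append({"time": loop["time"], "hops": loop["hops"],
                     "user_agent": h.get("User-Agent", "?"),
                     "forwarded_for": h.get("X-Forwarded-For", "?"),
                     "blocked_by": matching_banned_regexp(h)})
    return rows, requests_to_proxy_itself(access_text)
```

On a real box, read `/var/log/squid/cache.log` and `/var/log/squid/access.log` into the two text arguments; a loop whose `blocked_by` is None still needs a pattern added to the list.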
  • alahwany, Wednesday, August 30 2017, 10:40 AM
    Hello,

    I have another type of forwarding loop too :(
    I have blocked Avast via user-agent, but I don't know how to block this one because I don't know the user agent for Microsoft.

    Also, is there any way to find this device?
    2017/08/30 12:17:33| WARNING: Forwarding loop detected for:
    GET / HTTP/1.0
    Accept: */*
    User-Agent: Microsoft Office 2014
    X-MSEdge-IG: D635F83C-ADB8-46F8-93CF-5A5CBAD2B867
    X-MSEdge-AppID: officehub
    X-OCAS-Platform: winrt
    X-OCAS-Build: 16.0.7608
    Accept-Encoding: identity,gzip,deflate
    Host: 192.168.1.253:8080
    Via: 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.m
    Cache-Control: no-cache
    Connection: keep-alive
    X-Forwarded-For: 192.168.1.253

    2017/08/30 12:17:43| WARNING: Forwarding loop detected for:
    GET / HTTP/1.0
    Accept: */*
    User-Agent: Microsoft Office/16.0 (HubTaskHost.exe 16.0.7608; Pro)
    X-IDCRL_ACCEPTED: t
    X-Office-Version: 16.0.7608
    X-Office-Application: 29
    X-Office-Platform: Universal
    X-Office-SqmUserId: {5A1EC062-521F-4D45-B8E2-510611DAB32C}
    Accept-Encoding: identity,gzip,deflate
    Host: 192.168.1.253:8080
    Via: 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.m
    Cache-Control: no-cache
    Connection: keep-alive
    X-Forwarded-For: 192.168.1.253
  • alahwany, Monday, August 28 2017, 02:26 PM
    Thank you Dave Loper for your answer.

    I am using the proxy in non-transparent mode with user authentication, and I already have the custom firewall to block some ports and IPs.

    So I think option no. 1 must be used with transparent mode.

    And for the second option, no. 2: if I change port 8080 I think this will solve the problem for some time, but not always, because Avast detects the proxy port from the browser or in another way; as in my case, I don't know how Avast detected 8080!! But I must try it first.

    I hope to find a solution to block this forwarding via iptables for all software like Avast.

    Based on your link I found a way using the user agent, and I think this is excellent if I add it correctly; can I also block any application by user agent with this, is this true??

    Thank you very much
  • Monday, August 28 2017, 01:30 PM
    There are two different ways you can perform a workaround. For compatibility reasons between apps, I recommend the first one:

    OPTION 1
    Download the custom firewall from the ClearOS Marketplace. If you are using transparent mode you can use the custom firewall to block directed access to port 8080 on the LAN segment with a rule similar to:

    iptables -t mangle -I PREROUTING -i eth1 -p tcp --destination-port 8080 ! -s 192.168.1.253 -j DROP # Drop 8080 queries from external if 'eth1' is your network interface

    or something more general like this...

    iptables -t mangle -I PREROUTING -i eth1 -p tcp --dport 8080 -j DROP # If 'eth1' is your network interface

    Another way to handle this is....

    OPTION 2

    Alternative workaround...move the DG port to something other than 8080.

    For now, you need to edit two files:

    /etc/dansguardian-av/dansguardian.conf
    filterport = 8080

    and

    /usr/clearos/apps/firewall/deploy/firewall.lua
    local SQUID_FILTER_PORT = "8080"

    Change the 8080 references to an alt port...eg. 8081.

    Restart services:

    service dansguardian-av restart
    service firewall restart
  • alahwany, Sunday, August 27 2017, 06:20 PM
    Dave Loper wrote:

    This is a recursive lookup. You will see the event in your cache.log. It escalates quickly and can cause a disruption. Any chance you are running Avast?

    https://tracker.clearos.com/view.php?id=6791


    After checking the cache.log I saw this:

    2017/08/27 12:04:46| WARNING: Forwarding loop detected for:
    GET / HTTP/1.0
    User-Agent: avast! Antivirus
    Host: 192.168.1.253:8080
    Accept: */*
    Via: 1.0 fw1.true.local (squid/3.1.23), 1.0 fw1.true.local (squid/3.1.23)
    Cache-Control: max-age=259200
    Connection: keep-alive
    X-Forwarded-For: 192.168.1.253


    Now I think this is Avast on some computers; is there any way to ignore this loop and fix this?

    Thank you for your help
  • Sunday, August 27 2017, 05:18 PM
    This is a recursive lookup. You will see the event in your cache.log. It escalates quickly and can cause a disruption. Any chance you are running Avast?

    https://tracker.clearos.com/view.php?id=6791
  • alahwany, Sunday, August 27 2017, 11:28 AM
    Nick Howitt wrote:

    At a guess this is someone asking for something from your server. Do you bypass the proxy for LAN (or server) requests?

    I don't have any device bypassing the proxy in my LAN.

    Sorry for my lateness, but really I don't know why, when going to the Squid access report via the log viewer, I saw this:
    1484398636.413 120077 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253 

    I have blocked all ports except some ports for using the proxy and mail via iptables, by adding rules in the custom firewall,
    and I still see the same line sometimes, and I am sure some employees try to use a browser like Tor to open all sites and bypass the proxy. But I can't find this device :(

    Normally I see all device IPs to my LAN IP in ClearOS, like this
    when going to the Squid access report via the log viewer:
    1484398636.413 120077 192.168.1.100 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253

    But sometimes I see this:
    1484398636.413 120077 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253

    And 192.168.1.253 is the LAN IP of eth1 in ClearOS.

    Finally, I don't know what I can do with this; I am tired because I can't find out why this happens and can't find the device making this after 6 months.
  • alahwany, Sunday, January 15 2017, 02:14 PM
    Mr. Nick,
    I have checked the IPs in iptables and found all these IPs are blocked by Intrusion Prevention, and they are added to iptables automatically by Intrusion Prevention.
  • alahwany, Sunday, January 15 2017, 02:03 PM
    Nick Howitt wrote:

    I was assuming all your many DROP rules were TOR rules. Is that correct? I've done a quick check and they are not TOR points which I can get from Emerging Threats. Do you know what they are? If they are not TOR rules then it is a huge list for something else.

    With regards ipset, I was referring to this thread, although the first script needs to be reduced a bit to only handle TOR rules without the other Snort stuff.


    I think all these drop rules are for Tor, because I have blocked IP domains in the content filter; also I have pasted a lot of IPs into the banned IPs in the content filter, but my banned IPs in the content filter are not the same as in iptables!!

    I think I must try your solution about Tor and make your script, but I will need your help to do this because there are some steps I don't know how to do from my post about Tor.
  • Sunday, January 15 2017, 01:52 PM
    Sarg by default formats the information solely from the proxy (squid) reports...

    It can also generate reports from DansGuardian logs, SquidGuard logs and web proxy redirector logs such as the ones created by squidGuard or Rejik. Never used these options so cannot comment further. See https://sourceforge.net/projects/sarg/support?source=navbar for more help and support for sarg...
  • alahwany, Sunday, January 15 2017, 01:30 PM
    Today I found this line again in the proxy access log:

    1484485559.917 120023 192.168.1.253 TCP_MISS/000 0 GET http://192.168.1.253:8080/ - DIRECT/192.168.1.253 -

    But I know now why the proxy access log shows this line:

    because I found a computer in the LAN network using Tor Browser, and after running Tor, Tor tries to connect to the Tor network,
    so when Tor tries to connect to the Tor network the proxy access log shows this line.

    My question now:
    How to make the report show this PC, and how to show the type of browser when a user starts browsing??
    Also, I want my users in the LAN to use only Firefox, Chrome and Internet Explorer; is this possible? Is there any solution so that when any user starts running a browser other than my legal browsers, it shows in the report like PC name - MAC - browser name, to know it and take action with this user based on the report?

    Unfortunately this line does not show any info for the PC, MAC, user name or browser name, and I need it because based on this report I will take action with this user.

    I don't know whether SARG can help me to show it or not, or any other report tool.

    I hope you can help me make my report show everything in the LAN network.

    Thank you very much
  • Sunday, January 15 2017, 01:28 PM
    I was assuming all your many DROP rules were TOR rules. Is that correct? I've done a quick check and they are not TOR points which I can get from Emerging Threats. Do you know what they are? If they are not TOR rules then it is a huge list for something else.

    With regards ipset, I was referring to this thread, although the first script needs to be reduced a bit to only handle TOR rules without the other Snort stuff.
  • Sunday, January 15 2017, 12:52 PM
    I run sarg on both ClearOS 6.8 and 7.2 Community Edition - I don't have any professional editions so cannot comment regarding that platform...

    Instructions for Community Edition on these forums and on my site at http://danda.poweredbyclear.com/master-frame-sargv6.html.
  • alahwany, Sunday, January 15 2017, 11:05 AM
    Nick Howitt wrote:

    It sounds like you're getting there. For reports, search this site for Sarg.

    In your INPUT chain you have a number of rules with destination IP's. These are meaningless when you've specified the external interface and can be removed. The destination will always be your WAN IP.

    Does your firewall take an age to start with so many rules? You'll probably find using ipset (as in another of your threads) is way more efficient at loading and will give fewer delays for traffic passing through the firewall.


    I have searched about the Sarg tool for proxy reports; is this safe, and can it be installed on my latest ClearOS 6.8 Professional? I am now using the filter and proxy report from ClearOS; is this tool from Sarg better?

    I have forwards from the firewall to some computers in my LAN on port 3389 (Remote Desktop) and open mail ports.
    Another rule in the INPUT chain is marked DROP and I don't know what it is, because it shows many IPs!!

    About the last part of your words about ipset and the question, I don't understand it; can you please tell me more about what you mean?

    Thank you for your help
  • Sunday, January 15 2017, 07:37 AM
    It sounds like you're getting there. For reports, search this site for Sarg.

    In your INPUT chain you have a number of rules with destination IP's. These are meaningless when you've specified the external interface and can be removed. The destination will always be your WAN IP.

    Does your firewall take an age to start with so many rules? You'll probably find using ipset (as in another of your threads) is way more efficient at loading and will give fewer delays for traffic passing through the firewall.
  • alahwany, Saturday, January 14 2017, 11:24 PM
    I have blocked all ports on eth1 by
    iptables -I INPUT -i eth1 -j DROP

    and added other open rules for any other ports.

    I think now the INPUT LAN interface eth1 in ClearOS is safe, and I will monitor the Squid access log for 2 days and see whether it shows the same line or not, and come back to you.

    If there is anything I can do when I find it again in live traffic to know the MAC address of the client computer to catch him, I will be very happy.

    Thank you very much
  • alahwany, Saturday, January 14 2017, 10:09 PM
    See the iptables, Mr. Nick.

    Thank you very much; waiting for your opinion and the command to block ports on eth1.
  • alahwany, Saturday, January 14 2017, 09:55 PM
    Nick Howitt wrote:

    Rather than attach the file, copy and paste the contents between code tags.

    You do not want to block all incoming LAN traffic except proxy or you'll block DNS and DHCP as well as your mail and proxy. To block 80 and 443, try:
    iptables -I INPUT -i eth1 -p tcp -m multiport --dports 80,443 -j DROP
    If you know what you want to allow, do a drop all rule (irrespective of protocol) and then specific UDP and TCP allow rules.


    How to block all ports on eth1 via the custom firewall? Can you tell me the command to put in it?
  • Saturday, January 14 2017, 09:36 PM
    Rather than attach the file, copy and paste the contents between code tags.

    You do not want to block all incoming LAN traffic except proxy or you'll block DNS and DHCP as well as your mail and proxy. To block 80 and 443, try:
    iptables -I INPUT -i eth1 -p tcp -m multiport --dports 80,443 -j DROP
    If you know what you want to allow, do a drop all rule (irrespective of protocol) and then specific UDP and TCP allow rules.
  • alahwany, Saturday, January 14 2017, 09:31 PM
    Nick Howitt wrote:

    I don't understand how ClearOS can be standalone and a gateway at the same time. Please can you clarify your network set up?

    If it is gateway, you should be able to block Egress on 80 and 443 which blocks the FORWARD chain - if ClearOS has not done this for you. I think you can also block incoming traffic on 80 and 443 on interface eth1 (-i eth1)


    My ClearOS works as a gateway only; sorry for my mistake, I mean it is not synced or linked with the domain controller, it is only for internet service in my network.

    My Egress blocks all ports, of course HTTP and HTTPS and all ports; only SMTP and POP3 are accepted in Egress.
    And my users in the LAN use the IP 192.168.1.253 for browsing via the proxy on port 8080, and as the gateway to send and receive mail.

    But I like the idea of blocking incoming traffic on 80 and 443 for eth1, or blocking all ports on eth1 except POP3 and SMTP so the LAN can send and receive mail.
    Can you please tell me how to do that via the custom firewall?

    I can't upload the txt extension here to upload the iptables results; I will upload it to some drive and paste the URL.
  • alahwany, Saturday, January 14 2017, 09:28 PM
    Nick Howitt wrote:

    I don't understand how ClearOS can be standalone and a gateway at the same time. Please can you clarify your network set up?

    If it is gateway, you should be able to block Egress on 80 and 443 which blocks the FORWARD chain - if ClearOS has not done this for you. I think you can also block incoming traffic on 80 and 443 on interface eth1 (-i eth1)


    My ClearOS works as a gateway only; sorry for my mistake, I mean it is not synced or linked with the domain controller, it is only for internet service in my network.

    My Egress blocks all ports, of course HTTP and HTTPS and all ports; only SMTP and POP3 are accepted in Egress.
    And my users in the LAN use the IP 192.168.1.253 for browsing, and as the gateway to send and receive mail.

    But I like the idea of blocking incoming traffic on 80 and 443 for eth1, or blocking all ports on eth1 except POP3 and SMTP so the LAN can send and receive mail.
    Can you please tell me how to do that via the custom firewall?

    I have attached the iptable.txt
  • Saturday, January 14 2017, 08:34 PM
    alahwany wrote:
    I have run your command for iptables and it shows many lines in SSH, and I can't copy the result because I didn't see the start of the results and there are many.
    Is there any way to see all results from the start? Because I saw the end part, and when going up to the top it does not go to the start part. Tell me how to see all results to send them to you.
    If you are using PuTTY, just scroll up or hold down the left mouse button and move the mouse to the top of the screen. Alternatively output the results to file ("iptables -nvL > iptables.txt") then view the file in WinSCP.

    I don't understand how ClearOS can be standalone and a gateway at the same time. Please can you clarify your network set up?

    If it is gateway, you should be able to block Egress on 80 and 443 which blocks the FORWARD chain - if ClearOS has not done this for you. I think you can also block incoming traffic on 80 and 443 on interface eth1 (-i eth1)
  • alahwany, Saturday, January 14 2017, 08:04 PM
    Yes, my ClearOS is working as a standalone in my LAN, and I have configured all computers to use ClearOS as gateway and proxy server in the internet browser.

    And I have blocked all ports in the Egress Firewall except ports for mail: POP3, SMTP, SMTPS, and made it only accept webconfig from external and SSH from a specific IP from the external and LAN network.

    I have run your command for iptables and it shows many lines in SSH, and I can't copy the result because I didn't see the start of the results and there are many.
    Is there any way to see all results from the start? Because I saw the end part, and when going up to the top it does not go to the start part. Tell me how to see all results to send them to you.

    Anyway, the last part of the results is (the other lines above are DROP):
    10772 7597K ACCEPT all  -- * eth1 0.0.0.0/0 0.0.0.0/0
      616  101K ACCEPT all  -- * eth2 0.0.0.0/0 0.0.0.0/0
       35  1015 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0
        0     0 ACCEPT udp  -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
        0     0 ACCEPT tcp  -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
       99 49284 ACCEPT tcp  -- * eth0 PUBLIC-IP 0.0.0.0/0 tcp spt:81
     7090 1148K ACCEPT all  -- * eth0 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
     pkts bytes target prot opt in out source    destination
        0     0 DROP   all  -- *  *   0.0.0.0/0 0.0.0.0/0


    Tell me what you think, or if you need more, tell me how to execute the command to see all results from the start.
    I have changed the results and hidden the public IP here.
  • Saturday, January 14 2017, 07:26 PM
    I'll start off by saying I don't really know the proxy and I don't use it.

    Is ClearOS your gateway as well as proxy, with the domain controller as a standalone machine on your LAN?

    As a configuration, you must have configured all PC's to use the proxy? I suspect the standard configuration may be to bypass the proxy for all devices on your LAN?

    In your firewall you should be able to block just about everything in the Egress firewall if it is not done when you activate the proxy. What is the output of "iptables -nvL" (between code tags, please).
  • alahwany, Saturday, January 14 2017, 06:19 PM
    Hello Nick,

    My server is using these settings in the web proxy:

    user authentication + non-transparent
    domain controller IP (192.168.1.1) in the bypass list in the web proxy
    domain controller IP (192.168.1.1) in the exception IPs in the content filter

    192.168.1.253 is eth1 on my ClearOS
    eth0 has the public IP on my ClearOS

    These are my settings and everything is working fine, but sometimes during work time I see this, and I think someone from the employees is trying to open all sites,
    because a month ago I found someone using Tor Browser and I blocked it by adding Tor sites to the banned sites.

    So I think the employee is trying a new way to open the sites again; I don't know how to catch him?

    Can you help me to make my ClearOS safe so nobody in the LAN can bypass the proxy?
    I think someone in my LAN changed their computer IP to the proxy IP and tried to open sites, or tried some other way to open sites.

    Is there any way to know which computer in the LAN made this line in the report, or to show the MAC address for this line, like
    MAC address of the LAN computer to the MAC of eth1 on ClearOS?? To see the source and destination via MAC and see the computers and catch this person?

    Thanks
  • Saturday, January 14 2017, 05:45 PM
    Nick thank you for dealing with these types of misconfigured assumptions. Will be interesting to see what this turns out to be. Appreciate you!
  • Saturday, January 14 2017, 04:17 PM
    At a guess this is someone asking for something from your server. Do you bypass the proxy for LAN (or server) requests?