Friday, April 30, 2010

How to block Skype with Squid -- Update

This post explains a quick and dirty method to block Skype for some users while avoiding blocking access to HTTPS URLs that are given as IP addresses rather than FQDNs.
This post assumes that your clients have no direct Internet access and must pass through your Squid proxy server to make an external connection.
This post assumes your local network is 192.168.1.0/24.
This post assumes you want to give Skype access to the IPs from 192.168.1.100 to 192.168.1.200, and Internet access to your whole network.

Obviously you MUST change the IPs based on your REAL network configuration.
In the following configuration, I’m going to create some ACLs to define my networks, the Skype connection method and the Skype connection destinations, and create a sort of whitelist that can be filled in with exceptions to avoid HTTPS connection problems.
The whitelist file is /etc/squid/https_url_allowed; fill it in with one IP address per line (because the ACL type is url_regex, each line is read as a regular expression), for example:
proxy:~ # cat /etc/squid/https_url_allowed
aaa.bbb.ccc.ddd
eee.fff.ggg.hhh
iii.jjj.kkk.lll
mmm.nnn.ooo.ppp
qqq.rrr.sss.ttt
uuu.vvv.www.xxx

All the following lines go in the main Squid configuration file, usually /etc/squid/squid.conf:

# Declare an ACL to catch ALL (Squid 3.x and later predefine "all"; omit this line there)
acl all src 0.0.0.0/0.0.0.0
# Define an ACL to define my local network
acl mynetworks src 192.168.1.0/24
# Define an ACL to have some IPs that can connect to SKYPE
acl skype_users src 192.168.1.100-192.168.1.200
# Define a CONNECT acl for the CONNECT method
acl CONNECT method CONNECT
# Define an ACL for the URLs composed only of numbers, not FQDN
acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
# Define an ACL for the whitelisted HTTPS destinations, read from a file
acl https_url_allowed url_regex -i "/etc/squid/https_url_allowed"
# Allow SKYPE access for the group “skype_users”
http_access allow CONNECT skype_url skype_users
# Allow https access for IP Addresses defined in “/etc/squid/https_url_allowed”
http_access allow CONNECT https_url_allowed
# Deny Access to SKYPE and all other
http_access deny CONNECT skype_url
# Allow Internet access to all “mynetworks”
http_access allow mynetworks
# And finally deny all other access from this proxy
http_access deny all
If you have completed all the previous steps, reload or restart Squid.
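
The order of the http_access lines matters, because Squid applies the first line whose ACLs all match. The Python model below of those five lines is an added example, not part of the original post; it assumes the CONNECT target reaches url_regex as host:port, and it uses constructed documentation addresses for the destinations and the whitelist entry.

```python
import ipaddress
import re

# Constructed whitelist entry (documentation address), standing in for one
# line of /etc/squid/https_url_allowed; the helper names here are hypothetical.
WHITELIST = [r"^203\.0\.113\.10:"]
# Numeric-host pattern with escaped dots, and the same pattern with bare dots.
NUMERIC = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")
LOOSE = re.compile(r"^[0-9]+.[0-9]+.[0-9]+.[0-9]+")

def ip(s):
    return ipaddress.ip_address(s)

def acls(src, method, target, numeric=NUMERIC):
    """Return the names of the post's ACLs that this request matches."""
    a = ip(src)
    matched = {"all"}
    if a in ipaddress.ip_network("192.168.1.0/24"):
        matched.add("mynetworks")
    if ip("192.168.1.100") <= a <= ip("192.168.1.200"):
        matched.add("skype_users")
    if method == "CONNECT":
        matched.add("CONNECT")
    if numeric.search(target):
        matched.add("skype_url")
    if any(re.search(p, target, re.I) for p in WHITELIST):
        matched.add("https_url_allowed")
    return matched

# http_access lines in the post's order; every ACL on a line must match.
RULES = [
    ("allow", {"CONNECT", "skype_url", "skype_users"}),
    ("allow", {"CONNECT", "https_url_allowed"}),
    ("deny", {"CONNECT", "skype_url"}),
    ("allow", {"mynetworks"}),
    ("deny", {"all"}),
]

def decide(src, method, target, numeric=NUMERIC):
    """First matching http_access line wins, as in Squid."""
    matched = acls(src, method, target, numeric)
    for action, needed in RULES:
        if needed <= matched:
            return action
    return "deny"

if __name__ == "__main__":
    for src in ("192.168.1.150", "192.168.1.20"):
        print(src, decide(src, "CONNECT", "198.51.100.7:443"))
```

Passing `LOOSE` as `numeric` shows the side effect of leaving the dots unescaped: a CONNECT to a host name that begins with seven or more digits is treated as numeric and denied for clients outside the Skype range.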
