In an office such as a software house, Facebook cannot simply be banned: many of the web applications being built use Facebook Login to register accounts and call a number of Facebook APIs to show Facebook updates inside their own platform. What management does worry about is the bandwidth users burn watching videos on Facebook. This is a solution for that situation; with it, roughly 95% of videos can be blocked. Keep in mind that only plain HTTP on port 80 is intercepted, so anything the site delivers over HTTPS passes through untouched and the figure only holds for video served over HTTP.
Scenario:
In this scenario the Mikrotik router acts as DHCP server, DNS server and default gateway for the local network. An Ubuntu 12.04 machine with two NICs (eth0, eth1) is placed inline between them: eth0 is connected to the gateway and eth1 to the switch. Because the box bridges at layer 2, the clients keep using the Mikrotik as their gateway and nothing on the network has to be reconfigured.
Install squid3, ebtables and bridge-utils with the following command:
sudo apt-get install squid3 ebtables bridge-utils
Edit the /etc/network/interfaces file:
sudo nano /etc/network/interfaces
Delete all the settings for eth0 and eth1, so that only the loopback entry remains (the bridge is brought up from rc.local instead):
Edit the /etc/rc.local file:
sudo nano /etc/rc.local
Put the following in rc.local; all of the commands must come before the final "exit 0":
#!/bin/sh -e
############### Bridge Interface ###################
# Both NICs are enslaved to br0; the physical ports carry no IP address.
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
# br0 gets the management address and the default route via the Mikrotik
ifconfig br0 10.10.10.250 netmask 255.255.255.0 up
route add default gw 10.10.10.1 dev br0
####################################################
################### Proxy Rule #####################
# Pull TCP port-80 frames out of the pure bridge path so the IP stack (and
# therefore iptables nat) gets to see them; everything else is bridged untouched.
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
# Redirect the intercepted HTTP to Squid on port 3128, whichever interface it arrived on
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
####################################################
exit 0
Note: eth0 and eth1 carry no IP address; br0 has 10.10.10.250/24 purely so the box can be managed remotely. That address is reachable from both sides of the bridge, so restrict who may reach its management services.
To enable ip forwarding, edit /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
Uncomment the following lines:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Reboot the system or restart networking service:
sudo /etc/init.d/networking restart
Note: if you run into problems at this point, just reboot the system once.
Make a backup of original squid.conf file:
sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
Edit the squid.conf file:
sudo nano /etc/squid3/squid.conf
Delete everything and add these lines:
###### General Settings ##############
# Squid 3.1 (Ubuntu 12.04) still accepts "transparent"; newer releases spell it "intercept"
http_port 3128 transparent
acl LAN src 10.10.10.0/24
acl localnet src 127.0.0.1/255.255.255.255

#### These clients (by MAC address, one per line) are allowed to reach the restricted content ####
acl special_client arp "/etc/squid3/spclients"

###### Block Video Streaming ##############
# "media" matches on the Content-Type of the reply coming back from the server...
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type -i ^video/
#acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
# ...while "mediapr" matches on the extension in the requested URL
acl mediapr urlpath_regex \.flv(\?.*)?$
acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb)(\?.*)?$

########## Access Lists #########
# Order matters: the exception for special_client must come before the deny
http_access allow mediapr special_client
http_reply_access allow media special_client
http_access deny mediapr
http_reply_access deny media
http_access allow LAN
http_access allow localnet
# Explicit catch-all; Squid's implicit default is the opposite of the last rule, so state it
http_access deny all

######## Log File ##########
access_log /var/log/squid3/access.log

###### No cache anything ###
# Squid 3.x spells this "cache deny all"; the old no_cache form is still accepted
no_cache deny all
Note: if you enable the commented-out line (remove the # in front of "acl media rep_mime_type ^application/x-shockwave-flash"), Squid will block every Flash object, including on sites that are not video streaming sites.
Restart the squid3 service:
sudo service squid3 restart
Check youtube.com from a client machine: the videos no longer play, and Squid blocks the HD versions as well. Check the videos on facebook.com in the same way.
Then check the squid3 log to verify that it really is blocking the video streams:
sudo tail -f /var/log/squid3/access.log
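As an added example (not part of the original post), here is a small shell script that summarises Squid's native-format access.log, reporting per client how many video requests were answered with 403, so the block can be confirmed across the whole office rather than by eyeballing tail -f. The log lines in SAMPLE_LOG are constructed for the demonstration; the extension list mirrors the mediapr ACL above, the path /var/log/squid3/access.log is the one configured in squid.conf, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise Squid native-format
# access.log lines to confirm the video block is firing and for which clients.
# Native log fields: time elapsed client action/status bytes method url ident hierarchy mime
# Input is read from stdin, so on the proxy you would run:
#   tail -n 1000 /var/log/squid3/access.log | denied_video_by_client

# Extensions mirror the mediapr ACL in squid.conf (awk ERE, so [.] and [?] are literal)
VIDEO_EXT_RE='[.](flv|avi|mp4|mov|m4v|mkv|mpg|mpeg|wmv|rmvb)([?].*)?$'

# Constructed sample: two denied clips and one denied reply for 10.10.10.20/.21,
# plus two ordinary 200s (one of them a video that a whitelisted client was allowed).
SAMPLE_LOG='1366090000.123     45 10.10.10.20 TCP_DENIED/403 3950 GET http://example.com/clip.flv - NONE/- text/html
1366090001.456    120 10.10.10.20 TCP_MISS/200 15234 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1366090002.789     60 10.10.10.21 TCP_MISS/403 3950 GET http://example.com/watch?v=abc - DIRECT/93.184.216.34 video/x-flv
1366090003.001     30 10.10.10.20 TCP_DENIED/403 3950 GET http://example.com/Movie.MP4?x=1 - NONE/- text/html
1366090004.002     30 10.10.10.22 TCP_MISS/200 9000 GET http://example.com/clip.mp4 - DIRECT/93.184.216.34 video/mp4'

# Print "client count" for every client whose requests got a 403 and looked like
# video, either by URL extension (mediapr) or by the logged reply MIME type (media).
# It keys on the HTTP status only, because the TCP_* tag can differ between a
# request-side and a reply-side deny.
denied_video_by_client() {
    awk -v ext_re="$VIDEO_EXT_RE" '
        {
            split($4, a, "/")          # e.g. TCP_DENIED/403 -> a[1]=TCP_DENIED, a[2]=403
            status = a[2]
            url = tolower($7)
            mime = $NF
            if (status == "403" && (url ~ ext_re || mime ~ /^video\//)) {
                denied[$3]++
            }
        }
        END { for (c in denied) printf "%s %d\n", c, denied[c] }
    ' | sort
}

# Total number of denied video requests in the input
denied_video_total() {
    denied_video_by_client | awk '{ s += $2 } END { print s + 0 }'
}

# Demo on the constructed sample; pipe the real log in instead on the proxy
printf '%s\n' "$SAMPLE_LOG" | denied_video_by_client
```

A client that shows up with a large count but no 200s for video is being blocked as intended; a client with video 200s should be one of the MAC addresses in /etc/squid3/spclients, and anything else means a request is slipping past the ACLs.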
Suppose we want to give one of our developers access to the video streaming sites for testing purposes. Create a file containing the MAC address of the developer's machine (in my case the file is named spclients and lives in /etc/squid3/, which is the path the special_client ACL refers to). A MAC address is used rather than an IP address because Squid sits on a layer-2 transparent bridge in the same broadcast domain as the clients, so their hardware addresses are visible to it, whereas their IP addresses are DHCP leases handed out by the Mikrotik and are not tied to a particular machine. Bear in mind that a MAC address is trivially changed on any client, so this exception keeps honest users honest but is not a security control.
Find the MAC address of the developer's machine; on Windows use this command (on Linux, ip link show):
ipconfig /all
Create the file discussed above:
sudo nano /etc/squid3/spclients
Add the MAC address here, one per line, in the colon-separated form Squid expects (e.g. 00:11:22:33:44:55):
Restart the squid3 service:
sudo service squid3 restart
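The following helper, added here and not part of the original post, maintains that whitelist file instead of editing it by hand: it validates the address, converts the dash-separated upper-case form that Windows ipconfig prints into the colon-separated form Squid's arp ACL expects, and refuses duplicates. The file path is passed as an argument (assumed to be /etc/squid3/spclients in this setup) and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: maintain the MAC whitelist read by
# the "acl special_client arp" line in squid.conf. Assumed path in this setup:
# /etc/squid3/spclients (always passed explicitly as the first argument).
# Squid's arp ACL wants colon-separated lower-case hex, while Windows
# "ipconfig /all" prints dash-separated upper-case, so addresses are normalised.

# normalise_mac MAC -> prints aa:bb:cc:dd:ee:ff, returns 1 if MAC is not a MAC address
normalise_mac() {
    mac=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# add_special_client FILE MAC -> appends MAC to FILE once; returns 1 on bad input
add_special_client() {
    file=$1
    mac=$(normalise_mac "$2") || { echo "invalid MAC address: $2" >&2; return 1; }
    touch "$file"
    if grep -qxF "$mac" "$file"; then
        echo "$mac already whitelisted" >&2
        return 0
    fi
    printf '%s\n' "$mac" >> "$file"
}

# list_special_clients FILE -> active entries, ignoring comments and blank lines
list_special_clients() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true
}

# Example session (constructed address), as root on the proxy:
#   add_special_client /etc/squid3/spclients 00-1A-2B-3C-4D-5E
#   list_special_clients /etc/squid3/spclients
```

After changing the file, Squid has to re-read it: either restart it as above, or run sudo squid3 -k reconfigure, which reloads the configuration without dropping the connections currently in flight. Keep the file itself writable only by root, since anyone who can append to it can exempt their own machine.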
Now check youtube.com from the developer's machine that we added as an exception, and the facebook.com videos as well: both play, so the exception works.
Author: rbgeek.wordpress