How to block video streaming with Squid


In an office like a software house, Facebook can't be banned outright: many of the company's web applications use Facebook login to register accounts and call the Facebook API to show FB updates on their platforms. At the same time, management worries about the bandwidth users waste watching videos on Facebook. This is a solution for those people :-) (it blocks roughly 95% of videos).

Scenario:
In this scenario, a Mikrotik router acts as DHCP server, DNS server and default gateway for the local network. Ubuntu 12.04 is installed with two NICs (eth0, eth1). We'll assume eth0 is connected to the gateway and eth1 to the switch.
Install squid3, ebtables and bridge-utils with the following command:
sudo apt-get install squid3 ebtables bridge-utils

Edit the /etc/network/interfaces file:
sudo nano /etc/network/interfaces

Delete all the settings for eth0 and eth1:

Edit the /etc/rc.local file:
sudo nano /etc/rc.local

Add the following to rc.local before "exit 0":
#!/bin/sh -e

###############Bridge Interface###################
# Bridge the two NICs: the physical ports carry no IP, br0 gets the management address
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig br0 10.10.10.250 netmask 255.255.255.0 up
route add default gw 10.10.10.1 dev br0
##################################################

##########################################Proxy Rule#######################################
# Pull TCP port 80 frames out of the bridge and hand them to the IP stack (brouting)
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
# Redirect that HTTP traffic to Squid on port 3128, whichever interface it arrives on
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
###########################################################################################

exit 0

Note: eth0 and eth1 have no IP address; instead br0 has the address 10.10.10.250/24 for remote management. Only TCP port 80 is redirected to Squid; everything else, including HTTPS on port 443, is bridged through untouched and is therefore not filtered.
To enable ip forwarding, edit /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
Uncomment the following lines:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Reboot the system or restart networking service:
sudo /etc/init.d/networking restart

Note: If you run into problems, reboot the system once.
Make a backup of the original squid.conf file:
sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original

Edit the squid.conf file:
sudo nano /etc/squid3/squid.conf

Delete everything and add these lines:
######General Settings##############

http_port 3128 transparent
acl LAN src 10.10.10.0/24
acl localnet src 127.0.0.1/255.255.255.255

####This client is allowed to access the restricted website####

# One MAC address per line; resolved through the ARP table, so the client must sit on the local segment
acl special_client arp "/etc/squid3/spclients"

######Block Video Streaming##############

# Reply-stage check on the Content-Type header; every value is an unanchored regex
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type -i ^video/
#acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
# Request-stage check on the URL path; catches direct links to media files
acl mediapr urlpath_regex \.flv(\?.*)?$
acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb)(\?.*)?$

##########Access Lists#########

# Order matters: the special_client exceptions must come before the deny lines
http_access allow mediapr special_client
http_reply_access allow media special_client

http_access deny mediapr
http_reply_access deny media

http_access allow LAN
http_access allow localnet

########Log File##########

access_log /var/log/squid3/access.log

###### No cache anything###

# no_cache is the old name of the cache directive; newer Squid releases spell this "cache deny all"
no_cache deny all

Note: If you enable the commented-out application/x-shockwave-flash line by removing the # sign in front of it, Squid will block every Flash-enabled website, even those that are not video streaming sites.
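To see how the two ACL stages above interact, here is an added Python dry-run (not part of the original post, and not Squid's own matching code) that applies the same urlpath_regex and rep_mime_type patterns plus the special_client exception in Squid's rule order; the MAC addresses and URLs it checks are constructed.

```python
import ipaddress
import re

# Request-stage ACL "mediapr": the urlpath_regex patterns from the squid.conf above.
# urlpath_regex is matched against the path and query string, never the host name.
MEDIAPR = [
    re.compile(r"\.flv(\?.*)?$"),
    re.compile(r"\.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$", re.I),
    re.compile(r"\.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb)(\?.*)?$", re.I),
]
# Reply-stage ACL "media": the rep_mime_type patterns. Each value is an unanchored
# regex, so "ms-hdr" and "x-fcs" match anywhere inside the Content-Type header.
MEDIA = [
    re.compile(r"video/flv"), re.compile(r"video/x-flv"), re.compile(r"^video/", re.I),
    re.compile(r"^application/vnd.ms.wms-hdr.asfv1"), re.compile(r"^application/x-fcs"),
    re.compile(r"^application/x-mms-framed"), re.compile(r"^video/x-ms-asf"),
    re.compile(r"^audio/mpeg"), re.compile(r"^audio/x-scpls"), re.compile(r"^video/x-flv"),
    re.compile(r"^video/mpeg4"), re.compile(r"ms-hdr"), re.compile(r"x-fcs"),
]
LAN = ipaddress.ip_network("10.10.10.0/24")       # acl LAN src 10.10.10.0/24
LOCALNET = ipaddress.ip_address("127.0.0.1")      # acl localnet src 127.0.0.1/32
SPCLIENTS = {"00:11:22:33:44:55"}                 # constructed stand-in for /etc/squid3/spclients

def url_path(url):
    """Return what urlpath_regex sees: the path plus query string of the URL."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", url, flags=re.I) or "/"

def http_access(url, client_ip, client_mac):
    """Walk the http_access lines in their configured order; the first match wins."""
    is_media = any(p.search(url_path(url)) for p in MEDIAPR)
    if is_media and client_mac in SPCLIENTS:      # http_access allow mediapr special_client
        return "allow"
    if is_media:                                  # http_access deny mediapr
        return "deny"
    ip = ipaddress.ip_address(client_ip)
    if ip in LAN or ip == LOCALNET:               # http_access allow LAN / allow localnet
        return "allow"
    return "deny"   # no line matched: Squid applies the opposite of the last line (allow)

def http_reply_access(content_type, client_mac):
    """Second stage: the reply's Content-Type is checked even when the URL looked harmless."""
    is_media = any(p.search(content_type) for p in MEDIA)
    if is_media and client_mac in SPCLIENTS:      # http_reply_access allow media special_client
        return "allow"
    if is_media:                                  # http_reply_access deny media
        return "deny"
    return "allow"  # no line matched: opposite of the last line (deny)
```

A URL without a media extension (the videoplayback?... style used by streaming sites) passes http_access and is only stopped at the reply stage, which is why both ACL families are needed.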
Restart the squid3 service:
sudo service squid3 restart

Check youtube.com from the client machine:

Squid will even block HD videos:

Check videos on facebook.com:

Check the squid3 log to verify that it really blocks video streaming:
sudo tail -f /var/log/squid3/access.log

Suppose we want to give one of our developers access to the video streaming sites for testing purposes. Create a file and add the MAC address of the developer's machine to it (in my case the file is named spclients and lives in /etc/squid3/). The reason for using the MAC address instead of the IP address is that Squid here runs on a transparent bridge at layer 2, where hosts are identified by MAC address rather than by IP address.
Find the MAC address of the developer's machine (a Windows client here) with this command:
ipconfig /all

Create the file discussed above:
sudo nano /etc/squid3/spclients

Add the MAC address here:

Restart the squid3 service:
sudo service squid3 restart

Now check youtube.com from the developer's machine that we added as an exception:

Also check facebook.com videos:

Yes, it's working.

More details: see the original post.
Author: rbgeek.wordpress
