Re: Blocking web-based proxy traffic

(Please do not start a new thread by replying to an old one.)

On 11/28/07 11:56, James Lay wrote:
> A curious question I have been asked from a client...any way to block web-based proxies with iptables? Wondering what it would take.

Well, IPTables can filter packets based on the source IP of the proxies if they are known. You could also use some sort of layer 7 match looking for some sort of header indicating that a proxy was in use. However, this would be very easy to circumvent and very much a catch-up game on the IP blocking.

If you are really serious about doing this, I would suggest that you do something that functioned based on the number of connections from a given source IP within a time frame, knowing that it is likely that proxies will possibly have a higher hit count than single systems. However, this will also catch NATing gateways for companies. So you will have to deal with whitelisting too.



Grant. . . .
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
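
An added example, not part of the original message: a shell function that prints an iptables-restore fragment for the approach suggested in the reply, a per-source connection-rate limit with a whitelist for known NAT gateways. The chain name, ports, thresholds and whitelist addresses are assumptions chosen for illustration, and it assumes the rules sit on the web server's INPUT chain; the script only prints rules and applies nothing.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore fragment that
# rate-limits NEW web connections per source IP and exempts whitelisted NAT
# gateways. Nothing is applied; the output is meant to be reviewed first.
# Assumed values: chain name WEB_RATE, ports 80/443, the thresholds, and the
# whitelist below (constructed, taken from documentation address ranges).
WHITELIST="198.51.100.0/24 203.0.113.17"
RATE="60/minute"   # sustained new connections allowed per source IP
BURST=60           # initial allowance before the rate applies
ACTION="LOG"       # observe with LOG first, switch to DROP once tuned

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# usage: gen_rules RATE BURST ACTION [WHITELISTED_IPV4_SOURCE...]
gen_rules() {
    rate=$1; burst=$2; action=$3; shift 3
    is_num "${rate%%/*}" && is_num "$burst" || { echo "bad rate or burst" >&2; return 1; }
    case ${rate#*/} in
        second|minute|hour|day) ;;
        *) echo "bad rate unit: $rate" >&2; return 1 ;;
    esac
    case $action in
        DROP) target='DROP' ;;
        LOG)  target='LOG --log-prefix "web-rate: "' ;;
        *) echo "bad action: $action" >&2; return 1 ;;
    esac
    # Validate every whitelist entry before emitting anything, so a typo can
    # never leave a half-written ruleset (IPv4 address or CIDR only).
    for src in "$@"; do
        case $src in
            ''|*[!0-9./]*) echo "bad whitelist entry: $src" >&2; return 1 ;;
        esac
    done
    echo "*filter"
    echo ":WEB_RATE - [0:0]"
    echo "-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j WEB_RATE"
    # Whitelisted gateways leave the chain before the limit rule sees them.
    for src in "$@"; do
        echo "-A WEB_RATE -s $src -j RETURN"
    done
    # One token bucket per source IP; only sources above the rate hit the target.
    echo "-A WEB_RATE -m hashlimit --hashlimit-name web_src --hashlimit-mode srcip --hashlimit-above $rate --hashlimit-burst $burst -j $target"
    echo "COMMIT"
}

# Word splitting of $WHITELIST is intentional: one argument per entry.
gen_rules "$RATE" "$BURST" "$ACTION" $WHITELIST
```

Before loading the output, check that it parses with `iptables-restore --noflush --test`. Running with `LOG` for a while shows which sources would be caught, which is how the NAT gateways that need whitelisting turn up.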
