forcing a user through squid on local system
James McKenzie
jjmckenzie51 at earthlink.net
Mon Nov 8 06:18:40 UTC 2004
Scot L. Harris wrote:
>On Sun, 2004-11-07 at 12:01, Kumar Swamy wrote:
>
>
>>Hello,
>>
>>This is my first post in this mailing list.
>>I have a peculiar problem. The gateway of my small network is a linux
>>box with Squid running in a transparent mode.
>>This transparent proxy can force all the systems behind it to go
>>through Squid.
>>
>>The problem now is to force users working locally on
>>the proxy to go through Squid because I cannot give the command:
>>iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
>>as the request from Squid also would go through the OUTPUT chain in
>>the NAT table.
>>Any advice would be helpful.
>>
>>TIA.
>>Swamy
>>
>>
>
>In most cases the server acting as you proxy should not have any local
>users on it. It should be dedicated to that one function. This lets
>you setup your firewall to only allow http access from the proxy.
>
>
>
That is true. However, all internal users should be directed through
the proxy and (as you stated) the firewall should reject direct accesses
to the Internet on port 80 from any other systems than the one that has
the proxy. This provides two levels of security to the internal users.
Also, squid can be set up to prevent access to sites that you or whoever
owns the network do not want accessed.
No user should be accessing the web from the system that is being used
as a proxy, unless that system is the only system on the inside of the
firewall.
James McKenzie
More information about the fedora-list
mailing list