forcing a user through squid on local system

James McKenzie jjmckenzie51 at earthlink.net
Mon Nov 8 06:18:40 UTC 2004


Scot L. Harris wrote:

>On Sun, 2004-11-07 at 12:01, Kumar Swamy wrote:
>  
>
>>Hello,
>>
>>This is my first post in this mailing list.
>>I have a peculiar problem. The gateway of my small network is a linux
>>box with Squid running in a transparent mode.
>>This transparent proxy can force all the systems behind it to go
>>through Squid.
>>
>>The problem now is to force users working locally on
>>the proxy to go through Squid because I cannot give the command:
>>iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
>>as the request from Squid also would go through the OUTPUT chain in
>>the NAT table.
>>Any advice would be helpful.
>>
>>TIA.
>>Swamy
>>    
>>
>
>In most cases the server acting as your proxy should not have any local
>users on it.  It should be dedicated to that one function.  This lets
>you set up your firewall to only allow http access from the proxy.
>
>  
>
That is true.  However, all internal users should be directed through 
the proxy and (as you stated) the firewall should reject direct access 
to the Internet on port 80 from any system other than the one that has 
the proxy.  This provides two levels of security for the internal users.  
Also, squid can be set up to prevent access to sites that you or whoever 
owns the network do not want accessed.
No user should be accessing the web from the system that is being used 
as a proxy, unless that system is the only system on the inside of the 
firewall.

James McKenzie
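The loop in the quoted question (Squid's own upstream fetches passing through the same nat OUTPUT chain and being redirected back into port 3128) is normally avoided by exempting packets owned by the Squid uid with the iptables owner match before the REDIRECT rule. The script below is an added example, not from any poster in this thread; it assumes Squid runs as user squid (cache_effective_user) and listens on 3128 as in the quoted rule, and includes a check over an "iptables -t nat -S OUTPUT" dump that flags a chain lacking the exemption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Squid runs as the "squid" uid
# (cache_effective_user) and listens on port 3128, as in the quoted rule.
SQUID_USER=${SQUID_USER:-squid}
SQUID_PORT=${SQUID_PORT:-3128}

# Emit the nat OUTPUT rules in the order that avoids the loop:
#  1. leave loopback alone (Squid and local services talk over lo)
#  2. let packets owned by the Squid uid pass untouched, so its upstream
#     fetches are not redirected back into Squid
#  3. only then redirect every other local port-80 request into Squid
nat_output_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_USER -j RETURN
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
EOF
}

# Read a chain dump (iptables -t nat -S OUTPUT) on stdin. Returns 0 when a
# --uid-owner exemption precedes the REDIRECT to the Squid port, 1 when the
# REDIRECT is reached without one (the loop Swamy describes).
check_no_loop() {
    awk -v port="$SQUID_PORT" '
        BEGIN { bad = 0 }
        /--uid-owner/ && /-j RETURN/ { exempt = 1 }
        /-j REDIRECT/ && index($0, "--to-ports " port) { if (!exempt) bad = 1 }
        END { exit bad }'
}

# Constructed sample: the single rule from the question, as -S would dump it.
SAMPLE_LOOPING='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# Apply the rules with:  nat_output_rules | sh   (as root).
# Stand-alone run: check the constructed sample and report the loop.
if printf '%s\n' "$SAMPLE_LOOPING" | check_no_loop; then
    echo "chain OK"
else
    echo "loop: REDIRECT without a --uid-owner $SQUID_USER exemption"
fi
```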
