Hi

> >>>Hello,
> >>> I want to put my ltsp4 server and squid proxy server
> >>>on the same machine.
> >>>I want internet access only for non ltsp clients.
> >>>I want no ltsp clients to have internet access.
> >>>
> >>
> >>2) Route all internet requests through the squid proxy server. Put the
> >>LTSP workstations in a specific IP address range. Reject requests
> >>inside squid for the specific IP address range of the LTSP workstations.
> >>
> >>3) Disable default gateway for the LTSP workstations. No gateway, no
> >>access to the Internet.
> >>
> >
> >2) and 3) will not work because it's the server which runs the browser processes
> >for the LTSP clients, so you need to disable access from the server to any
> >destinations port 80. On the other hand squid itself needs just this connection.
> >
> >You should have a packet filter (iptables) allowing squid as the only user to
> >connect to the internet. You can redirect all other connections from port 80 to
> >squid's input port 3128. Doing this you get a transparent proxy and do not need to
> >configure any browser.
> >
> >Try the following firewall rules (I use them on a SuSE 9.0):
> >
> ># transparent proxy for localhost:
> ># allow user squid and root to access the internet via destination port 80 (www):
> >iptables -t nat -A OUTPUT -o ppp0 -p tcp --dport www -m owner --uid-owner squid -j ACCEPT
> >iptables -t nat -A OUTPUT -o ppp0 -p tcp --dport www -m owner --uid-owner root -j ACCEPT
> >
> ># force all other requests for destination port 80 (www) to port 3128
> >iptables -t nat -A OUTPUT -o ppp0 -p tcp --dport www -j REDIRECT --to-ports 3128
> >
> >Within squid you can handle specific needs for user access via access control
> >lists. Or you can configure iptables to accept connections from any other
> >clients to the internet.
> >
> >cu
> >
>
> Hello Kai
> You will need to guide me through this.
> So first I must have iptables and a firewall
> installed.
> Second I must build an iptables of client IPs.
> I will reconfigure squid to use iptables for auth
> then come back to you.

The point that has been lost in this discussion: The LTSP machines do not
run the browser, they run the DISPLAY. The browser runs on the server!
So some server-browsers are restricted, some are not!

James

_____________________________________________________________________
Ltsp-discuss mailing list. To unsubscribe, or change prefs, go to:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenode.net
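
The rule ordering Kai describes in the quoted reply (exempt the proxy's own user first, then redirect every other local port-80 connection), as an added example that is not part of the original messages. The helper name gen_proxy_rules is hypothetical; the interface, port and user names are the ones given in the thread, and the script only prints rules in iptables-restore format without applying them.

```shell
#!/bin/sh
# Added example, not from the thread. gen_proxy_rules is a hypothetical helper.
# It prints nat-table rules in iptables-restore format; it changes nothing.
# usage: gen_proxy_rules IFACE PROXY_PORT EXEMPT_USER...

gen_proxy_rules() {
    if [ "$#" -lt 3 ]; then
        echo "usage: gen_proxy_rules IFACE PROXY_PORT EXEMPT_USER..." >&2
        return 2
    fi
    iface=$1; port=$2; shift 2

    # Validate everything before printing, so a bad argument never
    # yields a half-written rule set.
    case $iface in
        ''|-*|*[!A-Za-z0-9_.+-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    for user in "$@"; do
        case $user in
            ''|-*|*[!A-Za-z0-9_.-]*) echo "bad user: $user" >&2; return 1 ;;
        esac
    done

    echo '*nat'
    # Exemptions first: the proxy's own outbound port-80 traffic must match
    # ACCEPT before the REDIRECT rule, or it would loop back into the proxy.
    for user in "$@"; do
        echo "-A OUTPUT -o $iface -p tcp --dport 80 -m owner --uid-owner $user -j ACCEPT"
    done
    # Every other local process (including browsers started for LTSP
    # sessions on the server) is sent to the proxy port.
    echo "-A OUTPUT -o $iface -p tcp --dport 80 -j REDIRECT --to-ports $port"
    echo 'COMMIT'
}

# Values from the thread: ppp0, squid and root exempt, proxy on 3128.
gen_proxy_rules ppp0 3128 squid root
```

After reviewing the output, it can be loaded as root with `iptables-restore --noflush`, which appends to the existing nat table instead of replacing it.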
