/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Jake Colman wrote:
> I have a proxy server running on port 8000 (junkbuster) and 3128 (squid). I
> do NOT want to transparently redirect all browser requests since that caused
> me some problems. I DO want to close down outgoing ports such that my users'
> browsers won't work unless they use one of the two proxies. How do I set
> things up on my firewall such that they can only access the world outside my
> firewall via one of the two allowed ports?
disallow all access to/from any host other than the firewall host.
then everything has to work through a proxy of some kind (e.g. socks).
something like:
ipchains -A input ! -d $fwip -j DENY      # drop anything not addressed to the firewall host
ipchains -A output ! -s $fwip -j REJECT   # refuse anything not sent by the firewall host
where $fwip is the firewall host's ip address.
if you have multiple proxies, it could look like:
# ACCEPT rules come first: ipchains stops at the first matching rule in a chain
ipchains -A input -d $proxy1 -j ACCEPT
ipchains -A input -d $proxy2 -j ACCEPT
ipchains -A input -d $proxyn -j ACCEPT
ipchains -A input -j DENY                 # catch-all: everything else is dropped
ipchains -A output -s $proxy1 -j ACCEPT
ipchains -A output -s $proxy2 -j ACCEPT
ipchains -A output -s $proxyn -j ACCEPT
ipchains -A output -j REJECT              # catch-all: everything else is refused
note: to talk to the proxies, the internal hosts will be
connecting to ports on one of the proxy/firewall host's
internal interfaces; they won't be connecting to any ports
on external hosts. the proxy/firewall host has to proxy
everything for them. oh, and don't forget to tell your
users about the proxies :)
raf
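The multi-proxy ruleset above, as an added generator script (not raf's or the list's own code) that emits the ACCEPT-then-catch-all ordering for any number of proxy/firewall addresses and prints it for review before anything is applied. The addresses 10.0.0.1 and 192.0.2.1 and the --apply flag are constructed for the example; it lists both the firewall's internal and external address because ipchains' input/output chains also see the proxy's own upstream traffic, so naming only the internal address would deny the proxy's replies from the outside.

```shell
#!/bin/sh
# Added example, not from the original post: generate the ipchains ruleset
# described above for any number of proxy/firewall addresses. Sample
# addresses are constructed. Without --apply it only prints the rules.

# build_rules ADDR...  -> prints ipchains commands to stdout.
# ACCEPT rules come first, then the catch-all DENY/REJECT, because ipchains
# walks each chain in order and stops at the first matching rule.
build_rules() {
    [ "$#" -gt 0 ] || { echo "build_rules: need at least one address" >&2; return 1; }
    # start from empty input/output chains
    echo "ipchains -F input"
    echo "ipchains -F output"
    for ip in "$@"; do
        echo "ipchains -A input -d $ip -j ACCEPT"
    done
    # anything not addressed to a proxy/firewall address is dropped silently
    echo "ipchains -A input -j DENY"
    for ip in "$@"; do
        echo "ipchains -A output -s $ip -j ACCEPT"
    done
    # anything not sent by a proxy/firewall address is refused
    echo "ipchains -A output -j REJECT"
}

# count_accepts ADDR...  -> number of ACCEPT rules build_rules would emit
count_accepts() {
    build_rules "$@" | grep -c ' -j ACCEPT$'
}

# Both firewall addresses are needed: clients reach the proxies on the
# internal one, but replies from the Internet to the proxy arrive at the
# external one and pass through the same input/output chains.
# Constructed sample values, not from the post.
FW_INTERNAL=10.0.0.1
FW_EXTERNAL=192.0.2.1

if [ "$1" = "--apply" ]; then
    build_rules "$FW_INTERNAL" "$FW_EXTERNAL" | sh   # needs root and ipchains
else
    build_rules "$FW_INTERNAL" "$FW_EXTERNAL"        # dry run: print the rules
fi
```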
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.