On Thu, Nov 20, 2003 at 02:56:37PM +0800, Francis D. Dimzon wrote:
> Hello guys!
>
> I enabled NAT on my gateway/proxy. Now users/students can browse the net
> if they bypass the proxy (direct connection to the Internet).
> How do I set up iptables rules to get around this?
> I need the proxy so that I can control which machines will have net
> connections.
Block all outbound connections to the Internet except for your proxy server. These rules should be sufficient:

# Traffic the gateway routes for the LAN goes through FORWARD, not INPUT, and the
# proxy connects *to* ports 80/443/21, so the match is --dport rather than --sport.
iptables -A FORWARD -p tcp -s <your proxy server> --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s <your proxy server> --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -s <your proxy server> --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp --syn -j REJECT

These two rules should be sufficient to block all types of Internet access except for your Squid proxy server, which is allowed only normal HTTP, HTTP over SSL, and FTP access outbound.

If your gateway and proxy servers are the same, these two rules should be good enough:

# Clients connect *to* the Squid port on this host (INPUT, --dport); any other new connection, to this host or routed through it, is refused.
iptables -A INPUT -p tcp -s <your local net> --dport <squid port> -j ACCEPT
iptables -A INPUT -p tcp --syn -j REJECT
iptables -A FORWARD -p tcp --syn -j REJECT

This allows your local users to connect to the Squid port you've assigned, and to nowhere else.

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
