Dido posted while i was still composing. i'll edit this and send it on anyway. Dido's post tells you what to do. mine tells you why to do it that way.
On Thursday 20 November 2003 15:31, Francis D. Dimzon wrote:
> Users configure proxy on their browser,
> btw i get it now, just kind of panicked earlier when i saw students browsing
> the internet where they're not supposed to.
> here are my rules, not so sure of this, any comments on this
>
> iptables -A PREROUTING -t nat -i $local_interface -s $intranet -p tcp
> --dport 80 -j DNAT --to $squid_ip:8080

one thing about doing nat and then transparent proxying is, the transparent proxy rule only triggers if the port being accessed is a standard one that you proxy. what if the remote port is something else? e.g., 8080? or 90? what if they find out about an open http proxy out in the world and they use it in their browser (i.e., configure the browser to use an open http proxy out in the world instead of leaving the proxy setting empty so that your transparent proxy rule works)?

those issues might not matter. but if you've got some tech-savvy users, some of them will figure out ways to do what they want if you rely only on transparent proxying.

if you care enough to block this stuff, then you could become more strict with your firewall. a start would be to deny ALL outgoing requests except requests outward by your squid proxy (or to deny all incoming requests from your internal subnet to the NAT server unless they're HTTP requests, in which case they go to your squid proxy). [this is exactly what dido says to do]

of course then people will whine: they can't do ssh, ftp, pop3, SMTP, https, irc, yahoo messenger, AIM, MSN Messenger, etc. you can then decide on a case-by-case basis to allow outgoing requests on those ports.

note that many IM clients can proxy out through http. so you might want to figure out how to block those at the squid proxy (somehow, i haven't gotten around to figuring out how to do that) if you care about that.
a savvy user (especially with the help of proxies out in the world) will *still* be able to do nefarious things, but it will be *much* more difficult and the risk will probably be small enough that you can stop worrying about it.

tiger

--
Gerald Timothy Quimpo gquimpo*hotmail.com tiger*sni*ph
http://bopolissimus.sni.ph
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"
This is a court of law, young man, not a court of justice. Oliver Wendell Holmes.

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
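The stricter firewall tiger describes (redirect port-80 traffic to squid, default-deny everything else the LAN tries to forward, then open individual ports case by case), written out as an added example that is not part of the original post or of Francis's rule set. The interface names, the 192.168.1.0/24 subnet, the squid address and the list of allowed ports are assumed placeholders; by default the script only prints the iptables commands (set IPT=iptables to apply them), so the resulting policy can be reviewed before it goes on a live gateway.

```shell
#!/bin/sh
# Added example: transparent proxy plus default-deny egress, as discussed in
# the thread. All addresses and interface names below are assumptions.
LAN_IF="${LAN_IF:-eth1}"                 # assumed: interface facing the LAN
WAN_IF="${WAN_IF:-eth0}"                 # assumed: interface facing the Internet
INTRANET="${INTRANET:-192.168.1.0/24}"   # assumed internal subnet
SQUID_IP="${SQUID_IP:-192.168.1.1}"      # assumed: squid runs on the NAT box
SQUID_PORT="${SQUID_PORT:-8080}"
# Ports the admin has decided, case by case, to let out directly from the LAN.
ALLOWED_TCP="${ALLOWED_TCP:-22 443 110 25}"
# Dry run by default: prints the commands instead of applying them.
IPT="${IPT:-echo iptables}"

egress_rules() {
    # 1. Transparent redirect of plain HTTP only. Connections to 8080, 90 or
    #    an outside proxy are NOT redirected; the default-deny below catches
    #    them instead of letting them bypass squid.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$INTRANET" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"

    # 2. LAN hosts may reach squid on the NAT box itself.
    $IPT -A INPUT -i "$LAN_IF" -s "$INTRANET" -p tcp --dport "$SQUID_PORT" \
        -j ACCEPT

    # 3. Default-deny for forwarded traffic: nothing from the LAN gets a
    #    direct path out unless a later rule allows it.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. The ports allowed case by case, one rule each.
    for port in $ALLOWED_TCP; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INTRANET" \
            -p tcp --dport "$port" -j ACCEPT
    done

    # 5. Squid's own outbound connections leave via OUTPUT (not FORWARD), so
    #    the box itself keeps Internet access; forwarded LAN traffic that was
    #    allowed above is masqueraded.
    $IPT -A OUTPUT -o "$WAN_IF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Count the FORWARD ACCEPT rules in a rule listing read from stdin. Useful
# for checking that only the decided-upon ports (plus the established-state
# rule) have a direct path out.
count_forward_accepts() {
    grep -c -- '-A FORWARD .*-j ACCEPT'
}

egress_rules
```

Run without arguments to see the rule set it would install; pipe that listing through count_forward_accepts to confirm the number of direct-egress exceptions matches what was intended. Note that step 1 only intercepts port 80, which is exactly why step 3 is needed: a browser pointed at an outside proxy on another port is simply dropped rather than silently going around squid.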
