I have squidGuard set up to limit access at certain times of day and to limit access to certain workstations. As far as being able to turn it on and off "at will", the only way I can think of to do that would be to route the internet through a gateway with port forwarding; that way every computer would be forced to go through the proxy server/internet gateway. Then you could simply stop routing a certain workstation by IP address. I have some of my workstations bypassing the proxy server with port forwarding. Good luck.

This is a script I wrote to enable port forwarding and to force all but a few workstations to go through the proxy server. It also establishes IP masquerading.
PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside (eth1) to the inside (eth0).
# Replies to LAN-initiated connections are already accepted above.
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Transparent Proxying

# These IPs are allowed to bypass the proxy. If you put DENY in place of
# the word ACCEPT, they wouldn't be able to access the internet at all.
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.6 --dport 80 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.7 --dport 80 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.8 --dport 80 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.18 --dport 80 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.73 --dport 80 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.105 --dport 80 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.196 --dport 80 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.200 --dport 80 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.201 --dport 80 -j ACCEPT
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.206 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128



Jason Baker
IT Coordinator


Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.4444

www.glastender.com

 



Jason Bassett wrote:
Hello

Has anyone used squid/squidguard to stop access to particular rooms at the click of a button?  My environment is a secondary school where teachers would like to turn the internet for the computers in their rooms on/off at will.  Preferably by using an interface on the staff area of our school intranet site.

Thank you

Jason
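
One way to build the per-room on/off switch asked about in this thread on top of the gateway script above. This is an added example, not part of the original messages; the room names, addresses and ROOM_ chain names are constructed for illustration. It assumes eth0 is the LAN side and the proxy listens on port 3128, as in the script.

```sh
#!/bin/sh
# Added example: per-room on/off switch layered on the gateway script above.
# Room names and addresses are constructed sample data, not from the thread.
ROOMS='lab1:192.168.1.20,192.168.1.21
lab2:192.168.1.30'

# Dry run by default: commands are printed. Set IPT=iptables (as root) to apply.
IPT=${IPT:-echo iptables}

# Print the addresses of room $1, one per line. Only names present in ROOMS
# resolve, so a value arriving from a web form never reaches iptables directly.
room_ips() {
    printf '%s\n' "$ROOMS" | while IFS=: read -r name ips; do
        if [ "$name" = "$1" ]; then printf '%s\n' "$ips" | tr ',' '\n'; fi
    done
}

# Run once after the gateway script: one chain per room, consulted first.
rooms_setup() {
    printf '%s\n' "$ROOMS" | while IFS=: read -r name ips; do
        $IPT -N "ROOM_$name"
        # Port-80 traffic is REDIRECTed to the local proxy, so it arrives on INPUT.
        $IPT -I INPUT -i eth0 -p tcp --dport 3128 -j "ROOM_$name"
        # Everything else, including proxy-bypass hosts, is routed via FORWARD.
        $IPT -I FORWARD -i eth0 -j "ROOM_$name"
    done
}

# room_set ROOM on|off: flushing first makes repeated calls idempotent.
room_set() {
    ips=$(room_ips "$1")
    if [ -z "$ips" ]; then echo "unknown room: $1" >&2; return 1; fi
    case $2 in
        on)  $IPT -F "ROOM_$1" ;;
        off) $IPT -F "ROOM_$1"
             for ip in $ips; do $IPT -A "ROOM_$1" -s "$ip" -j REJECT; done ;;
        *)   echo "usage: room_set ROOM on|off" >&2; return 2 ;;
    esac
}

if [ $# -eq 2 ]; then room_set "$1" "$2"; fi
```

Because the room chains are inserted ahead of the ESTABLISHED,RELATED rules, switching a room off also cuts connections that are already open.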

