Re: forcing a user through squid on local system

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Scot L. Harris wrote:

On Sun, 2004-11-07 at 12:01, Kumar Swamy wrote:


Hello,

This is my first post in this mailing list.
I have a peculiar problem. The gateway of my small network is a linux
box with Squid running in a transparent mode.
This transparent proxy can force all the systems behind it to go
through Squid.

The problem now is to force users working locally on
the proxy to go through Squid because I cannot give the command:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
as the request from Squid also would go through the OUTPUT chain in
the NAT table.
Any advice would be helpful.

TIA.
Swamy



In most cases the server acting as you proxy should not have any local
users on it. It should be dedicated to that one function. This lets
you setup your firewall to only allow http access from the proxy.




That is true. However, all internal users should be directed through the proxy and (as you stated) the firewall should reject direct accesses to the Internet on port 80 from any other systems than the one that has the proxy. This provides two levels of security to the internal users. Also, squid can be set up to prevent access to sites that you or whoever owns the network do not want accessed.
No user should be accessing the web from the system that is being used as a proxy, unless that system is the only system on the inside of the firewall.


James McKenzie


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux