Scot L. Harris wrote:
On Sun, 2004-11-07 at 12:01, Kumar Swamy wrote:That is true. However, all internal users should be directed through the proxy and (as you stated) the firewall should reject direct accesses to the Internet on port 80 from any other systems than the one that has the proxy. This provides two levels of security to the internal users. Also, squid can be set up to prevent access to sites that you or whoever owns the network do not want accessed.
Hello,
This is my first post in this mailing list. I have a peculiar problem. The gateway of my small network is a linux box with Squid running in a transparent mode. This transparent proxy can force all the systems behind it to go through Squid.
The problem now is to force users working locally on the proxy to go through Squid because I cannot give the command: iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128 as the request from Squid also would go through the OUTPUT chain in the NAT table. Any advice would be helpful.
TIA.
Swamy
In most cases the server acting as you proxy should not have any local
users on it. It should be dedicated to that one function. This lets
you setup your firewall to only allow http access from the proxy.
No user should be accessing the web from the system that is being used as a proxy, unless that system is the only system on the inside of the firewall.
James McKenzie
