On Fri, Dec 24, 2004 at 10:49:56AM +0800, Ow Mun Heng wrote:
> On Fri, 2004-12-24 at 07:58, Cameron Simpson wrote:
> > On 11:35 23 Dec 2004, Kanwar Ranbir Sandhu <m3freak@xxxxxxxxxx> wrote:
....
> > | I have a client that wants to restrict access to the Internet to only
> > | one website for every employee, except two people: these two should not
> > | be restricted at all.
> > |
> > | I was at first considering using iptables, but after doing some
> > | searching on the net, I discovered that Squid could be used.
> > |
> > | Which approach would be better?
> >
> > Squid. Much easier to configure and maintain.
> > Just set up iptables enough so that everyone must use the squid to get out.
>
> I second that..
> Just set up a rule for redirecting all www traffic to squid and get
> some sort of authenticating done. Either that or, limit by IP

With one caution. A firewall/iptables can restrict connections to one box.
Restricting users that have access to this 'squid' box is not very easy.
Those with accounts on the firewall or on the squid/proxy box are harder
to constrain.

Since you have a short list of privileged folk you might set them up with
a dedicated proxy at a different port number, i.e. open up port 80 and 443
to the one site for all except the squid service, then set up the squid
server for the rest of the world. If your user community is 'large', this
way only the two users need special setup and training.

-- 
T o m M i t c h e l l
spam unwanted email. SPAM, good eats, and a trademark of Hormel Foods.
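The layout the thread converges on (iptables leaves the LAN no way out except the proxy; Squid restricts everyone to the one site by destination and exempts the two privileged workstations by source address; the proxy box itself is locked down so local accounts cannot bypass Squid) written out as a small generator script. This is an added example, not part of Tom Mitchell's message or anyone else's in the thread. The network, the permitted domain, the two workstation addresses, the interface name, the Squid port and the `proxy` account name are all assumed placeholder values; the `dstdomain`, `src`, `port` and `method` ACL types, `http_access`, and the iptables `state` and `owner` matches are standard Squid and iptables features.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables rules and the squid.conf
# fragment for "everyone through Squid, two users unrestricted". Dry run by default;
# APPLY=1 pipes the iptables commands to sh (must run as root on the gateway/proxy box).
# Every value below is an assumption; replace with your own.

LAN="192.168.1.0/24"                     # assumed office network
LAN_IF="eth1"                            # assumed LAN-facing interface of the gateway
SITE_DOMAIN="example.com"                # assumed: the single permitted website
PRIV_HOSTS="192.168.1.10 192.168.1.11"   # assumed: the two unrestricted users' machines
SQUID_PORT=3128                          # assumed Squid listening port
SQUID_USER="proxy"                       # assumed: account Squid runs as (often "squid")

# iptables rules for the box that is both default gateway and proxy.
# Assumes INPUT already defaults to DROP with ssh etc. handled elsewhere.
gen_iptables() {
    cat <<EOF
# No direct forwarding for anyone: the LAN's only path out is the proxy.
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The whole LAN may reach Squid; Squid's ACLs decide who gets what.
iptables -A INPUT -i $LAN_IF -s $LAN -p tcp --dport $SQUID_PORT -j ACCEPT
# The caution from the thread: shell accounts on this box would otherwise bypass
# Squid entirely. Only the Squid account (and root) may open web connections locally.
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner $SQUID_USER -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j REJECT
EOF
}

# squid.conf fragment: privileged sources get everything, everyone else only the one site.
# Rule order matters: http_access lines are evaluated top to bottom, first match wins.
gen_squid_conf() {
    cat <<EOF
http_port $SQUID_PORT
acl localnet src $LAN
acl privileged src $PRIV_HOSTS
acl allowed_site dstdomain .$SITE_DOMAIN
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow privileged
http_access allow localnet allowed_site
http_access deny all
EOF
}

main() {
    echo "### iptables rules"
    gen_iptables
    echo
    echo "### squid.conf fragment"
    gen_squid_conf
    if [ "${APPLY:-0}" = "1" ]; then
        gen_iptables | sh
    fi
}

main
```

Two practical points a reviewer would raise on this setup. First, put hostnames only in Squid's `dstdomain` ACL, never in iptables `-d` arguments: iptables resolves a name once when the rule is inserted, so a site whose address changes silently breaks the rule. Second, the `owner` match covers only traffic originated on the proxy host, which is exactly the gap Tom describes; accounts on that box still need the usual hardening, and Squid should bind to the LAN interface rather than to all addresses.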