David Talbot wrote: > > I tried what you suggested (Changing the destination to a different box) and > it still does it to all the requests. > > The goal of the firewall setting is to allow access only to a few specific > sites (in the case of the example provided amazon.com should be the only URL > the users can get to) and all other sites should go to an internal webserver > to tell them that they can't get to the site they're trying to go to. Does > this make sense? Is there any way to do the DNAT only when it's not on the > access list? (It's actually more like 100 sites I want the users to have > access to, I narrowed down the script a bit for the example). > > Any ideas? This one has been killing me for awhile... I know it's possible > because I've seen networks that behave like this. What about denying the direct access completely and use Squid as a transparent proxy. Then you don't need a seperate web server for the error page because Squid can generate customized error messages itself. And you can work not only based on IP addresses but also with regex for the URLs that you want to deny (or allow - it's up to you). Juri
