RE: [LARTC] Redirecting wayward traffic

Linux Advanced Routing and Traffic Control

I may just do that (god knows it would make the walling process easier to be
able to use reg exps), but before I do let me explain the overall problem.

If I do the transparent proxy I would want it done to all addresses except
the ones on my explicit list. For example:

I want 10.0.1.1 and 10.1.250.1 to have full unrestricted access to the
internet including FTP, Kazaa, etc.
All other IPs I want to only be able to use port 80 (web) through the
transparent proxy. The proxy I would configure to use the walled ACLs so all
these people have access to is amazon.com.

Is that possible? With the transparent proxy iptables settings I've seen so
far the transparent proxy applies to everyone when it is done. How can I
make it so people on my unfettered access list don't get piped through the
proxy?

-David Talbot

-----Original Message-----
From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx]On
Behalf Of Juri Haberland
Sent: Tuesday, June 05, 2001 10:48 AM
To: dtalbot@xxxxxxxxxxxx
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re: [LARTC] Redirecting wayward traffic


David Talbot wrote:
>
> I tried what you suggested (Changing the destination to a different box) and
> it still does it to all the requests.
>
> The goal of the firewall setting is to allow access only to a few specific
> sites (in the case of the example provided amazon.com should be the only URL
> the users can get to) and all other sites should go to an internal webserver
> to tell them that they can't get to the site they're trying to go to. Does
> this make sense? Is there any way to do the DNAT only when it's not on the
> access list? (It's actually more like 100 sites I want the users to have
> access to, I narrowed down the script a bit for the example).
>
> Any ideas? This one has been killing me for awhile... I know it's possible
> because I've seen networks that behave like this.

What about denying the direct access completely and using Squid as a
transparent proxy. Then you don't need a separate web server for the
error page because Squid can generate customized error messages itself.
And you can work not only based on IP addresses but also with regex for
the URLs that you want to deny (or allow - it's up to you).

Juri

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://ds9a.nl/2.4Routing/
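Putting the two halves of this exchange together (David's "everyone except my listed hosts goes through the proxy" and Juri's "let Squid do the walling with ACLs"), here is an added example that is not part of the original thread. It is a small POSIX shell script that prints, rather than applies, the iptables rules for a transparent proxy with a per-host exemption list, plus the matching squid.conf fragment. The interface name eth0, the Squid port 3128, the conntrack state match and the Squid 2.x directive names are assumptions of this example, not something the thread states; the point it makes is that the exemption rules must precede the catch-all REDIRECT in nat PREROUTING, because netfilter stops at the first terminating match.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints the iptables and
# squid.conf lines for "everyone except the listed hosts goes through the
# transparent proxy"; pipe the output to sh as root to apply it.
# Assumptions: LAN on eth0, Squid on 3128, 2.4-era conntrack state match,
# Squid 2.x directive names. Existing chains are not flushed here.

LAN_IF="${LAN_IF:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"
UNFETTERED="${UNFETTERED:-10.0.1.1 10.1.250.1}"   # full access, never proxied
WALLED_DOMAINS="${WALLED_DOMAINS:-.amazon.com}"   # everyone else may only reach these

gen_rules() {
    # Rule order is the whole trick: netfilter takes the first terminating
    # match, so the per-host exemptions must sit above the catch-all REDIRECT.
    # ACCEPT in the nat table means "stop nat processing for this packet",
    # i.e. no rewrite, so the exempt host connects to the real server.
    for ip in $UNFETTERED; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $ip -j ACCEPT"
    done
    # Every other LAN host: TCP/80 is rewritten to the local Squid.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"

    # Redirected packets are delivered locally, so Squid's port must be open
    # in INPUT. Squid's own fetches leave through OUTPUT, so the FORWARD
    # policy below never touches them.
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT"
    # Browsers resolve the name themselves before they connect, so the walled
    # hosts still need DNS out (or a resolver on this box).
    echo "iptables -A FORWARD -i $LAN_IF -p udp --dport 53 -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Unfettered hosts may forward anything (FTP, Kazaa, ...); all other LAN
    # traffic that the REDIRECT did not catch is dropped.
    for ip in $UNFETTERED; do
        echo "iptables -A FORWARD -i $LAN_IF -s $ip -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $LAN_IF -j DROP"
}

gen_squid_conf() {
    # Accept intercepted requests (Squid 2.4-era directives; 2.6 and later
    # use "http_port 3128 transparent" instead), then allow only the walled
    # destinations. Squid answers everything else with its own, editable
    # ERR_ACCESS_DENIED page, so no separate "sorry" web server is needed.
    # Swap dstdomain for dstdom_regex or url_regex to match by pattern;
    # "acl all" is defined in the stock squid.conf.
    echo "http_port $PROXY_PORT"
    echo "httpd_accel_host virtual"
    echo "httpd_accel_port 80"
    echo "httpd_accel_with_proxy on"
    echo "httpd_accel_uses_host_header on"
    echo "acl walled dstdomain $WALLED_DOMAINS"
    echo "http_access allow walled"
    echo "http_access deny all"
}

echo "# --- iptables ---"
gen_rules
echo "# --- squid.conf ---"
gen_squid_conf
```

Run it as-is to review the rules, or `sh script.sh | grep ^iptables | sh` as root to load them. Two things to check before trusting it on a live box: that no earlier rule in nat PREROUTING already matches the exempt hosts' traffic, and that the walled hosts can still resolve names, since with interception the browser does its own DNS lookup before it ever reaches Squid.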