On Tue, Jun 05, 2001 at 11:20:30AM -0500, David Talbot wrote: > I want 10.0.1.1 and 10.1.250.1 to have full unrestricted access to the > internet including FTP, Kazaa, etc. > All other IPS I want to only be able to use port 80 (web) through the > transparent proxy. The proxy I would configure to use the walled ACLs so all > these people have access to is amazon.com. > > Is that possible? With the transparent proxy iptables settings I've seen so > far the transparent proxy applies to everyone when it is done. How can I > make it so people on my unfettered access list don't get piped through the > proxy? You can do this by transparent proxying the entire 10.0.0.0 network, then inserting rules above this for the special cases, that just 'ACCEPTS' them: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 iptables -t nat -I PREROUTING -i eth0 -p tcp -s 10.0.1.1 -j ACCEPT iptables -t nat -I PREROUTING -i eth0 -p tcp -s 10.1.250.1 -j ACCEPT This is assuming the proxy server is on the NAT box, if not, you'll have to adjust the first rule. This will allow traffic from 10.0.1.1 and 10.1.250.1 straight through, and transparently proxy everything else. -- Adrian Chung (adrian at enfusion-group dot com) http://www.enfusion-group.com/~adrian GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17 [rogue.enfusion-group.com] up 28 days, 23:48, 3 users