Hello all,

I have got a big problem with a firewall and a proxy. I am in a big company intranet, and my boss told me that there is a group of consultants in a small local network, which should be behind a firewall, who need to access a Web server in the big company intranet, that is, outside of the small local net. It is a cumbersome requirement that they cannot access any other Web server in the intranet except the given one, but at the same time they can access Internet sites, say Yahoo.com or hotmail.com.

So I used a Linux server as the firewall, with Redhat 6.2, to separate those consultants in a local network from the outside company intranet. As there were already some other firewall rules in the Input and Forward chains to filter network packages, I added two rules in the Output chain:

    output -s the_external_IP_of_Linux_server/24 -d the_IP_of_the_site/32 80:80 -p ! TCP -i eth0 -j ACCEPT
    output -s the_external_IP_of_Linux_server/24 -d the_network_IP_of_the_intranet/16 80:80 -p ! TCP -i eth0 -j DENY

In place of the source IP address, I used the_external_IP_of_Linux_server, not the internal local network IP address, because the firewall should take up the function of IP_Masquerading, and it worked.

But the real problem is when I set up the client machines in the local network with a proxy which is outside of the Linux firewall, in order to enable those consultants to surf the Internet. Note that the proxy is in the big company intranet, and even the Linux firewall has to use it as a proxy if it wants to access the Internet. I found that the proxy seemed to have the power to invalidate the rules I have set, i.e. those consultants can access the intranet web servers that should be forbidden.

So, what should I do? If the client machines use a proxy, does it matter to the IP header, I mean the source or destination address?

Could anybody give me some further advice?

Thanx
Regards
Charles
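
Added example (not part of Charles's message): a small Python model of first-match filtering on the output chain, comparing the IP header of a direct request with that of the same request sent through the proxy, plus a check made at the proxy, which is the hop that still sees the requested host. All addresses, the proxy port 8080, the default policy ACCEPT and the function names are constructed assumptions; the two rules mirror the ACCEPT/DENY pair in the message, modelled as TCP port 80.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (assumptions, not taken from the message).
ALLOWED_SITE = "10.1.5.20"      # the one permitted intranet web server
OTHER_SERVER = "10.1.7.30"      # an intranet web server that must stay blocked
INTRANET = "10.1.0.0/16"
FIREWALL_EXT = "10.1.2.1"       # masqueraded source address of the consultants
PROXY_IP, PROXY_PORT = "10.1.9.9", 8080

@dataclass(frozen=True)
class Packet:
    dst_ip: str        # destination address in the IP header
    dst_port: int      # destination port in the TCP header
    http_host: str     # host named in the HTTP request (payload, not header)

# (destination network, destination port, target), evaluated first match wins.
RULES = [(ALLOWED_SITE + "/32", 80, "ACCEPT"), (INTRANET, 80, "DENY")]

def filter_verdict(pkt, rules=RULES, policy="ACCEPT"):
    """Packet filter: looks only at header fields, never at http_host."""
    for net, port, target in rules:
        in_net = ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(net)
        if in_net and pkt.dst_port == port:
            return target
    return policy  # assumed default policy of the chain

def direct(host):
    """Browser connects straight to the web server."""
    return Packet(host, 80, host)

def via_proxy(host):
    """Browser configured with a proxy: the TCP connection goes to the proxy."""
    return Packet(PROXY_IP, PROXY_PORT, host)

def proxy_acl(src_ip, http_host):
    """Access check at the proxy, keyed on the firewall's masqueraded source."""
    in_intranet = ipaddress.ip_address(http_host) in ipaddress.ip_network(INTRANET)
    if src_ip == FIREWALL_EXT and in_intranet and http_host != ALLOWED_SITE:
        return "DENY"
    return "ACCEPT"

if __name__ == "__main__":
    for label, pkt in [("direct, allowed site", direct(ALLOWED_SITE)),
                       ("direct, other server", direct(OTHER_SERVER)),
                       ("via proxy, other server", via_proxy(OTHER_SERVER))]:
        print(f"{label:24} dst={pkt.dst_ip}:{pkt.dst_port:<5}"
              f" filter={filter_verdict(pkt):7}"
              f" proxy_acl={proxy_acl(FIREWALL_EXT, pkt.http_host)}")
```

The proxied request carries the proxy's address and port as its destination, so neither rule matches it; the requested server appears only inside the HTTP request, which the proxy reads and the packet filter does not.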