On Tuesday 20 April 2004 2:35 pm, Alexis wrote:

> set up your own proxy server and only permit connections to this box :)

I must admit I had assumed, when answering this previously, that Harry was already running his own proxy, but wanted to stop clients reconfiguring their browsers to go direct instead.

If the proxy server is instead on the outside of the network, then the answer to the question "how do I stop people changing the browser settings to bypass the proxy?" is to allow connections on TCP port 80 to the proxy server only, and block all other destination addresses for that port.

Remember of course that you can always do a DNAT rule to send people to the proxy address anyway, even if they did decide to go direct - then instead of getting a "connection timeout" message they find themselves using the proxy even after reconfiguring their browser settings :)

iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to IP.of.pro.xy

Regards,

Antony.

> Hi All,
> I am running Fedora and Redhat 9 on two servers at my Cybercafe,
> connected on two Hi speed Lines, I have a decent firewall script, but these
> days I am facing issues about people changing the Proxy settings in order
> to get thru porn sites, can anybody suggest some rules which I can
> implement in the script that avoids connection to these servers?
> Suggestions are welcome.
>
> Regards
>
> Harry

--
The difference between theory and practice is that in theory there is no difference, whereas in practice there is.

Please reply to the list; please don't CC me.
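
The two measures from the reply above (allow port 80 to the proxy only, and DNAT everything else to it) combined into one rule set, as an added example that is not part of the original message. The address 192.0.2.10, the interface eth1, the optional proxy port and the function name proxy_rules are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed values: proxy 192.0.2.10
# (documentation range), LAN interface eth1. Assumes this box forwards the
# clients' traffic, the proxy sits outside the LAN, and the existing
# firewall script already accepts ESTABLISHED,RELATED return traffic.

# Print the rules rather than applying them, so they can be reviewed and
# merged into the existing firewall script in the right order.
proxy_rules() {
    proxy_ip=$1
    lan_if=$2
    proxy_port=${3:-80}   # port the proxy listens on; 80 as in the thread

    # Accept only digits and dots, an interface-like name and a numeric
    # port, since all three are interpolated into command lines below.
    case $proxy_ip in
        ''|*[!0-9.]*|*..*|.*|*.) echo "bad proxy address" >&2; return 1 ;;
    esac
    case $lan_if in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    case $proxy_port in
        ''|*[!0-9]*) echo "bad proxy port" >&2; return 1 ;;
    esac

    # Rule 1: port-80 traffic from the LAN to any other address is
    #         rewritten to the proxy (the DNAT rule from the reply).
    # Rule 2: traffic to the proxy is allowed through.
    # Rule 3: port-80 traffic still aimed elsewhere is dropped, which
    #         covers the case where the NAT rule is missing or flushed.
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 ! -d $proxy_ip -j DNAT --to-destination $proxy_ip:$proxy_port
iptables -A FORWARD -i $lan_if -p tcp -d $proxy_ip --dport $proxy_port -j ACCEPT
iptables -A FORWARD -i $lan_if -p tcp --dport 80 -j DROP
EOF
}

# Usage: sh proxy-rules.sh 192.0.2.10 eth1 [port]
if [ "$#" -ge 2 ]; then
    proxy_rules "$@"
fi
```

Because the rules are appended with -A, any earlier rule in the existing script that accepts forwarded port-80 traffic would match first and has to be removed or placed after these.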