beside this. You could remove privileges from the clients, even with an Active Directory implementation (ajjjj), or I think I saw cybercafe software that blocks any settings change on the client box.

----- Original Message -----
From: "Antony Stone" <Antony@xxxxxxxxxxxxxxxxxxxx>
To: "Netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, April 20, 2004 10:53 AM
Subject: Re: Rules for Blocking Proxies...

> On Tuesday 20 April 2004 2:35 pm, Alexis wrote:
>
> > set up your own proxy server and only permit connections to this box :)
>
> I must admit I had assumed, when answering this previously, that Harry was
> already running his own proxy, but wanted to stop clients reconfiguring their
> browsers to go direct instead.
>
> If the proxy server is instead on the outside of the network, then the answer
> to the question "how do I stop people changing the browser settings to bypass
> the proxy?" is to allow connections on TCP port 80 to the proxy server only,
> and block all other destination addresses for that port.
>
> Remember of course that you can always do a DNAT rule to send people to the
> proxy address anyway, even if they did decide to go direct - then instead of
> getting a "connection timeout" message they find themselves using the proxy
> even after reconfiguring their browser settings :)
>
> iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to IP.of.pro.xy
>
> Regards,
>
> Antony.
>
> > Hi All,
> > I am running Fedora and Redhat 9 on two servers at my Cybercafe,
> > connected on two Hi speed Lines, I have a decent firewall script, but these
> > days I am facing issues about people changing the Proxy settings in order
> > to get thru porn sites, can anybody suggest some rules which I can
> > implement in the script that avoids connection to these servers?
> > Suggestions are welcome.
> >
> > Regards
> >
> > Harry
>
> --
> The difference between theory and practice is that in theory there is no
> difference, whereas in practice there is.
>
> Please reply to the list;
> please don't CC me.
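
One way to combine the two suggestions in this thread (permit connections only to the proxy, and DNAT port 80 to it), as an added example that is not part of the original messages. It assumes the firewall forwards client traffic arriving on one LAN interface to a proxy outside the LAN; `eth1`, `192.0.2.10` and port `3128` are constructed values, the function names are hypothetical, and the script only prints the rules.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that force LAN web
# traffic through one proxy. Interface and addresses are constructed values.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case $1 in
        *[!0-9.]* | *..* | .* | *.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac    # no leading zeros
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_port N: succeed only for a decimal TCP port, 1-65535.
is_port() {
    case $1 in '' | *[!0-9]* | 0* | ??????*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# proxy_rules LAN_IF PROXY_IP [PROXY_PORT]: write the rule set to stdout.
# Arguments are validated because the output is meant to be fed to a shell.
proxy_rules() {
    lan_if=$1 proxy_ip=$2 proxy_port=${3:-80}
    case $lan_if in
        '' | *[!A-Za-z0-9_.-]*) echo "bad interface: $lan_if" >&2; return 1 ;;
    esac
    is_ipv4 "$proxy_ip" || { echo "bad proxy address: $proxy_ip" >&2; return 1; }
    is_port "$proxy_port" || { echo "bad port: $proxy_port" >&2; return 1; }
    cat <<EOF
# Port 80 from the LAN aimed anywhere but the proxy is rewritten to the proxy.
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 ! -d $proxy_ip -j DNAT --to-destination $proxy_ip:$proxy_port
# Replies on connections that were already allowed.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only new TCP connection the LAN may open through the firewall.
iptables -A FORWARD -i $lan_if -p tcp -d $proxy_ip --dport $proxy_port -j ACCEPT
# All other TCP from the LAN, including outside proxies on other ports.
iptables -A FORWARD -i $lan_if -p tcp -j REJECT --reject-with tcp-reset
EOF
}

# Dry run with constructed values; pipe the output to "sh" as root to apply.
proxy_rules eth1 192.0.2.10 3128
```

Clients caught by the DNAT rule send ordinary origin-style requests rather than proxy-style ones, so the proxy has to be configured for transparent (intercepting) operation.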