Re: DNS and NAT


> Proxy servers are a good choice in some circumstances; you maintain maximum
> control over what clients can and cannot do (unless users have shell access to
> the proxy server, perhaps.) But proxying is far more resource-intensive than
> NAT.

Not hard either. Just catch any non-squid packets and redir them to lo. In 
iptables words:

  -t nat -A OUTPUT -j DNAT -p tcp --dport {80|3128} --to-dest 127.0.0.1:80 \
    -m owner ! --uid-owner squid

{80,3128} depending on whether you want transparent(80) proxying or 
intercepted(3128) proxying.

Since squid usually listens on an unprivileged port (3128), the socket 
creation can be deferred until after the setuid from root to squid; therefore, 
the socket belongs to "squid" and thus, --uid-owner can match.


Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/
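The rule above only works as long as squid's own upstream connections are exempt from the redirect; a rule that forgets the owner match sends squid's port-80 fetches straight back to squid. The script below is an added example (not from the mail or from squid): it renders the OUTPUT-chain rule for either mode and audits an iptables-save dump for proxy-redirect rules lacking that exclusion. The user name, uid and port are assumptions; the dump is constructed.

```shell
#!/bin/sh
# Added example, not from the original mail. Renders the OUTPUT-chain
# interception rule described above and audits an iptables-save dump for
# redirect rules that forgot the owner exclusion (squid's own upstream
# fetches would otherwise be caught and looped back to squid).

PROXY_USER=squid   # assumption: the unprivileged account squid setuids to
PROXY_UID=13       # assumption: its uid; iptables-save writes uids numerically
PROXY_PORT=3128    # assumption: the port squid listens on after setuid

# mode "transparent": catch port 80 from ordinary clients;
# mode "intercept": catch clients that already point at the squid port.
render_rule() {
    case "$1" in
        transparent) dport=80 ;;
        intercept)   dport=$PROXY_PORT ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
    printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -m owner ! --uid-owner %s -j DNAT --to-destination 127.0.0.1:%s\n' \
        "$dport" "$PROXY_USER" "$PROXY_PORT"
}

# Print OK/LOOP-RISK for every nat rule that sends TCP to the proxy port,
# depending on whether it excludes the proxy's own uid (by name or number).
audit_dump() {
    printf '%s\n' "$1" | awk -v port="$PROXY_PORT" -v user="$PROXY_USER" -v uid="$PROXY_UID" '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /-j (DNAT|REDIRECT)/ {
            if (!index($0, "--to-destination 127.0.0.1:" port) && !index($0, "--to-ports " port)) next
            if ($0 ~ ("! --uid-owner (" user "|" uid ")")) print "OK " $0
            else print "LOOP-RISK " $0
        }'
}

# Constructed dump in iptables-save format; the 443 rule has no owner match,
# the 10.0.0.6 rule is unrelated to the proxy and must be ignored.
SAMPLE_DUMP='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner 13 -j DNAT --to-destination 127.0.0.1:3128
-A OUTPUT -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:3128
-A OUTPUT -d 10.0.0.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.6:80
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT'

render_rule transparent
render_rule intercept
audit_dump "$SAMPLE_DUMP"
```

On a live box, feed `iptables-save` output to audit_dump instead of the constructed dump.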


