> Proxy servers are a good choice in some circumstances; you maintain maximum
> control over what clients can and cannot do (unless users have shell access to
> the proxy server, perhaps.) But proxying is far more resource-intensive than
> NAT.
Not hard either. Just catch any non-squid packets and redir them to lo. In
iptables words:
-A OUTPUT -j DNAT -p tcp --dport {80|3128} --to-dest 127.0.0.1:80 \
-m owner ! --uid-owner squid
{80,3128} depending on whether you want transparent(80) proxying or
intercepted(3128) proxying.
Since squid usually listens on an unprivilegued port (3128), the socket
creation can be deferred until after the setuid from root to squid; therefore,
the socket belongs to "squid" and thus, --uid-owner can match.
Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
