On Fri, 11 Mar 2005, Henrik Nordstrom wrote:

> > We'd like to configure Squid (or something else) to
> > control access by certain user-agents (IE) to certain URLs (the
> > Internet...). Ideally this would work as a transparent proxy.
> > Is this possible in Squid?
>
> Yes.
> See the browser and dstdomain acls, and Squid FAQ 10 Access Controls.

Thanks, Henrik. I've also been looking at Perl HTTP::Proxy and made a
thing to redirect IE users to an internal page, but whatever works ...

Now the next problem...

We are running a transparent bridge on an RH7.3 machine with Linux 2.4.21
using brctl. It works fine. Squid works fine in normal mode through the
admin address of the bridge. But I can't get transparency to work.

I started with the iptables recipe in
http://www.tldp.org/HOWTO/TransparentProxy.html
but the TCP replies get lost - if Squid is not running, I get
"connection refused", but if it is running, the browser (telnet for
testing) hangs and I see a TCP reset on the target host apparently coming
from the client.

If I test the redirect recipe with netcat (nc -u -l -p 9000) I can
intercept outbound UDP packets OK.

I realized that this recipe is designed for a router with 2 IP addresses,
not a bridge, and found a recipe on
http://freshmeat.net/articles/view/1433/
which is pretty much what we have with brctl. However, adding the ebtables
rule did not make any difference.

I tried

  iptables -t nat -A PREROUTING -i br0 -p tcp --dport 9000 \
    -j REDIRECT --to-port 3128
  ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
    --ip-destination-port 9000 -j redirect --redirect-target ACCEPT

Am I missing something, like a magic entry in /proc? Or will it only work
in a 2.6 kernel?

(ebtables build OK, and lists the rule back)

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security@xxxxxxxxx