Hey guys.
I put together an Arch box for a friend. I've set it up as a firewall/NAT router/Samba server and Squid proxy server w/ transparent proxy using this rule:
$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
What I'd like to know is, is there a way to have only one client on the LAN forced through the proxy and all others just through the NAT router? The reason is... we want to limit one client's access to the internet to certain hours while the other clients have access without going through the proxy.
Hmmm...Wow, does that make any sense?
Thanks
Sure. I believe iptables can do matching based on MAC address. Just put that in there.
If not, then you will have to assign a static IP to that one machine and use an IP matching rule.
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
That one machine already has a static IP. Actually, the whole internal network is static, because there are PCs on the LAN that I have ports forwarded to and they need to stay the same.
I'm having a major brain fart here. Does this look right for the one machine?
$iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.xxx --dport 80 -j REDIRECT --to-port 8080
Yeah, seems OK (I didn't look it up, but it seems reasonably correct). Just make sure it comes before the general redirect rule (if you keep that one).
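The two ideas in the replies above, match the host by its MAC or by its static IP and keep the host-specific rule ahead of any catch-all, as an added example that is not code from the thread. It renders the rules in iptables-restore format and includes a small ordering check. The interface eth0 and port 8080 are the thread's own values; 192.168.1.50 and 00:11:22:33:44:55 are constructed placeholders standing in for the elided 192.168.1.xxx host.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders the nat and filter rules that
# force ONE LAN host through the local Squid listener, in iptables-restore
# format, so the rule order can be checked before anything is loaded.
# eth0 and 8080 are the thread's values; the host address and MAC below are
# constructed placeholders standing in for the elided 192.168.1.xxx.
LAN_IF="eth0"
PROXY_PORT="8080"
HOST_IP="192.168.1.50"
HOST_MAC="00:11:22:33:44:55"

# restricted_host_rules IP MAC
# Two separate REDIRECT rules, one keyed on the MAC and one on the IP, so that
# either identifier alone is enough to land the host in the proxy. The filter
# part rejects whatever else the host tries to forward: REDIRECT only catches
# tcp/80, and redirected packets go to INPUT, so they are unaffected by the
# FORWARD rejects. The hours-of-day limit itself stays in Squid, as in the post.
restricted_host_rules() {
    ip=$1; mac=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -m mac --mac-source $mac -j REDIRECT --to-ports $PROXY_PORT
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -s $ip -j REDIRECT --to-ports $PROXY_PORT
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i $LAN_IF -m mac --mac-source $mac -j REJECT
-A FORWARD -i $LAN_IF -s $ip -j REJECT
COMMIT
EOF
}

# check_order RULESET
# First match wins in a chain, so a catch-all REDIRECT (no -s, no --mac-source)
# listed before a host-specific one would swallow the host's traffic and make
# the specific rule dead. Exit 0 when no host-specific REDIRECT follows a
# generic one, 1 otherwise.
check_order() {
    printf '%s\n' "$1" | awk '
        /-j REDIRECT/ && !/(-s |--mac-source )/ { generic_seen = 1 }
        /-j REDIRECT/ &&  /(-s |--mac-source )/ && generic_seen { bad = 1 }
        END { exit bad + 0 }'
}

# Render the ruleset and confirm its order before handing it to iptables-restore.
ruleset=$(restricted_host_rules "$HOST_IP" "$HOST_MAC")
check_order "$ruleset" && printf '%s\n' "$ruleset"
```

iptables-restore replaces whole tables, so merge these lines into the router's existing nat and filter rules (the MASQUERADE rule, the port forwards) rather than loading this fragment on its own. The FORWARD rejects close the gap a port-80-only REDIRECT leaves: without them the restricted host still reaches 443 and every other port directly, and if the host resolves names against an outside DNS server that traffic has to be allowed explicitly.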
OK, thanks. I thought it looked generally correct, but my paranoia wouldn't let me try it without bouncing it off of somebody first. lol.
Oh, and I'm just going to fling the general redirect out. We only want the one machine to use the proxy. Everybody else can be trusted.
Yeah, actually that's the way it's set up now. But my buddy doesn't want to go through the proxy. Not sure why not....but...whatdoyado?
For this you will have to be very careful that it works... especially if it is an "untrusted" machine, you also have to prevent "misconfiguration" of it...
Therefore it could get really nasty to set it up properly and especially to maintain it...
If you have private static IPs, the approach of putting the untrusted PC in its own subnet would be much easier to handle:
192.168.1.0/24 -> DMZ
192.168.2.0/24 -> workstations
192.168.3.0/28 -> Servers
192.168.4.0/24 -> untrusted
Then the handling with iptables will be much easier indeed.
Mapping:
Workstations -> DMZ (masquerade 192.168.2.0/24 to 192.168.1.1, e.g.)
Servers -> DMZ (SNAT 192.168.3.2 - 192.168.3.16 to some addresses from 192.168.1.2 - 192.168.1.16)
untrusted -> DMZ (masquerade 192.168.4.0/24 to 192.168.1.254)
DMZ -> Servers (if you wish to do port forwarding here: [all NOT private IPs] to [DMZ IP of the server]:[desired port]...)
Internet -> DMZ (DNAT PublicIP:Port to DMZ IP of the server:[same port])
DMZ -> Internet [masquerade ALL PRIVATE IPs to Public IP]
Yes, this looks very heavy at first glance... but with this base setup it will get much easier to set everything up securely and also to maintain it!
Especially if you really want to "firewall" the network properly.
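The segmented layout in the post above, as an added example that is not code from the thread. It encodes the four subnets as arithmetic CIDR checks, answers "what source address does the DMZ see for this host?", and prints the matching POSTROUTING and FORWARD lines. Two rendering choices are mine: a "masquerade to a fixed address" is written as SNAT --to-source, because MASQUERADE in iptables always uses the outgoing interface's own address, and the 1:1 server mapping is written with the NETMAP target, which keeps the host part of the address. The /28 server mask is used exactly as written (hosts .1 to .14), and DMZ_IF is an assumed interface name.

```shell
#!/bin/sh
# Added example, not code from the thread. Encodes the segmented layout from
# the post above (DMZ, workstations, servers, untrusted) as arithmetic CIDR
# checks and answers "what source address does the DMZ see for this host?".
# Fixed-address "masquerade" is rendered as SNAT --to-source (MASQUERADE in
# iptables always uses the outgoing interface's own address); the 1:1 server
# mapping is rendered with NETMAP, which keeps the host part of the address.
# The /28 server mask is used exactly as written (hosts .1 to .14).
# DMZ_IF is an assumed name for the interface facing 192.168.1.0/24.
DMZ_IF="eth1"

# ip2int A.B.C.D -> 32-bit integer, so CIDR membership is plain arithmetic.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP CIDR -> exit 0 when IP lies inside CIDR
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# translated_source IP -> the address the DMZ sees for traffic from IP, or
# DROP when IP belongs to none of the defined segments (no NAT, no forwarding).
translated_source() {
    if in_subnet "$1" 192.168.2.0/24; then
        echo "192.168.1.1"              # workstations share one DMZ address
    elif in_subnet "$1" 192.168.3.0/28; then
        echo "192.168.1.${1##*.}"       # servers: 1:1, host part preserved
    elif in_subnet "$1" 192.168.4.0/24; then
        echo "192.168.1.254"            # untrusted segment gets its own address
    else
        echo "DROP"
    fi
}

# segment_rules -> the iptables commands for the layout: one source translation
# per segment, an ACCEPT per segment, and a final DROP so that a host whose
# address is outside every segment gets no translation at all.
segment_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o $DMZ_IF -j SNAT --to-source 192.168.1.1
iptables -t nat -A POSTROUTING -s 192.168.3.0/28 -o $DMZ_IF -j NETMAP --to 192.168.1.0/28
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o $DMZ_IF -j SNAT --to-source 192.168.1.254
iptables -A FORWARD -s 192.168.2.0/24 -o $DMZ_IF -j ACCEPT
iptables -A FORWARD -s 192.168.3.0/28 -o $DMZ_IF -j ACCEPT
iptables -A FORWARD -s 192.168.4.0/24 -o $DMZ_IF -j ACCEPT
iptables -A FORWARD -o $DMZ_IF -j DROP
EOF
}

# Print the rules for review; nothing here touches the running firewall.
segment_rules
```

The block only prints: the lines are meant to be reviewed and merged into the router's ruleset, together with the DMZ -> Internet masquerade and the DNAT port forwards from the mapping, not run from here. The final FORWARD drop is what makes a mis-addressed host in the "untrusted" segment fall off the network instead of quietly picking up another segment's translation, which is the "prevent misconfiguration" point of the post.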
*wonders what mercy is smoking*
:shock:
Long, long ago that I was in Amsterdam.
Anyway... I'd really do it this way... especially cuz this way it gets really, really easy to implement it using chains... :oops: ... tables...
Also in the future you can do even more nifty things with that... considering networking 8)
without loads of effort.