
#1 2005-03-07 02:48:33

Stinky
Member
From: The Colony, TX
Registered: 2004-05-28
Posts: 187

squid question

Hey guys. 
I put together an Arch box for a friend.  I've set it up as a firewall/NAT router/Samba server and Squid proxy server w/transparent proxy using this rule:
$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

What I'd like to know is, is there a way to only have one client on the LAN forced through the proxy and all others just through the NAT router?  The reason is... we want to limit one client's access to the internet to certain hours while the other clients have access without going through the proxy.
Hmmm...Wow, does that make any sense?
Thanks


#2 2005-03-07 03:06:51

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: squid question

Sure. I believe iptables can match based on MAC address. Just put that in there.
If not, then you will have to assign a static IP to that one machine and use an IP matching rule.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#3 2005-03-07 03:19:42

Stinky
Member
From: The Colony, TX
Registered: 2004-05-28
Posts: 187

Re: squid question

That one machine already has a static IP.  Actually the whole internal network is static, because there are PCs on the LAN that I have ports forwarded to and they need to stay the same.
I'm having a major brain fart here.  Does this look right for the one machine?

$iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.xxx --dport 80 -j REDIRECT --to-port 8080


#4 2005-03-07 03:32:11

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: squid question

Yeah, seems OK (I didn't look it up, but it seems reasonably correct). Just make sure it comes before the general redirect rule (if you keep that one).



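A worked version of the rule from posts #3 and #4, added here as an example and not code from the thread: a small POSIX shell script that installs the host-specific REDIRECT at the head of the nat PREROUTING chain, so it always precedes any general redirect, and that can match on the client's MAC address instead of its IP, as cactus suggested. The interface name eth0, proxy port 8080 and the sample IP/MAC are assumptions; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Force one LAN host through Squid
# (transparent proxy on the router) and leave all other hosts plainly NATed.
# Assumed defaults: LAN interface eth0, Squid listening on port 8080.
# DRY_RUN=1 echoes the iptables commands instead of running them (no root needed).

IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}
PROXY_PORT=${PROXY_PORT:-8080}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Accepts a dotted quad only; rejects placeholders such as 192.168.1.xxx.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# $1 = the client's static IP, $2 = its MAC address (optional).
# When a MAC is given the rule is tied to the hardware address rather than
# to an IP the client could reconfigure, which addresses the "misconfiguration"
# concern raised later in the thread.
proxy_one_host() {
    client_ip=$1
    client_mac=$2
    valid_ipv4 "$client_ip" || { echo "bad IPv4 address: $client_ip" >&2; return 1; }
    if [ -n "$client_mac" ]; then
        match="-m mac --mac-source $client_mac"
    else
        match="-s $client_ip"
    fi
    # -I ... 1 puts the rule at the head of PREROUTING, so it is evaluated
    # before any general "--dport 80 -j REDIRECT" rule that may still exist.
    # Word splitting of $match into separate arguments is intended.
    run -t nat -I PREROUTING 1 -i "$LAN_IF" -p tcp $match \
        --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
}
```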

#5 2005-03-07 03:36:27

Stinky
Member
From: The Colony, TX
Registered: 2004-05-28
Posts: 187

Re: squid question

OK, thanks.  I thought it looked generally correct but my paranoia wouldn't let me try it without bouncing it off of somebody first.  lol.
Oh, and I'm just going to fling the general redirect out.  We only want the one machine to use the proxy.  Everybody else can be trusted.   lol


#6 2005-03-08 00:23:30

Stinky
Member
From: The Colony, TX
Registered: 2004-05-28
Posts: 187

Re: squid question

Yeah, actually that's the way it's set up now.  But my buddy doesn't want to go through the proxy.  Not sure why not... but what do ya do?


#7 2005-03-08 09:26:46

mercy
Member
Registered: 2004-04-24
Posts: 62

Re: squid question

For this you will have to be very careful that it works... especially if it is an "untrusted" machine, you also have to prevent "misconfiguration" of it...

Therefore it could get really nasty to set it up properly and especially to maintain it...

If you have private static IPs, the approach of putting the untrusted PC in its own subnet would be much easier to handle:

192.168.1.0/24 -> DMZ
192.168.2.0/24 -> workstations
192.168.3.0/28 -> Servers
192.168.4.0/24 -> untrusted

Then the handling with iptables will be much easier indeed.

mapping:
Workstations -> DMZ ( masquerade 192.168.2.0/24 to 192.168.1.1 eg)
Servers -> DMZ ( SNAT 192.168.3.2 - 192.168.3.16 to some addresses from 192.168.1.2 - 192.168.1.16)
untrusted -> DMZ ( masquerade 192.168.4.0/24 to 192.168.1.254)

DMZ -> Servers ( if you wish to do portforwarding here [all NOT private IPs] to [dmz-ip of the server]:[desired port]...)

Internet -> DMZ ( DNAT  PublicIP:Port to DMZ-IP of the server:[same port] )
DMZ -> Internet [ masquerade ALL PRIVATE IPs to Public IP]

Yes, this looks very heavy at first glance... but with this base setup it will get much easier to set everything up securely and also to maintain it!
Especially if you really want to "firewall" the network properly.

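The NAT mapping mercy sketches above, written out as iptables rules; this is an added example, not mercy's own code. Interface names (eth0 for the DMZ, eth2 servers, eth3 untrusted, ppp0 uplink) and the public address 203.0.113.10 are placeholders; the untrusted-segment REDIRECT shows how the thread's per-host rule becomes a per-subnet rule under this layout.

```shell
#!/bin/sh
# Added example, not mercy's own code: one subnet per trust level, NATed as
# described in the post above. Interface names and the public address are
# placeholders. DRY_RUN=1 prints the iptables commands instead of running them.

IPT=${IPT:-iptables}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}   # TEST-NET-3 placeholder, not a real host

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

mercy_nat_rules() {
    # Workstations -> DMZ: appear as 192.168.1.1. MASQUERADE always uses the
    # outgoing interface's own address, so a fixed address needs SNAT.
    run -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to-source 192.168.1.1
    # Servers -> DMZ: the server range mapped onto a pool of DMZ addresses.
    run -t nat -A POSTROUTING -m iprange --src-range 192.168.3.2-192.168.3.16 -o eth0 \
        -j SNAT --to-source 192.168.1.2-192.168.1.16
    # Untrusted -> DMZ: everything untrusted appears as 192.168.1.254, so later
    # filter rules can single that traffic out by a single address.
    run -t nat -A POSTROUTING -s 192.168.4.0/24 -o eth0 -j SNAT --to-source 192.168.1.254
    # The original question, per subnet instead of per host: all web traffic
    # entering from the untrusted segment goes through Squid on the router.
    run -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-port 8080
    # DMZ -> Internet: masquerade every private source out of the uplink.
    run -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
}

# Internet -> DMZ: publish one DMZ service on the public IP, same port.
# $1 = DMZ address of the server, $2 = TCP port.
publish_service() {
    run -t nat -A PREROUTING -i ppp0 -d "$PUBLIC_IP" -p tcp --dport "$2" \
        -j DNAT --to-destination "$1:$2"
}
```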

#8 2005-03-08 20:16:28

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: squid question

*wonders what mercy is smoking*




#9 2005-03-08 22:02:48

mercy
Member
Registered: 2004-04-24
Posts: 62

Re: squid question

It's long, long ago that I have been in Amsterdam.

lol  lol  lol

Anyway, I'd really do it this way, especially because this way it gets really, really easy to implement it using chains... tables...

Also in the future you can do even more nifty things with that, networking-wise,
without loads of effort.

