From: Varun <var...@vs...> - 2004-05-01 02:23:55

Kai Wollweber wrote:
> Ken Cobler wrote:
>
>> Varun wrote:
>>
>>> Hello,
>>> I want to put my ltsp4 server and squid proxy server
>>> on the same machine.
>>> I want internet access only for non ltsp clients.
>>> I want no ltsp clients to have internet access.
>>
>> 2) Route all internet requests through the squid proxy server. Put the
>> LTSP workstations in a specific IP address range. Reject requests
>> inside squid for the specific IP address range of the LTSP workstations.
>>
>> 3) Disable default gateway for the LTSP workstations. No gateway, no
>> access to the Internet.
>
> 2) and 3) will not work because it's the server which runs the browser processes
> for the LTSP clients, so you need to disable access from the server to any
> destination's port 80. On the other hand squid itself needs just this connection.
>
> You should have a packet filter (iptables) allowing squid as the only user to connect
> to the internet. You can redirect all other connections from port 80 to
> squid's input port 3128. Doing this you get a transparent proxy and do not need to
> configure any browser.
>
> Try the following firewall rules (I use them on a SuSE 9.0):
>
> # transparent proxy for localhost:
> # allow user squid and root to access the internet via destination port 80 (www):
> iptables -t nat -A OUTPUT -o ppp0 -p tcp --dport www -m owner --uid-owner squid -j ACCEPT
> iptables -t nat -A OUTPUT -o ppp0 -p tcp --dport www -m owner --uid-owner root -j ACCEPT
>
> # force all other requests for destination port 80 (www) to port 3128
> iptables -t nat -A OUTPUT -o ppp0 -p tcp --dport www -j REDIRECT --to 3128
>
> Within squid you can handle specific needs for user access via access control lists. Or you
> can configure iptables to accept connections from any other clients to the internet.
>
> cu

Hello Kai

You will need to guide me through this.
So first I must have iptables and a firewall installed.
Second I must build an iptables of client IPs.
I will reconfigure squid to use iptables for auth then come back to you.

Thanks
Varun
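Added example, not part of the thread above and not Kai's or Varun's own script: a small shell script that builds the transparent-proxy rule set Kai describes (squid and root may open port 80 on the WAN link directly; every other local process gets its port-80 connections redirected into squid), and adds the matching filter rules so that nothing except squid and root can reach port 80 on the WAN interface at all. The interface name ppp0, the squid port 3128 and the unix user "squid" are assumptions taken from the thread; set DRY_RUN=1 (the default) to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: transparent squid proxy on a combined LTSP/squid server.
# Assumptions (not from the thread beyond what Kai mentions): WAN interface
# ppp0, squid listening on 3128, squid running as unix user "squid".
WAN_IF="${WAN_IF:-ppp0}"           # assumed external interface
SQUID_PORT="${SQUID_PORT:-3128}"   # assumed squid http_port
SQUID_USER="${SQUID_USER:-squid}"  # assumed squid unix user
DRY_RUN="${DRY_RUN:-1}"            # 1 = print rules, 0 = load them

# ipt: print the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # nat/OUTPUT handles locally generated packets, which is where every
    # LTSP user's browser lives on this box. squid and root pass straight
    # through; all other port-80 traffic is redirected into squid.
    ipt -t nat -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 \
        -m owner --uid-owner "$SQUID_USER" -j ACCEPT
    ipt -t nat -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 \
        -m owner --uid-owner root -j ACCEPT
    ipt -t nat -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # filter/OUTPUT: after the redirect only squid (and root) should still
    # be opening port 80 on the WAN side. Rejecting everything else means a
    # process that somehow escapes the redirect still cannot leave the box.
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 \
        -m owner --uid-owner "$SQUID_USER" -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 \
        -m owner --uid-owner root -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j REJECT
}

build_rules
```

Note that squid sees all of these redirected connections as coming from 127.0.0.1, which is Kai's point: an access list keyed on the workstation's IP address cannot tell an LTSP user from anyone else on this server, so whatever separates LTSP from non-LTSP users has to be something squid can observe for a local connection. Squid also has to be configured for transparent operation for the redirected requests to be accepted (on the squid 2.5 of that era the httpd_accel_* directives; assumed here, not stated in the thread).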