Menu
▾
▴
Re: [Ltsp-discuss] internet access
|
From: Varun <var...@vs...> - 2004-05-01 02:23:55
|
Kai Wollweber wrote:
>Ken Cobler wrote:
>
>
>>Varun wrote:
>>
>>
>>>Hello,
>>> I want to put my ltsp4 server and squid proxy server
>>>on the same machine.
>>>I want internet access only for non ltsp clients.
>>>I want no ltsp clients to have internet access.
>>>
>>>
>
>
>
>>2) Route all internet requests through the squid proxy server. Put the
>>LTSP workstations in a specific IP address range. Reject requests
>>inside squid for the specific IP address range of the LTSP workstations.
>>
>>3) Disable default gateway for the LTSP workstations. No gateway, no
>>access to the Internet.
>>
>>
>
>2) and 3) will not work because its the server which runs the browser processes
>for the LTSP clients, so you need to disable access from the server to any
>destinations port 80. On the other hand squid itself needs just this connection.
>
>You should have a packet filter (iptables) allowing squid as the only user to connect
>to the internet. You can redirect all other connections from port 80 to
>squid's input port 3128. Doing this you get a transparent proxy and do not need to
>configure any browser.
>
>Try the following firewall rules (I use them on a SuSE 9.0):
>
># transparent proxy for localhost:
>#allow user squid and root to access the internet via destination port 80(www):
>iptables -A OUTPUT -o ppp0 tcp --dport www -t nat -m owner --uid-owner squid -j ACCEPT
>iptables -A OUTPUT -o ppp0 tcp --dport www -t nat -m owner --uid-owner root -j ACCEPT
>
>#force all other request for destination port 80(www) to port 3128
>iptables -A OUTPUT -o ppp0 tcp --dport www -t -j REDIRECT --to 3128
>
>Within squid you can handle specific needs for user access via access control lists. Or you
>can configure iptables to accept connection from any other clients to the internet.
>
>cu
>
>
Hello Kai
You will need to guide thru this.
So first I must have iptables and a firewall
installed.
Second I must build an iptables of client IPs.
I will reconfigure squid to use iptables for auth
then come back to you.
Thanks
Varun
>
>
>
|