On Thu, Nov 5, 2009 at 12:00 AM, Michael Robinson <plu...@robinson-west.com> wrote:
>> > You could always deny first, then whitelist local network hosts and add an
>> > allow statement for the proxy, although you may need to do a tcpdump to see
>> > if it uses the same port every single time for an outbound request. So you
>> > filter based on the source and destinations for the proxy if the proxy port
>> > is the same each time. I wasn't aware of denials based on user name, so if
>> > you get that working I'd be interested in seeing how you set it up and how
>> > it works.
>> >
>> > Drew-
>
> It works like a charm. What I'm doing is making a
> special chain hooked as rule 1 to the OUTPUT chain.
> I have to do user-based packet blocking, as dropping
> the user specification I'd probably block legitimate
> access to the Net from squid, postfix, yum, ...
>
> As an example, where 500 is a normal user...
> iptables -A OUTPUT_USER -m owner --uid-owner 500 \
>   -d 192.168.0.0/16 -j ACCEPT
> iptables -A OUTPUT_USER -m owner --uid-owner 500 \
>   -d 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT_USER -m owner --uid-owner 500 \
>   -j DROP
>
> NOTE that the first rule in the OUTPUT chain is to
> jump to the OUTPUT_USER chain, and it has to be or
> this probably won't work. Remember that I'm
> firewalling an X-enabled server so that people
> can't surf the Net from it. The biggest problem
> with allowing surfing of the Net from a server on
> the Net is that I can't force the users to go
> through a filter.
>
> _______________________________________________
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
Wouldn't it be easier to put a transparent squid proxy upstream of the connection, rather than mucking with ugly iptables rules per user, etc.?

--
Brent Jones
br...@servuhome.net
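The per-UID egress chain Michael describes, written out as a complete script so the pieces his message only mentions (creating OUTPUT_USER, hooking it in as rule 1 of OUTPUT) are visible. This is an added example, not the poster's own script or anything from the thread. Assumptions not in the thread: every command goes through an $IPTABLES variable so the script can be dry-run with IPTABLES=echo, loopback is matched with -o lo rather than -d 127.0.0.1, the LAN defaults to 192.168.0.0/16, dropped packets are logged (rate-limited) before being discarded, and, going beyond the thread's single-UID rules, the UID argument may be a range such as 1000-60000, which the owner match accepts.

```shell
#!/bin/sh
# Per-user egress filtering with the iptables owner match, built around an
# OUTPUT_USER chain hooked in as rule 1 of OUTPUT. Added example, not the
# poster's script. Assumed: $IPTABLES indirection for dry runs, -o lo for
# loopback, 192.168.0.0/16 as the LAN, rate-limited LOG before DROP.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="OUTPUT_USER"

# Create the chain (flush it if it already exists) and put the jump to it
# at position 1 of OUTPUT. The jump must precede any catch-all ACCEPT a
# distribution firewall may already have in OUTPUT, otherwise the per-user
# rules are never reached. Deleting a stale jump first keeps this idempotent.
install_chain() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"
    $IPTABLES -D OUTPUT -j "$CHAIN" 2>/dev/null || true
    $IPTABLES -I OUTPUT 1 -j "$CHAIN"
}

# Rules for one UID or UID range (e.g. 500 or 1000-60000). Order matters:
# loopback and the LAN are allowed, everything else from that owner is
# logged and dropped. The owner match is only valid in OUTPUT/POSTROUTING
# because the socket owner is known only for locally generated packets, so
# daemons running as other users (squid, postfix, yum as root) are untouched.
add_user_rules() {
    uid="$1"
    lan="${2:-192.168.0.0/16}"
    $IPTABLES -A "$CHAIN" -m owner --uid-owner "$uid" -o lo -j ACCEPT
    $IPTABLES -A "$CHAIN" -m owner --uid-owner "$uid" -d "$lan" -j ACCEPT
    # LOG prefixes are limited to 29 characters; this one stays well under.
    $IPTABLES -A "$CHAIN" -m owner --uid-owner "$uid" \
        -m limit --limit 5/min -j LOG --log-prefix "egress-drop uid=$uid "
    $IPTABLES -A "$CHAIN" -m owner --uid-owner "$uid" -j DROP
}

# Usage: ./egress.sh UID [UID...]   (as root; IPTABLES=echo ./egress.sh 500
# prints the rules instead of loading them)
if [ "$#" -gt 0 ]; then
    install_chain
    for u; do
        add_user_rules "$u"
    done
fi
```

Two caveats a practitioner should keep in mind: root (uid 0) and anything that runs setuid-root are not matched, so a user with sudo or a setuid helper bypasses the chain; and the rules only constrain sockets created on this host, so users can still reach the Net through any LAN host the ACCEPT rule covers, which is exactly the role the thread assigns to the filtering proxy.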