[K12OSN] Changing proxy settings
Christopher K. Johnson
ckjohnson at gwi.net
Fri Feb 20 13:22:01 UTC 2004
Joe Guenther wrote:
>The PROBLEM with this on an LTSP box is that you as the terminal are the
>same IP as the proxy. So if you cut off the IP address of the user, squid
>can now no longer talk either ... catch 22
>
>read my other thread on the solution to this.... use UID verification in
>IPTABLES
>
>joe
Given your clarification of the problem being solved, I wholeheartedly
concur. I have used UID restrictions in the OUTPUT chain of the filter
table and it is very powerful. Something like this should do the trick:
*filter
...
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -o eth1 -m owner --uid-owner named -j ACCEPT
-A OUTPUT -o eth1 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -o eth1 -j REJECT
...
COMMIT
I don't know what else you have configured on this server, so be careful
when/how you test this.
The following commands can help you see what is happening if you don't
get the expected results:
cat /proc/net/ip_conntrack
iptables -vL OUTPUT
Chris
--
-----------------------------------------------------------
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #807000448202021
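As an added example (not part of the post above), a small POSIX sh simulator of the OUTPUT chain Chris describes: it generates the rules for a list of allowed UIDs and walks them in the order the kernel would, so the ordering (ESTABLISHED replies first, then the owner matches, then the catch-all REJECT on eth1) can be sanity-checked offline before loading it on a server. The user names, the eth1 interface and the ACCEPT chain policy are assumptions.

```shell
#!/bin/sh
# Constructed example: simulate the owner-match OUTPUT chain from the post.
# Nothing here calls iptables; the rule text is walked top to bottom and the
# first matching rule decides, which is how the kernel evaluates a chain.

ALLOWED_UIDS="root named squid"   # assumption: daemons allowed out via eth1
WAN_IF="eth1"                     # assumption: eth1 faces the outside world

# Emit the OUTPUT rules in iptables-restore syntax, same shape as the post.
gen_output_rules() {
    echo "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
    for u in $ALLOWED_UIDS; do
        echo "-A OUTPUT -o $WAN_IF -m owner --uid-owner $u -j ACCEPT"
    done
    echo "-A OUTPUT -o $WAN_IF -j REJECT"
}

# verdict <user> <out-interface> <conntrack-state>  ->  ACCEPT or REJECT
# Only the matches used above (-o, --uid-owner, --state) are interpreted.
verdict() {
    u=$1 oif=$2 st=$3
    result=$(gen_output_rules | while read -r line; do
        ok=1 target=
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -o)          [ "$2" = "$oif" ] || ok=0; shift ;;
                --uid-owner) [ "$2" = "$u" ]   || ok=0; shift ;;
                --state)     [ "$2" = "$st" ]  || ok=0; shift ;;
                -j)          target=$2; shift ;;
            esac
            shift
        done
        if [ "$ok" = 1 ]; then echo "$target"; break; fi
    done)
    # No rule matched: fall through to the chain policy (ACCEPT assumed).
    echo "${result:-ACCEPT}"
}

# A student's browser reaching squid on the same box goes out via lo, so it
# is untouched; squid itself is allowed out; the student directly is not.
echo "student -> lo   NEW:         $(verdict student lo   NEW)"
echo "student -> eth1 NEW:         $(verdict student eth1 NEW)"
echo "squid   -> eth1 NEW:         $(verdict squid   eth1 NEW)"
echo "student -> eth1 ESTABLISHED: $(verdict student eth1 ESTABLISHED)"
```

The simulator is for reasoning about rule order, not a replacement for checking the live counters with `iptables -vL OUTPUT`.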