Re: [squid-users] Best policy to allow only proxy surfing

From: Glenn English <ghe_at_slsware.com>
Date: Wed, 5 May 2010 10:34:51 -0600

On May 5, 2010, at 9:54 AM, Boniforti Flavio wrote:

>> Don't know if this is going to work, but if it does, rules
>> similar to these may solve your problem. With no proxy whinage.
>
> This *is* going to work

Thanks for that. Now I know that if it doesn't, it's my implementation, not the design...

> I did such setups too, some years ago. The fact
> is that similar solutions require some more intervention, because (as
> you might know) every day a new software/tool/internet application needs
> to be used (and it is FOR SURE that it HAS to be used, for working
> purposes, not as a joke)... This would mean adding rules from time to
> time...

It would indeed. One of the delights (IMHO) of iptables is local chains. My packet filter will have special chains for stuff. So when a new LAN to NET rule is needed,

"iptables -A LANtNET -p <...> --dport <...> -j ACCEPT"

is all that's needed. Actually, that'd go into the shell script that builds the filter.

> Good luck, but still I confess that I *may be* switching to this
> suggestion of yours too! ;-)

Use default deny and break up the logic into chains (within reason). Makes things a lot easier to maintain. Did for me, anyway.

-- 
Glenn English
ghe_at_slsware.com
Received on Wed May 05 2010 - 16:34:57 MDT
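The design Glenn sketches above (default deny on the built-in chains, a local chain for LAN-to-NET traffic, one line per new service, all inside the shell script that builds the filter) as an added example. This is not Glenn's script or anything from the thread; the interface names, the LAN subnet, the chain name LANtNET and the port list are assumptions, and by default it only prints the iptables commands so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not the poster's script: a filter-building skeleton in the
# style described in the thread. Default-deny policies on the built-in chains,
# a local chain (LANtNET) for LAN->Internet traffic, and a one-line function
# call for each new service. Interface names, LAN subnet and ports are assumed.

LAN_IF="${LAN_IF:-eth1}"                 # assumed LAN-facing interface
NET_IF="${NET_IF:-eth0}"                 # assumed Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN subnet

# Dry run by default: print the iptables commands instead of running them.
# Run with IPT=iptables (as root) to apply the rules for real.
IPT="${IPT:-echo iptables}"

# Flush everything and set every built-in chain to default deny.
reset_filter() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

# Create the local chain and hand LAN->NET packets to it. Return traffic for
# connections the LAN opened is matched by conntrack, not by per-port rules.
create_lan_to_net_chain() {
    $IPT -N LANtNET
    $IPT -A FORWARD -i "$NET_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$NET_IF" -s "$LAN_NET" -j LANtNET
}

# The one-liner from the post: allow one more protocol/port from LAN to NET.
# --dport only exists for tcp and udp, so refuse anything else rather than
# emit a rule iptables would reject.
allow_lan_to_net() {   # usage: allow_lan_to_net tcp 443
    case "$1" in
        tcp|udp) ;;
        *) echo "allow_lan_to_net: protocol must be tcp or udp, got '$1'" >&2; return 1 ;;
    esac
    $IPT -A LANtNET -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# Anything that falls off the end of LANtNET returns to FORWARD and hits the
# DROP policy. Log it (rate limited) so the next "new application" that needs
# a rule shows up in the kernel log instead of failing silently.
log_dropped_forward() {
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

build_filter() {
    reset_filter
    create_lan_to_net_chain
    # Per-service rules: one line each. Add a line here when a new tool needs
    # out. (Assumed list; on a proxy-only LAN this would be much shorter.)
    allow_lan_to_net tcp 80      # HTTP
    allow_lan_to_net tcp 443     # HTTPS
    allow_lan_to_net udp 53      # DNS
    log_dropped_forward
}

build_filter
```

Because every LAN-to-NET allowance goes through `allow_lan_to_net`, the "new application needs access" case from the quoted reply is one added line in `build_filter` and a re-run of the script; the rate-limited LOG rule at the end of FORWARD is what tells you which port that line needs.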