Are those the rules on the squid machine acting as a gateway?
If I read this correctly then all web traffic is redirected to the proxy,
and the proxy itself is not matched in the input/output chain, only a
client (Accounting PC).
Your input/output default policy seems to be ACCEPT for those chains,
therefore the proxy can connect to every site and serve them to the
clients.
Regards, Hendrik.
andre@ictserver.digitcell.com wrote:
> Thanks first to all the people who helped me out; my problem (slowness) has
> gone. Now I've moved to my IBM XSERIES and everything works smoothly.
> But I have another problem (maybe because I'm a newbie at this). My
> other NAT, already configured, allows browsing a few sites only, but when I put in
> the transparent proxy rules (ipchains based) they can browse anywhere.
> *The ipchains rules that were already defined don't seem to work anymore*
>
> my fw rules are
>
> touch /var/lock/subsys/local
> insmod ipchains
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ipchains -P forward DENY
> ipchains -A forward -s 192.168.2.0/24 -j MASQ
>
> ipchains -A input -p TCP -d 127.0.0.1/24 www -j ACCEPT
> ipchains -A input -p TCP -d 192.168.2.0/24 www -j ACCEPT
> ipchains -A input -p TCP -d any/0 www -j REDIRECT 3128
>
> #settings for Accounting PC
> ipchains -A input -s 192.168.2.21 -d ip1 80 -p tcp -j ACCEPT
> ipchains -A input -s 192.168.2.21 -d ip2 80 -p tcp -j ACCEPT
> ipchains -A input -s 192.168.2.21 -d ip3 80 -p tcp -j ACCEPT
> ipchains -A input -s 192.168.2.21 -d ip4 80 -p tcp -j ACCEPT
> ipchains -A input -s 192.168.2.21 -d 0.0.0.0/0 80 -p tcp -j REJECT
>
> regards,
>
> Andry Yudianto
Received on Mon May 31 2004 - 02:06:34 MDT
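
An added example, not part of the original thread: a small Python model of ipchains' first-match rule evaluation, run over the input-chain rules in the order posted, to show which rule a port-80 packet from the Accounting PC reaches first. The 203.0.113.x addresses are constructed stand-ins for the post's ip1..ip4, and the model assumes matching on source, destination and destination port only.

```python
import ipaddress

# Input-chain rules in posted order: (source, destination, dport, target).
# 203.0.113.1-4 are constructed stand-ins for ip1..ip4 in the post.
RULES = [
    ("0.0.0.0/0", "127.0.0.1/24", 80, "ACCEPT"),
    ("0.0.0.0/0", "192.168.2.0/24", 80, "ACCEPT"),
    ("0.0.0.0/0", "0.0.0.0/0", 80, "REDIRECT 3128"),
    ("192.168.2.21", "203.0.113.1", 80, "ACCEPT"),
    ("192.168.2.21", "203.0.113.2", 80, "ACCEPT"),
    ("192.168.2.21", "203.0.113.3", 80, "ACCEPT"),
    ("192.168.2.21", "203.0.113.4", 80, "ACCEPT"),
    ("192.168.2.21", "0.0.0.0/0", 80, "REJECT"),
]


def net(spec):
    # strict=False accepts host bits in the prefix, as in 127.0.0.1/24
    return ipaddress.ip_network(spec, strict=False)


def first_match(src, dst, dport, rules=RULES):
    """Return (index, target) of the first matching rule, or None
    when no rule matches and the chain's default policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (rs, rd, rp, target) in enumerate(rules):
        if dport == rp and s in net(rs) and d in net(rd):
            return i, target
    return None


def shadowed(rules=RULES):
    """Indexes of rules that can never be reached because an earlier
    rule already matches every packet they would match."""
    hidden = []
    for i, (rs, rd, rp, _) in enumerate(rules):
        for es, ed, ep, _ in rules[:i]:
            if ep == rp and net(rs).subnet_of(net(es)) and net(rd).subnet_of(net(ed)):
                hidden.append(i)
                break
    return hidden


if __name__ == "__main__":
    print(first_match("192.168.2.21", "198.51.100.7", 80))
    print("unreachable rules:", shadowed())
```

In this model every Accounting PC rule sits behind the `REDIRECT 3128` rule, so port-80 traffic from 192.168.2.21 is handed to the proxy before the per-destination rules are consulted.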