blocking access to certain domains on a workstation
Miroslav Pragl
miroslav.pragl at omega-optix.cz
Thursday March 21 11:59:12 CET 2002
So, cisco:
--------------------------------------------------------------------
interface Ethernet1
 ip policy route-map proxy-redir
.
.
.
route-map proxy-redir permit 10
 match ip address 120
 set ip next-hop 192.168.1.9 <- address of the proxy server
.
.
.
access-list 10 permit 192.168.0.0 0.0.255.255 <- not interesting, the whole intranet
access-list 120 deny tcp any any neq www <- does not touch communication other than www (80)
access-list 120 deny tcp host 192.168.1.9 any eq www <- does not touch the proxy (that one should be allowed to reach the www, right? :)
access-list 120 permit tcp any any <- the rest is shoved via proxy-redir to the transparent proxy
ipchains on the proxy server
--------------------------------------------------------------------
...
echo "1" > /proc/sys/net/ipv4/ip_forward # this is needed ...
...
/sbin/ipchains -A input -p tcp -s 192.168.0.0/255.255.0.0 -d 192.168.1.9 80 -j ACCEPT # request from the local network to the web server - that one is OK
/sbin/ipchains -A input -p tcp -s 127.0.0.1 -d 127.0.0.1 80 -j ACCEPT # the same from lo
/sbin/ipchains -A input -p tcp -s 192.168.0.0/255.255.0.0 -d 0.0.0.0/0 80 -j REDIRECT 3128 # the redirect from the cisco; this therefore does not belong to komanc but to squid, because the destination is not on the local network
/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 80 -j DENY -l
...
squid
--------------------------------------------------------------------
...
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
...
(it is commented in the config file)
Sorry for the delay, someone was cracking into our system here :/
Hopefully nothing important is missing.
MP
> I'd be interested in that, could I ask for all three configurations?
> > I can send a sample config for cisco, linux, squid
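A way to sanity-check the two first-match rule sets above, as an added example that is not part of the original mail: a small Python model of ACL 120 with the route-map and of the posted ipchains input chain, using the intranet mask and proxy address from the post and constructed sample workstation and Internet addresses (the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges).

```python
import ipaddress

# Values from the mail: the intranet mask and the proxy address.
INTRANET = ipaddress.ip_network("192.168.0.0/16")
PROXY = ipaddress.ip_address("192.168.1.9")
SQUID_PORT = 3128


def pbr_next_hop(src, dst, dport):
    """Router side: route-map proxy-redir fires only for packets that ACL 120
    permits. ACEs are tested top to bottom, first match wins, implicit deny."""
    src = ipaddress.ip_address(src)
    if dport != 80:          # deny tcp any any neq www -> no policy routing
        return None
    if src == PROXY:         # deny tcp host 192.168.1.9 any eq www -> no loop
        return None
    return PROXY             # permit tcp any any -> set ip next-hop 192.168.1.9


def ipchains_verdict(src, dst, dport):
    """Proxy side: the posted input-chain rules in order, first match wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in INTRANET and dst == PROXY and dport == 80:
        return "ACCEPT"      # local request for the proxy box's own web server
    if src.is_loopback and dst.is_loopback and dport == 80:
        return "ACCEPT"      # the same over lo
    if src in INTRANET and dport == 80:
        return f"REDIRECT {SQUID_PORT}"  # intranet -> anywhere:80 goes to squid
    if dport == 80:
        return "DENY"        # any other port-80 traffic is dropped and logged (-l)
    return "PASS"            # not covered by the posted rules; chain policy applies


def classify(src, dst, dport):
    """Path of one TCP SYN from source to destination through both devices."""
    hop = pbr_next_hop(src, dst, dport)
    if hop is None:
        return "routed normally"
    return f"policy-routed to {hop}, then {ipchains_verdict(src, dst, dport)}"


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not from the mail.
    for pkt in [("192.168.5.20", "203.0.113.10", 80),   # workstation -> web
                ("192.168.5.20", "203.0.113.10", 443),  # workstation -> https
                ("192.168.1.9", "203.0.113.10", 80),    # squid fetching upstream
                ("192.168.5.20", "192.168.1.9", 80)]:   # workstation -> proxy box
        print(pkt, "->", classify(*pkt))
```

The third case is the loop guard the mail points at: without the second ACE, squid's own upstream fetches on port 80 would be policy-routed straight back to the proxy.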