From: Harry Putnam
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
Date: Sun, 13 Nov 2005 17:35:27 -0600
Organization: Still searching...
Message-ID: <87zmo8i0jk.fsf@newsguy.com>
References: <871x1lsamp.fsf@newsguy.com> <200511121717.40496.john@jolet.net> <873bm1gyb5.fsf@newsguy.com> <200511122114.17516.john@jolet.net> <87veyxf2gt.fsf@newsguy.com> <20051113084816.GA4180@princeton.edu> <87oe4ofnnk.fsf@newsguy.com> <20051113182640.GA20118@princeton.edu> <20051113213044.GA26188@princeton.edu>

Willie Wong writes:

> Two ways exist (AFAIK) of using squid:
> 1) Run it as a proxy server. In the Internet Options for your
> web browser, you point the proxy toward the proxy server. You submit
> a request, it gets relayed to the internet, the response comes back,
> squid passes it back to your computer.
>
> 2) Run it transparently on the _router_. This is the important part:
> on the router, you can force all traffic intended for HTTP traffic
> to go through squid. There are many howtos on the web detailing how
> this works, so I will not go into details and only say that it
> involves intercepting the traffic halfway with iptables and passing
> it to squid.
>
> Clearly, 1 cannot be forced: if you just unset the proxy setting from
> the web browser, your computer will connect to the internet directly.

In the different scenarios we've been discussing though, I'm thinking
I've blocked internet access for several machines. If those machines
are then set to proxy thru a local lan address (the gentoo box running
squid).
They would be able to contact that address. As I understand it, that
is the only address they would see. And if the proxy were turned off
in software they would then not be able to go to the internet either,
since that avenue is already blocked. So the browser would stall and
show no internet connection.

> 2 cannot be implemented in your case, since it requires that
> internet-bound traffic must pass through your gentoo box. If you try
> to forward all traffic from the router toward your gentoo box, you
> get an infinite loop since the gentoo box is behind the router.

I'm not sure what you mean here about the infinite loop. That's what
routers do: forward traffic to machines behind them.

What I'm thinking when I talk about setting the default route to the
gentoo box is that the router is also a switch. I'm wondering if
internet-bound packets can:

  o start on a win box behind the router
  o get to the router/switch
  o be switched to the gentoo box since it is the gateway listed
  o be sent back to the router by the gentoo box on its journey to INET.

Is that even possible without another subnet, nic etc?

-- 
gentoo-user@gentoo.org mailing list
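The two packet paths argued over above (the router forwarding all internet-bound traffic back to the gentoo box, versus the win box simply using the gentoo box as its gateway) can be traced with a small next-hop model. The following is an added example written for this archive page, not code from either poster; the node names `winbox`, `gentoo` and `router`, the single `INTERNET` destination and the hop budget are all constructed for illustration, and the model deliberately ignores NAT and ICMP redirects.

```python
"""Next-hop simulation of the two routing set-ups discussed in the thread.

Added example, not code from the original mail.  Node names, the single
'INTERNET' destination and the TTL are constructed for illustration.
"""

TTL = 16  # hop budget; running out of it means the packet is looping

LAN_HOSTS = {"winbox", "gentoo", "router"}  # constructed single-subnet LAN


def is_lan(dst):
    """True when the destination lives on the local subnet."""
    return dst in LAN_HOSTS


def trace(nodes, start, dst):
    """Follow one packet from `start` toward `dst`.

    `nodes` maps a node name to policy(dst) -> next node name, or to one of
    the tokens 'DELIVER' (destination reached on the LAN) or 'UPLINK'
    (packet left toward the ISP).  Returns (path, outcome) with outcome in
    {'DELIVER', 'UPLINK', 'LOOP'}.
    """
    path = [start]
    cur = start
    for _ in range(TTL):
        nxt = nodes[cur](dst)
        if nxt in ("DELIVER", "UPLINK"):
            return path, nxt
        path.append(nxt)
        cur = nxt
    return path, "LOOP"


def host_policy(default_gw):
    """A LAN host: LAN destinations are switched directly, everything else
    goes to the host's configured default gateway."""
    def policy(dst):
        return "DELIVER" if is_lan(dst) else default_gw
    return policy


def router_policy(redirect_to=None):
    """The LAN router/switch.  Normally internet-bound traffic leaves via the
    uplink; with `redirect_to` set it forwards ALL internet-bound traffic to
    that LAN host instead (the transparent-proxy set-up Willie objects to)."""
    def policy(dst):
        if is_lan(dst):
            return "DELIVER"
        return redirect_to if redirect_to else "UPLINK"
    return policy


def scenario_router_redirect():
    """Willie's point: the router pushes internet traffic to gentoo, but
    gentoo's own default gateway is that same router, so the packet bounces
    between the two until its TTL runs out."""
    nodes = {
        "winbox": host_policy("router"),
        "gentoo": host_policy("router"),
        "router": router_policy(redirect_to="gentoo"),
    }
    return trace(nodes, "winbox", "INTERNET")


def scenario_gentoo_as_gateway():
    """Harry's bullet list: winbox's gateway is gentoo, gentoo forwards to
    the router, the router (not redirecting) sends it out the uplink.
    Note that only winbox's own gateway setting makes this path happen;
    nothing on the router enforces it."""
    nodes = {
        "winbox": host_policy("gentoo"),
        "gentoo": host_policy("router"),
        "router": router_policy(),
    }
    return trace(nodes, "winbox", "INTERNET")


if __name__ == "__main__":
    for name, fn in (("router redirect", scenario_router_redirect),
                     ("gentoo as gateway", scenario_gentoo_as_gateway)):
        path, outcome = fn()
        print(f"{name:18s}: {' -> '.join(path)}  [{outcome}]")
```

The redirect scenario reproduces the bounce Willie describes (winbox, router, gentoo, router, gentoo, ... until the hop budget is spent), while the gateway scenario leaves the LAN after three hops in this model. Two things the model leaves out matter in practice: a Linux gateway that forwards a packet back out the interface it arrived on will send an ICMP redirect unless `net.ipv4.conf.<iface>.send_redirects` is off, and the second path depends entirely on a client-side setting that the client can change, which is the same enforcement gap Willie raises for a browser-configured proxy.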