DNS and NAT

Jan Engelhardt jengelh at linux01.gwdg.de
Mon Jul 11 23:36:57 CEST 2005


> Proxy servers are a good choice in some circumstances; you maintain maximum
> control over what clients can and cannot do (unless users have shell access to
> the proxy server, perhaps.) But proxying is far more resource-intensive than
> NAT.

Not hard either. Just catch any non-squid packets and redir them to lo. In 
iptables words:

  -t nat -A OUTPUT -j DNAT -p tcp --dport {80|3128} --to-dest 127.0.0.1:80 \
    -m owner ! --uid-owner squid

{80,3128} depending on whether you want transparent(80) proxying or 
intercepted(3128) proxying.

Since squid usually listens on an unprivileged port (3128), the socket 
creation can be deferred until after the setuid from root to squid; therefore, 
the socket belongs to "squid" and thus --uid-owner can match.


Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/
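As an added example (not part of the post above), the following script wraps the OUTPUT-chain DNAT rule from the message in a dry-run-capable form and adds the check a practitioner wants before relying on `-m owner`: that the proxy's listening socket really is owned by the proxy user, which is the precondition the post describes. The proxy user name "squid", the port 3128, the function names and the DRY_RUN switch are this example's assumptions, and the /proc/net/tcp excerpt is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (this example's
# own): proxy user "squid", listen port 3128, the function names and the
# DRY_RUN switch.

PROXY_USER="${PROXY_USER:-squid}"
PROXY_PORT="${PROXY_PORT:-3128}"

# With DRY_RUN=1 (the default) the iptables commands are printed instead
# of executed, so the rule set can be reviewed without root.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# DNAT is only valid in the nat table. Packets from sockets owned by the
# proxy user are excluded; without that exclusion the proxy's own
# upstream fetches to port 80 would be looped straight back into it.
proxy_redirect_rules() {
    run iptables -t nat -A OUTPUT -p tcp --dport 80 \
        -m owner ! --uid-owner "$PROXY_USER" \
        -j DNAT --to-destination "127.0.0.1:$PROXY_PORT"
}

# Print the uid that owns the LISTEN socket on the given TCP port, read
# from a /proc/net/tcp-format table ($2, default the live one). Column 2
# is local address:port in hex, column 4 the state (0A = LISTEN) and
# column 8 the owning uid. Readable without root, unlike "ss -p".
listener_uid() {
    port_hex=$(printf '%04X' "$1")
    awk -v p="$port_hex" '$4 == "0A" && $2 ~ (":" p "$") { print $8; exit }' \
        "${2:-/proc/net/tcp}"
}

# Compare the listener's uid with the proxy user's uid. Returns 0 when the
# owner match will actually hit the proxy's sockets, 1 when the socket is
# owned by someone else (e.g. still root), 2 when the user does not exist.
check_socket_owner() {
    want=$(id -u "$PROXY_USER" 2>/dev/null) || return 2
    have=$(listener_uid "$PROXY_PORT" "${1:-/proc/net/tcp}")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Constructed /proc/net/tcp excerpt: a listener on 3128 (0x0C38) owned by
# uid 107 and one on 80 (0x0050) owned by root.
SAMPLE_TCP=$(mktemp)
trap 'rm -f "$SAMPLE_TCP"' EXIT
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000   107        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
EOF

proxy_redirect_rules
echo "uid owning the :$PROXY_PORT listener in the sample table: $(listener_uid "$PROXY_PORT" "$SAMPLE_TCP")"
```

On a live box, run `DRY_RUN=0 sh script.sh` as root to install the rule, and call `check_socket_owner` after the proxy is up: if it returns 1, the proxy created its listening socket before dropping privileges and the owner match will not exclude it, so its own traffic would be redirected back to itself.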
