IpTables Gurus out there?
Jun. 7th, 2006 10:47 am
I have a rather ordinary set-up at home: A mini-tower box running Linux acts as my firewall, using NAT to assist everyone inside the house in getting out but preventing anyone from getting in. It's not perfect, but it's your standard solid setup. I haven't had any problem with it and I keep it updated.
I would like to run Dan's Guardian on the NAT box, but I would like only some of the machines in the house to be routed through it, namely, the kids'. Dan's Guardian is basically a proxy that uses a cache (Squid, in this case) to retrieve content from the web, and then analyzes both the addresses and the content for things you might not want.
Can anybody tell me what the iptables magic is for directing traffic from a specific host on a specific subnet to the proxy engine? The idea here is to prevent anything that tries to "route around" the proxy (like, the kids figure out how to turn "use proxy" off on their browsers) from being able to go anywhere without going through it.
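The transparent-proxy rules the post is asking about, written out as an added example (not from the post, nor from DansGuardian's or Squid's own documentation). It assumes a hypothetical layout: LAN interface eth1 with address 192.168.1.1 on the NAT box, DansGuardian listening on 192.168.1.1:8080, Squid on 127.0.0.1:3128, the NAT box acting as the LAN's DNS resolver, and two kids' machines at 192.168.1.20 and 192.168.1.21. Besides forcing port-80 traffic into DansGuardian, it closes the two usual ways around the filter: talking to Squid directly, and forwarding anything else from those hosts straight to the Internet.

```shell
#!/bin/sh
# Added example; all addresses, interface names and ports below are assumptions.
LAN_IF=eth1          # interface facing the house LAN
LAN_IP=192.168.1.1   # NAT box's LAN address (DansGuardian listens here)
DG_PORT=8080         # DansGuardian port
SQUID_PORT=3128      # Squid port; must be reachable only from localhost
KIDS="192.168.1.20 192.168.1.21"   # hosts that must go through the filter

# Print the iptables commands for one host. Printing rather than executing
# keeps the script easy to review; pipe the output to sh to apply it.
gen_rules() {
    host="$1"
    # 1. Transparent redirect: rewrite the host's outbound port-80 connections
    #    to DansGuardian on the NAT box, regardless of the browser's proxy setting.
    #    After DNAT to a local address the packet goes to INPUT, not FORWARD.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $host -p tcp --dport 80 -j DNAT --to-destination $LAN_IP:$DG_PORT"
    # 2. What the host may reach on the NAT box itself: DNS and DansGuardian.
    #    Allowing DG_PORT also covers a browser explicitly configured to use the
    #    proxy, which is how HTTPS (CONNECT) still works through the filter.
    echo "iptables -A INPUT -i $LAN_IF -s $host -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -s $host -p tcp --dport $DG_PORT -j ACCEPT"
    # 3. Never let the host talk to Squid directly; only DansGuardian should.
    #    Inserted at position 1 so it precedes any permissive LAN rule already there.
    echo "iptables -I INPUT 1 -i $LAN_IF -s $host -p tcp --dport $SQUID_PORT -j DROP"
    # 4. Nothing else from this host is forwarded to the Internet, so a browser
    #    with "use proxy" switched off, or pointed at an outside proxy, goes nowhere.
    echo "iptables -I FORWARD 1 -i $LAN_IF -s $host -j DROP"
}

# Number of rules generated for one host (handy for sanity checks).
rule_count() {
    gen_rules "$1" | grep -c '^iptables'
}

# With "apply" as the first argument the rules are executed (needs root);
# with no argument they are only printed for review.
if [ "${1:-}" = "apply" ]; then
    for h in $KIDS; do gen_rules "$h"; done | sh
else
    for h in $KIDS; do gen_rules "$h"; done
fi
```

Other machines in the house are untouched by these rules, since every rule is keyed on the kids' source addresses; DNS must be served by the NAT box under this layout, since direct DNS to the Internet is dropped by rule 4.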
no subject
Date: 2006-06-07 07:25 pm (UTC)
The only fix for that would be to open up the box and stick in a rogue ethernet card. I'm not sure a nine-year-old is quite there yet.
I am sure that someday one of them will figure out how to get past all of the barriers -- xscreensaver-lock, whatever Omaha has on her Mac, and so forth. The rule there is much the same as why we keep all the adult books on the top shelf: when they're tall enough, and interested enough, to start taking those down, it's seriously time to start talking to them about what happens next.
Measures of maturity
Date: 2006-06-07 10:20 pm (UTC)
I looked at the setup, figured out how to bypass the proxy server, and told 'em it was easy and as soon as they figured it out themselves I'd run interference with their mom on letting 'em have free access to the net.
So I think of it as a maturity test and incentive: When they can figure out how to bypass the system there's nothin' I can really do anyway, so I may as well make it a learning experience.
I'm actually not sure if they ever did bypass it; shortly thereafter cable modem came to the valley and dial-ups through the school system fell by the wayside, but I do know now, years later, that their LAN parties went to gigabit ethernet not because of latency in gaming, but because copying terabytes of hentai around on 100baseT just wasn't working...
no subject
Date: 2006-06-08 07:27 am (UTC)