Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
It depends on your definition of "proxy". If you mean without having to set a proxy server in the client computers config, then yes, you can do this.
It's called a transparent bridge/proxy and basically what you do is "bridge" both ethernet cards on your server together (so that any traffic recieved on one is transmitted by the other and vice versa), and then run iptables rules on that server.
These iptables rules silently grab and redirect any port 80 (i.e. HTTP) or other requests you want and force them through a proxy on the same machine (usually squid). To the clients, there IS no proxy, to the server, it sees, intercepts, proxies, filters and caches anything that people try to access without them knowing.
There are several transparent bridge and squid transparent HOWTO's on the net but none of them are simple to implement because it's quite a complex task to do. Using a combination of them and a lot of guesswork, I've implemented this myself in several schools for their main filtering systems (other 1000 users in one, running off a 1GHz machine with Gigabit Ethernet which filters ALL of their web requests).
You can still have other iptables rules (i.e. a firewall) on the server, you can still access the server via an IP address as normal if you wish (with the right IPTables rules) but you end up being a "proxy" without anyone knowing.
A lot of schools use this setup because it means you can make the proxy/filter invisible and, with the right iptables rules, practically impossible to hack because it's not ACTING on any traffic, it's just passing it along silently. The only thing that can get "hacked" is squid and you can make it so that squid's not accessible to the local network, only to "localhost", which is all it needs to filter.
Thanks ledow and rossonieri#1. I'll look into those more carefully in the next few days.
I'm not sure that I worded my second question (about MAC address filtering) correctly. I was asking about filtering content only for certain computers on my local network. For example, computer A wouldn't be filtered, but computer B would be. Is this possible?
Add a matching rule for each mac address to filter. Or if you have only one that isn't filtered use "!" and use the mac address that you don't want the rule for.
From the iptables manpage:
--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes
sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT
Another thing you could do as well, is to configure your dhcp server to serve the OpenDNS IP address to the restricted MAC addresses. Then you can add logging to the iptables rule which will allow you to know if the person has changed the DNS settings on their computer.