LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.

#1  Terayon (LQ Newbie), 03-18-2004, 11:41 AM
Proxy Suggestions.....

Hi,

Well, I am new here and new to Linux, but I can pick things up quickly and can read a manual, so mostly I am looking for someone to point me in the right direction or give me some ideas on how to get this to work....

Here is my situation:

I have a Cisco PIX NAT firewall between my network and LAN.
All hosts on our LAN reside in the same subnet.

I have a bunch of admin machines that are allowed to browse and look anywhere they need to on the net (i.e., IT department, sales department, etc.), and I have another department that should only be able to access a handful of sites.

Right now all hosts on my network point to the IP of the Cisco PIX as a default gateway, which is giving everyone full access to the net. What I want to do is this:

Basically I want to configure a Linux box to control access to the web.
I want the machines to be locked down to use this Linux box as the default gateway so that it is transparent, and I want the Linux box to forward all ports except port 80; it is only the HTTP requests I want to validate and grant or deny access to.

This machine should not use NAT if possible, as the Cisco PIX already handles that if the packet is leaving my network.

Can this be done? And if so, can someone start me off on the right foot?

Thanks.
 
#2  maxut (Senior Member, istanbul), 03-19-2004, 05:27 AM
LAN - linux - router

If you configure your network like this, you can do it easily. I did the same for my network at the office. You need to learn "iptables" and "squid".

For a transparent proxy, you need to type this iptables command to redirect HTTP requests coming from the LAN to the squid port (squid's default port is TCP 3128). (Change 10.0.0.0/24 to your local network.)

iptables -t nat -A PREROUTING -s 10.0.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

Add these lines to squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


If you want more info, visit www.netfilter.org
 
#3  maxut, 03-19-2004, 06:18 AM

Oh, I forgot to tell you that first you must enable routing on your Linux box:
echo 1 > /proc/sys/net/ipv4/ip_forward
 
#4  Terayon (Original Poster), 03-19-2004, 04:58 PM

This is sort of what I want, however....

I don't want the proxy to sit between my entire LAN and my router.
I have one LAN on one subnet; they hit my Cisco router when leaving the network and are NAT'd at that point.

I want to take a small handful of these PCs on my LAN and change their default gateway to point to the proxy; the rest I still want to go straight to my router.

I do not want the Linux proxy to do any NAT at all; I want it to forward all ports, except for port 80, which I want to redirect to squid.

So say I have 100 PCs in my current configuration.
The default gateway on all 100 PCs is 193.100.100.10,
which is the LAN IP of my Cisco PIX.

I want to build a Linux box with squid, give it an IP of, say, 193.100.100.11, and put it on my switch.

I then want to change 50 of my PCs on my network to point to 193.100.100.11 for their default gateway, and the other 50 remain on 193.100.100.10. This way 50 PCs go straight out and 50 go through Linux.

So now all Internet-bound traffic from these 50 PCs goes to the Linux squid box.
I do not want this traffic NAT'd, just passed on to my Cisco router, except if the port is 80, in which case I want it to redirect to squid.

So....

What I am seeing in my head is a Linux server with one network card hanging off my switch. If the traffic from these 50 PCs is internal, the switch handles it; if it is Internet-bound, the Linux box handles it and forwards all ports to my Cisco router, unless it is port 80, in which case it forwards to squid, which allows or denies the request and, if allowed, passes the request on to my Cisco router, which then handles the NAT process.

I want to draw specific attention to the ONE NETWORK CARD part. I am thinking I would only need one network card for this, since if I had two they would both be on the same subnet in the same IP range anyway, so I see no reason why I would need two interfaces on the same LAN/subnet.

I know this is probably a little complex for a newbie, but I have room to play and learn here and am hoping this can be done.
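
Putting maxut's two steps (#2, #3) and Terayon's one-NIC layout (#4) together, here is an added example; it is not code posted in the thread. The script emits the sysctl, route and iptables commands for a Linux box with a single interface on the 193.100.100.0/24 LAN that routes everything except TCP/80 on to the PIX and redirects port 80 to a local Squid, and it carries an `audit_ruleset` check over `iptables-save` output that confirms the redirect is present and that no SNAT/MASQUERADE rule crept in (NAT is meant to stay on the PIX). `eth0`, port 3128 and the /24 are assumptions; the thread only gives 193.100.100.10 (PIX) and .11 (proxy). The `send_redirects` lines are the one-NIC caveat: a router that forwards a packet back out the interface it arrived on otherwise sends the client an ICMP redirect pointing at the PIX, and a client that honours it quietly bypasses the proxy for that destination.

```shell
#!/bin/sh
# Added example, not code posted in the thread.  Builds the one-NIC
# transparent-Squid gateway from post #4 out of the REDIRECT rule (post #2)
# and ip_forward (post #3).  eth0, port 3128 and the /24 are assumptions;
# the thread only gives 193.100.100.10 (PIX) and 193.100.100.11 (proxy).
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-193.100.100.0/24}"
PIX_GW="${PIX_GW:-193.100.100.10}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Kernel settings.  ip_forward is post #3.  send_redirects must be 0 on both
# "all" and the interface (the kernel ORs the two): a router that forwards a
# packet back out the interface it arrived on otherwise sends the client an
# ICMP redirect pointing at the PIX, and the client then bypasses the proxy.
sysctl_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.${LAN_IF}.send_redirects=0
EOF
}

# Route and netfilter rules.  The only nat-table entry is the REDIRECT, so
# this box translates nothing; the PIX stays the NAT device.  Anything from
# the LAN that is not TCP/80 is forwarded out the same interface to the PIX.
# Replies from the Internet return via the PIX directly to the client, so
# FORWARD only ever sees the outbound half of each flow.
iptables_cmds() {
    cat <<EOF
ip route replace default via ${PIX_GW} dev ${LAN_IF}
iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -i ${LAN_IF} -s ${LAN_NET} ! -d ${LAN_NET} -p tcp --dport 80 -j REDIRECT --to-ports ${SQUID_PORT}
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i ${LAN_IF} -o ${LAN_IF} -s ${LAN_NET} ! -d ${LAN_NET} -j ACCEPT
EOF
}

# Check a saved ruleset (iptables-save text on stdin) against the design:
# the port-80 REDIRECT must be there and no SNAT/MASQUERADE may exist.
# Returns 0 if it conforms, 1 otherwise.
audit_ruleset() {
    saved=$(cat)
    printf '%s\n' "$saved" | grep -q -- "--dport 80 -j REDIRECT --to-ports ${SQUID_PORT}" || return 1
    printf '%s\n' "$saved" | grep -qE -- '-j (SNAT|MASQUERADE)' && return 1
    return 0
}

# Constructed iptables-save snippets (not from the thread) to exercise the
# audit: the first matches the design, the second has a stray MASQUERADE.
SAMPLE_SAVE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 193.100.100.0/24 ! -d 193.100.100.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
SAMPLE_SAVE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 193.100.100.0/24 ! -d 193.100.100.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 193.100.100.0/24 -o eth0 -j MASQUERADE
COMMIT'

case "${1:-show}" in
    apply)  # execute for real; needs root
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        { sysctl_cmds; iptables_cmds; } | sh -e
        ;;
    audit)  # usage:  iptables-save | ./proxygw.sh audit
        audit_ruleset && echo "ruleset OK" || { echo "ruleset does NOT match design" >&2; exit 1; }
        ;;
    *)      # default: only print what would be run
        sysctl_cmds; iptables_cmds
        ;;
esac
```

Run without arguments it prints the commands; `apply` as root executes them and `audit` reads `iptables-save` on stdin. Two things the rules cannot enforce: the box must itself have the PIX as default route (the `ip route replace` line), and the 50 clients must keep 193.100.100.11 as their gateway. A user who can set the gateway back to 193.100.100.10 is outside the proxy's reach, which is the same exposure maxut raises for browser-side proxy settings in #5.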
 
#5  maxut, 03-20-2004, 04:18 AM

In my configuration, Linux DOES NOT do any NAT. It just redirects HTTP requests coming from the LAN to its squid port, so squid checks HTTP access.
Other packets are routed to the router directly. I think this configuration is good.

If you want to do that with only ONE NIC, you must configure your clients' browsers to use the proxy server. But if this proxy configuration is removed from a client browser by someone, they can access the net via the router.

I never tried other configurations, because I didn't think it would be a good network structure.
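
For the access decision itself (Terayon's requirement in #1 that one department may only reach a handful of sites, and the "squid checks HTTP access" step maxut describes above), here is an added example that is not from the thread: a squid.conf ACL fragment plus a small POSIX sh evaluator that mirrors how Squid walks those `http_access` lines, so the policy can be checked before it is loaded. The department's address range (193.100.100.50 to .99), the allowed domains and the admin range are assumptions. The `dstdomain` rule it implements (a leading dot matches the domain and everything under it, no leading dot matches only that exact host) and first-match evaluation are Squid's documented behaviour; the evaluator mirrors the listed lines rather than parsing squid.conf.

```shell
#!/bin/sh
# Added example, not code posted in the thread.  Squid access policy for the
# department in post #1 that may only reach a handful of sites, plus a small
# evaluator that mirrors how Squid walks the http_access lines below, so the
# policy can be checked before it is loaded.  The address range, the domain
# list and the admin range are assumptions, not values from the thread.
SQUID_PORT=3128
RESTRICTED_FROM=50                  # 193.100.100.50 .. 193.100.100.99
RESTRICTED_TO=99
ALLOWED_DOMAINS=".example.com .example.net intranet.example.org"

# squid.conf fragment.  Squid takes the first http_access line whose ACLs
# all match; a request matching no line gets the opposite of the last
# line's action, hence the explicit "deny all" at the end.  "all" is built
# in on Squid 3.x; the 2.5 default squid.conf defines it as
# "acl all src 0.0.0.0/0.0.0.0".
squid_acl_conf() {
    cat <<EOF
# transparent-mode directives go here: Squid 2.5 uses the four httpd_accel_*
# lines from post #2; Squid 2.6/3.0 use "http_port ${SQUID_PORT} transparent",
# Squid 3.1 and later "http_port ${SQUID_PORT} intercept".
acl restricted_dept src 193.100.100.${RESTRICTED_FROM}-193.100.100.${RESTRICTED_TO}
acl allowed_sites dstdomain ${ALLOWED_DOMAINS}
acl admin_lan src 193.100.100.0/24
http_access allow restricted_dept allowed_sites
http_access deny restricted_dept
http_access allow admin_lan
http_access deny all
EOF
}

# dstdomain rule: a leading dot matches the domain itself and anything under
# it; without a leading dot only that exact host name matches.
domain_matches() {      # $1 = dstdomain pattern, $2 = requested host
    pat=$1; host=$2
    case "$pat" in
        .*)
            [ "$host" = "${pat#.}" ] && return 0
            case "$host" in *"$pat") return 0 ;; esac
            return 1
            ;;
        *)
            [ "$host" = "$pat" ]
            ;;
    esac
}

# src ACL for the restricted department (same /24, checked by last octet).
in_restricted_dept() {  # $1 = client IP
    case "$1" in 193.100.100.*) ;; *) return 1 ;; esac
    oct=${1##*.}
    [ "$oct" -ge "$RESTRICTED_FROM" ] && [ "$oct" -le "$RESTRICTED_TO" ]
}

# Walk the http_access lines above in order and print allow or deny.
squid_decision() {      # $1 = client IP, $2 = requested host
    ip=$1; host=$2
    if in_restricted_dept "$ip"; then
        for d in $ALLOWED_DOMAINS; do          # allow restricted_dept allowed_sites
            if domain_matches "$d" "$host"; then echo allow; return 0; fi
        done
        echo deny; return 0                    # deny restricted_dept
    fi
    case "$ip" in
        193.100.100.*) echo allow ;;           # allow admin_lan
        *)             echo deny ;;            # deny all
    esac
}

squid_acl_conf
for req in "193.100.100.60 www.example.com" "193.100.100.60 slashdot.org" \
           "193.100.100.20 slashdot.org" "10.0.0.5 www.example.com"; do
    ip=${req% *}; host=${req#* }
    printf '%-16s %-24s %s\n' "$ip" "$host" "$(squid_decision "$ip" "$host")"
done
```

The order of the two `restricted_dept` lines is the whole policy: swap them and the department is denied everything; drop the second and a restricted client asking for a site outside the list falls through to `allow admin_lan`. Squid only sees requests that reach port 3128, so this policy is only as strong as the redirect that feeds it.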
 
#6  maxut, 03-20-2004, 04:20 AM

By the way, sorry for my bad English. Please try to explain your troubles with simple sentences.
Thanks.
 
  

