I am currently deploying a modified version of Dansguardian (pass through proxy) on my LAN here at camp. I have setup iptables to foward port 80 LAN traffic to DansGuardian. It all works out if I set the workstations gateway to the machine running iptables (as well as DansGuardian and Squid). A client though can easily change the gateway address to the router's ip address and bypass the port 80 routing allowing unfiltered access.

I have setup a DHCP server to give out ip addresses and auto assign the correct gateway (iptables) but there is nothing stopping someone from changing the gateway address.

How can I force all workstations to use the iptables gateway rather than the actual router gateway address. My current setup is that ALL workstations are patched directly into a router hub.

Thanks for reading this essay,
Ben

Bump, I really need a reply asap,

thanks

if you change the routing tables of all the clients and dont give them root access , i think your problem would be solved...

The clients are using winboxes though

acompw

Filter outbound to port 80 (with the exception of the proxy box) on your router. That way even if they do change the gateway, the traffic just gets dropped.