LinuxQuestions.org
Old 03-25-2010, 04:43 AM   #1
rexjenny
iptables redirection


Hi,
I am new to iptables, so if this question sounds bizarre please forgive me. We have two Squid proxy servers running in "non-transparent mode" (172.16.0.1 and 172.16.0.2). Currently users have to configure the proxy server they want to use in their browsers. Recently I saw an example for redirecting web traffic to a single transparent proxy server.

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128

Can anyone modify this rule to accommodate my current setup of two proxy servers running in non-transparent mode, i.e. redirect web traffic to the 172.16.0.1-172.16.0.2 IP range? Thanks in advance for the help.
 
Old 03-25-2010, 10:32 AM   #2
nimnull22
What kind of OS is on users' computers?
 
Old 03-26-2010, 08:55 AM   #3
rexjenny
Original Poster
Quote:
Originally Posted by nimnull22
What kind of OS is on users' computers?
First of all, thanks for showing interest. Regarding your question: students have all kinds of Windows family OS, Apple Macs, *nix-based distributions, etc. Ours is a college, where a laptop/wireless user, after obtaining an IP from a wireless AP, has to configure either one of these proxy server addresses in their browser to get web access. There is no authentication involved in this scheme, meaning anyone with a laptop or wireless device can access the web.

To resolve this we would like to introduce authentication in our setup so that we can track users. "Squid NTLM Authentication against Active Directory" is one way to do this, but it needs a costly Windows 2003 Server license which we cannot afford. Another solution is to run a "Captive Portal" which intercepts http/https requests and redirects them to a login page for authentication. The two lines I quoted in my earlier post are part of this script, which has been modified so that, after successful user authentication, users will be redirected to the lone squid proxy running in transparent mode.

My question is: is it possible to redirect web traffic (http/https) to two proxy servers using iptables? (For example using an ip range: iptables -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-destination 172.16.0.1-172.16.0.2)

# Generated by iptables-save v1.2.8 on Tue Jan 31 20:19:08 2006
*filter
:INPUT DROP [98:9891]
:FORWARD ACCEPT [62452:12516145]
:OUTPUT ACCEPT [28235:10386076]
:LOGDROP - [0:0]
-A LOGDROP -j LOG
-A LOGDROP -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1812 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1813 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1814 -j ACCEPT
-A INPUT -i eth1 -j LOGDROP
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3990 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j LOGDROP
-A FORWARD -i eth0 -j LOGDROP
-A FORWARD -o eth0 -j LOGDROP
COMMIT
# Completed on Tue Jan 31 20:19:08 2006
# Generated by iptables-save v1.2.8 on Tue Jan 31 20:19:08 2006
*nat
:PREROUTING ACCEPT [4569:305698]
:POSTROUTING ACCEPT [415:33518]
:OUTPUT ACCEPT [634:47605]
-A PREROUTING -d ! 192.168.1.1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Transparent proxy do not work on https
#-A PREROUTING -d ! 192.168.1.1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
# SSH
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE
# Direct access to JCT squid
-A POSTROUTING -d 147.161.1.25 -o eth1 -p tcp -m tcp --dport 3128 -j MASQUERADE
# DNS
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 53 -j MASQUERADE
-A POSTROUTING -o eth1 -p udp -m udp --dport 53 -j MASQUERADE
# POP IMAP
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 993 -j MASQUERADE
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 995 -j MASQUERADE
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 110 -j MASQUERADE
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 143 -j MASQUERADE
# SMTP
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 25 -j MASQUERADE
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 587 -j MASQUERADE
# https
-A POSTROUTING -o eth1 -p tcp -m tcp --dport 443 -j MASQUERADE
COMMIT
# Completed on Tue Jan 31 20:19:08 2006
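The thread's core question is whether REDIRECT can send traffic to the 172.16.0.1-172.16.0.2 range. It cannot: REDIRECT only rewrites the destination to an address of the box the rule runs on, which is why the captive-portal script uses it with a Squid on the same host. Sending intercepted connections to two other hosts needs DNAT in the nat PREROUTING chain, and the split between the two proxies can be done with the `statistic` match. The script below is an added example written for this thread, not the poster's script or part of the captive portal: it builds the nat-table fragment for both questions above and can print it for review or feed it to iptables-restore. The proxy addresses and port 3128 are from the thread; the LAN interface name `eth0` and the use of MASQUERADE towards the proxies are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): intercept port-80 connections from
# the wireless LAN and DNAT them to two remote Squid proxies, alternating per connection.

PROXY1=172.16.0.1   # from the thread
PROXY2=172.16.0.2   # from the thread
PROXY_PORT=3128     # from the thread
LAN_IF=eth0         # assumption: interface the wireless clients arrive on

# gen_nat_rules PROXY_A PROXY_B PORT
# Emits an iptables-restore fragment for the nat table. The nat table is consulted
# only for the first packet of a connection, so "every 2nd packet" in the statistic
# match below really means every 2nd new connection; conntrack keeps the rest of
# the flow on the proxy that was chosen for its first packet.
gen_nat_rules() {
    a=$1; b=$2; port=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Clients that still have a proxy configured in the browser talk to port $port directly; leave them alone.
-A PREROUTING -i $LAN_IF -p tcp -d $a --dport $port -j RETURN
-A PREROUTING -i $LAN_IF -p tcp -d $b --dport $port -j RETURN
# REDIRECT can only target this box, so use DNAT to reach the remote proxies.
# Connection 0,2,4,... goes to proxy A; whatever is left falls through to proxy B.
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination $a:$port
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j DNAT --to-destination $b:$port
# Replies must come back through this box so the DNAT can be reversed. Masquerading
# the forwarded connections guarantees that even if the proxies' default route points elsewhere.
-A POSTROUTING -p tcp -d $a --dport $port -j MASQUERADE
-A POSTROUTING -p tcp -d $b --dport $port -j MASQUERADE
COMMIT
EOF
}

# count_dnat_rules FRAGMENT: number of DNAT rules in a generated fragment (sanity check
# before loading: exactly one per proxy is expected).
count_dnat_rules() {
    printf '%s\n' "$1" | grep -c -- '-j DNAT'
}

# Print the fragment by default; load it only when explicitly asked (needs root and
# net.ipv4.ip_forward=1). --noflush keeps the existing tables intact.
if [ "${1:-}" = "--apply" ]; then
    gen_nat_rules "$PROXY1" "$PROXY2" "$PROXY_PORT" | iptables-restore --noflush
else
    gen_nat_rules "$PROXY1" "$PROXY2" "$PROXY_PORT"
fi
```

Two caveats before using something like this. The proxies must accept intercepted requests: a client whose connection was DNATed sends an ordinary origin-form request ("GET /path"), not a proxy-form one, and a Squid port configured for manual browser proxying (the "non-transparent mode" in the thread) will not serve it. Squid needs the `transparent` (2.6/2.7) or `intercept` (3.1 and later) option on the `http_port` line, and because the DNAT happens on a different host than Squid, Squid reconstructs the URL from the Host header rather than from the kernel's original-destination record. Second, the example deliberately covers only port 80; as the poster's own dump notes, intercepting 443 into a plain proxy port does not work, since what arrives is a TLS handshake rather than HTTP. The split is also static: if one proxy goes down, half of the new connections still go to it.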
 
  


All times are GMT -5. The time now is 11:53 PM.
