* Fw: IPTables dynamic routing for school
@ 2003-04-02 0:31 Danny Patel
2003-04-07 16:39 ` Raymond Leach
0 siblings, 1 reply; 2+ messages in thread
From: Danny Patel @ 2003-04-02 0:31 UTC (permalink / raw)
To: netfilter
Hi,
Thanks for the awesome packet filtering tool. It has really come in handy for our school setup. I have one issue that I am hoping you can help me with. After thoroughly researching this issue I can't seem to find any solution to the following situation in my school setup:
The server is Gateway/Firewall
IPTables ver: 1.2.6
Kernel: 2.4.18 (Red Hat)
Cable Modem (with DHCP for external address)
Internal network: 192.168.1.0/24
Internal interface: eth0
External interface: eth1
Internally we use DHCP service to allocate IPs to the student PCs. (192.168.1.0/24)
Goal of what I am trying to do: When the firewall first starts we would like to redirect all HTTP traffic headed to the internet from the student PCs to our internal webserver (192.168.1.1) where the students are first required to pick an assignment. Once a student picks an assignment then we would like to allow only that student's IP to access the internet, hence allow his HTTP traffic out to the internet. This way we can restrict the students from wasting time and allow us to keep records of each student accepting assignments before having access to the internet to do the research for the assignment.
The key here is to only allow those student PCs that have selected an assignment access to the internet and redirect all other students to our local webserver till they pick an assignment.
From my current understanding of IPTables it appears that you can only do redirection/dnat in the -t nat PREROUTING chain but then this ends up applying to all IPs instead of select few.
Any help is greatly appreciated.
Thanks in advance
* Re: Fw: IPTables dynamic routing for school
2003-04-02 0:31 Fw: IPTables dynamic routing for school Danny Patel
@ 2003-04-07 16:39 ` Raymond Leach
0 siblings, 0 replies; 2+ messages in thread
From: Raymond Leach @ 2003-04-07 16:39 UTC (permalink / raw)
To: Netfilter Mailing List
Hi
I think you can accomplish this by using squid ACLs.
You would need to set up squid (either as a transparent or
non-transparent (opaque?)) proxy.
Configure a squid ACL to use a file.
Have the web application (where students check out assignments) write
the ACL file that squid requires.
That's it.
Ray
On Wed, 2003-04-02 at 02:31, Danny Patel wrote:
> Hi,
> Thanks for the awesome packet filtering tool. It has really come in
> handy for our school setup. I have one issue that I am hoping you can
> help me with. After thoroughly researching this issue I can't seem to
> find any solution to the following situation in my school setup:
>
> The server is Gateway/Firewall
> IPTables ver: 1.2.6
> Kernel: 2.4.18 (Red Hat)
> Cable Modem (with DHCP for external address)
> Internal network: 192.168.1.0/24
> Internal interface: eth0
> External interface: eth1
> Internally we use DHCP service to allocate IPs to the student PCs.
> (192.168.1.0/24)
>
> Goal of what I am trying to do: When the firewall first starts we
> would like to redirect all HTTP traffic headed to the internet from
> the student PCs to our internal webserver (192.168.1.1) where the
> students are first required to pick an assignment. Once a student
> picks an assignment then we would like to allow only that student's IP
> to access the internet, hence allow his HTTP traffic out to the
> internet. This way we can restrict the students from wasting time and
> allow us to keep records of each student accepting assignments before
> having access to the internet to do the research for the assignment.
>
> The key here is to only allow those student PCs that have selected an
> assignment access to the internet and redirect all other students to
> our local webserver till they pick an assignment.
>
> From my current understanding of IPTables it appears that you can only
> do redirection/dnat in the -t nat PREROUTING chain but then this ends
> up applying to all IPs instead of select few.
>
> Any help is greatly appreciated.
>
> Thanks in advance
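Added example, not part of either message: one way the web application mentioned in the reply could maintain the file behind a Squid `src` ACL, validating each address before it reaches the allowlist. The file path and function names are hypothetical; the subnet and webserver address are the ones given in the question.

```python
import ipaddress
import os
import tempfile

# Values from the question; everything else here is an assumption.
STUDENT_NET = ipaddress.ip_network("192.168.1.0/24")
WEBSERVER = ipaddress.ip_address("192.168.1.1")

# Assumed squid.conf lines that consume the file (path is hypothetical):
#   acl approved src "/etc/squid/approved_students.acl"
#   http_access allow approved
#   http_access deny all
# Squid re-reads the file on `squid -k reconfigure`.

def load_approved(path):
    """Return the set of addresses already listed in the ACL file."""
    try:
        with open(path) as fh:
            lines = [ln.strip() for ln in fh]
    except FileNotFoundError:
        return set()
    return {ipaddress.ip_address(ln) for ln in lines
            if ln and not ln.startswith("#")}

def write_atomic(path, addrs):
    """Write one address per line, then rename, so Squid never reads a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            fh.writelines(f"{ip}\n" for ip in sorted(addrs))
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def approve(path, peer_addr):
    """Add one student PC; return True if the file changed.
    peer_addr must be the TCP peer address the web server saw,
    not a form field or header the client controls."""
    # ip_address() rejects CIDR text such as "192.168.1.0/24" or "0.0.0.0/0",
    # which a src ACL would otherwise treat as a whole range.
    ip = ipaddress.ip_address(peer_addr)
    reserved = (STUDENT_NET.network_address, STUDENT_NET.broadcast_address, WEBSERVER)
    if ip not in STUDENT_NET or ip in reserved:
        raise ValueError(f"{ip} is not a student PC address")
    approved = load_approved(path)
    if ip in approved:
        return False
    write_atomic(path, approved | {ip})
    return True
```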