> That sounds good.
> I don't need to transparently proxy, because I have configured the dansguardian proxy into the
> browser that the children use.
> So a group for adults that allows port 80 and 443 would work.
> I just need to block packets except 8080 to the proxy.
> I guess a default of deny all and then allow --gid-owner $adults (all ports)
> and another allow 8080 for all users.
I guess you would need to allow everything from root and other system
users too, not only adults, so it would be easier to allow everything
from all but children and allow only TCP 8080 to proxy from children
(assuming the proxy is defined by IP address or by name resolved in
/etc/hosts, not by DNS, otherwise you must allow DNS out too).
iptables -A OUTPUT -m owner ! --gid-owner $children -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $children \
-d $proxy_address -p tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $children -j DROP
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact email@example.com