George,

In most cases my response to this would be RTFM, but I have had some interactions with you in the past, I am feeling like a generous guy today, and I have recently had some very helpful responses to my queries from other PLUG members. You can go with the configuration I suggest, but the idea David Demland proposes would probably work just as well. I suggest doing this:

    # this will allow firefox to contact your proxy through port 8080
    # (the owner match has to be loaded with "-m owner" before --uid-owner is parsed)
    iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 8080 -m owner --uid-owner cff -j ACCEPT
    # this will stop all other communications with potentially cretinous slobs
    iptables -A OUTPUT -p tcp -m owner --uid-owner cff -j DROP

I haven't debugged this, but this should work (or something very close). It's been a while since I've worked directly with iptables.

best of luck,

jmz

On 1/22/07, George Toft wrote:
> Your assumption is correct - squid + DansGuardian
>
> I need a little help.
>
> I tried:
>     iptables -A OUTPUT -p TCP --dport 80 --uid-owner cff -j REJECT
> and got this error:
>     iptables v1.3.3: Unknown arg `--uid-owner'
>     Try `iptables -h' or `iptables --help' for more information.
>
> I also tried
>     iptables -A OUTPUT -p TCP --dport 80 --uid-owner 1001 -j REJECT
> with the same error.
>
> I looked in the man page, and it looks right to me:
>     --uid-owner userid
>         Matches if the packet was created by a process with the
>         given effective user id.
>
> What did I mess up?
>
> George Toft, CISSP, MSIS
> 623-203-1760
>
>
> Joshua Zeidner wrote:
> > On 1/21/07, George Toft wrote:
> >
> >> I need to set up a Linux workstation (Computers for Families project)
> >> that filters content. The workstation is an edubuntu install. Users
> >> have a generic login, separate from the admin, and the root account is
> >> locked. I added Squid and DansGuardian, which works perfectly once the
> >> Firefox connection settings are set to 127.0.0.1:8080. Problem is that
> >> any user can override this setting in their local profile.
> >>
> >> Is there an elegant way to prevent a user from changing this setting and
> >> surfing the sites of ill repute?
> >>
> >> Kluge/Hackjob method 1:
> >> I guess I could implement a cronjob that checks to see if firefox has
> >> any established port 80 connections, then kills it. Pretty Draconian,
> >> but it will get the point across. Make pref.js read-only for the user
> >> which restores the proxy settings. Pretty inconvenient for the user :(
> >>
> >> Thoughts?
> >
> > George,
> >
> > I am assuming you are running Squid and DansGuardian as a
> > different user than firefox (if not you should change it). You
> > should set iptables to block all packets with destination other than
> > localhost:8080 from your browser user (use the --uid-owner
> > switch). This will also stop them from using other applications to
> > contact internet services of ill repute.
> >
> > -jmz
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
.0000. communication. .0001. development. .0010. strategy. .0100. appeal.
JOSHUA M. ZEIDNER
IT Consultant
++power; ++perspective; ++possibilities;
( 602 ) 490 8006
jjzeidner@gmail.com
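The per-user confinement jmz describes, written out as an added example that is not from the thread or from either poster: a small POSIX shell script that emits the owner-match rules for a given browser user and proxy address, checks that every rule using --uid-owner loads the match module with "-m owner" first (the mistake behind the "Unknown arg `--uid-owner'" error George hit), and goes slightly beyond the thread by logging whatever else that user's processes try to send and by rejecting all protocols rather than only TCP, so UDP-based bypasses are stopped too. The user name cff and the proxy at 127.0.0.1:8080 come from the thread; the log prefix and the function names are constructed for this example. The script prints the iptables commands instead of running them, so the output can be reviewed and then applied as root.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): emit the iptables rules that
# confine one Unix user's network access to the local filtering proxy.
# Assumptions (constructed): browser user "cff", proxy on 127.0.0.1:8080,
# iptables with the "owner" and "limit" match modules available.

# build_rules USER PROXY_IP PROXY_PORT
# Prints one iptables command per line. Apply as root with:
#   build_rules cff 127.0.0.1 8080 | sh
build_rules() {
    user=$1; ip=$2; port=$3
    # The owner match must be loaded with "-m owner" before --uid-owner can
    # be parsed; leaving it out yields "Unknown arg `--uid-owner'".
    printf 'iptables -A OUTPUT -o lo -p tcp -d %s --dport %s -m owner --uid-owner %s -j ACCEPT\n' \
        "$ip" "$port" "$user"
    # Log anything else the user's processes try to send (rate-limited so a
    # misbehaving client cannot flood the kernel log), then reject it so the
    # application fails immediately instead of hanging until a timeout.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -m limit --limit 5/min -j LOG --log-prefix "%s-bypass: "\n' \
        "$user" "$user"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j REJECT\n' "$user"
}

# rule_count USER PROXY_IP PROXY_PORT
# Number of rules build_rules emits; handy as a quick self-check.
rule_count() {
    build_rules "$@" | wc -l | tr -d ' '
}

# check_rules USER PROXY_IP PROXY_PORT
# Returns 0 if every emitted rule that uses --uid-owner also loads the owner
# match, 1 otherwise. This is the check that would have caught the error
# reported in the thread before the rules were ever handed to iptables.
check_rules() {
    build_rules "$@" | grep -- '--uid-owner' | grep -vq -- '-m owner' && return 1
    return 0
}
```

Because the ACCEPT rule is restricted to the loopback interface and the proxy's address and port, the browser user can reach nothing but the proxy; the LOG rule gives a record in the kernel log of attempts to go around it, which is what a cron-based "kill the browser" approach would have lacked.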