hello again ;),

Ok thanks to all you guys who have helped as I've got the masquerading working now with the DNS resolution. What I need now is to be able to force the local network users to use the squid proxy and not access the net directly. I tried adding this:-

FW_REDIRECT_TCP="192.168.0.0/24,0/0,80,3128"

but when I restarted the script I got:-

ipchains: No target by that name (Maybe this kernel doesn't support transparent proxying?)

the script doesn't return any error when restarted but if I try accessing the net I have no problems but it doesn't go through the proxy (which I need for extra security).

I'm using 6.4 with a 2.2.14 kernel straight outta the box. Do I need to recompile the kernel or is it another setting I've missed, screwed up or not prayed to properly ;)

--
Stuart Hodgkinson
Software Engineer
"When bashing the keyboard into your forehead just isn't enough."
hello again ;), Ok thanks to all you guys who have helped as I've got the masquerading working now with the DNS resolution. What I need now is to be able to force the local network users to use the squid proxy and not access the net directly. I tried adding this:-
FW_REDIRECT_TCP="192.168.0.0/24,0/0,80,3128"
but when I restarted the script I got:-
ipchains: No target by that name (Maybe this kernel doesn't support transparent proxying?)
Compile in support for ipportfw. I tried this with Squid a while back and it didn't work for me, the strings are formatted for a webserver and Squid doesn't quite grok them, maybe a newer version of Squid can handle it, I don't know.
the script doesn't return any error when restarted but if I try accessing the net I have no problems but it doesn't go through the proxy (which I need for extra security).
Just firewall ALL outbound access to port 80, that'll make the users go through the proxy =). Also make sure you put up instructions on how to configure the client where they can get them easily. Or use MSIE's IEAK to build a version of IE that is preconfigured, for Netscape you can distribute a registry patch, and/or files for Linux they copy into their home dir to config it painlessly.
I'm using 6.4 with a 2.2.14 kernel straight outta the box. Do I need to recompile the kernel or is it another setting I've missed, screwed up or not prayed to properly ;)
Prolly need to compile ipportfw, but like I said, dunno if Squid'll grok things. Maybe something for someone to work on =)
Stuart Hodgkinson Software Engineer
Kurt Seifried SecurityPortal, your focal point for security on the net http://www.securityportal.com/
You may have to recompile your kernel with CONFIG_TRANSPARENT_PROXY=yes. I guess the experts here may have better advice. That is just a suggestion, not based on experience with the same problem.
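The two approaches discussed in this thread (rejecting direct port-80 traffic, and transparently redirecting it to Squid), written out as raw ipchains rules. This is an added example, not code from any poster or from the firewall script. The LAN range and port 3128 come from the original post; the interface name `eth0`, Squid running on the firewall host itself, and the helper names `proxy_rules` and `apply_rules` are assumptions.

```shell
#!/bin/sh
# Added example: dry-run generator for the ipchains rules discussed above.
LAN="192.168.0.0/24"     # from the original post
SQUID_PORT="3128"        # from the original post
LAN_IF="eth0"            # assumption: interface facing the LAN

# Print the ipchains command for one mode:
#   block    - reject forwarded LAN traffic to port 80, so clients must be
#              configured to use the proxy (Squid's own requests leave via
#              the output chain and are not affected)
#   redirect - hand LAN port-80 traffic to the local Squid port; needs
#              transparent proxy support compiled into the 2.2 kernel
proxy_rules() {
    case "$1" in
        block)
            # Inserted at position 1 so it is matched before any MASQ rule.
            echo "ipchains -I forward 1 -p tcp -s $LAN -d 0/0 80 -j REJECT"
            ;;
        redirect)
            echo "ipchains -A input -i $LAN_IF -p tcp -s $LAN -d 0/0 80 -j REDIRECT $SQUID_PORT"
            ;;
        *)
            echo "usage: proxy_rules block|redirect" >&2
            return 2
            ;;
    esac
}

# Dry run by default: print the rule. Set APPLY=1 (as root) to execute it.
apply_rules() {
    rule=$(proxy_rules "$1") || return 2
    if [ "${APPLY:-0}" = "1" ]; then
        $rule
    else
        echo "$rule"
    fi
}

apply_rules block
apply_rules redirect
```

After applying either rule, `ipchains -L -n -v` shows the packet counters, which confirms whether LAN web traffic is actually hitting it.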
participants (3)
- Kurt Seifried
- Sematimba Noah
- Stuart Hodgkinson