I have a public and private subnet on my network and I'm routing all traffic on my private subnet through a NAT machine on the public subnet. On the NAT machine, I have configured the squid proxy server so that I'm allowing the https connection only to a particular domain (let's say google.com). An excerpt from my squid configuration is as below:
acl allowed_https_sites ssl::server_name google.com
On my iptables rules, I add the below rules according to my squid configuration. The rules are:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
sudo service iptables save
From within the private subnet machine, if I try to navigate to google.com it works, and if I navigate to any other https website I am not able to access it, which is exactly what I want.
I want to take it to one more step where I don't want any kind of outbound connections other than to google.com possible from my NAT machine as well. To achieve this, I am trying to implement a solution as discussed in this solution but am not getting the desired results.
If I modify the rules accordingly as mentioned on the above link, I'm not able to achieve the end result. The end result I'm trying to achieve is to allow only a single https domain from my machine in the private subnet, and everything else should be blocked/rejected. At first I thought I could do a simple string match on iptables rules, but I was mistaken. This seems more challenging than I originally anticipated. Any other ideas that I could try out, or can I somehow tweak the above solution to fit my use case?
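As an added example (not code from the post or from the linked solution), one way to express the host-level restriction: keep the two REDIRECT rules from the post, drop anything the private subnet tries to send around the proxy, and let the NAT host itself open outbound web connections only from the Squid process's UID, so the only path to the internet is through Squid and its server_name ACL. The proxy user name (proxy), subnet (10.0.1.0/24), and interface names (eth0/eth1) are assumptions; adjust them to your hosts.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# ruleset; apply it with: build_egress_rules | sudo iptables-restore
# Assumptions (not stated in the post): Squid runs as user "proxy", the
# private subnet is 10.0.1.0/24 behind eth1, eth0 faces the internet, and
# the intercept ports are 3129 (http) / 3130 (https) as in the post.
PROXY_USER="${PROXY_USER:-proxy}"
PRIV_NET="${PRIV_NET:-10.0.1.0/24}"
PRIV_IF="${PRIV_IF:-eth1}"
PUB_IF="${PUB_IF:-eth0}"

build_egress_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Intercept client web traffic into Squid (same rules as the post)
-A PREROUTING -i $PRIV_IF -s $PRIV_NET -p tcp --dport 80 -j REDIRECT --to-port 3129
-A PREROUTING -i $PRIV_IF -s $PRIV_NET -p tcp --dport 443 -j REDIRECT --to-port 3130
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# FORWARD policy DROP: nothing from the private subnet bypasses Squid.
# Redirected packets are delivered locally (INPUT), so they are unaffected.
# Host egress: loopback, replies to existing flows, DNS for resolution,
# and new web connections only when opened by the Squid process.
# (-m owner is only valid in the OUTPUT chain, which is why it is used here.)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $PUB_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $PUB_IF -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $PUB_IF -p tcp --dport 80  -m owner --uid-owner $PROXY_USER -j ACCEPT
-A OUTPUT -o $PUB_IF -p tcp --dport 443 -m owner --uid-owner $PROXY_USER -j ACCEPT
# Everything else from the host (including root's own tools) is rejected
-A OUTPUT -j REJECT
COMMIT
EOF
}
```

With this in place the domain restriction lives only in Squid's ssl::server_name ACL, and iptables just guarantees there is no other way out, for the clients or for the NAT host itself.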