LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Allow only a sub domain in firewell (http://www.linuxquestions.org/questions/linux-networking-3/allow-only-a-sub-domain-in-firewell-886016/)

muradcsc 06-13-2011 05:07 AM

Allow only a sub domain in firewell
 
Hi
I have got a centos 5.5 box with 2 interface (WAN & LAN) and trying to configure firewall so that LAN user can browse XXX.subdomain.com
(where XXX can be anything). nothing else.

I googled whole day but no luck

Any Help will be appreciated.

thanks

Murad

acid_kewpie 06-13-2011 05:10 AM

this is not a firewalls job. It will deal with IP addressing, and NOT domain names. Not surprising you didn't find anything.

Whilst it is occasionally possible to have firewalling systems that can utilize some elements of DNS, it is not viable to rely on DNS lookups to permit firewall connections as the overhead and latency is vast, and the reliability is poor.

muradcsc 06-13-2011 05:31 AM

Hi Chris,
thanks for your quick reply.
could you please help how can i do that? is there any possible way?

regards

Murad

acid_kewpie 06-13-2011 05:33 AM

what do you mean by "browse a domain"? if this is web traffic, then that's what an http proxy is for. Anything else, you need to write more informative and detailed posts about your situation.

muradcsc 06-13-2011 05:53 AM

OK let me explain, As I told before my linux server contains 2 interface cards eth0 for WAN and eth1 is LAN(10.10.0.0/24), dhcp server is enabled on eth1 interface. Now situation is I want configure the linux server such way that any node inside LAN (for example 10.10.10.254) can only access XXX.subdomain.com. if it want to access say for example www.google.com it will be rejected.

Hope the situation is now clear.

thanks again

Murad

acid_kewpie 06-13-2011 06:03 AM

Well that's not really any more use, but I'll assume you do mean http traffic. So use a proxy, like Squid.

instag 06-13-2011 04:53 PM

A proxy is the best way for sure.
If you don't care about using the server for other outgoing traffic and "XXX.subdomain.com" has a fixed IP address range (for example "188.40.138.0/24"), you could restrict the traffic with an OUTPUT rule:
Code:

iptables -A OUTPUT -o eth0 ! -d 188.40.138.0/24 -j REJECT


All times are GMT -5. The time now is 05:09 AM.