LinuxQuestions.org


b:z 04-14-2005 02:09 AM

Local webserver -- How to deny all clients installing their local web server -- Please help
 
Some clients want to install their own web server (Apache, IIS) on the local network, but I don't agree with their idea; however, they still try to install web servers running on the local network.
How can I deny all web server installations on the local network?

I have a Linux gateway providing DHCP and DNS for the clients.

Please help me solve the problem. Thanks so much.

acid_kewpie 04-14-2005 08:05 AM

Huh? Can you explain this a little more clearly? :confused:

b:z 04-14-2005 08:16 AM

OK, this is the scenario:
1. Network diagram:

<<Internet>>------<<eth0+++eth1>>-------<localnetwork>

2. Problem:

Some users in the local network have installed web servers such as Apache, IIS, ... They want their computer to become a local web server; however, it's terrible because more users will do the same when they know someone has managed it.

3. My wish:

They can install any web server, no problem; however, when any client in the local network accesses an unallowed web server, the access will be denied.

4. Other matter:

My Linux gateway server also already has an existing Clear Web Server, and I want all clients to be able to access only that one, with no unallowed web server in the local network accessible. Besides that, all clients can access the Internet through the Linux gateway (server).

Is that clear for you? If you need any information, I will provide it.
Thanks so much.

Proud 04-14-2005 08:21 AM

I think you want to stop any connection which starts as being inbound to port 80 (www) within the local network, but still allow outbound ones to the Internet. If you don't have access to the local machines then such a network limitation seems to be the only way of controlling webserver usage.

b:z 04-14-2005 08:27 AM

Thanks for your suggestions.
However, can you help me with "iptables" to redirect all requests to port 80 in my local network to the web page?
Example: when any client accesses one of the unallowed web servers, http://192.168.1.19/index.html will be redirected to http://www.abc.com -- or -- when any client accesses another unallowed web server, it is also redirected to http://www.abc.com.
In general, all requests to port 80 in the local network will be redirected to "http://www.abc.com".

Can you show me the way with "iptables" to do this? Thanks so much.

michaelsanford 04-14-2005 07:53 PM

http://krnlpanic.com/tutorials/iptables.php

Where 192.168.1.19 is the host you want not to be able to serve web site content and 1.1.1.1 is the host you're redirecting to.

I'm not sure if iptables can take host names as redirects (I'm pretty sure not) so if you need to find out the IP address of abc.com just issue `host abc.com` and copy-paste it.

Code:

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.19 --dport 80 -i eth1 -j DNAT --to 1.1.1.1

Do this for every local IP address you want to redirect.

Optionally, if you want to be sneaky and silently disallow web sites (without a redirect):
Code:

iptables -A FORWARD -p tcp -d 192.168.1.19 --dport 80 -j DROP

Then, do this to save and later restore the firewall rules:
Code:

iptables-save > iptables_config.fw
iptables-restore < iptables_config.fw

(If I've made a boo boo in my iptables please feel free to correct me please ;) )

b:z 04-14-2005 10:19 PM

Neither is useful when I try both. It seems not suitable for my local network.
When I use the first command, nothing happens. Users can access the unallowed local web server.
When I use the second command, also nothing is better. ... :((

Thanks for your help. Please help me solve the problem.

michaelsanford 04-14-2005 10:52 PM

There is also the possibility that I made a mistake in the firewall rules. I'll let someone comment on that before I offer more 'help' :P

peter_robb 04-15-2005 01:17 AM

You can't REDIRECT traffic you didn't receive..

One pc talking to another doesn't go through the firewall, it goes direct..
Your problem is at each workstation..

You could only block this at the network hub/switch (if it's smart enough)
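The two points made in this thread, the gateway-side iptables rules michaelsanford posted and peter_robb's objection that a LAN host talking to another LAN host never passes through the gateway, can be put side by side in one script. The following is an added example and not code from the thread; it prints the rules as text rather than applying them, and it assumes a constructed topology: LAN 192.168.1.0/24 on eth1, the Internet on eth0, the allowed web server on the gateway itself at 192.168.1.1, and a landing page at 1.1.1.1. The function names (ip_to_int, same_subnet, path_for, build_rules) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. It generates the gateway-side iptables
# rules discussed above as text (nothing is applied to a live firewall) and shows,
# with a pure shell-arithmetic subnet check, why such rules only affect traffic
# that actually crosses the gateway. All addresses below are constructed.
#
# Assumed topology: LAN 192.168.1.0/24 on eth1, Internet on eth0, the allowed web
# server on the gateway itself (192.168.1.1), landing page at 1.1.1.1.
LAN_IF=eth1
LAN_PREFIX=24
LAN_NET=192.168.1.0/$LAN_PREFIX
GATEWAY_WEB=192.168.1.1
LANDING=1.1.1.1

# ip_to_int: dotted quad -> 32-bit unsigned integer, shell arithmetic only.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet SRC DST PREFIXLEN: exit 0 when both addresses share the /PREFIXLEN.
# This is the decision a client's own routing table makes: an on-link destination
# is sent straight to the peer's MAC address and never reaches the gateway.
same_subnet() {
    s=$(ip_to_int "$1")
    d=$(ip_to_int "$2")
    mask=$(( 4294967295 - ((1 << (32 - $3)) - 1) ))
    [ $(( s & mask )) -eq $(( d & mask )) ]
}

# path_for CLIENT DST: "direct" (gateway rules never see it) or "via-gateway".
path_for() {
    if same_subnet "$1" "$2" "$LAN_PREFIX"; then
        echo direct
    else
        echo via-gateway
    fi
}

# build_rules: print the rules for everything that does reach the gateway.
build_rules() {
    cat <<EOF
# nat: leave requests for the gateway's own web server alone, then rewrite any
# other port-80 request aimed at a LAN host so it lands on the landing page.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -d $GATEWAY_WEB -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -d $LAN_NET -j DNAT --to-destination $LANDING
# filter: drop forwarded port-80 traffic still aimed at the LAN (anything the nat
# rule did not rewrite); Internet-bound web traffic is not matched and passes.
iptables -A FORWARD -i $LAN_IF -p tcp --dport 80 -d $LAN_NET -j DROP
EOF
}

build_rules
for dst in 192.168.1.19 "$LANDING"; do
    echo "192.168.1.10 -> $dst: $(path_for 192.168.1.10 "$dst")"
done
```

Run as-is it prints the three rules and then reports that 192.168.1.10 reaches 192.168.1.19 "direct" but 1.1.1.1 "via-gateway": the rules can only ever act on the second case, which is exactly why the original rules appeared to do nothing. The live equivalent of path_for on a client is `ip route get 192.168.1.19`, which shows the destination as on-link with no "via" hop.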

b:z 04-15-2005 01:32 AM

Quote:

You can't REDIRECT traffic you didn't receive..

One pc talking to another doesn't go through the firewall, it goes direct..
Your problem is at each workstation..

You could only block this at the network hub/switch (if it's smart enough)
No way to deny/solve my problem, except purchasing a new switch with a traffic filter function. :(
Is there any way to solve my matter?

Thanks for your reply and thanks for your help.

michaelsanford 04-15-2005 01:41 AM

peter_robb is totally right,

Sorry, I took it for granted that the default route of all your clients was through your gateway which was marshalling connections. If it's not then you can't do much to stop it.

TigerOC 04-15-2005 01:57 AM

I saw this yesterday and was interested to see if anyone came up with a plan, because my first reaction is that it cannot be done in this situation unless all the traffic for the network is moving through that system. Even if this were the case, then dropping all connections on port 80 would deny access to the Internet as well. I agree with the above comment about this being an individual box situation.
Since a server is based on a box, there is very little that can be done to prevent particular traffic moving between boxes on the intranet without affecting every box on the network. If you are the administrator, then ban the use of Internet servers on local boxes.

michaelsanford 04-15-2005 08:28 AM

Out of curiosity, would this work any better in a wireless lan (with a central access point in a hub and spoke configuration) since traffic needs to go through the access point?

peter_robb 04-16-2005 07:11 PM

Anywhere there is a place to be in the middle of the packet stream, there is a possibility to apply rules.

Question is, can the hardware do it..

If the workstations required a domain logon to operate, you can have the ability to control registry settings with a boot file. If workstations boot without a logon, they can still operate on the network, but not access privileged services/servers.

Using this approach, you can force a dns server that won't allow username browsing. This drops them into ip address browsing which can be blocked from the registry.

Or even deny installing software on the workstations.. (but be prepared for a management increase!)

