LinuxQuestions.org
Old 04-14-2005, 02:09 AM   #1
b:z
Member
 
Registered: Mar 2005
Posts: 146

Rep: Reputation: 15
Local web server -- how to deny all clients installing their own local web server -- please help


Some clients want to install their own web server (Apache, IIS) on the local network. I don't agree with their idea, but they still try to install a web server running on the local network.
How can I deny everyone from installing a web server on the local network?

I have a Linux gateway that provides DHCP and DNS for the clients.

Please help me solve the problem. Thanks so much.
 
Old 04-14-2005, 08:05 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965
Huh? Can you explain this a little more clearly?
 
Old 04-14-2005, 08:16 AM   #3
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
OK, this is the scenario:
1. Network diagram:

<<Internet>>------<<eth0+++eth1>>-------<localnetwork>

2. Problem:

Some users in the local network have installed web servers such as Apache, IIS, ... They want their computers to become local web servers, but it's terrible, because more users do the same once they know someone else has managed it.

3. My wish:

They can install any web server they like, but when any client in the local network accesses an unallowed web server, the access will be denied.

4. Other matter:

My Linux gateway server also already runs a Clear Web Server, and I want all clients to be able to access only that one, with no unallowed web server in the local network accessible. Besides that, all clients can access the Internet through the Linux gateway (server).

Is that clear for you? If you need any information, I will provide it.
Thanks so much.
 
Old 04-14-2005, 08:21 AM   #4
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116
I think you want to stop any connection which starts as inbound to port 80 (www) within the local network, but still allow outbound ones to the Internet. If you don't have access to the local machines, then such a network limitation seems to be the only way of controlling web server usage.
 
Old 04-14-2005, 08:27 AM   #5
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
Thanks for your suggestions.
However, can you help me with "iptables" so that all requests to port 80 in my local network will be transferred to the web page?
Example: when any client accesses one of the unallowed web servers, http://192.168.1.19/index.html, it will be redirected to http://www.abc.com -- or -- when any client accesses another unallowed web server, it is also redirected to http://www.abc.com.
In general, all requests to port 80 in the local network will be redirected to "http://www.abc.com".

Can you show me the way to do this with "iptables"? Thanks so much.
 
Old 04-14-2005, 07:53 PM   #6
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
http://krnlpanic.com/tutorials/iptables.php

Where 192.168.1.19 is the host you want not to be able to serve web site content and 1.1.1.1 is the host you're redirecting to.

I'm not sure if iptables can take host names as redirects (I'm pretty sure not), so if you need to find out the IP address of abc.com just issue `host abc.com` and copy-paste it.

Code:
# nat/PREROUTING: rewrite the destination of LAN-side (eth1) traffic for 192.168.1.19:80 to 1.1.1.1
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.19 --dport 80 -i eth1 -j DNAT --to-destination 1.1.1.1
Do this for every local IP address you want to redirect.

Optionally, if you want to be sneaky and silently disallow web sites (without a redirect):
Code:
# FORWARD: drop routed traffic to 192.168.1.19:80 instead of redirecting it
iptables -A FORWARD -p tcp -d 192.168.1.19 --dport 80 -j DROP
Then, do this to save and later restore the firewall rules:
Code:
iptables-save > iptables_config.fw
# iptables-restore reads the saved rule set from standard input
iptables-restore < iptables_config.fw
(If I've made a boo-boo in my iptables, please feel free to correct me.)

Last edited by michaelsanford; 04-14-2005 at 07:57 PM.
 
Old 04-14-2005, 10:19 PM   #7
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
Neither is useful when I try them both. It seems not suited to my local network.
When I use the first command, nothing happens. Users can still access the unallowed local web server.
When I use the second command, nothing is better either... :(

Thanks for your help. Please help me solve the problem.
 
Old 04-14-2005, 10:52 PM   #8
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
There is also the possibility that I made a mistake in the firewall rules. I'll let someone comment on that before I offer more 'help' :P
 
Old 04-15-2005, 01:17 AM   #9
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
You can't REDIRECT traffic you didn't receive..

One PC talking to another doesn't go through the firewall, it goes direct..
Your problem is at each workstation..

You could only block this at the network hub/switch (if it's smart enough).

Last edited by peter_robb; 04-15-2005 at 01:19 AM.
 
Old 04-15-2005, 01:32 AM   #10
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
Quote:
You can't REDIRECT traffic you didn't receive..

One PC talking to another doesn't go through the firewall, it goes direct..
Your problem is at each workstation..

You could only block this at the network hub/switch (if it's smart enough).
So there is no way to deny/solve my problem, except purchasing a new switch with a traffic-filtering function?
Is there any way to solve my matter?

Thanks for your reply and thanks for your help.
 
Old 04-15-2005, 01:41 AM   #11
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
peter_robb is totally right.

Sorry, I took it for granted that the default route of all your clients was through your gateway, which was marshalling connections. If it's not, then you can't do much to stop it.
 
Old 04-15-2005, 01:57 AM   #12
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
I saw this yesterday and was interested to see if anyone came up with a plan, because my first reaction is that it cannot be done in this situation unless all the traffic for the network is moving through that system. Even if this were the case, dropping all connections on port 80 would deny access to the Internet as well. I agree with the above comment about this being an individual box situation.
Since a server is based on a box, there is very little that can be done to prevent particular traffic moving between boxes on the intranet without affecting every box on the network. If you are the administrator, then ban the use of Internet servers on local boxes.
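The point made in replies #9, #11 and #12, that the gateway can only filter traffic that is actually routed through it, can be checked with a small model of the routing decision and of the two rules from reply #6. This is an added example, not code from the thread or from any of the posters. It assumes the LAN is 192.168.1.0/24 behind the gateway's eth1 with eth0 facing the Internet (the thread only names the host 192.168.1.19), and it adds a constructed second subnet, 192.168.2.0/24, to show the one topology in which those rules would fire at all.

```python
"""Why the gateway rules in this thread never fire on a flat LAN (added model, not from the thread).

Assumptions (the thread gives only the host 192.168.1.19): the LAN is 192.168.1.0/24 behind the
gateway's eth1, eth0 faces the Internet, and every LAN-side subnet is reached through eth1.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LAN_SUBNETS = ["192.168.1.0/24"]        # assumed: one flat subnet, all clients and servers on it


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One iptables rule reduced to the matchers used in the thread."""
    chain: str                      # "PREROUTING" (nat table) or "FORWARD"
    dst: str                        # -d
    dport: int                      # --dport
    target: str                     # -j DNAT --to x.x.x.x  or  -j DROP
    in_iface: Optional[str] = None  # -i, None means any interface


# The two rules posted in reply #6, as Rule objects.
THREAD_RULES = [
    Rule("PREROUTING", "192.168.1.19", 80, "DNAT --to 1.1.1.1", in_iface="eth1"),
    Rule("FORWARD", "192.168.1.19", 80, "DROP"),
]


def _subnet_of(ip: str, subnets: List[str]) -> Optional[ipaddress.IPv4Network]:
    addr = ipaddress.ip_address(ip)
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        if addr in net:
            return net
    return None


def ingress_iface(pkt: Packet, subnets: List[str] = LAN_SUBNETS) -> Optional[str]:
    """Interface on which the gateway receives pkt, or None if the gateway never sees it.

    A host only hands a packet to its default gateway when the destination is outside its
    own subnet; two hosts on the same subnet ARP for each other and talk via the switch.
    """
    src_net, dst_net = _subnet_of(pkt.src, subnets), _subnet_of(pkt.dst, subnets)
    if src_net is not None and src_net == dst_net:
        return None                                   # same subnet: no routing hop at all
    return "eth1" if src_net is not None else "eth0"  # LAN-side sources arrive on eth1


def _matches(rule: Rule, iface: str, dst: str, pkt: Packet) -> bool:
    return (rule.in_iface in (None, iface)
            and pkt.proto == "tcp" and pkt.dport == rule.dport and dst == rule.dst)


def outcome(pkt: Packet, rules: List[Rule] = THREAD_RULES,
            subnets: List[str] = LAN_SUBNETS) -> str:
    """Fate of pkt: walk nat PREROUTING (may rewrite dst), then FORWARD, in netfilter order."""
    iface = ingress_iface(pkt, subnets)
    if iface is None:
        return "delivered directly; gateway never sees it"
    dst = pkt.dst
    for r in rules:                                   # nat PREROUTING: first DNAT hit rewrites dst
        if r.chain == "PREROUTING" and _matches(r, iface, dst, pkt):
            dst = r.target.split()[-1]
            break
    for r in rules:                                   # FORWARD is evaluated against the rewritten dst
        if r.chain == "FORWARD" and _matches(r, iface, dst, pkt):
            return f"arrives on {iface}; {r.target} in FORWARD"
    if dst != pkt.dst:
        return f"arrives on {iface}; DNATed to {dst} and forwarded"
    return f"arrives on {iface}; forwarded, no rule matched"


def demo() -> dict:
    """Constructed cases: the poster's scenario, plus the topology in which the rules would work."""
    return {
        "lan client -> rogue LAN server": outcome(Packet("192.168.1.50", "192.168.1.19", 80)),
        "lan client -> Internet site":    outcome(Packet("192.168.1.50", "203.0.113.5", 80)),
        # an outside source reaches the FORWARD chain only if something routes it there
        "Internet host -> rogue server":  outcome(Packet("198.51.100.7", "192.168.1.19", 80)),
        "client on a second routed subnet -> rogue server":
            outcome(Packet("192.168.2.50", "192.168.1.19", 80),
                    subnets=["192.168.1.0/24", "192.168.2.0/24"]),
    }


if __name__ == "__main__":
    for case, fate in demo().items():
        print(f"{case:50s} {fate}")
```

Running it shows the original poster's case ("lan client -> rogue LAN server") never reaches the gateway, so neither posted rule is consulted; that a port 80 connection from the same client to an Internet site passes untouched, so a destination-specific DROP does not cut off web browsing; and that the DNAT rule only fires once the rogue server sits on a different routed subnet, which is exactly the "all traffic moving through that system" condition of reply #12 and needs the kind of network hardware reply #9 mentions.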
 
Old 04-15-2005, 08:28 AM   #13
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
Out of curiosity, would this work any better in a wireless lan (with a central access point in a hub and spoke configuration) since traffic needs to go through the access point?
 
Old 04-16-2005, 07:11 PM   #14
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Anywhere there is a place to be in the middle of the packet stream, there is a possibility to apply rules.

The question is, can the hardware do it..

If the workstations required a domain logon to operate, you would have the ability to control registry settings with a boot file. If workstations boot without a logon, they can still operate on the network, but not access privileged services/servers.

Using this approach, you can force a DNS server that won't allow username browsing. This drops them into IP address browsing, which can be blocked from the registry.

Or even deny installing software on the workstations.. (but be prepared for a management increase!)
 