LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Old 11-14-2009, 03:10 PM   #1
mkp
Member
 
Registered: Jul 2008
Posts: 57

Rep: Reputation: 15
Question for iptables.


Hi, I have a network of 10-15 PCs. I want to block some sites with iptables, but allow them for 2-3 PCs. How do I do it?
 
Old 11-14-2009, 03:37 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Depends on your existing rule-set. What have you got? Sanitise output
before posting - don't tell the world your public IP ;}



Cheers,
Tink
 
Old 11-14-2009, 03:55 PM   #3
arckane
Member
 
Registered: Sep 2005
Location: UK
Distribution: Gentoo/Debian/Ubuntu
Posts: 307

Rep: Reputation: 38
Just an idea, but look up Squid Proxy as well.
 
Old 11-14-2009, 06:38 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376
Yeah, if by "sites" you mean Web sites, then Squid would be a much better choice than iptables.

To get an idea of what's involved, check out this thread.
 
Old 11-15-2009, 01:44 PM   #5
mkp
Member
 
Registered: Jul 2008
Posts: 57

Original Poster
Rep: Reputation: 15
Ok, let's say I have rules to block 1.2.3.4 for my network (10 PCs), like this:

iptables -A INPUT -s 1.2.3.4 -j DROP

So, how do I allow this web site (1.2.3.4) for 1 PC of these 10?

P.S. I have Squid, but I want to do it with iptables. And thanks to all.
 
Old 11-15-2009, 02:24 PM   #6
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)
Posts: 1,005

Rep: Reputation: 79
Use a rule before that one with a defined destination, for example:

iptables -I INPUT -s 1.2.3.4 -d 192.168.0.9 -j ACCEPT

where 192.168.0.9 is the machine you wish to allow to connect to that IP.
 
Old 11-15-2009, 02:40 PM   #7
mkp
Member
 
Registered: Jul 2008
Posts: 57

Original Poster
Rep: Reputation: 15
Thanks, I'll try it tomorrow.
 
Old 11-15-2009, 09:09 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376
Quote:
Originally Posted by mkp
Ok, let's say I have rules to block 1.2.3.4 for my network (10 PCs), like this:

iptables -A INPUT -s 1.2.3.4 -j DROP

So, how do I allow this web site (1.2.3.4) for 1 PC of these 10?

P.S. I have Squid, but I want to do it with iptables. And thanks to all.
If this is for your network, why are you using the INPUT chain? If you're doing packet forwarding you're gonna need to do this in the FORWARD chain. Here's an example of what it might look like:
Code:
iptables -P FORWARD DROP                                             # forward nothing by default
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies for connections already permitted
# the exception comes first: this one LAN host may reach 1.2.3.4
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.3 -d 1.2.3.4 -j ACCEPT
# then the blanket refusal for everyone else on the LAN
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -d 1.2.3.4 -j REJECT
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j ACCEPT               # ACCEPT in the nat table: no address translation applied
Here, the LAN PC with IP 192.168.1.3 is allowed to connect to IP 1.2.3.4 on the WAN side, while all the other PCs are denied access. Keep in mind that a Web site's IP address can change any time, and there can be multiple IPs for a given site, so don't rely on iptables for this sort of thing if you're looking for effective access control measures (use Squid instead).

Last edited by win32sux; 11-15-2009 at 09:17 PM.
 
Old 11-16-2009, 02:04 AM   #9
mkp
Member
 
Registered: Jul 2008
Posts: 57

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux
........ Keep in mind that a Web site's IP address can change any time, and there can be multiple IPs for a given site, ......
I know that.


Quote:
Originally Posted by win32sux
............. (use Squid instead).
I think that what I need can't be done with Squid. Let's say I have 5 PCs (IT dept.) with full rights, 100 PCs with limited rights, and 10 PCs (design studio) which must have full rights, but their boss wants them to be unable to open web sites like facebook, twitter, etc. So, how do I do it with Squid? I have Squid; here is my squid.conf:

mynet.acl - IT dept.
banned.acl - blocked web sites, by IP.
block_url.acl - words like porno, sex, etc.
ogranichenaskorost.acl - speed limit

Code:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
#acl Safe_ports port 21         # ftp
acl Safe_ports port 443 563     # https, snews
#acl Safe_ports port 70         # gopher
#acl Safe_ports port 210                # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280                # http-mgmt
#acl Safe_ports port 488                # gss-http
#acl Safe_ports port 591                # filemaker
#acl Safe_ports port 777                # multiling http
#acl Safe_ports port 901                # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl mynet src "/etc/squid/mynet.acl"

#acl malkoprava src "/etc/squid/malkoprava.acl"
#acl mnogoprava src "/etc/squid/mnogoprava.acl"
acl banned dst "/etc/squid/banned.acl"
#acl ebanking src "/etc/squid/ebanking.acl"
#acl ebanking_url url_regex -i e-postbank.bg
acl download url_regex -i \.iso \.mdf \.mkv \.mp4 \.wma \.mp3 \.wav \.flac \.torrent \.mpeg \.mpg \.exe$ \.vbs \.msi
acl ogranichenaskorost src "/etc/squid/ogranichenaskorost.acl"
acl bad url_regex "/etc/squid/block_url.acl"
acl good url_regex "/etc/squid/allow_url.acl"
# Facebook range
acl block_range dst 69.63.0.0/16

##max connections per ip
acl maxuserconn src 192.168.0.0/16
acl limitusercon maxconn 30
http_access deny maxuserconn limitusercon

Code:
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny banned
http_access deny download
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
acl our_networks src 192.168.0.0/16

#http_access allow our_networks
#acl our_networks src 192.168.10.0/24
#http_access allow our_networks

# Allow the localhost to have access by default
http_access allow localhost
http_access allow mynet
http_access deny bad
http_access deny download
http_access deny banned
http_access deny block_range

#http_access deny malkoprava
#http_access allow mnogoprava
http_access allow good
http_access allow our_networks

# And finally deny all other access to this proxy
http_access deny all
How do I block specific web sites for these 10 PCs?
 
Old 11-16-2009, 03:14 AM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376
Quote:
Originally Posted by mkp
I think that what I need can't be done with Squid. Let's say I have 5 PCs (IT dept.) with full rights, 100 PCs with limited rights, and 10 PCs (design studio) which must have full rights, but their boss wants them to be unable to open web sites like facebook, twitter, etc. So, how do I do it with Squid?
Did you search LQ? I ask because there have been tons of discussions which show how to achieve this sort of configuration. For example, see this thread. Assuming that what you meant is that those 100 PCs can only browse certain sites (while the 10 PCs will only be blocked from certain sites), then this could fit together like this:
Code:
acl IT_department src 192.168.1.11-192.168.1.15
acl the_hundred src 192.168.1.101-192.168.1.200
acl design_studio src 192.168.1.231-192.168.1.240
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"
acl banned_sites dstdomain "/etc/squid/banned_sites.txt"

# Grant full access for the IT department:
http_access allow IT_department

# Grant access to certain sites for the 100 PCs:
http_access allow the_hundred allowed_sites

# Deny access to certain sites for the design studio PCs:
http_access deny banned_sites design_studio

# Grant access to anything not banned for the design studio PCs:
http_access allow design_studio

# Take care of everything else:
http_access deny all

Last edited by win32sux; 11-16-2009 at 03:19 AM.
 
Old 11-16-2009, 03:26 AM   #11
mkp
Member
 
Registered: Jul 2008
Posts: 57

Original Poster
Rep: Reputation: 15
Thanks win32sux for the help, you are very patient. I can't believe it, but I think this will work. I'll try it now.
 
Old 11-16-2009, 07:55 AM   #12
mkp
Member
 
Registered: Jul 2008
Posts: 57

Original Poster
Rep: Reputation: 15
My new squid.conf:

Code:
acl purge method PURGE
acl CONNECT method CONNECT
acl mynet src "/etc/squid/mynet.acl"
acl banned dst "/etc/squid/banned.acl"
acl download url_regex -i \.iso \.mdf \.mkv \.mp4 \.wma \.mp3 \.wav \.flac \.torrent \.mpeg \.mpg \.exe$ \.vbs \.msi
acl ogranichenaskorost src "/etc/squid/ogranichenaskorost.acl"
acl bad url_regex "/etc/squid/block_url.acl"
acl good url_regex "/etc/squid/allow_url.acl"
acl block_range dst 69.63.0.0/16
acl design_studio src 192.168.10.185
acl banned_sites dstdomain "/etc/squid/banned_sites.txt"
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny banned
http_access deny download
http_access deny banned_sites design_studio
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
http_access allow design_studio
http_access allow download design_studio
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/16

#http_access allow our_networks
#acl our_networks src 192.168.10.0/24
#http_access allow our_networks

# Allow the localhost to have access by default
http_access allow localhost
http_access allow mynet
http_access deny bad
http_access deny download
http_access deny banned
http_access deny block_range
http_access deny banned_sites design_studio
http_access allow good
http_access allow our_networks
http_access allow design_studio
http_access allow download design_studio
# And finally deny all other access to this proxy
http_access deny all
Now they can't download. What did I miss?
 
Old 11-16-2009, 08:59 AM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376
Quote:
Originally Posted by mkp
My new squid.conf:

Code:
acl purge method PURGE
acl CONNECT method CONNECT
acl mynet src "/etc/squid/mynet.acl"
acl banned dst "/etc/squid/banned.acl"
acl download url_regex -i \.iso \.mdf \.mkv \.mp4 \.wma \.mp3 \.wav \.flac \.torrent \.mpeg \.mpg \.exe$ \.vbs \.msi
acl ogranichenaskorost src "/etc/squid/ogranichenaskorost.acl"
acl bad url_regex "/etc/squid/block_url.acl"
acl good url_regex "/etc/squid/allow_url.acl"
acl block_range dst 69.63.0.0/16
acl design_studio src 192.168.10.185
acl banned_sites dstdomain "/etc/squid/banned_sites.txt"
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny banned
# (the line painted red in the original post)
http_access deny download
# (the line painted blue in the original post)
http_access deny banned_sites design_studio
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
http_access allow design_studio
# (the line painted green in the original post)
http_access allow download design_studio
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/16

#http_access allow our_networks
#acl our_networks src 192.168.10.0/24
#http_access allow our_networks

# Allow the localhost to have access by default
http_access allow localhost
http_access allow mynet
http_access deny bad
http_access deny download
http_access deny banned
http_access deny block_range
http_access deny banned_sites design_studio
http_access allow good
http_access allow our_networks
http_access allow design_studio
http_access allow download design_studio
# And finally deny all other access to this proxy
http_access deny all
Now they can't download. What did I miss?
I'm not sure if this is what you're referring to (you didn't state who they are), but the condition I painted in green wouldn't ever happen, as the line I painted in red would have denied access already. The effect would be what you've described, and one possible fix would be to move the green line above the red one. You'll probably want to move the line I painted blue above both of those too (unless your intention is to let them download from the banned sites).

BTW, you've got a bunch of duplicate lines in there which you should clean up.

Last edited by win32sux; 11-16-2009 at 09:03 AM.
 
Old 11-16-2009, 09:36 AM   #14
mkp
Member
 
Registered: Jul 2008
Posts: 57

Original Poster
Rep: Reputation: 15
Yes, it's now working. Thanks win32sux, you are the man. My new squid.conf:

Code:
acl our_networks src 192.168.0.0/16
# Only allow cachemgr access from localhost
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny bad
http_access deny banned
http_access deny banned_sites design_studio
http_access allow download design_studio
http_access deny download
http_access allow our_networks
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
http_access allow design_studio
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#acl our_networks src 192.168.0.0/16

# And finally deny all other access to this proxy
http_access deny all
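The ordering problem win32sux explains in post #13, and the fix mkp ends up with in post #14, both come down to how Squid walks http_access: the first line whose ACLs all match decides, so a narrow exception has to sit above the broad deny it carves out of (the same first-match rule is why the per-host ACCEPT in posts #6 and #8 goes above the blanket DROP/REJECT in iptables). The evaluator below is an added example written for this page, not Squid's own code and not anything the posters wrote. It reduces the two configs to the lines that matter for the download exception, assumes addresses for mynet and contents for banned_sites.txt (the thread only names the files), and runs constructed sample requests through both orderings.

```python
# Added example (not Squid's code and not from the thread): a first-match evaluator
# for Squid http_access lines, covering the ACL types the thread uses.
import ipaddress
import re


class Acl:
    def __init__(self, kind, values):
        self.kind, self.values = kind, list(values)

    def matches(self, src_ip, host, url):
        if self.kind == "src":
            ip = ipaddress.ip_address(src_ip)
            return any(ip in ipaddress.ip_network(v, strict=False) for v in self.values)
        if self.kind == "dstdomain":  # ".x.com" = x.com and subdomains, "x.com" = exact host
            host = host.lower()
            return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v))
                       for v in self.values)
        if self.kind == "url_regex":  # "url_regex -i": every token is its own regex
            return any(re.search(v, url, re.IGNORECASE) for v in self.values)
        raise ValueError("unsupported ACL type: " + self.kind)


def line_matches(names, acls, src_ip, host, url):
    """All ACLs on one http_access line must match (AND); a leading '!' negates."""
    for name in names:
        negate = name.startswith("!")
        if acls[name.lstrip("!")].matches(src_ip, host, url) == negate:
            return False
    return True


def http_access(rules, acls, src_ip, host, url):
    """'allow' or 'deny' the way Squid decides: the first matching line wins;
    if no line matches, the opposite of the last line's action applies."""
    for action, names in rules:
        if line_matches(names, acls, src_ip, host, url):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"


def unreached_lines(rules, acls, requests):
    """Indexes of lines that decide none of the sample requests: a cheap way to
    spot an exception shadowed by an earlier, broader line (post #12's problem)."""
    decided = set()
    for src_ip, host, url in requests:
        for i, (_, names) in enumerate(rules):
            if line_matches(names, acls, src_ip, host, url):
                decided.add(i)
                break
    return [i for i in range(len(rules)) if i not in decided]


# ACLs from the thread; mynet addresses and banned_sites.txt contents are assumed.
ACLS = {
    "all": Acl("src", ["0.0.0.0/0"]),
    "mynet": Acl("src", ["192.168.10.11/32", "192.168.10.12/32"]),  # IT dept, assumed
    "design_studio": Acl("src", ["192.168.10.185/32"]),              # post #12
    "our_networks": Acl("src", ["192.168.0.0/16"]),                  # post #9
    "banned_sites": Acl("dstdomain", [".facebook.com", ".twitter.com"]),  # assumed
    "download": Acl("url_regex", [r"\.iso", r"\.torrent", r"\.exe$", r"\.msi"]),  # subset of post #9
}

# Post #12's order, cut down to the lines that matter: the blanket "deny download"
# comes before the design-studio exception, so the exception can never fire.
BROKEN = [
    ("allow", ["mynet"]),
    ("deny", ["banned_sites", "design_studio"]),
    ("deny", ["download"]),                    # matches first ...
    ("allow", ["design_studio"]),
    ("allow", ["download", "design_studio"]),  # ... so this line is dead
    ("allow", ["our_networks"]),
    ("deny", ["all"]),
]

# Post #14's order: the narrow exception precedes the broad deny.
FIXED = [
    ("allow", ["mynet"]),
    ("deny", ["banned_sites", "design_studio"]),
    ("allow", ["download", "design_studio"]),
    ("deny", ["download"]),
    ("allow", ["our_networks"]),
    ("deny", ["all"]),
]

# Constructed sample requests: (client IP, destination host, full URL).
SAMPLES = [
    ("192.168.10.11", "www.facebook.com", "http://www.facebook.com/"),            # IT dept
    ("192.168.10.185", "www.facebook.com", "http://www.facebook.com/"),           # design studio, banned
    ("192.168.10.185", "mirror.example.org", "http://mirror.example.org/x.iso"),  # design studio, download
    ("192.168.10.185", "www.example.org", "http://www.example.org/"),             # design studio, plain page
    ("192.168.10.50", "mirror.example.org", "http://mirror.example.org/x.iso"),   # other LAN PC, download
    ("192.168.10.50", "www.example.org", "http://www.example.org/"),              # other LAN PC, plain page
    ("10.0.0.5", "www.example.org", "http://www.example.org/"),                   # not in our_networks
]

if __name__ == "__main__":
    print(unreached_lines(BROKEN, ACLS, SAMPLES), unreached_lines(FIXED, ACLS, SAMPLES))
```

Run stand-alone it prints `[4] []`: under the post #12 order the `allow download design_studio` line never decides anything, under the post #14 order every line is reachable. The unreached_lines check is only as good as the sample set you feed it, but it catches a shadowed exception before a reload; `squid -k parse` only checks syntax and says nothing about ordering.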
 
  

