Hallo everybody !
I have a question concerning the internet access from a local network.
I know there are firewalls which can deny the access to certain sites using some kind of blacklist or negativelist, but that would not solve my problem. I need to grant the users of a lan access to some sites (about 20), to eMail and to deny the access to the rest of the i-net.
The number of sites the users may have access to can vary in number an address (maybe updateable through the sysadmin).
Is this possible ? If it is, how can I do this ?
Do I need to run a Proxy or do I need to setup special Firewall rules ?
Can anyone point to a link with examples or some detailed HOWTOs ?

Thanks in advance !

You can setup a firewall rule to deny all outgoing packets from the LAN to the internet and then add specific rules to enable only DNS (for domain queries), email and outgoing packets to port 80 (http).

You can do that with IPtables or IPF on openbsd.

Yes, but if I add the rules for DNS queries, all sites will be seen by the users.

Yes, but if I add the rules for DNS queries, all sites will be seen by the users.
No they won't. Sounds like you didn't even try it.

No I didn´t. Because it sounds to me like it would not work, but if you say it works, then I will try.

Still quite new to iptables but if it's possible I was thinking maybe only allowing forwarding based on the destination IP address. You could have a plain text file with the IP's you want to allow access to, one on each line which you could add and delete entries from depending on circumstances

The forwarding rules could then be added by reading in the values from the valid ip file something like

allow_access=`cat ipfile.txt`;

for i in $allow_access;
do
iptables -A FORWARD -i my_lan_interface -d $allow_access -j ACCEPT;
done;

iptables -A FORWARD -m state --state ESTABLISHED,RELATED, -j ACCEPT

You could have different scripts to add/delete rules. No sure if that's a proper use of the FORWARD rule but if you try it and it works then all's well.