Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hello everybody!
I have a question concerning Internet access from a local network.
I know there are firewalls which can deny access to certain sites using some kind of blacklist or negative list, but that would not solve my problem. I need to grant the users of a LAN access to some sites (about 20) and to e-mail, and to deny access to the rest of the Internet.
The number of sites the users may have access to can vary in number and address (maybe updateable by the sysadmin).
Is this possible? If it is, how can I do this?
Do I need to run a proxy, or do I need to set up special firewall rules?
Can anyone point me to a link with examples or some detailed HOWTOs?
You can set up a firewall rule to deny all outgoing packets from the LAN to the Internet and then add specific rules to enable only DNS (for domain queries), e-mail and outgoing packets to port 80 (HTTP).
Still quite new to iptables, but if it's possible I was thinking of maybe only allowing forwarding based on the destination IP address. You could have a plain text file with the IPs you want to allow access to, one on each line, which you could add and delete entries from depending on circumstances.
The forwarding rules could then be added by reading in the values from the valid IP file, something like:
# Read the allowed destination IPs, one per line, from the file
allow_access=$(cat ipfile.txt)
for i in $allow_access; do
    # Allow new connections from the LAN interface only to a listed address
    iptables -A FORWARD -i my_lan_interface -d "$i" -j ACCEPT
done
# Allow reply traffic for connections that were already accepted
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
You could have different scripts to add/delete rules. Not sure if that's a proper use of the FORWARD rule, but if you try it and it works then all's well.
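The two replies above fit together: the first describes the default-deny policy with exceptions for DNS, mail and web, and the second supplies the allow-list file for the web part. The script below is an added example, not code posted in this thread, that combines them into one rebuildable FORWARD chain. It assumes a hypothetical LAN interface eth1 and a hypothetical allow-list at /etc/allowed-sites.txt (one IPv4 address or CIDR per line, '#' comments allowed); both can be overridden with the LAN_IF and ALLOW_FILE variables, and DRY_RUN=1 prints the iptables commands instead of running them, which is how you can review the rule set without root. Three points it gets right that the loop as originally posted did not: the loop variable is used in the rule (the original passed the whole list to -d), the state list has no trailing comma, and the ESTABLISHED,RELATED rule is installed before the per-site rules with the chain policy set to DROP, so nothing not listed is forwarded. Entries that are not valid IPv4 addresses are skipped rather than turned into rules.

```shell
#!/bin/sh
# Added example, not code from the thread: a default-deny FORWARD policy that
# lets the LAN reach DNS, mail, and only the web sites listed in a file.
# Assumptions (hypothetical): the LAN interface is eth1 and the allow-list is
# /etc/allowed-sites.txt, one IPv4 address or CIDR per line, '#' for comments.
# Set DRY_RUN=1 to print the iptables commands instead of executing them.

LAN_IF="${LAN_IF:-eth1}"
ALLOW_FILE="${ALLOW_FILE:-/etc/allowed-sites.txt}"
MAIL_PORTS="25,465,587,110,995,143,993"   # SMTP, submission, POP3, IMAP (+TLS)

# Run iptables, or just print the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Return 0 for a dotted-quad IPv4 address with an optional /prefix, 1 otherwise.
# Validating here keeps a typo in the file from becoming a bad rule.
valid_ip() {
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32            # no slash given
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    for octet in $(printf '%s' "$addr" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Flush FORWARD and rebuild it from scratch so removed sites really disappear.
apply_rules() {
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # Replies to connections already accepted; must come before the per-site rules
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS, so clients can resolve the allowed names (resolver is outside the LAN)
    ipt -A FORWARD -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT
    # Mail to any server
    ipt -A FORWARD -i "$LAN_IF" -p tcp -m multiport --dports "$MAIL_PORTS" -j ACCEPT
    # Web traffic only to the listed destinations
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                       # drop comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if valid_ip "$line"; then
            ipt -A FORWARD -i "$LAN_IF" -d "$line" -p tcp -m multiport --dports 80,443 -j ACCEPT
            count=$((count + 1))
        else
            echo "skipping invalid allow-list entry: $line" >&2
        fi
    done < "$ALLOW_FILE"
    # Anything else from the LAN gets an explicit reject so clients fail fast
    ipt -A FORWARD -i "$LAN_IF" -j REJECT
    echo "allowed $count web destination(s) from $ALLOW_FILE" >&2
    return 0
}

# Re-run this script (e.g. "sh allowlist.sh apply") after editing the file.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Because the chain is flushed and rebuilt on every run, the sysadmin only ever edits the text file and re-runs the script; there is no separate delete script to keep in sync. Two caveats worth knowing before relying on this: the rules only govern traffic the box forwards, so users must not be logged in on the firewall itself, and an allow-list keyed on IP addresses breaks for sites served from many or changing addresses (content delivery networks, shared hosting). For the "about 20 sites" case, the original poster's alternative of a proxy is often the better fit, since a proxy such as Squid can allow by destination domain name and refuse everything else; the firewall above would then only need to let the LAN reach the proxy and the mail ports.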