How to allow a group to access certain sites

dtournas · 12-01-2003, 01:38 PM

Hi there boys and girls!

I searching for a way to allow certain sites to be viewed from a unix group. The clients are on WinY2K logging into Samba PDC. I also have an IPCop PC installed. So which is the right application for me?

Thank you all!

Capt_Caveman · 12-06-2003, 09:46 AM

When you say sites, do you mean how can you control what web sites the clients can view or do you mean how can you limit client access to the Samba filesystem?

dtournas · 12-08-2003, 01:09 AM

First of all thank you for your reply. What I want is to find a way to allow certain sites to be viewed from a unix group.

Capt_Caveman · 12-08-2003, 03:00 AM

And by sites you mean = ???

Websites?
Files within the Samba filesystem?
Other parts of network?

You will need to be more specific about what you are trying to set up.

dtournas · 12-08-2003, 05:11 AM

Sorry about that, I must be more specific...

I ment WEBsites. What I need is sth like a proxy that will not cache the WEBsites but only allow i.e. the Financial Dept. to have access to the www.bank.com website.

Thanx!

Capt_Caveman · 12-08-2003, 10:13 AM

I would try either squid and turn off the cache function (it's in the configuration HOW-TO guide) or you could use iptables to block outbound http traffic that is coming through your gateway router.

Squid can be a little bit of a challenge to setup at first, but is excellent for higher traffic situations.

To use iptables, you would have to add a rule to block outbound http packets that are not destined for www.bank.com. The exact rule would depend on how your network is setup, but would look basically like this:

iptables -I FORWARD -p tcp --dport 80 -i internal_interface -o external_interface -d ! ip_address_of_bank.com -j REJECT

Savy users will be able to get around that rather easily. A more effective way to do it (but more complex as well) is to use iptables and squid in combination. You would block all port 80 traffic and then setup squid to listen on some higher port, then configure each of the clients to use the higher level port of the proxy server for communication.

chrisfirestar · 12-09-2003, 01:52 AM

Capt is very right I am using a similar setup here... basically I have IPTABLES running and SQUID running in TRANSPARENT mode (i think that wat its called) which means that ANY requests on port 80 (http) are automatically forwarded to port 3128 (squid default) then within my squid.conf file I have rules for some users that stop them from access urls I dont want them too.

your only problem could be allowing "users" but im sure their's a way to do it