LinuxQuestions.org
Old 04-28-2005, 12:20 PM   #1
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
allow only Linux for internet


hi there

can it be done like we allow only linux based machines to access the internet through (squid) proxy and firewall (iptables)

in my university after a major virus attack on win machines, the administration wants to allow internet access only through linux machines and keep windows for offline work
this might reduce the chances of virus attacks. of course if they download an attachment in linux which might be a virus for windows, but at least the linux machine will keep on working

so how should we go about it??

one way could be to keep those win machines on a domain, and allow only restricted access to those machines for all users so that they cannot change the network settings in windows,

but we hope to block the internet access from a windows machine

regards
 
Old 04-28-2005, 01:54 PM   #2
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
subnets are all i could think of. put all windows systems on a subnet that is not allowed access to the WAN side of your routers. this will also make them basically invisible to your linux boxes unless you give the linux boxes access to that subnet too.
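The subnet split suggested above, written out as an added example (this is not code from the thread or from any poster): a gateway ruleset in which only the Linux subnet may forward to the WAN or reach the squid port, while the Windows subnet is logged and dropped. The subnet addresses, interface names, proxy port and the DRY_RUN variable are constructed assumptions; with DRY_RUN=1 (the default) the script prints the iptables commands instead of running them so the policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: gateway ruleset for a Linux-only subnet (values are placeholders).
LINUX_NET="${LINUX_NET:-10.10.1.0/24}"   # assumption: Linux hosts live here
WIN_NET="${WIN_NET:-10.10.2.0/24}"       # assumption: Windows hosts live here
LAN_IF="${LAN_IF:-eth0}"                 # assumption: LAN side of the gateway
WAN_IF="${WAN_IF:-eth1}"                 # assumption: WAN side of the gateway
PROXY_PORT="${PROXY_PORT:-3128}"         # squid's default port
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = execute them

# Echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Firewall rules for the gateway: default-deny forwarding, then explicit allows.
gateway_rules() {
    run iptables -P FORWARD DROP
    # Reply traffic for connections the Linux subnet already opened.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Linux subnet may leave towards the WAN.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LINUX_NET" -j ACCEPT
    # Windows subnet is logged (so attempts show up in syslog) and then dropped.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$WIN_NET" -j LOG --log-prefix "WIN-EGRESS: "
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$WIN_NET" -j DROP
    # Only the Linux subnet may talk to the proxy running on this box.
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -s "$LINUX_NET" -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -j DROP
    # NAT for the subnet that is allowed out.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LINUX_NET" -j MASQUERADE
}

# squid.conf fragment enforcing the same split at the proxy itself.
squid_acl() {
    cat <<EOF
acl linux_net src $LINUX_NET
http_access allow linux_net
http_access deny all
EOF
}

# Usage: sh gateway.sh show   (prints the ruleset and the squid ACL)
if [ "${1:-}" = "show" ]; then
    gateway_rules
    squid_acl
fi
```

The ruleset only works when Windows and Linux hosts really sit on different subnets; for the dual-boot machines described later in the thread both operating systems share one address, so the gateway cannot tell them apart and the host-side lockdown discussed in the later replies is needed instead. The LOG rule is there so that any Windows host that does try to leave the LAN is visible in the gateway's syslog.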
 
Old 04-28-2005, 01:56 PM   #3
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Original Poster
Rep: Reputation: 58
no no

let me make this more clear

we will be having windows and linux on a single machine
to access the internet you need to go to Linux

regards
 
Old 04-28-2005, 02:09 PM   #4
lefty.crupps
Member
 
Registered: Apr 2005
Location: Minneap USA
Distribution: Debian, Mepis, Sidux
Posts: 470

Rep: Reputation: 32
just don't make the micro$oft machines internet enabled. take out their tcp/ip stack, and do all their workgroups via netbeui and samba. all should be able to see all, but without tcp/ip the m$ cannot get access to the net
 
Old 04-28-2005, 02:26 PM   #5
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Original Poster
Rep: Reputation: 58
yes that will be a good idea but the problem is that we will need to keep them under some domain controller so that they do not install that TCP/IP in windows

regards
 
Old 04-28-2005, 04:41 PM   #6
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
you do not need the AD to do that. both win2k and XP pro have local security settings. you can make it so that the user (not admin) cannot install anything if you want, in fact you can even limit exactly what they can run.

look around in the local security and settings you will find all kinds of security settings in there you can apply to the user accounts. no need for an AD setup with a win2k or 2k3 server running unless you just want to set it up that way.
 
Old 04-28-2005, 04:45 PM   #7
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Original Poster
Rep: Reputation: 58
yes that can be done through a local machine but with the domain controller we could have more control over the machines

again this solution is not much preferred
since we have a large number of machines, around 800 in the university

regards
 
Old 04-28-2005, 10:39 PM   #8
lefty.crupps
Member
 
Registered: Apr 2005
Location: Minneap USA
Distribution: Debian, Mepis, Sidux
Posts: 470

Rep: Reputation: 32
set them all to run tcp/ip (for "domain" purposes, which is really tied to the internet...) and the linux boxes only to run the ipx/spx stack. then allow that stack only into the default gateway, where there is a proxy server / protocol switcher (linux box or appliance). the ipx/spx (linux network data) will be repackaged as tcp/ip for internet. you might need some powerful protocol machines though!!

or just lock down the permissions tighter, like Lleb_KCir said. What Microsoft O$ are you running?
 
Old 04-28-2005, 11:01 PM   #9
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Original Poster
Rep: Reputation: 58
all types of win OS

98, Xp , 2000

a domain controller will help though
and i will look into your suggestions as well

thanks
 
Old 04-28-2005, 11:19 PM   #10
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
with 9x in the mix you will not be running a full set of AD as 9x does not follow all of the permissions set down by the AD. you can do the exact same thing in the AD as you can in your local security settings. just do it by OU and place all of your users into that OU to prevent them from getting close to the WAN side of things including removing the ability to open IE or either OE or Outlook.

once you have the users set to lowest level they will NOT be able to install 90% of the software out there, nor will they be able to adjust any of the TCP/IP settings.

THIS IS NOT TRUE FOR WIN9x SYSTEMS. as mentioned above win9x is not going to follow the AD permissions for the OU security or user level you have set. your only option for the win9x boxes is to upgrade them or remove windows from them completely and leave linux only on those older systems.

sadly with roughly 800 boxes you will still have to touch each and every box to implement a lot of this.

1. configure your OU
2. assign the users to that OU
3. configure p/w levels for the users
4. touch every box and lock down the local system to prevent local login and ONLY allow domain level log in.
5. remove floppy drives from all boxes for maximum security. with a floppy drive any and all windows systems can be 100% compromised in less than 5min by someone who knows what they are doing and 15-20min by a script kiddy.

that should help. sadly that will again leave you touching every box. if the school has batches of similar hardware systems, then i HIGHLY suggest looking into Symantec's GHOST enterprise. this is pricey, but a school might get a substantial discount. with that you will be able to bring down 1 of each hardware setup and rebuild it. make a ghost img, then do a LAN based roll out.

you can also do something similar with RIS in win2k/win2k3 servers, but those are not nearly as effective and only give you a base level install, not a fully secured and locked down system that ghost enterprise will.

you would also need ghostwalker to roll the SIDs on all of the systems before you bring them live to the domain.

i hope that is a bit better for you.
 
  

