LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 05-02-2006, 04:00 AM   #1
asoka_ajay
LQ Newbie
 
Registered: May 2006
Posts: 2

Rep: Reputation: 0
How do I block certain LAN IP from accessing Internet?


Good day,

I'm currently using Red Hat 9 as my internet gateway. I used simple IP masquerading scripts to enable the internet sharing function. Now, I would like to block certain LAN IPs (static LAN IPs) from accessing my internet and allow only certain websites to be accessed by my client machines. How can I do this in Red Hat 9? I hope someone can guide and assist me on this.

Thank you.
 
Old 05-02-2006, 04:14 AM   #2
baboooss
LQ Newbie
 
Registered: May 2006
Posts: 11

Rep: Reputation: 0
For blocking certain IPs you can use iptables/ipchains...
but for filtering URLs use any URL filtering software.
 
Old 05-03-2006, 10:54 PM   #3
asoka_ajay
LQ Newbie
 
Registered: May 2006
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for the reply, baboooss... but maybe you can help me with the script for iptables/ipchains. I used the script below to configure my internet sharing:
------------------------------------------------------------------------------------
#!/bin/sh
iptables=/sbin/iptables



$iptables --flush -t nat


iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
------------------------------------------------------------------------------------

I would also be grateful if you could suggest some URL filtering software for Red Hat 9/Linux.

Thank you.
 
Old 05-04-2006, 01:11 AM   #4
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
Quote:
Originally Posted by asoka_ajay
#!/bin/sh
iptables=/sbin/iptables



$iptables --flush -t nat


iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
Hey, that's easy. Say, for example, you want to explicitly allow IP 192.168.1.2 to access only www.google.com and you want 192.168.1.3 to have full access to the internet.

So the rules are as follows.
Quote:
iptables -t nat -I POSTROUTING -s 192.168.1.2 -o eth1 -d www.google.com -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.3 -o eth1 -j MASQUERADE

iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward
That's all. Now just change the default gateway and DNS on your client machine to point to the firewall machine's IP address. All other clients on your LAN will not be able to access the internet until you explicitly add the rule in iptables.
 
Old 05-04-2006, 03:55 AM   #5
vimal
Red Hat India
 
Registered: Nov 2004
Location: Kerala/Pune,india
Distribution: RedHat, Fedora
Posts: 260

Rep: Reputation: 36
Hello asoka_ajay,

To deny certain machines from accessing your internet connection, I think you could use the OUTPUT chain in the gateway.

#iptables -A OUTPUT -s 'IP of the internal machine' -d 0/0 -p tcp -j REJECT

To reject certain sites from the client machines, you can add the rule:

#iptables -A OUTPUT -s 'IP of the internal machine' -d 'URL of the site' -p tcp -j REJECT

Please reply if this doesn't work. If so, reply with more details.

Thanks,
 
Old 05-04-2006, 04:44 AM   #6
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
This is not the correct way. He has set up a gateway firewall ROUTER.

Quote:
Originally Posted by vimal
Hello asoka_ajay,

To deny certain machines from accessing your internet connection, I think you could use the OUTPUT chain in the gateway.

#iptables -A OUTPUT -s 'IP of the internal machine' -d 0/0 -p tcp -j REJECT

To reject certain sites from the client machines, you can add the rule:

#iptables -A OUTPUT -s 'IP of the internal machine' -d 'URL of the site' -p tcp -j REJECT

Please reply if this doesn't work. If so, reply with more details.

Thanks,

Last edited by ~=gr3p=~; 05-04-2006 at 04:49 AM.
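
Added example (not part of any post in this thread): a shell function that emits an iptables-restore ruleset for the gateway discussed above, rejecting listed LAN addresses in the FORWARD chain ahead of the general accept rule, since routed packets never pass through OUTPUT. It assumes eth0 is the LAN side and eth1 the internet side, as in the original script; the function names and the sample addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a NAT gateway.
# Assumption (as in the thread's script): eth0 = LAN side, eth1 = internet side.
LAN_IF=eth0
WAN_IF=eth1

# Shape check only (octets are not range-checked). Hostnames are refused:
# iptables resolves a name once, when the rule is loaded, so a rule written
# with a hostname silently goes stale when the site's addresses change.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_ruleset IP...  prints the ruleset; each IP is a LAN client to block.
gen_ruleset() {
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    done
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    # Default-deny for routed traffic: only what is accepted below is forwarded.
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Replies to connections that were allowed out.
    echo "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Blocked clients: these rules must come before the general LAN accept,
    # because the first matching rule in the chain decides the packet's fate.
    for ip in "$@"; do
        echo "-A FORWARD -i $LAN_IF -s $ip -j REJECT --reject-with icmp-host-prohibited"
    done
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    echo "COMMIT"
}

# On the gateway, as root (constructed sample addresses):
#   gen_ruleset 192.168.1.50 192.168.1.51 | iptables-restore
#   echo 1 > /proc/sys/net/ipv4/ip_forward
```

Piping the output to a file first lets the ruleset be reviewed before it is loaded; restricting which websites a client may reach is better handled by a filtering proxy than by destination rules like these.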
 
  

