Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
11-14-2009, 02:10 PM | #1 | Member | Registered: Jul 2008 | Posts: 57
Question for iptables.
Hi, I have a network of 10-15 PCs. I want to block some sites with iptables, but allow them for 2-3 PCs. How do I do it?
11-14-2009, 02:37 PM | #2 | Moderator | Registered: Apr 2002 | Location: earth | Distribution: slackware by choice, others too :} ... android. | Posts: 23,067
Depends on your existing rule-set. What have you got? Sanitise output
before posting - don't tell the world your public IP ;}
Cheers,
Tink
11-14-2009, 02:55 PM | #3 | Member | Registered: Sep 2005 | Location: UK | Distribution: Gentoo/Debian/Ubuntu | Posts: 308
Just an idea, but look up Squid Proxy as well 
11-14-2009, 05:38 PM | #4 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Yeah, if by "sites" you mean Web sites, then Squid would be a much better choice than iptables.
To get an idea of what's involved, check out this thread.
11-15-2009, 12:44 PM | #5 | Member | Registered: Jul 2008 | Posts: 57 | Original Poster
OK, let's say I have a rule to block 1.2.3.4 for my network (10 PCs), like this:
Code:
iptables -A INPUT -s 1.2.3.4 -j DROP
So, how do I allow this web site (1.2.3.4) for 1 PC of these 10?
Etc. I have Squid, but want to do it with iptables. And thanks to all.
11-15-2009, 01:24 PM | #6 | Senior Member | Registered: Mar 2004 | Location: UK | Distribution: CentOS 6/7 | Posts: 1,375
Use a rule before that one with a defined destination, for example:
Code:
iptables -I INPUT -s 1.2.3.4 -d 192.168.0.9 -j ACCEPT
where 192.168.0.9 is the machine you wish to allow to connect to the IP.
11-15-2009, 01:40 PM | #7 | Member | Registered: Jul 2008 | Posts: 57 | Original Poster
Thanks, I'll try it tomorrow.
11-15-2009, 08:09 PM | #8 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote: Originally Posted by mkp
OK, let's say I have a rule to block 1.2.3.4 for my network (10 PCs), like this:
iptables -A INPUT -s 1.2.3.4 -j DROP
So, how do I allow this web site (1.2.3.4) for 1 PC of these 10?
Etc. I have Squid, but want to do it with iptables. And thanks to all.
If this is for your network, why are you using the INPUT chain? If you're doing packet forwarding you're gonna need to do this in the FORWARD chain. Here's an example of what it might look like:
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.3 -d 1.2.3.4 -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -d 1.2.3.4 -j REJECT
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j ACCEPT
Here, the LAN PC with IP 192.168.1.3 is allowed to connect to IP 1.2.3.4 on the WAN side, while all the other PCs are denied access. Keep in mind that a Web site's IP address can change any time, and there can be multiple IPs for a given site, so don't rely on iptables for this sort of thing if you're looking for effective access control measures (use Squid instead).
Last edited by win32sux; 11-15-2009 at 08:17 PM.
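The ordering point made in posts #6 and #8 (the per-host exception only works if it is evaluated before the general block, which is why one uses -I or lists the ACCEPT line above the REJECT line) can be checked without touching a live firewall. The following Python model of first-match evaluation in an iptables filter chain is an added example written for this page, not code from the thread; it understands only the options the posted rules use (-A, -I, -P, -s, -d, -i, -o, -j, -m state --state), skips the nat line, and substitutes the constructed interface names eth1/eth0 for $LAN_IFACE/$WAN_IFACE.

```python
"""First-match model of an iptables filter chain (added example, not from the
thread).  Only the options in the posted rules are understood: -A, -I, -P,
-s, -d, -i, -o, -j and '-m state --state'; '-t nat' lines are skipped.
It shows why a per-host exception has to sit above the general block."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed interface names standing in for $LAN_IFACE / $WAN_IFACE.
IFACES = {"$LAN_IFACE": "eth1", "$WAN_IFACE": "eth0"}


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str = ""
    out_if: str = ""
    state: str = "NEW"


@dataclass
class Rule:
    target: str = "ACCEPT"
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    states: Optional[Set[str]] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ipaddress.ip_address(p.src) in self.src)
                and (self.dst is None or ipaddress.ip_address(p.dst) in self.dst)
                and (self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.states is None or p.state in self.states))


class Chain:
    """One filter-table chain: an ordered rule list plus a default policy."""

    def __init__(self, name: str, policy: str = "ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def apply(self, cmdline: str) -> None:
        """Parse one 'iptables ...' command line and update this chain."""
        for var, iface in IFACES.items():
            cmdline = cmdline.replace(var, iface)
        argv = shlex.split(cmdline)
        if "-t" in argv:                     # the nat table is not modelled
            return
        rule, position = Rule(), len(self.rules)   # -A appends at the end
        it = iter(argv[1:])                  # skip the 'iptables' word
        for opt in it:
            if opt == "-P":
                if next(it) == self.name:
                    self.policy = next(it)
                return
            if opt in ("-A", "-I"):
                if next(it) != self.name:    # a rule for another chain
                    return
                position = 0 if opt == "-I" else position   # -I inserts at the top
            elif opt in ("-s", "-d"):
                setattr(rule, "src" if opt == "-s" else "dst",
                        ipaddress.ip_network(next(it), strict=False))
            elif opt in ("-i", "-o", "-j"):
                setattr(rule, {"-i": "in_if", "-o": "out_if", "-j": "target"}[opt], next(it))
            elif opt == "--state":           # follows '-m state'
                rule.states = set(next(it).split(","))
        self.rules.insert(position, rule)

    def verdict(self, p: Packet) -> str:
        """Target of the first matching rule, else the chain policy."""
        for r in self.rules:
            if r.matches(p):
                return r.target
        return self.policy


def forward_chain_from_post() -> Chain:
    """The FORWARD rules from post #8; 1.2.3.4 is the site being blocked."""
    fwd = Chain("FORWARD")
    for line in (
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
        "iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.3 -d 1.2.3.4 -j ACCEPT",
        "iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -d 1.2.3.4 -j REJECT",
        "iptables -t nat -A POSTROUTING -o $WAN_IFACE -j ACCEPT",
    ):
        fwd.apply(line)
    return fwd


def exception_order(flag: str) -> str:
    """Post #6: the ACCEPT exception only works ahead of the DROP.
    '-A' appends it after the DROP (never reached); '-I' inserts it first."""
    inp = Chain("INPUT")
    inp.apply("iptables -A INPUT -s 1.2.3.4 -j DROP")
    inp.apply(f"iptables {flag} INPUT -s 1.2.3.4 -d 192.168.0.9 -j ACCEPT")
    return inp.verdict(Packet(src="1.2.3.4", dst="192.168.0.9"))
```

With the FORWARD rules from post #8, `forward_chain_from_post().verdict(Packet("192.168.1.3", "1.2.3.4", "eth1", "eth0"))` returns ACCEPT and the same packet from 192.168.1.7 returns REJECT; `exception_order("-A")` returns DROP while `exception_order("-I")` returns ACCEPT, which is the whole difference between the two flags in post #6.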
11-16-2009, 01:04 AM | #9 | Member | Registered: Jul 2008 | Posts: 57 | Original Poster
Quote: Originally Posted by win32sux
........ Keep in mind that a Web site's IP address can change any time, and there can be multiple IPs for a given site, ......
I know that.
Quote: Originally Posted by win32sux
............. (use Squid instead).
I think that what I need can't be done with Squid. Let's say I have 5 PCs (IT dep.) with full rights, 100 PCs with limited rights and 10 PCs (design studio) which must have full rights, but their boss wants them to be unable to open web sites like Facebook, Twitter, etc. So, how do I do it with Squid? I have Squid; here is my squid.conf:
mynet.acl - IT dep.
banned.acl - blocked web sites by ip.
block_url.acl - words like porno, sex, etc.
ogranichenaskorost.acl - limit speed
Code:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
#acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl mynet src "/etc/squid/mynet.acl"
#acl malkoprava src "/etc/squid/malkoprava.acl"
#acl mnogoprava src "/etc/squid/mnogoprava.acl"
acl banned dst "/etc/squid/banned.acl"
#acl ebanking src "/etc/squid/ebanking.acl"
#acl ebanking_url url_regex -i e-postbank.bg
acl download url_regex -i \.iso \.mdf \.mkv \.mp4 \.wma \.mp3 \.wav \.flac \.torrent \.mpeg \.mpg \.exe$ \.vbs \.msi
acl ogranichenaskorost src "/etc/squid/ogranichenaskorost.acl"
acl bad url_regex "/etc/squid/block_url.acl"
acl good url_regex "/etc/squid/allow_url.acl"
# Facebook range
acl block_range dst 69.63.0.0/16
##max connections per ip
acl maxuserconn src 192.168.0.0/16
acl limitusercon maxconn 30
http_access deny maxuserconn limitusercon
Code:
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny banned
http_access deny download
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
acl our_networks src 192.168.0.0/16
#http_access allow our_networks
#acl our_networks src 192.168.10.0/24
#http_access allow our_networks
# Allow the localhost to have access by default
http_access allow localhost
http_access allow mynet
http_access deny bad
http_access deny download
http_access deny banned
http_access deny block_range
#http_access deny malkoprava
#http_access allow mnogoprava
http_access allow good
http_access allow our_networks
# And finally deny all other access to this proxy
http_access deny all
How do I block specific web sites for these 10 PCs?
11-16-2009, 02:14 AM | #10 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote: Originally Posted by mkp
I think that what I need can't be done with Squid. Let's say I have 5 PCs (IT dep.) with full rights, 100 PCs with limited rights and 10 PCs (design studio) which must have full rights, but their boss wants them to be unable to open web sites like Facebook, Twitter, etc. So, how do I do it with Squid?
Did you search LQ? I ask because there have been tons of discussions which show how to achieve this sort of configuration. For example, see this thread. Assuming that what you meant is that those 100 PCs can only browse certain sites (while the 10 PCs will only be blocked from certain sites), then this could fit together like this:
Code:
acl IT_department src 192.168.1.11-192.168.1.15
acl the_hundred src 192.168.1.101-192.168.1.200
acl design_studio src 192.168.1.231-192.168.1.240
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"
acl banned_sites dstdomain "/etc/squid/banned_sites.txt"
# Grant full access for the IT department:
http_access allow IT_department
# Grant access to certain sites for the 100 PCs:
http_access allow the_hundred allowed_sites
# Deny access to certain sites for the design studio PCs:
http_access deny banned_sites design_studio
# Grant access to anything not banned for the design studio PCs:
http_access allow design_studio
# Take care of everything else:
http_access deny all
Last edited by win32sux; 11-16-2009 at 02:19 AM.
11-16-2009, 02:26 AM | #11 | Member | Registered: Jul 2008 | Posts: 57 | Original Poster
Thanks, win32sux, for the help; you are very patient. I can't believe it, but I think this will work. I'll try it now.
11-16-2009, 06:55 AM | #12 | Member | Registered: Jul 2008 | Posts: 57 | Original Poster
My new squid.conf:
Code:
acl purge method PURGE
acl CONNECT method CONNECT
acl mynet src "/etc/squid/mynet.acl"
acl banned dst "/etc/squid/banned.acl"
acl download url_regex -i \.iso \.mdf \.mkv \.mp4 \.wma \.mp3 \.wav \.flac \.torrent \.mpeg \.mpg \.exe$ \.vbs \.msi
acl ogranichenaskorost src "/etc/squid/ogranichenaskorost.acl"
acl bad url_regex "/etc/squid/block_url.acl"
acl good url_regex "/etc/squid/allow_url.acl"
acl block_range dst 69.63.0.0/16
acl design_studio src 192.168.10.185
acl banned_sites dstdomain "/etc/squid/banned_sites.txt"
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny banned
http_access deny download
http_access deny banned_sites design_studio
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
http_access allow design_studio
http_access allow download design_studio
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/16
#http_access allow our_networks
#acl our_networks src 192.168.10.0/24
#http_access allow our_networks
# Allow the localhost to have access by default
http_access allow localhost
http_access allow mynet
http_access deny bad
http_access deny download
http_access deny banned
http_access deny block_range
http_access deny banned_sites design_studio
http_access allow good
http_access allow our_networks
http_access allow design_studio
http_access allow download design_studio
# And finally deny all other access to this proxy
http_access deny all
Now they can't download; what did I miss?
11-16-2009, 07:59 AM | #13 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote: Originally Posted by mkp
My new squid.conf:
Code:
acl purge method PURGE
acl CONNECT method CONNECT
acl mynet src "/etc/squid/mynet.acl"
acl banned dst "/etc/squid/banned.acl"
acl download url_regex -i \.iso \.mdf \.mkv \.mp4 \.wma \.mp3 \.wav \.flac \.torrent \.mpeg \.mpg \.exe$ \.vbs \.msi
acl ogranichenaskorost src "/etc/squid/ogranichenaskorost.acl"
acl bad url_regex "/etc/squid/block_url.acl"
acl good url_regex "/etc/squid/allow_url.acl"
acl block_range dst 69.63.0.0/16
acl design_studio src 192.168.10.185
acl banned_sites dstdomain "/etc/squid/banned_sites.txt"
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny banned
# (the "red" line in the reply below: denies every download before the design-studio exception is reached)
http_access deny download
# (the "blue" line in the reply below: keeps the design studio off the banned sites)
http_access deny banned_sites design_studio
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
http_access allow design_studio
# (the "green" line in the reply below: never matches, because "deny download" above already fired)
http_access allow download design_studio
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/16
#http_access allow our_networks
#acl our_networks src 192.168.10.0/24
#http_access allow our_networks
# Allow the localhost to have access by default
http_access allow localhost
http_access allow mynet
http_access deny bad
http_access deny download
http_access deny banned
http_access deny block_range
http_access deny banned_sites design_studio
http_access allow good
http_access allow our_networks
http_access allow design_studio
http_access allow download design_studio
# And finally deny all other access to this proxy
http_access deny all
Now they can't download; what did I miss?
I'm not sure if this is what you're referring to (you didn't state who they are), but the condition I painted in green wouldn't ever happen, as the line I painted in red would have denied access already. The effect would be what you've described, and one possible fix would be to move the green line above the red one. You'll probably want to move the line I painted blue above both of those too (unless your intention is to let them download from the banned sites).
BTW, you've got a bunch of duplicate lines in there which you should clean up.
Last edited by win32sux; 11-16-2009 at 08:03 AM.
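The two problems this reply points out (a line that can never match because an earlier line already decided every request it would handle, and duplicated lines) can be found mechanically, since Squid acts on the first http_access line whose ACLs all match. The Python below is an added example written for this page, not code from the thread or from Squid: it inspects only http_access lines, never reads the ACL files, and runs on a constructed excerpt that follows the order of the squid.conf in post #12 (including an `allow !Safe_ports` line, which the stock config spells `deny`, to exercise the third check). The `decide` function takes the set of ACL names a request is assumed to match, because evaluating the ACLs themselves is Squid's job; a second constructed excerpt in the order this reply suggests shows the fix.

```python
"""Order checks for Squid http_access lists (added example, not from the
thread or from Squid).  Squid takes the first http_access line whose ACLs
all match, so a later line whose ACL set contains an earlier line's ACL set
can never be reached.  Only http_access lines are inspected."""
import re
from typing import FrozenSet, List, NamedTuple, Set, Tuple


class Rule(NamedTuple):
    lineno: int
    action: str           # 'allow' or 'deny'
    acls: FrozenSet[str]  # ACL names; a leading '!' negates


def parse_http_access(conf: str) -> List[Rule]:
    """Extract http_access lines; '#' starts a comment."""
    rules = []
    for n, raw in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*http_access\s+(allow|deny)\s+(\S.*)", raw.split("#", 1)[0])
        if m:
            rules.append(Rule(n, m.group(1), frozenset(m.group(2).split())))
    return rules


def find_duplicates(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(line, earlier line) pairs with the same action and ACL set."""
    first, dups = {}, []
    for r in rules:
        key = (r.action, r.acls)
        if key in first:
            dups.append((r.lineno, first[key]))
        else:
            first[key] = r.lineno
    return dups


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(line, earlier line) pairs where the later line is unreachable: the
    earlier line's ACLs are a subset of its ACLs, so the earlier line matches
    first.  'deny download' before 'allow download design_studio' is the
    case from this thread."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            duplicate = e.acls == r.acls and e.action == r.action
            if e.acls <= r.acls and not duplicate:
                out.append((r.lineno, e.lineno))
                break
    return out


def find_negated_allows(rules: List[Rule]) -> List[int]:
    """'allow !X' on its own lets through everything outside X; the stock
    config spells the port checks 'deny !Safe_ports'."""
    return [r.lineno for r in rules if r.action == "allow"
            and len(r.acls) == 1 and next(iter(r.acls)).startswith("!")]


def decide(rules: List[Rule], matched: Set[str]) -> str:
    """First-match evaluation for a request matching the ACL names in
    `matched`.  With no matching line Squid applies the opposite of the last
    line's action (deny for an empty list), hence the closing 'deny all'."""
    for r in rules:
        if all(a[1:] not in matched if a.startswith("!") else a in matched
               for a in r.acls):
            return r.action
    return "allow" if rules and rules[-1].action == "deny" else "deny"


# Constructed excerpt in the order of the squid.conf from post #12.
POSTED_ORDER = """\
http_access allow localhost
http_access deny banned
http_access deny download
http_access deny banned_sites design_studio
# Deny requests to unknown ports
http_access allow !Safe_ports
http_access allow design_studio
http_access allow download design_studio
http_access deny download
http_access deny all
"""

# The same lines in the order this reply suggests (and post #14 adopts).
FIXED_ORDER = """\
http_access allow localhost
http_access deny banned
http_access deny banned_sites design_studio
http_access allow download design_studio
http_access deny download
http_access deny !Safe_ports
http_access allow design_studio
http_access deny all
"""

# ACLs a design-studio PC fetching an .exe from an unbanned site would match.
STUDIO_DOWNLOAD = {"download", "design_studio", "Safe_ports"}


def report(conf: str) -> dict:
    rules = parse_http_access(conf)
    return {"shadowed": find_shadowed(rules), "duplicates": find_duplicates(rules),
            "negated_allows": find_negated_allows(rules),
            "studio_download": decide(rules, STUDIO_DOWNLOAD)}


if __name__ == "__main__":
    for name, conf in (("posted order", POSTED_ORDER), ("fixed order", FIXED_ORDER)):
        print(name, report(conf))
```

On the posted order `report` flags line 8 (`allow download design_studio`) as shadowed by line 3 (`deny download`), line 9 as a duplicate of line 3, line 6 as a negated allow, and returns deny for the studio download; on the fixed order it finds nothing and returns allow. The subset test is deliberately conservative: it ignores what the ACLs mean, so it only reports lines that are unreachable whatever the ACL files contain.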
11-16-2009, 08:36 AM | #14 | Member | Registered: Jul 2008 | Posts: 57 | Original Poster
Yes, it's now working. Thanks win32sux, you are the man. My new squid.conf:
Code:
acl our_networks src 192.168.0.0/16
# Only allow cachemgr access from localhost
http_access allow localhost
http_access allow mynet
http_access allow good
http_access deny bad
http_access deny banned
http_access deny banned_sites design_studio
http_access allow download design_studio
http_access deny download
http_access allow our_networks
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
http_access allow design_studio
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#acl our_networks src 192.168.0.0/16
# And finally deny all other access to this proxy
http_access deny all