It sounds to me like you haven't thought this through. Creating a security scheme for Internet access is complicated. Your idea of blocking all ports except port 80 can be easily circumvented by a slightly clever high school student.
First you can block ports using iptables.
You should block port 80 from all machines except one. This one machine is going to be set up as an http proxy server.
That is the answer to your question. However the answer to your intended goal is more complicated. Unfortunately there are numerous ways to implement Internet restrictions. Here is one idea.
If your Internet gateway is a fully fledged computer running Linux then you can use it to block traffic to and from specific IP addresses. You would install some software to monitor all Internet traffic and block traffic to and from addresses on a blacklist. You could obtain a blacklist from some place like Spamhaus.
Some Linux distributions are geared toward performing this sort of security function. One that comes to mind is Openwall Linux (Owl).
If your gateway is not a fully fledged computer running Linux, you have other options to achieve the same goal. For example, if your gateway is a Linksys cable modem/router then there is a Linux distribution that you can load onto the Linksys router to perform enhanced security filtering as already described.
If that is not an option then you can put a fully functioning computer between your cable modem and your router and set up that machine as a bridge. You can run security software on the bridge.
This is a very complicated subject. If you are just doing this so that you can learn about network security then my suggestions above should provide some direction for you to research these issues. If you are setting up a network in a professional context then you should hire an experienced consultant to help you.
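The port 80 rule described in the answer above, as an added example that is not part of the original post: a shell function that generates an `iptables-restore` ruleset for a Linux gateway, allowing forwarded HTTP only from the proxy host and logging and rejecting direct attempts from every other machine. The function names, the proxy address `192.168.1.10` and the LAN interface `eth1` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a ruleset in which only the proxy host may send
# forwarded traffic to TCP port 80. The address and interface used at the
# bottom are constructed sample values.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255, so that
# nothing unexpected is interpolated into the firewall rules.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules PROXY_IP LAN_IF: print the ruleset on stdout, changing nothing.
gen_rules() {
    proxy_ip=$1
    lan_if=$2
    is_ipv4 "$proxy_ip" || { echo "bad proxy address: $proxy_ip" >&2; return 1; }
    case "$lan_if" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $lan_if" >&2; return 1 ;;
    esac
    # Rule order matters: the proxy's ACCEPT must precede the LOG/REJECT pair.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -s $proxy_ip -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $lan_if -p tcp --dport 80 -m limit --limit 6/min -j LOG --log-prefix "direct-http "
-A FORWARD -i $lan_if -p tcp --dport 80 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Print the ruleset for the sample values. Review it, then check the syntax
# as root with: gen_rules 192.168.1.10 eth1 | iptables-restore --test
gen_rules 192.168.1.10 eth1
```

Loading this output with `iptables-restore` replaces the existing contents of the filter table, and it restricts port 80 only, so every other port stays open as the answer cautions.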