rocordial 05-17-2004 03:42 PM

Permit access to only one website from a station in the internal network

I am new to Linux and iptables.

I have a Linux box connected to the Internet on eth0 and to the local network on eth1.

(I'll put underscores in place of dots because I'm new :) )

The local network is 192_168_0_0/24.

I want to restrict the access of 192_168_0_5 to only one website (i.e. www_website_com)

Is that possible with iptables?

I tried:

iptables -F
iptables -A INPUT -s 192_168_0_5 -d www_website_com -j ACCEPT
iptables -A INPUT -s 192_168_0_5 -p tcp -j REJECT

The default policy on all chains is ACCEPT.

It doesn't work.

Thank you!

Linux.tar.gz 05-17-2004 04:35 PM

Can't answer 'cause I'm new to iptables too, but I strongly suggest you use DROP instead of REJECT, because REJECT gives an answer to those you reject.

Poetics 05-18-2004 03:26 PM

Do you still need access to the rest of the network? You could simply modify your hosts.allow and hosts.deny files. (Welcome to LQ by the way!)

Something akin to allowing website_com and disallowing everything that doesn't have a local address would work just fine, I imagine.

rocordial 05-18-2004 03:40 PM

Thank you for the welcome and for your answer!

(I am not a native English speaker, so sorry for the language.)

The idea is interesting. I know what to put in the hosts.allow, but how can I deny everything in hosts.deny?

The station I talk about is a Win98 machine.

Looking forward to your answer.

ppuru 05-19-2004 01:56 AM

Hope you have ip_forward enabled and configured iptables rules to do MASQUERADING.

As your default policy is ACCEPT, you may need to add a DROP/REJECT rule to deny the identified PC from accessing other ports / websites.

You should use FORWARD instead of INPUT.

Poetics 05-19-2004 04:47 AM

If you're going the hosts.deny route you'd put in the following:


To deny all except what is explicitly accepted

rocordial 05-19-2004 07:37 AM

The hosts method didn't work. The station I tested was a WinXP.

IP forwarding is enabled and the masquerading is working.

I put these and only these lines in the firewall:


iptables -F
iptables -A FORWARD -p tcp -s -d -j ACCEPT
iptables -A FORWARD -p tcp -s -d ! -j REJECT

I still have full access to the Internet from the 59 station.

I forgot to mention that Squid is running on :8080 and the station is configured to use the proxy. Is that a problem?

Thank you for your help

ppuru 05-20-2004 04:05 AM

Try giving the IP address of the site. Never tried giving a hostname in iptables (so not sure if that is the reason).

rocordial 05-23-2004 01:58 PM

Thank you all for your kind help!

I solved the problem. The solution I found is based, in the end, on Squid (proxy) + iptables.

The solution with iptables, in my previous reply, worked only with the browser set not to use the proxy.

Now, I set Squid to work as a transparent proxy (so the user could not avoid the proxy in the browser) and denied access to all sites but the one I need in squid.conf.

Thanks again!
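As an added illustration of the transparent-proxy approach rocordial describes above (not the actual squid.conf from the thread): a fragment that permits 192.168.0.5 to reach one site and refuses everything else from that host, while the rest of the LAN is unaffected. It assumes Squid 3.1+ directive names, the addresses from the original post, and www.example.com standing in for www_website_com.

```conf
# Added example squid.conf fragment; not rocordial's actual configuration.
# Assumptions: Squid 3.1+ syntax, LAN 192.168.0.0/24, restricted station
# 192.168.0.5, permitted site www.example.com (placeholder).

# Intercept listener: iptables REDIRECTs the station's port-80 traffic here,
# so the browser's proxy setting cannot be used to bypass the proxy.
http_port 8080 intercept

acl localnet        src 192.168.0.0/24
acl restricted_host src 192.168.0.5
acl allowed_site    dstdomain www.example.com   # use .example.com to include subdomains

# The first matching http_access line wins, so the station's rules must
# come before the general LAN allow.
http_access allow restricted_host allowed_site
http_access deny  restricted_host
http_access allow localnet
http_access deny  all
```

Interception only sees plain HTTP, so anything the station sends on other ports (HTTPS included) still has to be refused in the FORWARD chain. The browser also needs working DNS to resolve the permitted name before Squid ever sees the request.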

fuzzie 06-05-2004 11:08 AM

I use masquerading and it is working fine...
But now one of my kids is old enough to start playing on the computer. I want to allow him access to only 3 or 4 sites. I know I will have to hard code them in, no big deal. Problem is, how do I do that in the iptables masquerading firewall script?

Say his machine, which dual boots to XP and Fedora, and sometimes to Knoppix for Kids (so his host file isn't an option) has an IP of, the gateway/script is on, running dhcp.
I don't want to restrict any access to any other machine on the LAN.

Any ideas?

mlp68 06-05-2004 09:32 PM

That shouldn't be too hard...

You must configure your dhcp server to assign a static address to your kid's box. Otherwise there's no guarantee that it gets the same ip next time, and he could zip past your firewall rules easily.

Then let's say you want your kid to be able to go to only. (Ok, reports 2 IPs,

Then add
-A INPUT -s -d -j ACCEPT
-A INPUT -s -d -j ACCEPT

-A INPUT -s -d 0/0 -j DROP

to the iptables config on your gateway machine.

The first two lines allow those desired connections, all others get squashed. (The "INPUT" may be called differently in your file.)

That should work, but here's an additional trick that I find invaluable.

I add

#-A LOG_AND_DROP -j LOG --log-level info --log-prefix dropped-packet:

somewhere close to the top. Note the commented-out line. I change all "DROP" targets later on to "LOG_AND_DROP" so the above line would read

-A INPUT -s -d 0/0 -j LOG_AND_DROP

Nothing has changed; the formerly dropped packets still get dropped, only after a detour through the new LOG_AND_DROP chain.

But if you uncomment the line in the middle, you get a log entry in your syslog for each dropped packet, and that lets you diagnose problems with connections not working easily. Especially for complex FW rules this can save hours of debugging. So if your kid complains that he cannot go somewhere where you think he should be allowed, that's the fastest way to find out.

BTW, depending on how clever your kid is, he might figure out how to assign a different static IP independent from the DHCP server and go past your safeguards... You should still monitor what's going on. And don't let him go to this forum... :-)

Hope it helps,

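The pieces of advice in this thread (ppuru's "use FORWARD, not INPUT, for traffic passing through the gateway", rocordial's Squid-plus-iptables solution, and mlp68's LOG_AND_DROP chain) combined into one gateway script, as an added example that is not any poster's own script. It assumes eth0 to the Internet, eth1 to the LAN 192.168.0.0/24, the restricted station 192.168.0.5, Squid in intercept mode on the gateway's port 8080, and the gateway answering the station's DNS and DHCP; by default it only prints the rules.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumptions (from the original
# post): eth0 faces the Internet, eth1 the LAN 192.168.0.0/24, the restricted
# station is 192.168.0.5, Squid listens on the gateway's port 8080 in intercept
# mode, and the gateway also answers the station's DNS and DHCP requests.
# Rules are printed by default; run as root with APPLY=1 to load them.
WAN=eth0; LAN=eth1; KID=192.168.0.5; SQUID_PORT=8080; LANNET=192.168.0.0/24

# Every rule passes through this wrapper so the set can be previewed unprivileged.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

build_rules() {
    ipt -F
    ipt -t nat -F
    ipt -X LOG_AND_DROP 2>/dev/null      # harmless if the chain does not exist yet

    # mlp68's trick: one chain that drops, with a commented LOG line that can be
    # switched on to see every refused packet in syslog while debugging.
    ipt -N LOG_AND_DROP
    # ipt -A LOG_AND_DROP -j LOG --log-level info --log-prefix "dropped-packet: "
    ipt -A LOG_AND_DROP -j DROP

    # ppuru's point: traffic addressed *to* the gateway (the proxy, DNS, DHCP) is
    # INPUT, traffic routed *through* it is FORWARD. The station may reach Squid,
    # DNS and DHCP on the gateway and nothing else on it.
    ipt -A INPUT -i "$LAN" -s "$KID" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$KID" -p udp -m multiport --dports 53,67 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$KID" -j LOG_AND_DROP

    # Force port 80 into Squid regardless of the browser's proxy setting; the
    # per-site allow/deny decision then lives in squid.conf (rocordial's solution).
    ipt -t nat -A PREROUTING -i "$LAN" -s "$KID" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # Whatever the station still tries to route directly (HTTPS, other ports)
    # is refused here. Other LAN hosts keep the default ACCEPT policy and are
    # masqueraded as before.
    ipt -A FORWARD -i "$LAN" -s "$KID" -j LOG_AND_DROP
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LANNET" -j MASQUERADE
}

build_rules
```

Uncommenting the LOG line and watching syslog is the quickest way to see which rule is refusing a connection the station should have been allowed.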

fuzzie 06-05-2004 10:19 PM

That's great! Thanks...I'm working on it now.

How do I assign the same IP to him...MAC address?

There is little chance he will figure out assigning a static IP for some time (he's 6) but you never know.

I take it, I can hard code an IP and the gateway to my wife's log on, so she will have unfettered access?

fuzzie 06-05-2004 11:17 PM

I found the dhcp stuff:
# Assign a static IP to
host atlantis {
hardware ethernet 00:45:40:10:FE:12;
not the real numbers....

But, I can't get the firewall deal to work. I followed your post, and all access was denied, so I added a line allowing the gateway internal IP, then everything comes through.
Tired and frustrated.
Thanks for your help.

mlp68 06-06-2004 12:53 AM

Hm. You did the additions to the iptables file on your gateway, right? Not on the .5 machine.

Then to narrow the problem area down, comment out the -d 0/0 -j DROP line for now, but change the "neopets" lines to drop. Then you should be able to go everywhere *except* the neopets. Just to see that this works.

Finally, activate the log_and_drop and see what gets dropped.

With those 3 lines, you shouldn't have to do anything special for your wife's machine. The rules say that when the source is and destination == neopets, ok, else not. Your wife's machine has another "source" IP.

Maybe you want to post a few lines from your 1.1's iptables.

Hope it helps,

fuzzie 06-06-2004 01:04 AM

Yes, I put it on the gateway machine.
Here is a copy of the script:

it's under the XXXXXXXX's access section.

I tried commenting out the DROP and changing the others to DROP... still allowed anywhere.
No, I am not rebooting the kid's machine. All I do is an ipconfig /release then /renew.
Does that matter?
