Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-17-2004, 03:42 PM   #1
rocordial
LQ Newbie
 
Registered: May 2004
Location: Romania, Europe
Distribution: Slackware 8.1
Posts: 28

Rep: Reputation: 15
Permit access to only one website from a station in the internal network


Hello

I am new to Linux and iptables.

I have a linux box connected to internet on eth0 and to the local network on eth1

(I'll put underscores in place of dots because I'm new)

The local network is 192_168_0_0/24.

I want to restrict the access of 192_168_0_5 to only one website (i.e. www_website_com)

Is that possible with iptables?

I tried:

iptables -F
iptables -A INPUT -s 192_168_0_5 -d www_website_com -j ACCEPT
iptables -A INPUT -s 192_168_0_5 -p tcp -j REJECT

The default policy on all channels is ACCEPT.

It doesn't work.

Thank you!
 
Old 05-17-2004, 04:35 PM   #2
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,534

Rep: Reputation: 100Reputation: 100
Can't answer 'cause I'm new to iptables too, but I strongly suggest you use DROP instead of REJECT, because REJECT gives an answer to those you reject.
 
Old 05-18-2004, 03:26 PM   #3
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Rep: Reputation: 49
Do you still need access to the rest of the network? You could simply modify your hosts.allow and hosts.deny files. (Welcome to LQ by the way!)

Something akin to allowing website_com and disallowing everything that doesn't have a local address would work just fine, I imagine.
 
Old 05-18-2004, 03:40 PM   #4
rocordial
LQ Newbie
 
Registered: May 2004
Location: Romania, Europe
Distribution: Slackware 8.1
Posts: 28

Original Poster
Rep: Reputation: 15
hosts

Thank you for welcoming me and for your answer!

(I am not a native English speaker, so sorry for the language.)

The idea is interesting. I know what to put in hosts.allow, but how can I deny everything in hosts.deny?

The station I talk about is a Win98 machine.

Looking forward to your answer.
 
Old 05-19-2004, 01:56 AM   #5
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Hope you have ip_forward enabled and configured iptables rules to do MASQUERADING.

As your default policy is ACCEPT, you may need to add a DROP/REJECT rule to deny the identified PC from accessing other ports / websites.

You should use FORWARD instead of INPUT.
 
Old 05-19-2004, 04:47 AM   #6
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Rep: Reputation: 49
If you're going the hosts.deny route you'd put in the following:

Code:
ALL:ALL
To deny all except what is explicitly accepted
 
Old 05-19-2004, 07:37 AM   #7
rocordial
LQ Newbie
 
Registered: May 2004
Location: Romania, Europe
Distribution: Slackware 8.1
Posts: 28

Original Poster
Rep: Reputation: 15
The hosts method didn't work. The station I tested was a Win XP.

The IP forwarding is enabled and the masquerading is working.

I put these and only these lines in the firewall:

Code:
iptables -F
iptables -A FORWARD -p tcp -s 192.168.14.59 -d www.site.com -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.14.59 -d ! www.site.com -j REJECT
I still have full access to the internet from the 59 station.

I forgot to mention that squid is running on :8080 and the station is configured to use the proxy. Is that a problem?

Thank you for your help

Last edited by rocordial; 05-19-2004 at 07:40 AM.
 
Old 05-20-2004, 04:05 AM   #8
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Try giving the IP address of the site. Never tried giving a hostname in iptables (so not sure if that is the reason).
 
Old 05-23-2004, 01:58 PM   #9
rocordial
LQ Newbie
 
Registered: May 2004
Location: Romania, Europe
Distribution: Slackware 8.1
Posts: 28

Original Poster
Rep: Reputation: 15
Thank you all for your kind help!

I solved the problem. The solution I found is based, in the end, on Squid (proxy) + iptables.

The solution with iptables, in my previous reply, worked only with the browser set not to use the proxy.

Now, I set Squid to work as a transparent proxy (so the user could not avoid the proxy in the browser) and denied access to all sites but the one I need in squid.conf.

Thanks again!
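An added example (not code from the thread) that puts together what rocordial ended up with: a FORWARD allowlist for direct traffic, a nat REDIRECT so the browser cannot skip Squid, and the Squid ACL lines that restrict proxied requests. The interface names, the 192.168.0.5 host, www.website.com and the 203.0.113.x site addresses are assumptions/constructed values; `http_port ... intercept` is the Squid 3.x spelling of the transparent-proxy option (older releases spell it `transparent`). With `DRY_RUN=1` the script prints the iptables commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: lock one LAN host down to a single web
# site on a Linux gateway (eth0 = internet, eth1 = LAN), covering both paths
# the thread ran into:
#  1. direct connections, which the gateway sees in the FORWARD chain;
#  2. connections through Squid on :8080, which arrive in INPUT and leave as
#     the gateway's own OUTPUT, so FORWARD rules never match them.
# Addresses, names and the site IPs below are assumptions/constructed.
LAN_IF="eth1"
KID="192.168.0.5"
SITE_DOMAIN="www.website.com"
SITE_IPS="203.0.113.10 203.0.113.11"   # constructed (RFC 5737 documentation range)
SQUID_PORT="8080"

# Run iptables, or with DRY_RUN=1 just print the command so the rule set can
# be reviewed on any machine without root.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Path 1: what the gateway forwards for that host. The default FORWARD policy
# is ACCEPT here, as in the thread, so reply packets need no extra rule.
direct_path_rules() {
    # DNS must still work or the browser can never reach the allowed name;
    # drop this rule if the gateway itself is the host's resolver.
    ipt -A FORWARD -i "$LAN_IF" -s "$KID" -p udp --dport 53 -j ACCEPT
    for ip in $SITE_IPS; do
        ipt -A FORWARD -i "$LAN_IF" -s "$KID" -d "$ip" -p tcp -m multiport --dports 80,443 -j ACCEPT
    done
    # Everything else that host asks the gateway to forward is dropped.
    ipt -A FORWARD -i "$LAN_IF" -s "$KID" -j DROP
}

# Path 2: pull the host's port-80 traffic into Squid whether or not the
# browser is configured for the proxy. Port 443 still goes through path 1.
proxy_path_rules() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$KID" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Squid side: these lines belong in squid.conf *above* any broader
# "http_access allow" for the LAN, because Squid takes the first match.
# "intercept" is the Squid 3.x keyword; older releases used "transparent".
squid_config() {
    cat <<EOF
http_port $SQUID_PORT intercept
acl kid src $KID
acl kid_site dstdomain $SITE_DOMAIN
http_access allow kid kid_site
http_access deny kid
EOF
}

case "${1:-}" in
    apply) direct_path_rules; proxy_path_rules
           echo "# add to squid.conf:"; squid_config ;;
    show)  DRY_RUN=1 direct_path_rules; DRY_RUN=1 proxy_path_rules; squid_config ;;
esac
```

Run it as `sh restrict.sh show` to review the rules, and as root with `apply` on the gateway. Note that once the REDIRECT is in place, the host's port-80 traffic is delivered to Squid locally and never reaches FORWARD, which is exactly why the FORWARD-only attempt earlier in the thread had no effect on proxied browsing.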
 
Old 06-05-2004, 11:08 AM   #10
fuzzie
LQ Newbie
 
Registered: Mar 2003
Posts: 10

Rep: Reputation: 0
I use masquerading and it is working fine...
But now one of my kids is old enough to start playing on the computer. I want to allow him access to only 3 or 4 sites. I know I will have to hard code them in, no big deal. Problem is, how do I do that in the iptables masquerading firewall script.

Say his machine, which dual boots to XP and Fedora, and sometimes to Knoppix for Kids (so his hosts file isn't an option), has an IP of 192.168.1.5; the gateway/script is on 192.168.1.1, running DHCP.
I don't want to restrict any access to any other machine on the LAN.

Any ideas?
thanks
 
Old 06-05-2004, 09:32 PM   #11
mlp68
Member
 
Registered: Jun 2002
Location: NY
Distribution: Gentoo,RH
Posts: 333

Rep: Reputation: 40
That shouldn't be too hard...


You must configure your dhcp server to assign a static address to your kid's box. Otherwise there's no guarantee that it gets the same ip next time, and he could zip past your firewall rules easily.

Then let's say you want your kid to be able to go to www.neopets.com only. (Ok, neopets.com reports 2 IPs,
Name: www.neopets.com
Address: 206.132.214.10
Name: www.neopets.com
Address: 207.218.164.15
)

Then add
-A INPUT -s 192.168.1.5 -d 206.132.214.10 -j ACCEPT
-A INPUT -s 192.168.1.5 -d 207.218.164.15 -j ACCEPT

-A INPUT -s 192.168.1.5 -d 0/0 -j DROP

to the iptables config on your gateway machine.

The first two lines allow those desired connections, all others get squashed. (The "INPUT" may be called differently in your file.)

That should work, but here's an additional trick that I find invaluable.

I add

-N LOG_AND_DROP
#-A LOG_AND_DROP -j LOG --log-level info --log-prefix dropped-packet:
-A LOG_AND_DROP -j DROP

somewhere close to the top. Note the commented-out line. I change all "DROP" targets later on to "LOG_AND_DROP" so the above line would read

-A INPUT -s 192.168.1.5 -d 0/0 -j LOG_AND_DROP

Nothing has changed; the formerly dropped packets still get dropped, only after a detour through the new LOG_AND_DROP chain.

But if you uncomment the line in the middle, you get a log entry in your syslog for each dropped packet, and that lets you diagnose problems with connections not working easily. Especially for complex FW rules this can save hours of debugging. So if your kid complains that he cannot go somewhere where you think he should be allowed, that's the fastest way to find out.

BTW, depending on how clever your kid is, he might figure out how to assign a different static IP independent from the DHCP server and go past your safeguards... You should still monitor what's going on. And don't let him go to this forum... :-)

Hope it helps,

mlp
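As an added example (not mlp68's own file), here are the rules from the post above in iptables-restore format, produced by a small script so the LOG line can be switched on and off, and, as a mitigation for the "assigns a different static IP" caveat at the end of the post, so the child's machine can be matched by MAC address instead of IP. The MAC is a constructed value (take the real one from the DHCP `host` block); the two neopets addresses are the ones quoted in the post. The chain used is FORWARD, since, as ppuru noted earlier in the thread, the traffic crosses the gateway rather than terminating on it.

```shell
#!/bin/sh
# Added example, not from the thread: emit mlp68's rules as an
# iptables-restore fragment. Load it on the gateway with
#   iptables-restore --noflush < kid.rules
# (--noflush appends to the running filter table instead of replacing it).
KID_IP="192.168.1.5"
KID_MAC="00:45:40:10:FE:12"                  # constructed; copy from the DHCP 'host' block
ALLOWED_IPS="206.132.214.10 207.218.164.15"  # the two www.neopets.com addresses from the post

# Print the fragment. LOGGING=1 uncomments the LOG rule; PIN_MAC=1 matches
# the machine by its MAC address instead of its IP, so a static IP set by
# hand still lands in the same rules (a MAC can be changed too, which is
# why the post says to keep monitoring).
kid_rules() {
    if [ "${PIN_MAC:-0}" = "1" ]; then
        src="-m mac --mac-source $KID_MAC"
    else
        src="-s $KID_IP"
    fi
    if [ "${LOGGING:-0}" = "1" ]; then
        log_prefix=""
    else
        log_prefix="#"
    fi
    echo "*filter"
    echo ":LOG_AND_DROP - [0:0]"
    # -m limit keeps a flood of dropped packets from filling syslog
    echo "${log_prefix}-A LOG_AND_DROP -m limit --limit 10/min -j LOG --log-level info --log-prefix \"dropped-packet: \""
    echo "-A LOG_AND_DROP -j DROP"
    # Allowed destinations first, then the catch-all detour through LOG_AND_DROP
    for ip in $ALLOWED_IPS; do
        echo "-A FORWARD $src -d $ip -j ACCEPT"
    done
    echo "-A FORWARD $src -d 0/0 -j LOG_AND_DROP"
    echo "COMMIT"
}

case "${1:-}" in
    show) kid_rules ;;
esac
```

`sh kid.sh show > kid.rules` writes the fragment; `LOGGING=1 PIN_MAC=1 sh kid.sh show` writes the logging, MAC-matched variant. When matching by MAC, the catch-all rule deliberately has no `-s`, so a machine that changes its IP still hits the DROP rather than slipping past both the ACCEPT and the DROP lines.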
 
Old 06-05-2004, 10:19 PM   #12
fuzzie
LQ Newbie
 
Registered: Mar 2003
Posts: 10

Rep: Reputation: 0
That's great! Thanks...I'm working on it now.

How do I assign the same IP to him...MAC address?

There is little chance he will figure out assigning a static IP for some time (he's 6) but you never know.

I take it, I can hard code an IP and the gateway to my wife's log on, so she will have unfettered access?
 
Old 06-05-2004, 11:17 PM   #13
fuzzie
LQ Newbie
 
Registered: Mar 2003
Posts: 10

Rep: Reputation: 0
I found the dhcp stuff:
# Assign a static IP to atlantis.linuxhelp.ca
host atlantis {
hardware ethernet 00:45:40:10:FE:12;
fixed-address 192.168.1.5;
}
not the real numbers....

But, I can't get the firewall deal to work. I followed your post, and all access was denied, so I added a line allowing the gateway internal IP 192.168.1.1, then everything comes through.
Tired and frustrated.
Thanks for your help.
 
Old 06-06-2004, 12:53 AM   #14
mlp68
Member
 
Registered: Jun 2002
Location: NY
Distribution: Gentoo,RH
Posts: 333

Rep: Reputation: 40
Hm. You did the additions to the iptables file on your 192.168.1.1 gateway, right? Not on the .5 machine.

Then to narrow the problem area down, comment out the -d 0/0 -j DROP line for now, but change the "neopets" lines to drop. Then you should be able to go everywhere *except* the neopets. Just to see that this works.

Finally, activate the log_and_drop and see what gets dropped.

With those 3 lines, you shouldn't have to do anything special for your wife's machine. The rules say that when the source is 192.168.1.5 and destination == neopets, ok, else not. Your wife's machine has another "source" IP.

Maybe you want to post a few lines from your 1.1's iptables.

Hope it helps,
mlp
 
Old 06-06-2004, 01:04 AM   #15
fuzzie
LQ Newbie
 
Registered: Mar 2003
Posts: 10

Rep: Reputation: 0
Yes, I put it on the gateway machine.
Here is a copy of the script:
http://REMOVED

It's under the XXXXXXXX's access section.

I tried commenting out the Drop and changing the others to Drop...still allowed anywhere.
No, I am not rebooting the kid's machine. All I do is an ipconfig /release then /renew.
Does that matter?

Last edited by fuzzie; 06-06-2004 at 02:11 AM.
 