Permit access to only one website from a station in the internal network
I solved the problem. The solution I found is based, in the end, on Squid (proxy) + iptables.
The solution with iptables, in my previous reply, worked only with the browser set not to use the proxy.
Now I set Squid to work as a transparent proxy (so the user could not avoid the proxy in the browser) and denied access to all sites but the one I need in squid.conf.
I use masquerading and it is working fine...
But now one of my kids is old enough to start playing on the computer. I want to allow him access to only 3 or 4 sites. I know I will have to hard-code them in, no big deal. Problem is, how do I do that in the iptables masquerading firewall script?
Say his machine, which dual boots to XP and Fedora, and sometimes to Knoppix for Kids (so his hosts file isn't an option), has an IP of 192.168.1.5, and the gateway/script is on 192.168.1.1, running DHCP.
I don't want to restrict any access to any other machine on the LAN.
You must configure your dhcp server to assign a static address to your kid's box. Otherwise there's no guarantee that it gets the same ip next time, and he could zip past your firewall rules easily.
Then let's say you want your kid to be able to go to www.neopets.com only. (Ok, neopets.com reports 2 IPs,
Name: www.neopets.com
Address: 206.132.214.10
Name: www.neopets.com
Address: 207.218.164.15
)
Then add
-A INPUT -s 192.168.1.5 -d 206.132.214.10 -j ACCEPT
-A INPUT -s 192.168.1.5 -d 207.218.164.15 -j ACCEPT
-A INPUT -s 192.168.1.5 -d 0/0 -j DROP
to the iptables config on your gateway machine.
The first two lines allow those desired connections, all others get squashed. (The "INPUT" may be called differently in your file.)
That should work, but here's an additional trick that I find invaluable.
I add
-N LOG_AND_DROP
#-A LOG_AND_DROP -j LOG --log-level info --log-prefix dropped-packet:
-A LOG_AND_DROP -j DROP
somewhere close to the top. Note the commented-out line. I change all "DROP" targets later on to "LOG_AND_DROP" so the above line would read
-A INPUT -s 192.168.1.5 -d 0/0 -j LOG_AND_DROP
Nothing has changed; the formerly dropped packets still get dropped, only after a detour through the new LOG_AND_DROP chain.
But if you uncomment the line in the middle, you get a log entry in your syslog for each dropped packet, and that lets you easily diagnose connections that aren't working. Especially for complex FW rules this can save hours of debugging. So if your kid complains that he cannot go somewhere where you think he should be allowed, that's the fastest way to find out.
BTW, depending on how clever your kid is, he might figure out how to assign a different static IP independent from the DHCP server and go past your safeguards... You should still monitor what's going on. And don't let him go to this forum... :-)
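An added example, not code from the thread: the same whitelist written as a script for the gateway. One detail the rules above gloss over is that traffic 192.168.1.5 sends out through the gateway traverses the FORWARD chain, not INPUT. INPUT only sees packets addressed to the gateway itself (DNS and DHCP), so a catch-all DROP placed there blocks name lookups while the forwarded web traffic is never filtered, which fits the symptom reported later in the thread. The addresses (kid's box 192.168.1.5, gateway 192.168.1.1 assumed to also answer DNS for the LAN) and the two www.neopets.com IPs quoted above are assumptions taken from the thread; resolve the sites yourself before use, since those IPs may have changed.

```shell
#!/bin/sh
# Added example (not from the original thread): restrict one LAN host to a few
# destination IPs on a masquerading Linux gateway.
# Assumptions taken from the thread: kid's box 192.168.1.5 (pinned by DHCP),
# gateway LAN address 192.168.1.1 which also answers DNS for the LAN, and the
# two www.neopets.com addresses posted above (re-resolve them before use).
#
# Packets a LAN host sends *through* the gateway traverse FORWARD; INPUT only
# sees packets addressed to the gateway itself (DNS, DHCP). Hence the filter
# hook goes into FORWARD and only the DNS exception goes into INPUT.

KID=192.168.1.5
GW_LAN=192.168.1.1
ALLOWED_IPS="206.132.214.10 207.218.164.15"
IPT=${IPT:-iptables}   # IPT=echo prints the rules instead of applying them

kid_rules() {
    # Private chains, (re)created empty so the script can be re-run safely.
    $IPT -N KID_WEB 2>/dev/null || $IPT -F KID_WEB
    $IPT -N LOG_AND_DROP 2>/dev/null || $IPT -F LOG_AND_DROP

    # LOG_AND_DROP: log with a rate limit (a port scan must not fill the disk),
    # then drop. Comment out the LOG line once everything works if the noise
    # bothers you; the rate limit keeps it cheap either way.
    $IPT -A LOG_AND_DROP -m limit --limit 10/min --limit-burst 20 \
         -j LOG --log-level info --log-prefix "dropped-packet: "
    $IPT -A LOG_AND_DROP -j DROP

    # Packets belonging to connections already accepted keep flowing.
    $IPT -A KID_WEB -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The whitelisted sites, web ports only.
    for ip in $ALLOWED_IPS; do
        $IPT -A KID_WEB -d "$ip" -p tcp -m multiport --dports 80,443 -j ACCEPT
    done
    # Anything else from the kid's box is logged and dropped.
    $IPT -A KID_WEB -j LOG_AND_DROP

    # Hook forwarded traffic from the kid's box into KID_WEB. Delete a stale
    # copy of the hook first so re-running does not stack duplicates. No other
    # LAN host matches -s $KID, so they are unaffected.
    $IPT -D FORWARD -s "$KID" -j KID_WEB 2>/dev/null || true
    $IPT -I FORWARD 1 -s "$KID" -j KID_WEB

    # The kid's box must still be able to ask the gateway itself for names.
    $IPT -D INPUT -s "$KID" -d "$GW_LAN" -p udp --dport 53 -j ACCEPT 2>/dev/null || true
    $IPT -I INPUT 1 -s "$KID" -d "$GW_LAN" -p udp --dport 53 -j ACCEPT
}

# Usage:  sh kidrules.sh apply              (as root, applies the rules)
#         IPT=echo sh kidrules.sh apply     (dry run, only prints the rules)
case "${1:-}" in
    apply) kid_rules ;;
esac
```

Run it first with IPT=echo to see the rules without touching the kernel, then as root for real. Because KID_WEB is only reached from FORWARD for packets with -s 192.168.1.5, your wife's machine and every other LAN host never enter it. If the DHCP server hands the kid's box an external DNS server instead of the gateway, that traffic is forwarded, so add the server's address to KID_WEB with -p udp --dport 53 rather than to INPUT.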
I found the dhcp stuff:
# Assign a static IP to atlantis.linuxhelp.ca
host atlantis {
    hardware ethernet 00:45:40:10:FE:12;
    fixed-address 192.168.1.5;
}
not the real numbers....
But, I can't get the firewall deal to work. I followed your post, and all access was denied, so I added a line allowing the gateway internal IP 192.168.1.1, then everything comes through.
Tired and frustrated.
Thanks for your help.
Hm. You did the additions to the iptables file on your 192.168.1.1 gateway, right? Not on the .5 machine.
Then to narrow the problem area down, comment out the -d 0/0 -j DROP line for now, but change the "neopets" lines to drop. Then you should be able to go everywhere *except* the neopets. Just to see that this works.
Finally, activate the log_and_drop and see what gets dropped.
With those 3 lines, you shouldn't have to do anything special for your wife's machine. The rules say that when the source is 192.168.1.5 and destination == neopets, ok, else not. Your wife's machine has another "source" IP.
Maybe you want to post a few lines from your 1.1's iptables.
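Once the LOG line in LOG_AND_DROP is active, the kernel writes one syslog entry per dropped packet carrying the prefix you chose. An added example, not from the thread, that summarises those entries so the "see what gets dropped" step does not mean reading raw kernel lines: the sample log is constructed here to mimic the LOG target's output (SRC=, DST=, PROTO= and DPT= are the fields the LOG target really emits); the addresses in it are made up except 192.168.1.5 and 192.168.1.1, which are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: summarise "dropped-packet:" log entries
# per destination so you can see where a blocked host tried to go.
# The four lines below are constructed to look like the kernel LOG target's
# syslog output; 192.168.1.5 and 192.168.1.1 come from the thread, the rest
# is made up.
SAMPLE_LOG='Jan  5 20:01:12 gw kernel: dropped-packet: IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=64.233.160.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=33012 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 20:01:13 gw kernel: dropped-packet: IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=64.233.160.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=33013 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 20:01:20 gw kernel: dropped-packet: IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=198.41.0.4 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=4713 PROTO=UDP SPT=32904 DPT=53 LEN=41
Jan  5 20:01:25 gw kernel: dropped-packet: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=4714 PROTO=UDP SPT=32905 DPT=53 LEN=41'

# summarise_drops [SRC]: reads syslog lines on stdin, keeps the LOG entries
# whose SRC matches the given host (default 192.168.1.5) and prints
# "count PROTO DST:DPT", most frequent destination first.
summarise_drops() {
    awk -v want="${1:-192.168.1.5}" '
        /dropped-packet:/ {
            src = dst = proto = dpt = ""
            # Every interesting field is a KEY=VALUE token; pick the ones we need.
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src == want) n[proto " " dst ":" dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Stand-alone demo on the constructed sample; on the gateway, feed it the
# real log instead, e.g.  summarise_drops < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

In the sample, the UDP 53 drop toward 192.168.1.1 is the line to look for when nothing resolves at all: a DNS query to the gateway itself goes through INPUT, never FORWARD, so seeing it logged and dropped means the catch-all DROP for 192.168.1.5 sits in INPUT, where it blocks the gateway's own services but not the traffic being forwarded to the Internet.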
Yes, I put it on the gateway machine.
Here is a copy of the script: http://REMOVED
it's under the XXXXXXXX's access section.
I tried commenting out the Drop and changing the others to Drop...still allowed anywhere.
No, I am not rebooting the kid's machine. All I do is an ipconfig /release and then /renew.
Does that matter?