Question about IPtables/firewall rules

ilan1 · 02-10-2006, 11:07 AM

I was wondering if there was an easy command I could type
as root on Knoppix so that all TCP/IP traffic was forced
to go to only one or two domains.

Basically, I just want to setup a machine so that I could
leave a web browser open and that everybody who uses the
machine is forced to only go to just one or two websites.

Could somebody clue me in?

Thank you.

Ilan

win32sux · 02-10-2006, 12:02 PM

Quote:

Originally Posted by ilan1

I was wondering if there was an easy command I could type
as root on Knoppix so that all TCP/IP traffic was forced
to go to only one or two domains.

something like this should work:

Code:

iptables -I OUTPUT -p TCP -d ! xxx.xxx.xxx.xxx -j REJECT

repeat as necessary for each ip address you want to be allowed... you can also use a domain name (such as cnn.com, for example) but:

Quote:

Originally Posted by ilan1

Basically, I just want to setup a machine so that I could
leave a web browser open and that everybody who uses the
machine is forced to only go to just one or two websites.

this kinda thing is better done with a proxy server, unless you are 100% positive the IP address of the two websites will not change...

ilan1 · 02-20-2006, 01:36 PM

Quote:

Originally Posted by win32sux

something like this should work:

Code:

iptables -I OUTPUT -p TCP -d ! xxx.xxx.xxx.xxx -j REJECT

repeat as necessary for each ip address you want to be allowed... you can also use a domain name (such as cnn.com, for example) but:

this kinda thing is better done with a proxy server, unless you are 100% positive the IP address of the two websites will not change...

I have tried this and set xxx.xxx.xxx.xxx to be the IP
address of a proxy server I was using and the iptables
command seems to work.

When I tried to visit another site, the browser would just
hang. Is there anyway to make it so that rather than timeouts
happening, that the connection drops are immediate? i.e. the
browser is more responsive?

I would prefer that it be obvious to the user that only one
or two websites are accessible and nothing else is accessible.

Thank you.

win32sux · 02-20-2006, 11:58 PM

Quote:

Originally Posted by ilan1

I have tried this and set xxx.xxx.xxx.xxx to be the IP
address of a proxy server I was using and the iptables
command seems to work.

When I tried to visit another site, the browser would just
hang. Is there anyway to make it so that rather than timeouts
happening, that the connection drops are immediate? i.e. the
browser is more responsive?

I would prefer that it be obvious to the user that only one
or two websites are accessible and nothing else is accessible.

Thank you.

i'm not sure i understand what you did with the iptables and the proxy, but the REJECT target should in fact send a "connection denied" (or whatever it's called) back to the client right away...

perhaps you need to edit your proxy's config?? well, like i said, i'm not sure i understand what you did...