Linux as gateway/packet filter

I have a few computers on my network (company.ee) for which I want to disallow port 80 and port 21 connections outside the .ee domain.

I mean that these computers would have full access, but only inside .ee. So Linux should act as a gateway and prevent any traffic on ports 80 and 21 between those few computers and any computers outside the .ee domain.

And they all must use real IPs because I sometimes want to run an FTP server or game server on them.

ipchains doesn't allow using DNS names (i.e. I can't say !ee port 80 DENY), or does it?
henno asked:
mmips commented:
Yes, you can filter requests from your local domain from reaching the outside. But not the way you are trying to use it; check out the ipchains HOWTO, section 7, "A Serious Example". This should give you all the information necessary to set up your internal filtering rules:

http://howto.tucows.com/LDP/HOWTO/IPCHAINS-HOWTO.html
bughead1 commented:
Another good site to check out for tips on firewalls/gateways/routers is http://www.nanux.com.
henno (author) commented:
Why can't linux check where the packets from those computers are going and just not pass them on?
Oarokus commented:
It is possible to do this with ipchains. I had a similar problem keeping people on the internet from connecting to my ftp server, while allowing access to the machines on my LAN.

My solution was to create a firewall (with ipchains) that would filter out any packets going to my FTP server that were not coming from the LAN. I did it like this:

# a port written after -s is the *source* port; connections to the FTP
# server arrive with destination port 21, so the port belongs with -d
ipchains -A input -p TCP -s ! 192.95.207.0/24 -d 0.0.0.0/0 ftp -j DENY


-p TCP stands for the TCP protocol

-s stands for source (where the packets are coming from)

! 192.95.207.0/24 stands for all addresses that are NOT (!) between 192.95.207.0 - 192.95.207.255

I came up with this since all of the machines on the LAN have IP addresses within the 192.95.207.* range.

ftp is the port [21] (this can be a number as well)

And -j DENY = jump to DENY

With your problem I would use the command:

ipchains -A input -p TCP -s ! 192.95.207.0/24 -d 0.0.0.0/0 ftp -j DENY

but replace the address with an address that would apply to your net.

Then do the command again but this time replace ftp with www or 80 to block off the other port.


henno (author) commented:
Ok, how do I specify the whole *.ee domain?
Oarokus commented:
replace the address with an address
that would apply to your net.

Instead of 192.95.207.0/24 use ee
henno (author) commented:
I still can't specify the *.ee domain

unknown host/network
Oarokus commented:
I didn't say *.ee, I said ee.
Oarokus commented:
Just try this:

ipchains -A input -p TCP -s ! ee ftp -j DENY
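The thread stalls on the fact that ipchains matches IP addresses only: a name given to -s or -d is resolved as a single hostname, so "ee" (a top-level domain, not a host) produces "unknown host/network". What a gateway can do instead is enumerate the address blocks that belong to .ee and allow those explicitly, ahead of a catch-all rule for the two ports. The script below is an added example, not code from the thread; the restricted host addresses and the ".ee" prefixes in it are made-up placeholder values (the real list would come from the RIPE allocation data), and it assumes the Linux box is the router between the LAN and the internet, so the rules go on the forward chain, with the port attached to the destination as in Oarokus's corrected rule.

```shell
#!/bin/sh
# Added example (not from the thread): generate ipchains rules that let the
# restricted LAN hosts reach ports 21 and 80 only inside ".ee", expressed as
# a list of address blocks, because ipchains cannot match on a domain name.
#
# Assumptions (all placeholders, not real allocations):
#   - the restricted hosts on the LAN are 192.0.2.10 and 192.0.2.11
#   - the ".ee" address blocks are 198.51.100.0/24 and 203.0.113.0/24
#   - the Linux box forwards for the LAN, so rules go on the "forward" chain

RESTRICTED_HOSTS="192.0.2.10 192.0.2.11"
EE_NETS="198.51.100.0/24 203.0.113.0/24"
PORTS="21 80"

# gen_rules prints one ipchains command per line; it does not run them.
gen_rules() {
    for host in $RESTRICTED_HOSTS; do
        for port in $PORTS; do
            # Allow the .ee blocks first: ipchains walks a chain top to bottom
            # and the first matching rule wins.
            for net in $EE_NETS; do
                echo "ipchains -A forward -p tcp -s $host -d $net $port -j ACCEPT"
            done
            # Everything else on this port from this host is refused.
            # -y matches only connection-opening (SYN) packets, so replies on
            # connections that were allowed are never caught by this rule.
            echo "ipchains -A forward -p tcp -y -s $host -d 0.0.0.0/0 $port -j REJECT"
        done
    done
}

# Number of rules that would be installed (2 hosts x 2 ports x 3 rules = 12).
count_rules() {
    gen_rules | wc -l | tr -d ' '
}

# Apply only when explicitly asked (needs root and a kernel that still has
# ipchains); otherwise just show what would be installed.
if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | while read -r rule; do
        $rule
    done
else
    gen_rules
fi
```

Run it as-is to print the rules; set APPLY=1 to execute them. Because ipchains stops at the first matching rule, the ACCEPT rules for the .ee blocks must come before the REJECT rule, and -y limits the REJECT to SYN packets so that an already permitted connection is never cut in the middle. REJECT (an ICMP error back to the client) rather than DENY (silent drop) keeps the restricted hosts from hanging on connect timeouts. The list of .ee prefixes is the weak point of this approach: it has to be refreshed as allocations change, and a host in .ee that is hosted on a foreign address block will still be blocked.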