Solved

Dedicated Linux Box to restrict internet access.

Posted on 2004-09-29
8
1,043 Views
Last Modified: 2011-09-20
I have a network of 20 computers running mostly win2k and I want to limit where people can go on the Internet to only about 5 to 10 sites. Is it possible to achieve this with Linux firewall, filtering out all the traffic except for that coming from the sites that I want. If yes, then how do I do this?
0
Comment
Question by:alex-n-bill
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 2

Expert Comment

by:peteysa
ID: 12187554
Good Day,


A squid proxy server would be ideal to block access to all sites but what you allow.  The proxy server would "proxy" all web connections, perform content caching, and allow you to implement access policies for different sites.  

In this setup the server would not have to act as a firewall, but you would need a  firewall to restrict internet access to only from the squid proxy server box.  

Squid proxy server is packaged in most releases of linux.

Cheers!

Dan
0
 
LVL 10

Assisted Solution

by:Luxana
Luxana earned 250 total points
ID: 12189405
did you try use IPTABLES to block all incoming request for your websites?

http://www.linuxguruz.com/iptables/howto/
0
 
LVL 10

Expert Comment

by:Luxana
ID: 12189557
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 

Author Comment

by:alex-n-bill
ID: 12191592
Do I really need a proxy server, or a firewall is enough? If I need to set up a firewall to block everything but a connection to the Proxy why don't I do the same for 5 additional IP addresses. What would be the iptables command to block all internet access except for 5 specified IP addresses. On the other hand: Is proxy server going to be easier to configure then iptables firewall?
0
 
LVL 2

Accepted Solution

by:
peteysa earned 250 total points
ID: 12192138
Hey Alex,

Iptables is easiest, the problem with doing straight IPtables is that the addresses of the websites may change which will require a change to your IPtables rules, but you will have to configure your entire network to flow through the firewall.

I would recommend using webmin to manage your iptables rules and for that most of your administrative tasks on the linux server.  

Cheers,

Dan
0
 
LVL 10

Expert Comment

by:Luxana
ID: 12196007
or there is another and I think best solution because if you want to reject web page such as yahoo.com then you need reject many ip addresses. Instead of that you can use

http://www.censornet.com/

0
 
LVL 1

Expert Comment

by:shlomilev
ID: 12339311
hey there,
 
First solution of mine,
ok here it goes,
First of all do what the others did with the IPtables.
Moreover, as you say it's a dedicated linux pc for the network,
you can download IPCop or Smoothwall at:
IPCOP: http://www.ipcop.org
Smoothwall: http://www.smoothwall.org 

this r good firewalls,

here's the configuration:

IPCop and Smoothwall defines up to three network interfaces, RED,
GREEN and ORANGE.

GREEN: This interface only connects to the computer(s) that the
firewall is protecting. It is presumed to
be local. Traffic to it is routed though an Ethernet NIC on the
computer firewall.

ORANGE: This optional network allows you to place publicly accessible
servers on a separate network.
Computers on this network cannot get to the GREEN network, except
through tightly controlled "DMZ pinholes".
Traffic to this network is routed through an Ethernet NIC. The ORANGE
NIC must be different from the GREEN NIC

RED: This network is the Internet or other untrusted network. The
firewall's primary purpose is to protect the GREEN and ORANGE
networks and their computers from traffic originating on the RED
network. Your current connection method and hardware
are used to connect to this network.

There are two combinations allowed in the firewall. GREEN, RED is the
typical network combination specified for home and small offices.
GREEN, ORANGE, RED, is only specified when you wish to run publicly
accessible servers.

Since the RED interface can connect either by modem or by Ethernet,
there are four Network Configuration Types:

GREEN (RED is modem/ISDN)

GREEN + ORANGE (RED is modem/ISDN)

GREEN + RED (RED is Ethernet)

GREEN + ORANGE + RED (RED is Ethernet)
Most connections are going to be GREEN + RED. So if you are setting it
up the GREEN is going to the computer or router. So when
it asks for the IP address for the green it will be the ip of the
computer or firewall. RED is going to be the IP of the incoming line. ( The
Cable modem or the T1/ISDN line.)

Thats the basics of it. You connect the cables into the ethernet cards
and your ready to go.

Cheers

Sean
0
 

Expert Comment

by:dgdubya
ID: 12348501
I've used Squid and an open source product Dansguardian to filter internet access. You can download Dansguardian at http://dansguard.org. You might also consider using Smoothwall and/or Smootguardian to solve your problem. You can get Smoothwall at, http://www.smoothwall.org/.

Cheers,

Don

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
netcat nc -l reads data in socket too fast - slow it down 18 827
ovirt web management page 1 87
Iptables and mirroring ports 4 93
Xymon customize http timeout 2 102
I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question