Solved

Dedicated Linux Box to restrict internet access.

Posted on 2004-09-29
8
1,033 Views
Last Modified: 2011-09-20
I have a network of 20 computers running mostly win2k and I want to limit where people can go on the Internet to only about 5 to 10 sites. Is it possible to achieve this with a Linux firewall, filtering out all the traffic except for that coming from the sites that I want? If yes, then how do I do this?
0
Question by:alex-n-bill
8 Comments
 
LVL 2

Expert Comment

by:peteysa
ID: 12187554
Good Day,

A squid proxy server would be ideal to block access to all sites but what you allow. The proxy server would "proxy" all web connections, perform content caching, and allow you to implement access policies for different sites.

In this setup the server would not have to act as a firewall, but you would need a firewall to restrict internet access to only the squid proxy server box.

Squid proxy server is packaged in most releases of Linux.

Cheers!

Dan
0
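As an added illustration of the squid approach Dan describes (this is not code from the thread or from the Squid project), the shell function below renders a minimal squid.conf that lets one LAN reach only an allowlist of destination domains and refuses everything else. The LAN range 192.168.1.0/24, the port 3128 and the domain names are constructed assumptions; the `acl`, `dstdomain` and `http_access` directives are standard Squid configuration syntax.

```shell
#!/bin/sh
# Added example, not from the original thread: render a squid.conf allowlist.
# Assumptions (constructed for this example): the LAN is 192.168.1.0/24,
# squid listens on TCP 3128, and allowed domains are passed as arguments.

render_squid_conf() {
    lan_net="$1"; shift
    printf 'http_port 3128\n'
    printf 'acl localnet src %s\n' "$lan_net"
    # A leading dot makes the ACL match the domain and all of its subdomains.
    for d in "$@"; do
        printf 'acl allowed_sites dstdomain .%s\n' "$d"
    done
    # Only LAN clients, and only to listed domains, may use the proxy.
    printf 'http_access allow localnet allowed_sites\n'
    # Order matters: this final deny catches every request not allowed above,
    # including CONNECT (HTTPS) requests to unlisted hosts.
    printf 'http_access deny all\n'
}

# Example usage (writes the file; run on the proxy box as root):
#   render_squid_conf 192.168.1.0/24 example.com example.org > /etc/squid/squid.conf
```

Because the proxy decides by domain name rather than by address, the allowlist survives the site changing its IP address, which is the weakness of a pure address-based firewall rule set raised later in the thread. The proxy only helps if the firewall in front of the LAN permits outbound web traffic solely from the proxy box, so the clients cannot bypass it.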
 
LVL 10

Assisted Solution

by:Luxana
Luxana earned 250 total points
ID: 12189405
Did you try using IPTABLES to block all incoming requests for your websites?

http://www.linuxguruz.com/iptables/howto/
0
 
LVL 10

Expert Comment

by:Luxana
ID: 12189557
0
 

Author Comment

by:alex-n-bill
ID: 12191592
Do I really need a proxy server, or is a firewall enough? If I need to set up a firewall to block everything but a connection to the proxy, why don't I do the same for 5 additional IP addresses? What would be the iptables command to block all internet access except for 5 specified IP addresses? On the other hand: is a proxy server going to be easier to configure than an iptables firewall?
0
 
LVL 2

Accepted Solution

by:
peteysa earned 250 total points
ID: 12192138
Hey Alex,

Iptables is easiest. The problem with doing straight IPtables is that the addresses of the websites may change, which will require a change to your IPtables rules, but you will have to configure your entire network to flow through the firewall.

I would recommend using webmin to manage your iptables rules and for most of your administrative tasks on the Linux server.

Cheers,

Dan
0
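To show concretely what the iptables rule set Alex asked about looks like, here is an added example (not code posted in the thread): a script for a Linux box that routes the LAN to the Internet and forwards web traffic only to an allowlist of destination addresses, logging and dropping everything else. The interface names eth0/eth1, the LAN range 192.168.1.0/24, the DNS server address and the sample destination addresses are constructed assumptions. By default the script only prints the commands; setting APPLY=1 executes them.

```shell
#!/bin/sh
# Added example, not from the original thread: allowlist-only forwarding.
# Assumptions (constructed): Internet on eth0, LAN on eth1, LAN 192.168.1.0/24,
# and one DNS server the clients are allowed to query. Allowed destination
# addresses are passed as arguments. Run as root with APPLY=1 to apply.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"   # placeholder resolver address

# Print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

build_allowlist_rules() {
    # Default-deny for forwarded traffic, then start from a clean chain.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Replies to connections the LAN opened.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Name resolution: without this the clients cannot look up the allowed sites.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    # One web rule per allowed destination address (HTTP and HTTPS only).
    for dst in "$@"; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -d "$dst" -p tcp -m multiport --dports 80,443 -j ACCEPT
    done
    # Record denied attempts (rate-limited) before the chain policy drops them.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-DENIED: "
    # Masquerade the LAN behind the box's Internet address.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Number of per-destination ACCEPT rules the rule set would contain.
count_allow_rules() {
    build_allowlist_rules "$@" | grep -c -- '-p tcp -m multiport'
}

# Example usage (dry run, prints the rules for five constructed addresses):
#   build_allowlist_rules 203.0.113.10 203.0.113.11 203.0.113.12 203.0.113.13 203.0.113.14
```

IP forwarding must also be switched on (`sysctl -w net.ipv4.ip_forward=1`) for the box to route at all. The caveat Dan raises applies directly: each rule pins one address, so when a site moves or is served from several addresses the rule set must be updated, whereas a proxy allowlist keyed on domain names does not.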
 
LVL 10

Expert Comment

by:Luxana
ID: 12196007
Or there is another, and I think the best, solution, because if you want to reject a web page such as yahoo.com then you need to reject many IP addresses. Instead of that you can use

http://www.censornet.com/

0
 
LVL 1

Expert Comment

by:shlomilev
ID: 12339311
Hey there,

First solution of mine, ok here it goes.
First of all, do what the others did with the IPtables.
Moreover, as you say it's a dedicated Linux PC for the network, you can download IPCop or Smoothwall at:
IPCOP: http://www.ipcop.org
Smoothwall: http://www.smoothwall.org

These are good firewalls.

Here's the configuration:

IPCop and Smoothwall define up to three network interfaces: RED, GREEN and ORANGE.

GREEN: This interface only connects to the computer(s) that the firewall is protecting. It is presumed to be local. Traffic to it is routed through an Ethernet NIC on the computer firewall.

ORANGE: This optional network allows you to place publicly accessible servers on a separate network. Computers on this network cannot get to the GREEN network, except through tightly controlled "DMZ pinholes". Traffic to this network is routed through an Ethernet NIC. The ORANGE NIC must be different from the GREEN NIC.

RED: This network is the Internet or other untrusted network. The firewall's primary purpose is to protect the GREEN and ORANGE networks and their computers from traffic originating on the RED network. Your current connection method and hardware are used to connect to this network.

There are two combinations allowed in the firewall. GREEN, RED is the typical network combination specified for home and small offices. GREEN, ORANGE, RED is only specified when you wish to run publicly accessible servers.

Since the RED interface can connect either by modem or by Ethernet, there are four Network Configuration Types:

GREEN (RED is modem/ISDN)

GREEN + ORANGE (RED is modem/ISDN)

GREEN + RED (RED is Ethernet)

GREEN + ORANGE + RED (RED is Ethernet)

Most connections are going to be GREEN + RED. So if you are setting it up, the GREEN is going to the computer or router. So when it asks for the IP address for the green, it will be the IP of the computer or firewall. RED is going to be the IP of the incoming line (the cable modem or the T1/ISDN line).

That's the basics of it. You connect the cables into the Ethernet cards and you're ready to go.

Cheers

Sean
0
 

Expert Comment

by:dgdubya
ID: 12348501
I've used Squid and an open source product, Dansguardian, to filter internet access. You can download Dansguardian at http://dansguard.org. You might also consider using Smoothwall and/or SmoothGuardian to solve your problem. You can get Smoothwall at http://www.smoothwall.org/.

Cheers,

Don

0
