Solved

Dedicated Linux Box to restrict internet access.

Posted on 2004-09-29
Last Modified: 2011-09-20
I have a network of 20 computers running mostly win2k and I want to limit where people can go on the Internet to only about 5 to 10 sites. Is it possible to achieve this with Linux firewall, filtering out all the traffic except for that coming from the sites that I want. If yes, then how do I do this?
Question by:alex-n-bill
8 Comments
 
LVL 2

Expert Comment

by:peteysa
ID: 12187554
Good Day,

A Squid proxy server would be ideal to block access to all sites but what you allow. The proxy server would "proxy" all web connections, perform content caching, and allow you to implement access policies for different sites.

In this setup the server would not have to act as a firewall, but you would need a firewall to restrict Internet access to only the Squid proxy server box.

Squid proxy server is packaged in most releases of Linux.

Cheers!

Dan
 
LVL 10

Assisted Solution

by:Luxana
Luxana earned 250 total points
ID: 12189405
Did you try using iptables to block all incoming requests for your websites?

http://www.linuxguruz.com/iptables/howto/
 

Author Comment

by:alex-n-bill
ID: 12191592
Do I really need a proxy server, or is a firewall enough? If I need to set up a firewall to block everything but a connection to the proxy, why don't I do the same for 5 additional IP addresses? What would be the iptables command to block all Internet access except for 5 specified IP addresses? On the other hand, is a proxy server going to be easier to configure than an iptables firewall?
 
LVL 2

Accepted Solution

by:peteysa
peteysa earned 250 total points
ID: 12192138
Hey Alex,

iptables is easiest. The problem with doing straight iptables is that the addresses of the websites may change, which will require a change to your iptables rules, but you will have to configure your entire network to flow through the firewall.

I would recommend using Webmin to manage your iptables rules and for most of your administrative tasks on the Linux server.

Cheers,

Dan
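The destination allowlist that Luxana's link and the question above describe, written out as an added example (it is not from any of the posters here): a Linux box with two NICs routing the LAN to the Internet, with a default DROP policy on FORWARD and one ACCEPT per permitted site. Interface names, the LAN range, the resolver address and the five site addresses are all constructed placeholders. The script emits the iptables commands rather than running them, so the policy can be read before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): a destination allowlist for a Linux
# box that routes a LAN to the Internet. Default policy is DROP on FORWARD,
# so the LAN can only reach the listed addresses on ports 80/443.
# Every address and interface name below is a constructed placeholder.
LAN_IF=eth1                 # assumed LAN-side NIC
WAN_IF=eth0                 # assumed Internet-side NIC
LAN_NET=192.168.1.0/24      # constructed LAN range
DNS_SERVER=192.0.2.53       # constructed resolver the clients use
# Placeholder site addresses; replace with the IPs of the permitted sites.
ALLOWED="203.0.113.10 203.0.113.11 198.51.100.5 198.51.100.6 192.0.2.20"

# Emit the iptables commands instead of running them, so the policy can be
# reviewed first. Apply with:  sh allowlist.sh | sudo sh
gen_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # Replies to connections the LAN already opened.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Name resolution still has to work or nobody can reach the allowed sites.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $DNS_SERVER -p udp --dport 53 -j ACCEPT"
    # One ACCEPT per permitted destination, HTTP and HTTPS only.
    for ip in $ALLOWED; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $ip -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) what the default DROP policy discards, to tune the list.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
    # Masquerade so the permitted traffic can actually leave the LAN.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

# Number of per-site ACCEPT rules in the generated policy.
count_site_rules() {
    gen_rules | grep -c -- "--dports 80,443"
}

gen_rules
```

Two things the question's wording leaves out: the clients still need to resolve names, so a DNS rule (here, to one constructed resolver) has to be in the list too, and every workstation's default gateway must be this box, otherwise the FORWARD chain never sees their traffic. The LOG rule is there because a site that changes address, as Dan warns, shows up in the log as a drop long before anyone works out why the page stopped loading.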
 
LVL 10

Expert Comment

by:Luxana
ID: 12196007
Or there is another, and I think the best, solution, because if you want to reject a web page such as yahoo.com then you need to reject many IP addresses. Instead of that you can use

http://www.censornet.com/

 
LVL 1

Expert Comment

by:shlomilev
ID: 12339311
Hey there,

First solution of mine, ok here it goes. First of all, do what the others did with the iptables. Moreover, as you say it's a dedicated Linux PC for the network, you can download IPCop or Smoothwall at:
IPCOP: http://www.ipcop.org
Smoothwall: http://www.smoothwall.org

These are good firewalls. Here's the configuration:

IPCop and Smoothwall define up to three network interfaces: RED, GREEN and ORANGE.

GREEN: This interface only connects to the computer(s) that the firewall is protecting. It is presumed to be local. Traffic to it is routed through an Ethernet NIC on the firewall computer.

ORANGE: This optional network allows you to place publicly accessible servers on a separate network. Computers on this network cannot get to the GREEN network, except through tightly controlled "DMZ pinholes". Traffic to this network is routed through an Ethernet NIC. The ORANGE NIC must be different from the GREEN NIC.

RED: This network is the Internet or other untrusted network. The firewall's primary purpose is to protect the GREEN and ORANGE networks and their computers from traffic originating on the RED network. Your current connection method and hardware are used to connect to this network.

There are two combinations allowed in the firewall. GREEN, RED is the typical network combination specified for home and small offices. GREEN, ORANGE, RED is only specified when you wish to run publicly accessible servers.

Since the RED interface can connect either by modem or by Ethernet, there are four network configuration types:

GREEN (RED is modem/ISDN)

GREEN + ORANGE (RED is modem/ISDN)

GREEN + RED (RED is Ethernet)

GREEN + ORANGE + RED (RED is Ethernet)

Most connections are going to be GREEN + RED. So if you are setting it up, the GREEN is going to the computer or router. So when it asks for the IP address for the GREEN, it will be the IP of the computer or firewall. RED is going to be the IP of the incoming line (the cable modem or the T1/ISDN line).

That's the basics of it. You connect the cables into the Ethernet cards and you're ready to go.

Cheers

Sean
 

Expert Comment

by:dgdubya
ID: 12348501
I've used Squid and an open source product, DansGuardian, to filter Internet access. You can download DansGuardian at http://dansguard.org. You might also consider using Smoothwall and/or SmoothGuardian to solve your problem. You can get Smoothwall at http://www.smoothwall.org/.

Cheers,

Don

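Dan's first answer and Don's answer both point at Squid as the place to express the "only these sites" policy by name instead of by address. As an added example (not the posters' own configuration), the script below turns a plain allowlist of domains into the two pieces Squid needs: the dstdomain file and a deny-by-default access section for squid.conf. The LAN range, the domain names and the output path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate a deny-by-default Squid
# configuration that allows only a short list of destination domains.
# The domain list, network range and output path are constructed placeholders.
LAN_NET=192.168.1.0/24                       # constructed LAN range
ALLOWLIST_OUT=/etc/squid/allowed-sites.txt   # assumed path on the proxy box

# Constructed sample allowlist: one domain per line, comments allowed.
DOMAINS="example.com
www.example.org      # a comment after a domain is stripped
.sub.example.net

# blank lines and comment lines are skipped"

# Normalise the list into Squid dstdomain form: strip comments and
# whitespace, drop empty lines, and prefix a dot so subdomains match too.
normalize_domains() {
    printf '%s\n' "$DOMAINS" \
        | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        | sed -e 's/^\.\{0,1\}/./'
}

# Emit the squid.conf access section. Order matters: Squid uses the first
# http_access line that matches, so the closing "deny all" is the fallback
# for anything the allowlist did not name.
gen_squid_conf() {
    echo "http_port 3128"
    echo "acl lan src $LAN_NET"
    echo "acl Safe_ports port 80 443"
    echo "acl SSL_ports port 443"
    echo "acl CONNECT method CONNECT"
    echo "acl allowed_sites dstdomain \"$ALLOWLIST_OUT\""
    echo "http_access deny !Safe_ports"
    echo "http_access deny CONNECT !SSL_ports"
    echo "http_access allow lan allowed_sites"
    echo "http_access deny all"
}

echo "# contents for $ALLOWLIST_OUT"
normalize_domains
echo "# squid.conf access section"
gen_squid_conf
```

With the proxy in place, the firewall rule set gets much shorter than a per-address list: the LAN is blocked from ports 80 and 443 directly, and only the proxy host is allowed out, which is the split Dan described in his first post. Because the match is on the requested hostname (and on the CONNECT target for HTTPS), a permitted site changing its IP address no longer breaks anything, and a site that is not on the list is refused whatever address it resolves to.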
