Solved

how to drop all traffic except internet and specific local IP address

Posted on 2009-05-05
10
499 Views
Last Modified: 2013-11-16
I would like to allow traffic to the internet from one station, but not to the local network (LAN). If possible, I would also like to allow access from that station to 3 different servers on the local network: DHCP, proxy cache and UNTANGLE. Any idea?

The internet access path is Client - LINUX BOX - switch - CISCO ROUTER - LINUX PROXY - UNTANGLE SERVER - ISP ROUTER TO INTERNET
0
Question by:solohayuno
10 Comments
 
LVL 4

Expert Comment

by:CCI_IT
ID: 24310632
For Internet access (assuming you have your NAT done), create an access list. A named extended ACL is entered in its own sub-mode:
ip access-list extended (Insert name here)
 permit tcp host x.x.x.x any eq www
 permit tcp host x.x.x.x any eq 443
Apply it inbound on the LAN-facing interface (that is where the station's private source address is still visible, before NAT):
ip access-group (Name from above) in
 
 
If that station is on the same subnet as the other 3 boxes, a router won't help you filter.
If it is not, more access control lists.
0
 
LVL 1

Expert Comment

by:vadirajj
ID: 24312913
Where is the DHCP? A network diagram would help.
0
 

Author Comment

by:solohayuno
ID: 24313172
CCI_IT: You mean an access list on the Cisco router?
vadirajj: DHCP and proxy are on the local network (LAN); switches connect all stations, including the DHCP server, proxy and Cisco router. Untangle is just after the proxy, and the internet router is just after the Untangle server.
0
 
LVL 3

Expert Comment

by:nrpanchal
ID: 24313470
You can achieve this by using ACLs or PBR. If you give more information, that will give a clearer idea.

nayan
0
 
LVL 4

Expert Comment

by:CCI_IT
ID: 24313612
Yes, an access-list on the router. But again it depends.
Scenario 1:
All servers are on the same subnet. The router will only filter internet traffic, but won't prevent machines from talking to one another. A single ACL permitting only that host will implicitly deny all other hosts from getting out to the Internet.
Scenario 2:
Servers are on different subnets. The router will be able to filter who talks to whom as long as they are on different subnets (including the Internet) using ACLs. I can get more specific if you give a more detailed topology. In either case, Internet filtering will be done the same way (with or without a firewall).
0

Author Comment

by:solohayuno
ID: 24420821
First: all have the same subnet, until now (bad design).
Second: I did it with a bridged firewall; all traffic that passed from side0 of the firewall to side1 was only allowed to reach the non-local network, no matter what type of traffic: http, https, ftp, and so on.
0
 
LVL 4

Expert Comment

by:CCI_IT
ID: 24426967
Not sure what that means.
So:
Can your router support access lists (what brand is it)?
How many interfaces are on the router?
Do you have a layer 2 switch that all of the computers connect to, which in turn connects to the router (what brand is that)?
What I am getting at is this: you can create 2 VLANs on the switch and (depending on the router) create subinterfaces on the router in order to provide routing between the 2 VLANs (subnets). That way, you can create access lists on the router to filter traffic between the 2 subnets and also between any domain machine and the Internet. Once I know what you are working with I can be a little more specific.
0
 

Author Comment

by:solohayuno
ID: 24482201
CCI_IT:

What I was looking for in the original post was a port in a public location of my network that passes through the network to the internet, with no other option than the internet.

In this scenario, it will have to pass through:
1. various Cisco Catalyst 500 series switches, to get to my central Cisco 3800 series router,
2. then be redirected to an Untangle Linux (Debian Lenny based) gateway, which is preceded by a Debian Lenny transparent cache proxy,
3. then be redirected to a Cisco 878 router which connects to our ISP.

That is the path needed to get to the internet from that public port, and the requirement is that the public port cannot reach anywhere other than the internet.
0
 
LVL 4

Accepted Solution

by:
CCI_IT earned 500 total points
ID: 24482625
OK.
I think I understand what you are saying. You will:
1) set up a VLAN for that box only.
2) span that VLAN all of the way to your 3800.
On the 3800 you will do 2 things:
  i) create an access list permitting access to the 3 machines you said that box has to communicate with
  ii) add to that access list a statement denying access to your LAN subnets.
  iii) create a policy route-map that will set the default gateway to be your 878 (assuming the cache proxy is L3 transparent) ~ this requires another access list to be created in order to define traffic that will match the policy
  iv) apply both the access list and the policy based route map to the inbound interface of the VLAN
 
This will isolate traffic from that box to the 878 and prevent access to your LAN (with the exception of the 3 machines you said it needs to see). I am not sure what networks are on your 878, but you can set up a policy route map on that as well should you need to isolate that traffic all of the way through to the internet.
0
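As an added example (not CCI_IT's own config and not from the thread): IOS syntax for steps i) to iv) above. All addresses, names and the dot1q subinterface used as the VLAN's routed interface on the 3800 are constructed assumptions; the internal ranges denied in step ii) are the three RFC 1918 blocks, which you would replace with your actual LAN subnets.

```cisco
! Added example, not from the thread. Constructed addresses: isolated VLAN 99 =
! 10.99.0.0/24 for the public port, DHCP 10.1.1.5, proxy 10.1.1.6, Untangle 10.1.1.7,
! the rest of the LAN somewhere in RFC 1918 space, and the 878 as next hop 198.51.100.2.
!
! i) permit the three servers the station has to reach
ip access-list extended PUBLIC-PORT-IN
 remark DHCP discover/request arrive as broadcasts before the client has an address
 permit udp any eq bootpc any eq bootps
 permit ip 10.99.0.0 0.0.0.255 host 10.1.1.5
 permit ip 10.99.0.0 0.0.0.255 host 10.1.1.6
 permit ip 10.99.0.0 0.0.0.255 host 10.1.1.7
 remark ii) deny every internal range (assumed RFC 1918 here), then let the Internet through
 deny   ip 10.99.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 10.99.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 10.99.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit ip 10.99.0.0 0.0.0.255 any
!
! iii) select traffic for policy routing; the internal range is excluded so packets to
!      the three servers follow the normal routing table and only the rest goes to the 878
ip access-list extended PUBLIC-PORT-PBR
 deny   ip 10.99.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.99.0.0 0.0.0.255 any
route-map TO-878 permit 10
 match ip address PUBLIC-PORT-PBR
 set ip next-hop 198.51.100.2
!
! iv) apply both on the routed interface of the isolated VLAN (dot1q subinterface assumed)
interface GigabitEthernet0/0.99
 description public port, Internet-only
 encapsulation dot1Q 99
 ip address 10.99.0.1 255.255.255.0
 ip helper-address 10.1.1.5
 ip access-group PUBLIC-PORT-IN in
 ip policy route-map TO-878
```

The inbound ACL is evaluated before the route-map, so anything denied in PUBLIC-PORT-IN never reaches the policy route; `show ip access-lists PUBLIC-PORT-IN` and the syslog entries from the `log` keyword show which internal addresses the station attempted to reach.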
 
LVL 4

Expert Comment

by:CCI_IT
ID: 24485347
Just remember when creating the access-list in i) to restrict access to all of your subnets to ensure security.
0
