how to drop all traffic except internet and specific local IP address

Last Modified: 2013-11-16
I would like to allow traffic to the internet from one station, but not to the local network (LAN). I would like, if possible, to allow access from that station to 3 different servers on the local network: DHCP, proxy cache and UNTANGLE. Any idea?

The internet access path is Client - LINUX BOX - switch - CISCO ROUTER - LINUX PROXY - UNTANGLE SERVER - ISP ROUTER TO INTERNET
Commented:
For Internet access (assuming you have your NAT done),
create an access list:

ip access-list extended (Insert name here)
 permit tcp host x.x.x.x any eq www
 permit tcp host x.x.x.x any eq 443

on your internet-bound interface:

interface (Insert interface here)
 ! "in" is correct on the interface where the station's traffic enters the
 ! router (the LAN side). On the Internet-facing interface it would have to be
 ! "out": inbound there only sees packets arriving from the Internet, whose
 ! source is never host x.x.x.x, so nothing would be permitted.
 ip access-group (Name from above) in


If that station is on the same subnet as the other 3 boxes, a router won't help you filter.
If it is not, more access control lists.

Commented:
Where is the DHCP? A network diagram would help.

Author

Commented:
CCI_IT: You mean an access list on the Cisco router?
vadirajj: DHCP and proxy are on the local network (LAN); switches connect all stations, including the DHCP server, proxy and Cisco router. Untangle is just after the proxy, and the internet router is just after the Untangle server.

Commented:
You can achieve this by using ACLs or PBR. If you give more information, that will give a clearer idea.

nayan

Commented:
Yes, an access-list on the router. But again it depends.
Scenario 1:
All servers are on the same subnet: the router will only filter internet traffic, but won't prevent machines from talking to one another. A single ACL permitting only that host will implicitly deny all other hosts from getting out to the Internet.
Scenario 2:
Servers are on different subnets: the router will be able to filter who talks to whom, as long as they are on different subnets (including the Internet), using ACLs. I can get more specific if you give a more detailed topology. In either case, Internet filtering will be done the same way (with or without a firewall).

Author

Commented:
First: all have the same subnet, until now (bad design).
Second: I did it with a bridged firewall; all traffic that passed from side0 of the firewall to side1 was only allowed to access the non-local network, no matter what type of traffic: http, https, ftp, and so on.

Commented:
Not sure what that means.
So,
Can your router support access lists (what brand is it)?
How many interfaces are on the router?
Do you have a layer 2 switch that all of the computers connect to, which in turn connects to the router (what brand is that)?
What I am getting at is this. You can create 2 VLANs on the switch and (depending on the router) create subinterfaces on the router in order to provide routing between the 2 VLANs (subnets). That way, you can create access lists on the router to filter traffic between the 2 subnets and also between any domain machine and the Internet. Once I know what you are working with I can be a little more specific.
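Worked configuration for the two-VLAN / subinterface approach described in the comment above. This is an added example, not something any poster in the thread supplied, and all names and numbers in it are assumptions: a dot1Q trunk on GigabitEthernet0/0 of the 3800, VLAN 10 (192.168.10.0/24) for the servers with the DHCP server at .2, the transparent cache proxy at .3 (assumed to listen on 3128) and Untangle at .4, and VLAN 20 (192.168.20.0/24) holding only the public port. The ACL is applied inbound on the public VLAN's subinterface, so the router sees every packet the public station sends before forwarding it. Line order matters: IOS stops at the first matching line and every ACL ends with an implicit deny, so the three internal exceptions come first, the blanket deny of private address space next, and the Internet permit last.

```cisco
! Added example with assumed addressing: Cisco 3800 routing between two VLANs,
! with the public port alone in VLAN 20 so all of its traffic crosses the router.
interface GigabitEthernet0/0
 description dot1Q trunk to the Catalyst switches
 no ip address
!
interface GigabitEthernet0/0.10
 description server VLAN: DHCP .2, transparent proxy .3, Untangle .4
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description isolated public port
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.10.2
 ip access-group PUBLIC-PORT-IN in
!
ip access-list extended PUBLIC-PORT-IN
 remark DHCP discover/request (0.0.0.0:68 -> 255.255.255.255:67) and unicast
 remark renewals to the server; ip helper-address relays the broadcasts to VLAN 10
 permit udp any eq bootpc any eq bootps
 remark the internal exceptions the question asks for, placed before any deny
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.3 eq 3128
 permit ip 192.168.20.0 0.0.0.255 host 192.168.10.4
 remark if the DHCP scope hands out an internal DNS resolver, permit it here as well
 remark refuse every private destination, including this router's own VLAN addresses
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 remark what remains is Internet-bound; the proxy and Untangle are next hops on the
 remark way out, not packet destinations, so the deny lines above do not affect that path
 permit ip 192.168.20.0 0.0.0.255 any
```

Check it with `show ip access-lists PUBLIC-PORT-IN`, which prints a match counter per line: a station on the public port should produce hits on the DHCP line, on the 192.168.0.0 deny (its attempts to reach the LAN) and on the final permit, and nothing else. Two caveats. The ACL only sees traffic that crosses the router, so if anything besides the public port is patched into VLAN 20, the station can reach it directly at layer 2; that is the same-subnet limitation from the earlier comment. And the closing permit is only safe because no ACL is applied in the return direction on the other interfaces; if one is added later, replies from the Internet will need a matching permit or a stateful mechanism of their own.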

Author

Commented:
CCI_IT:

What I was looking for in the original post was a port in a public location of my network that passes through the network to the internet, without any other option than the internet.

In this scenario, it will have to pass through:
1. various Cisco Catalyst 500 series switches, to get to my central Cisco 3800 series router,
2. then be redirected to an Untangle Linux (Debian Lenny based gateway), which is preceded by a Debian Lenny transparent cache proxy,
3. then be redirected to the Cisco 878 router which connects to our ISP.

That is the path needed to get to the internet from that public port, and the requirement is that that public port not be allowed access to anywhere other than the internet.
Commented:
Just remember when creating the access-list in i) to restrict access to all of your subnets to ensure security.