[K12OSN] Block internet access on thinclient side
Brian Chivers
brian at portsmouth-college.ac.uk
Wed Apr 2 13:06:46 UTC 2008
No problem.
Typed it in and it's added OK, just issued
iptables-save > /etc/sysconfig/iptables
so hopefully it'll kick in if I reboot.
Now just have to test it on a box :-)
Brian
James P. Kinney III wrote:
> Ugh. Still blinked and missed the foobar.
>
> iptables -A PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j
> DNAT --to-destination 192.168.0.80:8080
>
> The -I means to "insert" a rule and a required rule number must be next.
> Without the rule number, nothing happens (as you have seen :-) -A means
> to append to the list. I've spent the last several days doing inserts and
> that is the current personal default :) sorry for the slip.
>
> On Tue, 2008-04-01 at 14:12 +0100, Brian Chivers wrote:
>> OK being really stupid today :-(
>>
>> I've done
>>
>> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j DNAT --to-destination
>> 192.168.0.80:8080
>>
>> If I then do a
>>
>> iptables --list
>>
>> Nothing shows up, do I have to save it in some way ??
>>
>> In /etc/sysconfig there is a file called iptables, can I just add it to that ??
>>
>> Sorry I'm being really slow about this :-/
>>
>> Brian
>>
>> James P. Kinney III wrote:
>>> Sorry. sleep deprivation. change REDIRECT to DNAT
>>>
>>> For a full discussion of all the parts of iptables, man iptables tells
>>> all. But it is quite overwhelming :)
>>>
>>> For a great book on Linux Security, get Real World Linux Security by Bob
>>> Toxen (I know him personally - he was one of the small team that ported
>>> unix to the SGI MIPS platform back when dinosaurs...).
>>> On Tue, 2008-04-01 at 10:36 +0100, Brian Chivers wrote:
>>>> Just tried this and got the error below
>>>>
>>>> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j REDIRECT --to-destination
>>>> 192.168.0.80:8080
>>>>
>>>> iptables v1.3.5: Unknown arg `--to-destination'
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>>
>>>>
>>>> Help :-)
>>>> Brian
>>>>
>>>>
>>>> James P. Kinney III wrote:
>>>>> Hi Brian,
>>>>>
>>>>> It is quite easy to do what you need. The thin clients all run their web
>>>>> browser on the server so only the thin client servers need to be
>>>>> adjusted. iptables is the correct way to do it because proxy settings in
>>>>> user configs can be changed.
>>>>>
>>>>> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j
>>>>> REDIRECT --to-destination <ip of proxy>:<port of proxy>
>>>>>
>>>>> Repeat that for all other port traffic you need by just changing the 80.
>>>>>
>>>>> You can save the final configuration with iptables-save >
>>>>> iptables-saved-file
>>>>> and restore with iptables-restore iptables-saved-file
>>>>> On Mon, 2008-03-31 at 12:09 +0100, Brian Chivers wrote:
>>>>>> I'd like to block all access to the outside network / internet from our thinclients unless they go
>>>>>> via our proxy server. I have installed a global extension for firefox that has set it up how I
>>>>>> want with proxies and bookmarks etc for all users but if you change the connection setting to
>>>>>> "direct" you go straight out bypassing everything.
>>>>>>
>>>>>> I could setup our main firewall to block the thinclient server completely but it is very useful to
>>>>>> have full connectivity on it for things like freenx and updates.
>>>>>>
>>>>>> Is it possible to setup the iptables on the k12ltsp box itself to drop or redirect all connections from
>>>>>> the thinclient side and only allow the important ones for things like the initial booting?
>>>>>>
>>>>>> I've never played with iptables before; any useful pointers would be gratefully received.
>>>>>>
>>>>>> Thanks
>>>>>> Brian Chivers
>>>>>> Portsmouth College
>>>>>>
>>>>>> ------------------------------------------------------------------------------------------------
>>>>>> The views expressed here are my own and not necessarily
>>>>>>
>>>>>> the views of Portsmouth College
>>>>>>
>>>>>> _______________________________________________
>>>>>> K12OSN mailing list
>>>>>> K12OSN at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/k12osn
>>>>>> For more info see <http://www.k12os.org>
>>>>>>
>>
------------------------------------------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College
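Added example, not part of the thread above and not Brian's or James's setup: a small POSIX shell script that generates an iptables-restore file for the approach discussed (DNAT web traffic from the thin-client side to a proxy, then save it where the init script loads it). The DNAT target is the one that takes --to-destination; REDIRECT only takes --to-ports and always sends traffic to the local machine, which is why the earlier command was rejected. Two things a practitioner wants covered that the thread's one-liner does not: nat PREROUTING only sees packets that arrive on an interface, so browsers running on the LTSP server itself (as James notes they do) are caught in nat OUTPUT instead; and the rewritten flows from the thin-client subnet are masqueraded so the proxy's replies return through the server and get un-NATed. The interface (eth0), subnet (192.168.0.0/24), proxy address (192.168.0.80:8080) and port list are placeholders I chose; the assumed layout is the usual two-NIC K12LTSP server with the thin clients on a private subnet behind it.

```shell
#!/bin/sh
# Added example: build iptables-restore input that forces web traffic from
# the thin-client side through a proxy. Every interface, subnet, address
# and port below is a placeholder chosen for illustration.

# nat_rules IFACE SUBNET PROXY PPORT PORT...
# Emits the *nat table: DNAT each listed destination port to PROXY:PPORT.
nat_rules() {
    iface=$1 subnet=$2 proxy=$3 pport=$4
    shift 4
    printf '%s\n' '*nat'
    for port in "$@"; do
        # Packets from physical thin-client NICs arriving on the LAN interface.
        # "! -d $proxy" keeps traffic already aimed at the proxy untouched.
        printf '%s\n' "-A PREROUTING -i $iface -s $subnet ! -d $proxy -p tcp -m tcp --dport $port -j DNAT --to-destination $proxy:$pport"
        # Locally generated packets (browsers running on the LTSP server):
        # these never traverse PREROUTING, only the nat OUTPUT chain.
        printf '%s\n' "-A OUTPUT ! -d $proxy -p tcp -m tcp --dport $port -j DNAT --to-destination $proxy:$pport"
    done
    # Rewritten, forwarded flows leave with the server's own address so the
    # proxy answers the server, which undoes the DNAT on the way back.
    printf '%s\n' "-A POSTROUTING -s $subnet -d $proxy -p tcp -m tcp --dport $pport -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# filter_rules IFACE SUBNET PROXY PPORT
# Emits the *filter table: routed traffic from the thin-client subnet may
# only reach the proxy port; anything else routed out is dropped. Boot
# services (DHCP, TFTP, NFS) are served by this box and arrive via INPUT,
# so they are not affected by FORWARD rules.
filter_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' "-A FORWARD -i $1 -s $2 -d $3 -p tcp -m tcp --dport $4 -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $1 -s $2 -j DROP"
    printf '%s\n' 'COMMIT'
}

# build_ruleset IFACE SUBNET PROXY PPORT PORT...
# The complete iptables-restore input, both tables.
build_ruleset() {
    nat_rules "$@"
    filter_rules "$1" "$2" "$3" "$4"
}

# save_ruleset FILE IFACE SUBNET PROXY PPORT PORT...
# Writes the ruleset to FILE (e.g. /etc/sysconfig/iptables, which the
# system in the thread loads at boot). Not called here; run it yourself.
save_ruleset() {
    file=$1
    shift
    build_ruleset "$@" > "$file"
}

# Example invocation (prints to stdout; redirect or use save_ruleset):
#   build_ruleset eth0 192.168.0.0/24 192.168.0.80 8080 80 443
```

Load the generated file with iptables-restore < FILE and check the result with iptables -t nat -L -n and iptables -L -n: plain iptables --list shows only the filter table, so DNAT rules in the nat table never appear there. Because the rules are appended in order, the FORWARD ACCEPT for the proxy port must stay above the DROP, which build_ruleset guarantees.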