[K12OSN] Block internet access on thinclient side

James P. Kinney III jkinney at localnetsolutions.com
Tue Apr 1 11:52:04 UTC 2008


Sorry, sleep deprivation. Change REDIRECT to DNAT.

For a full discussion of all the parts of iptables, man iptables tells
all. But it is quite overwhelming :)

For a great book on Linux Security, get Real World Linux Security by Bob
Toxen (I know him personally - he was one of the small team that ported
unix to the SGI MIPS platform back when dinosaurs...).

On Tue, 2008-04-01 at 10:36 +0100, Brian Chivers wrote:
> Just tried this and got the error below
> 
> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j REDIRECT --to-destination 192.168.0.80:8080
> 
> iptables v1.3.5: Unknown arg `--to-destination'
> Try `iptables -h' or 'iptables --help' for more information.
> 
> 
> Help :-)
> Brian
> 
> 
> James P. Kinney III wrote:
> > Hi Brian,
> > 
> > It is quite easy to do what you need. The thin clients all run their web
> > browser on the server so only the thin client servers need to be
> > adjusted. iptables is the correct way to do it because proxy settings in
> > user configs can be changed.
> > 
> > iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j REDIRECT --to-destination <ip of proxy>:<port of proxy>
> > 
> > Repeat that for all other port traffic you need by just changing the 80.
> > 
> > You can save the final configuration with
> >   iptables-save > iptables-saved-file
> > and restore with
> >   iptables-restore iptables-saved-file
> > 
> > On Mon, 2008-03-31 at 12:09 +0100, Brian Chivers wrote:
> >> I'd like to block all access to the outside network / internet from our thinclients unless they go 
> >> via our proxy server. I have installed a global extension for firefox that has set it up how I 
> >> want with proxies and bookmarks etc for all users, but if you change the connection setting to 
> >> "direct" you go straight out bypassing everything.
> >>
> >> I could setup our main firewall to block the thinclient server completely but it is very useful to 
> >> have full connectivity on it for things like freenx and updates.
> >>
> >> Is it possible to set up iptables on the k12ltsp box itself to drop or redirect all connections from 
> >> the thinclient side and only allow the important ones for things like the initial booting?
> >>
> >> I've never played with iptables before; any useful pointers would be gratefully received.
> >>
> >> Thanks
> >> Brian Chivers
> >> Portsmouth College
> >>
> >> ------------------------------------------------------------------------------------------------
> >> The views expressed here are my own and not necessarily the views of Portsmouth College
> >>
> >> _______________________________________________
> >> K12OSN mailing list
> >> K12OSN at redhat.com
> >> https://www.redhat.com/mailman/listinfo/k12osn
> >> For more info see <http://www.k12os.org>
> >>
> 
> 
-- 
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
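An added example, not from this thread or the K12LTSP project: a POSIX shell script that generates the nat-table fragment for iptables-restore, using DNAT with --to-destination as James's correction says (REDIRECT only accepts --to-ports and always sends to the local machine, which is why Brian's command was rejected). The proxy address 192.168.0.80:8080 is taken from Brian's test command; the LAN range 192.168.0.0/24 and the Unix user name squid are assumptions to adjust. It differs from the quoted one-liner in two ways, both standard netfilter behaviour: the browsers run on the LTSP server itself, so their packets are locally generated and traverse the nat OUTPUT chain (PREROUTING only sees packets arriving on an interface), and LAN destinations are exempted so that traffic to the proxy itself and to internal web servers is not rewritten.

```shell
#!/bin/sh
# Added example (not from the K12OSN thread): build an iptables-restore
# fragment that forces locally generated web traffic through a proxy via DNAT.
# Placeholders, adjust before use:
PROXY_IP="${PROXY_IP:-192.168.0.80}"      # from Brian's test command
PROXY_PORT="${PROXY_PORT:-8080}"          # from Brian's test command
LAN_NET="${LAN_NET:-192.168.0.0/24}"      # assumption: local LAN, left direct
PROXY_USER="${PROXY_USER:-squid}"         # assumption: only used if proxy is local

# Emit one DNAT rule for a TCP destination port.
# Locally generated packets (browsers on the LTSP server) are matched in the
# nat OUTPUT chain, not PREROUTING. DNAT takes --to-destination ip:port;
# REDIRECT takes --to-ports, hence the "Unknown arg" error in the thread.
dnat_rule() {
    port="$1"
    rule="-A OUTPUT ! -d $LAN_NET -p tcp -m tcp --dport $port"
    rule="$rule -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
    printf '%s\n' "$rule"
}

# Same rule, but skip the proxy daemon's own traffic (needed when the proxy
# runs on this same host, otherwise its outbound fetches loop back to itself).
dnat_rule_local_proxy() {
    port="$1"
    rule="-A OUTPUT ! -d $LAN_NET -m owner ! --uid-owner $PROXY_USER"
    rule="$rule -p tcp -m tcp --dport $port"
    rule="$rule -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
    printf '%s\n' "$rule"
}

# Produce a complete nat-table fragment for iptables-restore, one rule per
# port given on the command line (e.g. 80 443).
build_proxy_rules() {
    printf '*nat\n'
    for p in "$@"; do
        dnat_rule "$p"
    done
    printf 'COMMIT\n'
}

# Sanity check before loading: number of DNAT rules in a fragment.
count_dnat_rules() {
    printf '%s\n' "$1" | grep -c -- '-j DNAT'
}

# Only act when run directly with ports as arguments.
if [ "$#" -gt 0 ]; then
    build_proxy_rules "$@"
fi
```

Usage: `sh proxy-rules.sh 80 443 > proxy.rules`, inspect the file, then as root `iptables-restore --noflush < proxy.rules` (reading from stdin works on every iptables-restore version, including 1.3.5). Swap `dnat_rule` for `dnat_rule_local_proxy` inside `build_proxy_rules` if the proxy daemon runs on the LTSP server itself; the `-m owner` match is only valid in OUTPUT and POSTROUTING, which is another reason this belongs in OUTPUT rather than PREROUTING. Traffic to ports you do not list is unaffected, so pair this with filter-table rules if the goal is to block, rather than redirect, everything else.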


