[K12OSN] Block internet access on thinclient side

Brian Chivers brian at portsmouth-college.ac.uk
Tue Apr 1 13:12:08 UTC 2008


OK, being really stupid today :-(

I've done

iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.0.80:8080

If I then do a

iptables --list

Nothing shows up; do I have to save it in some way?

In /etc/sysconfig there is a file called iptables; can I just add it to that?

Sorry I'm being really slow about this :-/

Brian

James P. Kinney III wrote:
> Sorry, sleep deprivation. Change REDIRECT to DNAT.
> 
> For a full discussion of all the parts of iptables, man iptables tells
> all. But it is quite overwhelming :)
> 
> For a great book on Linux Security, get Real World Linux Security by Bob
> Toxen (I know him personally - he was one of the small team that ported
> Unix to the SGI MIPS platform back when dinosaurs...).
> On Tue, 2008-04-01 at 10:36 +0100, Brian Chivers wrote:
>> Just tried this and got the error below
>>
>> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j REDIRECT --to-destination 192.168.0.80:8080
>>
>> iptables v1.3.5: Unknown arg `--to-destination'
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>>
>> Help :-)
>> Brian
>>
>>
>> James P. Kinney III wrote:
>>> Hi Brian,
>>>
>>> It is quite easy to do what you need. The thin clients all run their web
>>> browser on the server so only the thin client servers need to be
>>> adjusted. iptables is the correct way to do it because proxy settings in
>>> user configs can be changed.
>>>
>>> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j REDIRECT --to-destination <ip of proxy>:<port of proxy>
>>>
>>> Repeat that for all other port traffic you need by just changing the 80.
>>>
>>> You can save the final configuration with iptables-save > iptables-saved-file
>>> and restore with iptables-restore iptables-saved-file
>>> On Mon, 2008-03-31 at 12:09 +0100, Brian Chivers wrote:
>>>> I'd like to block all access to the outside network / internet from our thinclients unless they go
>>>> via our proxy server. I have installed a global extension for firefox that has set it up how I
>>>> want with proxies and bookmarks etc. for all users, but if you change the connection setting to
>>>> "direct" you go straight out, bypassing everything.
>>>>
>>>> I could set up our main firewall to block the thinclient server completely, but it is very useful to
>>>> have full connectivity on it for things like freenx and updates.
>>>>
>>>> Is it possible to set up iptables on the k12ltsp box itself to drop or redirect all connections from
>>>> the thinclient side and only allow the important ones for things like the initial booting?
>>>>
>>>> I've never played with iptables before; any useful pointers would be gratefully received.
>>>>
>>>> Thanks
>>>> Brian Chivers
>>>> Portsmouth College
>>>>
>>>> ------------------------------------------------------------------------------------------------
>>>>     The views expressed here are my own and not necessarily
>>>>  
>>>>                 the views of Portsmouth College    
>>>>
>>>> _______________________________________________
>>>> K12OSN mailing list
>>>> K12OSN at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/k12osn
>>>> For more info see <http://www.k12os.org>
>>>>
>>


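As an added example (not code from this thread or from K12LTSP), the following POSIX shell script writes the nat rules the thread is building in the iptables-restore format that /etc/sysconfig/iptables holds, and shows how to load and list them; the proxy address, proxy port and thin-client subnet are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a nat ruleset in iptables-restore
# format (the format /etc/sysconfig/iptables uses) that sends web traffic to a
# proxy. All addresses below are assumed placeholders.
PROXY_IP="${PROXY_IP:-192.168.0.80}"   # assumed proxy address
PROXY_PORT="${PROXY_PORT:-8080}"       # assumed proxy port
LAN="${LAN:-192.168.0.0/24}"           # assumed thin-client subnet
PORTS="${PORTS:-80}"                   # one pair of rules per port; add more as needed

# Browsers on an LTSP server run on the server itself, so their packets are
# locally generated and never pass PREROUTING: the nat OUTPUT chain is the one
# that sees them. PREROUTING still catches anything a client sends directly.
# Traffic already addressed to the proxy is excluded so it is not rewritten twice.
# The proxy must accept DNATed (transparent) connections on PROXY_PORT.
proxy_ruleset() {
    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    for port in $PORTS; do
        printf '%s\n' "-A OUTPUT ! -d $PROXY_IP -p tcp --dport $port -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
        printf '%s\n' "-A PREROUTING -s $LAN ! -d $PROXY_IP -p tcp --dport $port -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
    done
    printf 'COMMIT\n'
}

# Load the ruleset without flushing the filter table, then list it. A plain
# `iptables --list` shows only the filter table, which is why a nat rule seems
# to vanish; the nat table has to be requested with -t nat.
apply_ruleset() {
    proxy_ruleset | iptables-restore -n
    iptables -t nat -L OUTPUT -n -v
    iptables -t nat -L PREROUTING -n -v
}

if [ "${1:-}" = "apply" ]; then apply_ruleset; else proxy_ruleset; fi
```

Run it with no argument to print the ruleset for review, or as root with `apply` to load it; root's own downloads (yum, etc.) are rewritten as well, so exempt them with the owner match if the proxy should not see them.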