[K12OSN] Block internet access on thinclient side

Peter Scheie peter at scheie.homedns.org
Tue Apr 1 13:43:51 UTC 2008


I think 'iptables --list' defaults to only showing the filter table.  Try 
'iptables -t nat --list'.

Peter

Brian Chivers wrote:
> OK being really stupid today :-(
> 
> I've done
> 
> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.0.80:8080
> 
> If I then do a
> 
> iptables --list
> 
> Nothing shows up, do I have to save it in some way ??
> 
> In /etc/sysconfig there is a file called iptables, can I just add it to 
> that ??
> 
> Sorry I'm being really slow about this :-/
> 
> Brian
> 
> James P. Kinney III wrote:
>> Sorry. sleep deprivation. change REDIRECT to DNAT
>>
>> For a full discussion of all the parts of iptables, man iptables tells
>> all. But it is quite overwhelming :)
>>
>> For a great book on Linux Security, get Real World Linux Security by Bob
>> Toxen (I know him personally - he was one of the small team that ported
>> unix to the SGI MIPS platform back when dinosaurs...).
>>
>> On Tue, 2008-04-01 at 10:36 +0100, Brian Chivers wrote:
>>> Just tried this and got the error below
>>>
>>> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j REDIRECT --to-destination 192.168.0.80:8080
>>>
>>> iptables v1.3.5: Unknown arg `--to-destination'
>>> Try `iptables -h' or 'iptables --help' for more information.
>>>
>>>
>>> Help :-)
>>> Brian
>>>
>>>
>>> James P. Kinney III wrote:
>>>> Hi Brian,
>>>>
>>>> It is quite easy to do what you need. The thin clients all run their
>>>> web browser on the server, so only the thin client servers need to be
>>>> adjusted. iptables is the correct way to do it because proxy settings
>>>> in user configs can be changed.
>>>>
>>>> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j REDIRECT --to-destination <ip of proxy>:<port of proxy>
>>>>
>>>> Repeat that for all other port traffic you need by just changing the 80.
>>>>
>>>> You can save the final configuration with iptables-save > iptables-saved-file
>>>> and restore with iptables-restore iptables-saved-file
>>>>
>>>> On Mon, 2008-03-31 at 12:09 +0100, Brian Chivers wrote:
>>>>> I'd like to block all access to the outside network / internet from
>>>>> our thinclients unless they go via our proxy server. I have installed
>>>>> a global extension for firefox that has set it up how I want with
>>>>> proxies and bookmarks etc for all users, but if you change the
>>>>> connection setting to "direct" you go straight out bypassing
>>>>> everything.
>>>>>
>>>>> I could setup our main firewall to block the thinclient server 
>>>>> completely but it is very useful to have full connectivity on it 
>>>>> for things like freenx and updates.
>>>>>
>>>>> Is it possible to set up the iptables on the k12ltsp box itself to
>>>>> drop or redirect all connections from the thinclient side and only
>>>>> allow the important ones for things like the initial booting?
>>>>>
>>>>> I've never played with iptables before; any useful pointers would be
>>>>> gratefully received.
>>>>>
>>>>> Thanks
>>>>> Brian Chivers
>>>>> Portsmouth College
>>>>>
>>>>> ------------------------------------------------------------------------------------------------ 
>>>>>
>>>>>     The views expressed here are my own and not necessarily
>>>>>  
>>>>>                 the views of Portsmouth College   
>>>>> _______________________________________________
>>>>> K12OSN mailing list
>>>>> K12OSN at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/k12osn
>>>>> For more info see <http://www.k12os.org>
>>>>>
>>>
> 
> 

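Added worked example (not part of the thread, and not a K12LTSP or list-supplied script): a POSIX shell script that generates the whole ruleset in iptables-restore format, installs it, and prints it back. Two points the thread never states explicitly: the browsers on an LTSP server are local processes, so their packets traverse the nat OUTPUT chain and never nat PREROUTING (which only sees packets arriving on an interface), and a `-s 127.0.0.1` match cannot fit an outbound packet, whose source is the server's own LAN address. REDIRECT only diverts traffic to the local host and takes `--to-ports`; DNAT to another machine takes `--to-destination`. A DNAT of port 80 to a proxy port only works if the proxy accepts intercepted requests (Squid's transparent/intercept mode), and HTTPS cannot be rewritten into a plain proxy port at all, so whatever the DNAT does not catch is rejected in the filter table rather than left open. The proxy 192.168.0.80:8080 is the one from Brian's message; the LAN 192.168.0.0/24, the save path /etc/sysconfig/iptables, a LAN-side DNS resolver and the use of `-m owner --uid-owner 0` to keep root's update traffic unfiltered are assumptions.

```shell
#!/bin/sh
# Added example, not from the K12OSN thread.  Forces the LTSP server's own
# outbound web traffic through a proxy and keeps the rules in iptables-restore
# format.  Hypothetical site values, adjust to taste:
PROXY_IP="${PROXY_IP:-192.168.0.80}"            # proxy host named in the thread
PROXY_PORT="${PROXY_PORT:-8080}"                # proxy port named in the thread
LAN="${LAN:-192.168.0.0/24}"                    # assumed local network, never redirected
SAVEFILE="${SAVEFILE:-/etc/sysconfig/iptables}" # assumed: file the RHEL/Fedora init script loads

# Emit a complete ruleset on stdout.  Browsers on an LTSP server run on the
# server itself, so their packets are locally generated and pass through nat
# OUTPUT; nat PREROUTING only sees packets arriving on an interface.
gen_rules() {
    proxy_ip=$1; proxy_port=$2; lan=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Leave loopback and LAN destinations (the proxy included) untouched.
-A OUTPUT -o lo -j RETURN
-A OUTPUT -d $lan -j RETURN
# Root (package updates, cron) keeps direct access; every other user's port-80
# traffic is rewritten to the proxy, which must run in transparent/intercept mode.
-A OUTPUT -m owner --uid-owner 0 -j RETURN
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination $proxy_ip:$proxy_port
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to inbound sessions (freenx, XDMCP, NFS/TFTP for the clients) must pass.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $lan -j ACCEPT
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
# DNS is assumed to be local or on the LAN; add a udp/53 rule here otherwise.
# Anything else a user process sends off-LAN (HTTPS, a browser set to "direct",
# any other port) is refused rather than silently dropped.
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT
COMMIT
EOF
}

# Install the generated rules atomically and persist them for the next boot.
apply_rules() {
    gen_rules "$PROXY_IP" "$PROXY_PORT" "$LAN" | iptables-restore
    iptables-save > "$SAVEFILE"
}

# 'iptables -L' shows only the filter table; the DNAT rule needs '-t nat'.
show_rules() {
    iptables -t nat -L OUTPUT -n -v --line-numbers
    iptables -L OUTPUT -n -v --line-numbers
}

# Self-check on the generated text: the DNAT to proxy_ip:proxy_port sits in the
# nat table and comes after the LAN exemption, so LAN web servers are not redirected.
check_rules() {
    rules=$(gen_rules "$@")
    printf '%s\n' "$rules" | awk -v ip="$1:$2" '
        /^\*nat/    { table = "nat" }
        /^\*filter/ { table = "filter" }
        table == "nat" && /-j RETURN/ && /-d /        { exempt = NR }
        table == "nat" && /-j DNAT/ && index($0, ip)  { dnat = NR }
        END { exit !(exempt && dnat && exempt < dnat) }'
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_rules ;;
    *)     gen_rules "$PROXY_IP" "$PROXY_PORT" "$LAN" ;;
esac
```

Run it with no argument to see the ruleset, `apply` (as root) to install and save it, and `show` to list the OUTPUT chains of both tables. The thin clients themselves only talk to the server (TFTP, NFS, XDMCP), so nothing extra is opened for booting; if the server also routes packets for the clients, the FORWARD chain needs the same LAN-only treatment, which this example does not add.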