[K12OSN] Block internet access on thinclient side
James P. Kinney III
jkinney at localnetsolutions.com
Wed Apr 2 12:26:00 UTC 2008
Ugh. Still blinked and missed the foobar.
iptables -A PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.0.80:8080
The -I means to "insert" a rule and a required rule number must be next.
Without the rule number, nothing happens (as you have seen :-). -A means
to append to the list. I've spent the last several days doing inserts and
that is the current personal default :). Sorry for the slip.
On Tue, 2008-04-01 at 14:12 +0100, Brian Chivers wrote:
> OK being really stupid today :-(
>
> I've done
>
> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.0.80:8080
>
> If I then do a
>
> iptables --list
>
> Nothing shows up, do I have to save it in some way ??
>
> In /etc/sysconfig there is a file called iptables, can I just add it to that ??
>
> Sorry I'm being really slow about this :-/
>
> Brian
>
> James P. Kinney III wrote:
> > Sorry. Sleep deprivation. Change REDIRECT to DNAT.
> >
> > For a full discussion of all the parts of iptables, man iptables tells
> > all. But it is quite overwhelming :)
> >
> > For a great book on Linux Security, get Real World Linux Security by Bob
> > Toxen (I know him personally - he was one of the small team that ported
> > unix to the SGI MIPS platform back when dinosaurs...).
> > On Tue, 2008-04-01 at 10:36 +0100, Brian Chivers wrote:
> >> Just tried this and got the error below
> >>
> >> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j REDIRECT --to-destination 192.168.0.80:8080
> >>
> >> iptables v1.3.5: Unknown arg `--to-destination'
> >> Try `iptables -h' or 'iptables --help' for more information.
> >>
> >>
> >> Help :-)
> >> Brian
> >>
> >>
> >> James P. Kinney III wrote:
> >>> Hi Brian,
> >>>
> >>> It is quite easy to do what you need. The thin clients all run their web
> >>> browser on the server so only the thin client servers need to be
> >>> adjusted. iptables is the correct way to do it because proxy settings in
> >>> user configs can be changed.
> >>>
> >>> iptables -I PREROUTING -t nat -s 127.0.0.1 -m tcp -p tcp --dport 80 -j REDIRECT --to-destination <ip of proxy>:<port of proxy>
> >>>
> >>> Repeat that for all other port traffic you need by just changing the 80.
> >>>
> >>> You can save the final configuration with iptables-save >
> >>> iptables-saved-file
> >>> and restore with iptables-restore iptables-saved-file
> >>> On Mon, 2008-03-31 at 12:09 +0100, Brian Chivers wrote:
> >>>> I'd like to block all access to the outside network / internet from our thinclients unless they go
> >>>> via our proxy server. I have installed a global extension for firefox that has set it up how I
> >>>> want with proxies and bookmarks etc. for all users, but if you change the connection setting to
> >>>> "direct" you go straight out, bypassing everything.
> >>>>
> >>>> I could setup our main firewall to block the thinclient server completely but it is very useful to
> >>>> have full connectivity on it for things like freenx and updates.
> >>>>
> >>>> Is it possible to set up the iptables on the k12ltsp box itself to drop or redirect all connections from
> >>>> the thinclient side and only allow the important ones for things like the initial booting?
> >>>>
> >>>> I've never played with iptables before; any useful pointers would be gratefully received.
> >>>>
> >>>> Thanks
> >>>> Brian Chivers
> >>>> Portsmouth College
> >>>>
> >>>> ------------------------------------------------------------------------------------------------
> >>>> The views expressed here are my own and not necessarily
> >>>>
> >>>> the views of Portsmouth College
> >>>>
> >>>> _______________________________________________
> >>>> K12OSN mailing list
> >>>> K12OSN at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/k12osn
> >>>> For more info see <http://www.k12os.org>
> >>>>
> >>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
--
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
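As an added example (not the commands from this thread, and assuming a current iptables that accepts `! -d` and `-m owner`), this POSIX shell script generates, applies, lists and saves the proxy-enforcement rules for an LTSP server. It goes beyond the thread in one respect: because the thin clients' browsers run on the server itself, the traffic is locally generated and is matched in the nat table's OUTPUT chain rather than PREROUTING; the proxy address 192.168.0.80:8080 comes from the thread, the uid 0 exemption (so root's updates keep direct access) is a constructed assumption.

```shell
#!/bin/sh
# Added example, not the list thread's own commands. It generates (and can
# apply) the iptables rules that force web traffic on an LTSP server through
# a proxy. Constructed assumptions: proxy at 192.168.0.80:8080, port 80 only
# by default, and uid 0 exempted so root's updates and freenx keep direct access.
PROXY_IP="${PROXY_IP:-192.168.0.80}"
PROXY_PORT="${PROXY_PORT:-8080}"
PORTS="${PORTS:-80}"

# The browsers run on the server itself, so their packets are locally
# generated and traverse the nat table's OUTPUT chain; PREROUTING only sees
# packets arriving from the network. "! -d $PROXY_IP" keeps connections that
# already go to the proxy from being rewritten again. The proxy must accept
# intercepted (transparent) requests on PROXY_PORT.
proxy_rules() {
    for port in $PORTS; do
        printf 'iptables -t nat -A OUTPUT ! -d %s -p tcp --dport %s -m owner ! --uid-owner 0 -j DNAT --to-destination %s:%s\n' \
            "$PROXY_IP" "$port" "$PROXY_IP" "$PROXY_PORT"
    done
}

# Apply every generated rule; with DRY_RUN set, print it instead (no root needed).
apply_rules() {
    proxy_rules | while IFS= read -r rule; do
        if [ -n "$DRY_RUN" ]; then
            printf '%s\n' "$rule"
        else
            eval "$rule"
        fi
    done
}

# "iptables --list" shows only the filter table; nat rules need -t nat.
show_rules() {
    iptables -t nat -L OUTPUT -n --line-numbers
}

# Persist the live rule set; /etc/sysconfig/iptables is what the init script
# restores on a Red Hat style system (iptables-restore does the same by hand).
save_rules() {
    iptables-save > /etc/sysconfig/iptables
}
```

Run `DRY_RUN=1 sh script.sh` and call `apply_rules` to review the rules before applying them as root.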