m_ginty

Hi, newbie to Linux and probably biting off more than I can chew but....I' ve a situation where I have been asked to put in a linux installation and only have the user access one website.
I intend to change the login for that user so that they login graphically and then Mozilla starts automatically and only go to one website. I'm currently reading up on the security policies but any pointers would be useful.
I am intending to lockdown the connection using IPtables - is this a good one to go for or should I chose something else?
What other considerations should I be thinking of? Things like hosts.allow and deny?
It would be useful if I can remote access this device - I operate from behind a firewall/gateway with a fixed IP
It will be connecting to the internet via broadband with a fixed IP address on a USB router - will there be any problems here?
Any pointers on any of this greatly received.
Thanks

sarumont

First off, welcome to Linux and the forums.

A secure IPTables setup is definately the way to go. With that setup properly, hosts.allow and hosts.deny don't really do anything, but redundancy is always good.

For the rest of the setup, just make sure you don't have anything running that shouldn't be (to keep the server quick and have more hassle-free maintainence). Also, make sure to have your servers chrooted or setup to run w/o suid.

And can you explain the whole networking setup a little more clearly? It doesn't make a lot of sense to me...

__________________
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy

m_ginty

Hi there, thanks for the reply.
What I'm doing is setting up an internet 'kiosk' in a shop so that the shop manager can access our opnline catalgue and order goods for the customer that may not be in store.
To do this, I thought I could use Linux.
So far, I have a RH9 installation and have created a new user.
I've set the bash_profile so that X starts when that user logs on.
At the moment I'm looking at the mozilla kiosk project as this seems a good way to go to only let the user access the one website (tho I'm trying to efit mozilla prefs.js but can't fid it!)
The PC will be connected to the internet via a USB DSL modem and I have been given a fixed IP by the ISP (BT). There is a USB PCI card in the PC. The drivers for the modem are only for PC and Mac but I have been told this shouldn't really matter?
I haven't tested this yet tho so am not sure whether this will work.
Should this work, I will be in a situation where I have a PC connected to the internet 'always on'. I'm thinking I can edit IPtables so that only my external IP and the website IP can communicate. Would I need to add any more entries?
I've kept the installation as small as I can possible think and have no servers running. I've also disabled service I don't need tho I need to check on this in greater detail.
The only downer is I need to get this installed today! My fall back/ backup is that I have dual booted to W98 so if I can't get this working in time (looking more likely) I can use W98 (tho I would like to avoid this!)

Goran

Hi ! I don't know whether you will be able to setup that modem to work under linux, but if you do configuring iptables shouldn't be hard. Maybe you would like to read some articels about it on netfilter.org but here is what you should do : if I understood correctly the ONLY permitted address for comunication should be that website ? Ok:
You should permit other addresses that you know the computer needs - like the remote address of the ISP or something. If this is not what you asked for then sorry. I just want to help

m_ginty

Hi Goran, that looks really really useful - thanks v much.
I'll have a look at the site you mentioned too and give those entries a try (if I can get the modem working!)
thanks

Goran

I am glad I could help. You could also try Guarddog currently version 2.2.0 I think. It can be found at www.simonzone.com. It is a front-end tu ip-tables, so if you don't like issuing commands in the console - you can easily configure that firewall by making two zones - one with the web site and the dns with their ip addresses and another with the ip address 0.0.0.0/0 which marks all the computers on the internet.

Anyway, I wish You luck .