- 12-10-2009 #1
Grant access to a single website with IPtables
Hello,
Can someone help me, please.
Here is the scenario:
I have an internal network that has no access to the internet.
And I need to grant access to only one website.
Can this be done?
eth1 = 192.168.0.1/24 -- internal
eth0 = 222.222.222.222 -- external
This is what I did so far:
echo 1 > /proc/sys/net/ipv4/ip_forward
I know I have to set up NAT and then a restriction...
But how do I go about doing that?
Thank you in advance.
- 12-10-2009 #2
Here is a TUTORIAL for setting up IPTABLES.
I am going to assume the WEB server is on the inside of your network and you want to allow external connections to it since you didn't say this.
This is very basic so you will have to read the tutorial and change as needed for your setup. You will need something like this.
Code:
# forward inbound port 80 on the external interface to the internal web server
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination <ip of web server>
# let replies and related traffic through for connections already tracked
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow new connections arriving on the external interface for port 80
iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
# hide internal addresses behind the external interface for outbound traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
When reading the tutorial you should read up on DNAT, ESTABLISHED/RELATED connections, MASQUERADE and FORWARDing for the above. You should look at POLICY settings also and locking down all ports you don't need to have access to. The best setup is to lock down everything and then start opening the ports that you need.
- 12-10-2009 #3
Thank you Lazydog,
Sorry for not being specific enough.
My internal network shouldn't have any access to the internet except to that one specific website.
The web server is outside that network. I am aware that I can't get to the website through the FQDN, but only through the direct IP address.
I will look into the tutorial and try to understand the rules you posted.
- 12-11-2009 #4
If I understand you now then this is the setup:
<LAN> -> <Firewall> -> <Internet>
Nothing is to access web on the inside.
In this case you would only need the following:
Code:
# replies and related traffic for tracked connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from the LAN interface, only to the one web server on port 80
iptables -A FORWARD -i eth1 -p tcp -d <IP of Web Server> --dport 80 -m state --state NEW -j ACCEPT
# everything else that would be forwarded is dropped
iptables -A FORWARD -j DROP
# hide LAN addresses behind the external interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
If you need a secure connection (443) also then you could copy the above forward line and replace the --dport 80 with --dport 443, or just replace the 80 with 443 if it is only a secure connection.
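As an added example that is not from the thread or from Lazydog: the ruleset above expressed as a complete iptables-restore script, with a default DROP policy on FORWARD instead of a trailing DROP rule, MASQUERADE limited to the LAN subnet, both 80 and 443 allowed, and a rate-limited LOG rule before the drop so blocked hosts can be seen in the kernel log. It uses -m conntrack --ctstate, the current spelling of -m state --state. The interface names are the ones from post #1; the LAN subnet 192.168.0.0/24, the web server address 203.0.113.10 (a documentation address standing in for the real one) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate and load a complete
# iptables ruleset that lets a LAN reach exactly one external web server.
# Assumed values: LAN on eth1 (192.168.0.0/24), WAN on eth0, web server
# at 203.0.113.10 (a documentation address standing in for the real one).
# iptables-restore replaces the listed tables atomically, so there is no
# window where a half-loaded ruleset lets traffic through.

# gen_ruleset LAN_IF WAN_IF LAN_NET SITE_IP "PORT ..."
# Prints an iptables-restore ruleset on stdout; nothing is applied.
gen_ruleset() {
    lan_if=$1; wan_if=$2; lan_net=$3; site_ip=$4; ports=$5

    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
EOF
    # One rule per allowed port: only NEW TCP connections that enter on the
    # LAN interface, leave on the WAN interface and go to the single server IP.
    for p in $ports; do
        printf '%s\n' "-A FORWARD -i $lan_if -o $wan_if -p tcp -d $site_ip --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else falls through to the DROP policy; log it (rate-limited)
    # so blocked hosts show up in the kernel log while troubleshooting.
    cat <<EOF
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# apply_ruleset: same arguments as gen_ruleset; needs root.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset "$@" | iptables-restore
}

# show_rules: check what the kernel actually loaded, with packet counters.
show_rules() {
    iptables -t filter -vnL FORWARD --line-numbers
    iptables -t nat -vnL POSTROUTING
}

case "${1:-print}" in
    print) gen_ruleset eth1 eth0 192.168.0.0/24 203.0.113.10 "80 443" ;;
    apply) apply_ruleset eth1 eth0 192.168.0.0/24 203.0.113.10 "80 443" ;;
    show)  show_rules ;;
    *)     echo "usage: $0 [print|apply|show]" >&2 ;;
esac
```

Run it with `print` to inspect the ruleset, `apply` as root to load it and `show` to read the counters; from a LAN host, `curl http://203.0.113.10/` should succeed while any other destination times out and appears as `FWD-DROP:` in the firewall's kernel log. Two caveats follow from what the thread already notes: no DNS is forwarded, so the site must be reached by IP, and a browser that reaches an HTTPS site by bare IP will fail certificate hostname checking unless the certificate lists that IP. The INPUT and OUTPUT policies are left at ACCEPT here; they govern traffic to and from the firewall host itself and should be locked down separately, as Lazydog advises.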
- 12-31-2009 #5
Thank you so much, Lazydog.
This helped a lot...