  1. #1
    Just Joined!
    Join Date
    Dec 2003
    Posts
    39

    Accessing only one website and securing linux?


    Hi, newbie to Linux and probably biting off more than I can chew but... I've a situation where I have been asked to put in a Linux installation and only have the user access one website.
    I intend to change the login for that user so that they log in graphically and then Mozilla starts automatically and only goes to one website. I'm currently reading up on the security policies but any pointers would be useful.
    I am intending to lock down the connection using IPtables - is this a good one to go for or should I choose something else?
    What other considerations should I be thinking of? Things like hosts.allow and deny?
    It would be useful if I can remote access this device - I operate from behind a firewall/gateway with a fixed IP
    It will be connecting to the internet via broadband with a fixed IP address on a USB router - will there be any problems here?
    Any pointers on any of this greatly received.
    Thanks

  2. #2
    Linux Guru sarumont
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    First off, welcome to Linux and the forums.

    A secure IPTables setup is definitely the way to go. With that set up properly, hosts.allow and hosts.deny don't really do anything, but redundancy is always good.

    For the rest of the setup, just make sure you don't have anything running that shouldn't be (to keep the server quick and have more hassle-free maintenance). Also, make sure to have your servers chrooted or set up to run w/o suid.

    And can you explain the whole networking setup a little more clearly? It doesn't make a lot of sense to me...
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  3. #3
    Just Joined!
    Join Date
    Dec 2003
    Posts
    39
    Hi there, thanks for the reply.
    What I'm doing is setting up an internet 'kiosk' in a shop so that the shop manager can access our online catalogue and order goods for the customer that may not be in store.
    To do this, I thought I could use Linux.
    So far, I have a RH9 installation and have created a new user.
    I've set the bash_profile so that X starts when that user logs on.
    At the moment I'm looking at the mozilla kiosk project as this seems a good way to go to only let the user access the one website (tho I'm trying to edit mozilla prefs.js but can't find it!)
    The PC will be connected to the internet via a USB DSL modem and I have been given a fixed IP by the ISP (BT). There is a USB PCI card in the PC. The drivers for the modem are only for PC and Mac but I have been told this shouldn't really matter?
    I haven't tested this yet tho so am not sure whether this will work.
    Should this work, I will be in a situation where I have a PC connected to the internet 'always on'. I'm thinking I can edit IPtables so that only my external IP and the website IP can communicate. Would I need to add any more entries?
    I've kept the installation as small as I can possibly think and have no servers running. I've also disabled services I don't need tho I need to check on this in greater detail.
    The only downer is I need to get this installed today! My fall back/ backup is that I have dual booted to W98 so if I can't get this working in time (looking more likely) I can use W98 (tho I would like to avoid this!)

  4. #4
    Linux Newbie
    Join Date
    Jan 2004
    Location
    Belgrade, S&M
    Posts
    177
    Hi! I don't know whether you will be able to set up that modem to work under Linux, but if you do, configuring iptables shouldn't be hard. Maybe you would like to read some articles about it on netfilter.org, but here is what you should do: if I understood correctly, the ONLY permitted address for communication should be that website? Ok:
    Code:
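    # Flush existing rules and delete user-defined chains
    iptables -F
    iptables -X
    # Default policy: drop anything not explicitly accepted below
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    
    # Inbound: accept only the website and the DNS server
    iptables -A INPUT -s ip.of.that.site -j ACCEPT
    iptables -A INPUT -s ip.of.your.DNS -j ACCEPT
    iptables -A INPUT ! -s ip.of.that.site -j DROP
    
    # Outbound: accept only the website and the DNS server
    iptables -A OUTPUT -d ip.of.that.site -j ACCEPT
    iptables -A OUTPUT -d ip.of.your.DNS -j ACCEPT
    iptables -A OUTPUT ! -d ip.of.that.site -j DROP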
    You should permit other addresses that you know the computer needs - like the remote address of the ISP or something. If this is not what you asked for then sorry. I just want to help
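
A tighter variant of the kiosk ruleset discussed in this thread, as an added example that is not part of any poster's reply: it narrows each allowed address to the protocol and port it needs, uses connection state so only replies come back in, and admits remote administration from one fixed IP. The function names `is_ipv4` and `kiosk_rules`, the choice of HTTP/HTTPS and SSH on port 22, and all addresses (RFC 5737 documentation ranges) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a single-site kiosk.
# Addresses used here are constructed (RFC 5737 documentation ranges).

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset. Args: website IP, DNS resolver IP, admin IP.
# Assumed services: web on 80/443, DNS on 53, remote admin over SSH (22).
kiosk_rules() {
    for addr in "$1" "$2" "$3"; do
        is_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $2 -p udp --dport 53 -j ACCEPT
-A OUTPUT -d $2 -p tcp --dport 53 -j ACCEPT
-A OUTPUT -d $1 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s $3 -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sample run with constructed addresses: website, resolver, admin host.
kiosk_rules 192.0.2.10 198.51.100.53 203.0.113.7
```

The output is in `iptables-restore` format, so it can be reviewed as text and then piped to `iptables-restore` as root. Because the chain policies are DROP, no trailing catch-all DROP rule is needed, and rules added later are still reached.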

  5. #5
    Just Joined!
    Join Date
    Dec 2003
    Posts
    39
    Hi Goran, that looks really really useful - thanks v much.
    I'll have a look at the site you mentioned too and give those entries a try (if I can get the modem working!)
    thanks

  6. #6
    Linux Newbie
    Join Date
    Jan 2004
    Location
    Belgrade, S&M
    Posts
    177
    I am glad I could help. You could also try Guarddog, currently version 2.2.0 I think. It can be found at www.simonzone.com. It is a front-end to ip-tables, so if you don't like issuing commands in the console, you can easily configure that firewall by making two zones - one with the web site and the DNS with their IP addresses, and another with the IP address 0.0.0.0/0, which marks all the computers on the internet.

    Anyway, I wish you luck.
