At 15:47 3/6/2002 +0100, Paal Marker wrote:
>I work in a public library, and we have in one of our subdivisions set up
>a PC for browsing in our database, which is also public on our website
>(<http://www.ourdomain.no/cgi-bin>). This PC we want to be used only for
>searching in the database, and to close it for all other internet browsing,
>by only permitting browsing on our domain.
>
>The PC will be connected in the LAN of the subdivision and communicate
>with the main server by frame relay net. So I can not do anything with the
>default route. According to the deliverer of our firewall, there is
>nothing to do there either to limit the browsing for one specific
>workstation in the LAN.
Run ntsysv and make sure ipchains is running. Then create a firewall script
that limits outgoing connections to your subnet. The script might look like
this:

#!/bin/sh
#
# ipchains firewall script.
#
# This script may be run by calling it from within rc.local. The goal is to only
# allow packets to/from the local machine and the local subnet.
#

# Flush all existing rules.
ipchains --flush input
ipchains --flush output
ipchains --flush forward

# Set default policy. Packets that match no rule below fall through to these.
ipchains --policy input ACCEPT
ipchains --policy output ACCEPT
ipchains --policy forward REJECT

# Set the network/netmask of the local network.
lan=192.168.1.0/255.255.255.0

# Set the IP address of the interface that is connected to the local subnet.
myip=192.168.1.2

# Allow packets on the local machine (loopback).
ipchains --append input --source 127.0.0.1 \
    --destination 127.0.0.1 --jump ACCEPT
ipchains --append output --source 127.0.0.1 \
    --destination 127.0.0.1 --jump ACCEPT

# Limit incoming packets to web servers on the LAN (replies to our
# unprivileged client ports, 1024 and up).
ipchains --append input --protocol tcp --source $lan http \
    --destination $myip 1024: --jump ACCEPT
ipchains --append input --protocol tcp --source $lan https \
    --destination $myip 1024: --jump ACCEPT

# Limit outgoing packets to web servers on the LAN.
ipchains --append output --protocol tcp --source $myip 1024: \
    --destination $lan http --jump ACCEPT
ipchains --append output --protocol tcp --source $myip 1024: \
    --destination $lan https --jump ACCEPT

# Reject all other incoming and outgoing packets that are not LAN traffic.
ipchains --append input --source ! $lan --jump REJECT
ipchains --append output --destination ! $lan --jump REJECT

You could also edit /etc/host.conf to remove "bind" so that the resolver
only looks in the hosts file to resolve hostnames to addresses. Then you
would have to add the hostname and IP address for all your servers to the
hosts file. A smart user could get around this by typing in the IP address
of the server they're trying to reach.
This solution is easy to understand, but it's imperfect and will require
maintenance if any server IP addresses or hostnames change.

Tony

--
Anthony E. Greene <mailto:[EMAIL PROTECTED]>
OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
AOL/Yahoo Chat: TonyG05
HomePage: <http://www.pobox.com/~agreene/>
Linux. The choice of a GNU generation. <http://www.linux.org/>

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
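The following is an added example, not part of Tony's message or of any Red Hat tooling: a small POSIX shell model of the output chain built by the ipchains script above. It walks the rules in the order the script appends them and reports what would happen to a packet for a given destination address and port, so the policy can be checked on any machine without root or an ipchains kernel. It assumes the same placeholder network (lan=192.168.1.0/255.255.255.0) and the same loopback, http/https and reject rules; the destination addresses in the demo loop are constructed. It also makes one consequence visible that the script's comments only imply: a raw IP address outside the LAN typed into the browser is still rejected by the firewall (unlike the hosts-file trick), while LAN traffic to ports other than 80/443 is accepted by the chain's default policy, so the rule set is "LAN only", not "web only".

```shell
#!/bin/sh
# Added example: offline model of the OUTPUT chain from the ipchains script.
# Not the original post's code. 'lan' is the same placeholder the script uses.

lan=192.168.1.0/255.255.255.0

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_lan ADDRESS NETWORK/NETMASK -> succeeds if ADDRESS lies inside the
# network, i.e. the same test ipchains applies to "--destination $lan".
in_lan() {
    addr_int=$(ip_to_int "$1")
    net_int=$(ip_to_int "${2%/*}")
    mask_int=$(ip_to_int "${2#*/}")
    [ $(( addr_int & mask_int )) -eq $(( net_int & mask_int )) ]
}

# verdict DEST_IP DEST_PORT -> prints ACCEPT or REJECT, walking the output
# chain in the order the script appends its rules.
verdict() {
    if [ "$1" = 127.0.0.1 ]; then
        echo ACCEPT        # loopback rule
        return 0
    fi
    if in_lan "$1" "$lan"; then
        case "$2" in
            80|443) echo ACCEPT; return 0 ;;   # explicit http/https rules
        esac
        # Any other port to the LAN matches no rule, so the chain's
        # default policy (ACCEPT) applies: broader than web-only.
        echo ACCEPT
        return 0
    fi
    echo REJECT            # "--destination ! $lan --jump REJECT"
    return 0
}

# Demo table over constructed destinations (203.0.113.7 is a documentation
# address standing in for "some host on the internet").
for dest in 192.168.1.10:80 192.168.1.10:443 192.168.1.10:25 203.0.113.7:80 127.0.0.1:80; do
    printf '%-18s %s\n' "$dest" "$(verdict "${dest%:*}" "${dest#*:}")"
done
```

Run it with sh; the table shows the two LAN web ports and the loopback address accepted, the non-LAN address rejected, and port 25 to the LAN accepted by the default policy. If that last line is not what the library wants, the fix in the real script is to set the output policy to REJECT and keep only the explicit allow rules.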