Koozali.org: home of the SME Server

ipchains setup

cryblood

ipchains setup
« on: January 06, 2000, 01:35:59 AM »
I've been reading up on ipchains a bit for the purpose of allowing/disallowing certain people on my lan access to the internet. (reference prev "... users like e-smith too much")  and have a ??? about where e-smith put the scripts to set the rules for ipchains.  I found 3 lines in /etc/rc.d/init.d/masq that seem to set up forwarding rules for the ip masq.  Is that it? or are there other scripts that also have rules for ipchains in them?

BTW... because Y2K went so easily, the boss is happy enough to give me a short extension on getting this all set up.  (He didn't say how long so I have to assume he meant yesterday instead of last week!)  :) besides, with end of year business stuff nobody has had time to goof off around here.  If only I could get rid of that pesky nudie screen saver that's going around.  grrr...

Charlie Brady

RE: ipchains setup
« Reply #1 on: January 06, 2000, 10:36:12 AM »
cryblood wrote:

>
> I've been reading up on ipchains a bit for the purpose of
> allowing/disallowing certian people on my lan access to the
> internet.

That'd be easier if you were using e-smith's DHCP server - then
you'd be co-ordinating in the one place which IPs had unrestricted net access.

> I found 3 lines in
> /etc/rc.d/init.d/masq that seem to setup forwarding rules for
> the ip masq.  Is that it?

Yep.

What you want to do is to disable ip masq access to port 80.

You then need to create a squid redirect script. There are
a number of advertising blocking redirectors around - you don't
want to block ads, but you do want to block accesses to blacklisted
sites from particular IPs. The redirector script is passed the
requesting IP along with the requested URL, so it will be able to
make that decision. If you really want to discriminate by person and
not by IP, then you will also need to write an authentication script,
and correlate the IP-person relationship between the two scripts.

Have fun :-)

Charlie
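
An added example, not code from this thread or from e-smith: a minimal Squid redirector in the line protocol Charlie describes (Squid 2.x reads one request per line and expects a replacement URL or a blank line back), deciding per requesting IP. The LAN addresses, allowed hostnames and block-page URL are constructed placeholders.

```python
#!/usr/bin/env python3
"""Minimal Squid redirector (added example, not e-smith's or Squid's code).
Squid 2.x hands the redirector one line per request:
    URL client-ip/fqdn ident method
and reads back either a replacement URL or a blank line (no change)."""
import sys
from urllib.parse import urlsplit

# Constructed policy: hosts in RESTRICTED may only reach ALLOWED_HOSTS,
# every other LAN host is left alone. Placeholder values, not the thread's.
RESTRICTED = {"172.16.0.42", "172.16.0.43"}
ALLOWED_HOSTS = {"pager.example.com", "www.example.com"}
BLOCK_PAGE = "http://172.16.0.1/blocked.html"   # page served by the gateway


def parse_request(line):
    """Split a redirector input line into (url, client_ip); None if malformed.
    The ident field (fields[2]) is where a person-level scheme would appear."""
    fields = line.strip().split()
    if len(fields) < 2:
        return None
    url, client = fields[0], fields[1].split("/", 1)[0]
    return url, client


def decide(url, client_ip):
    """Return the URL Squid should fetch instead, or '' to leave it unchanged."""
    if client_ip not in RESTRICTED:
        return ""
    host = (urlsplit(url).hostname or "").lower()
    if host in ALLOWED_HOSTS:
        return ""
    if url.startswith(BLOCK_PAGE):      # never redirect the block page itself
        return ""
    return BLOCK_PAGE


def main():
    # Squid keeps the redirector running and waits for one answer per line.
    for line in sys.stdin:
        parsed = parse_request(line)
        sys.stdout.write((decide(*parsed) if parsed else "") + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```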

Colin Mattoon

RE: ipchains setup
« Reply #2 on: January 06, 2000, 05:57:11 PM »
I have sort of a similar problem...I need to restrict one user to one website.  

Actually, it's not one person, but one login name.  We have about 15 people who need to be able to send alphanumeric pages via the Internet.  The most convenient, "intuitive," method I've found is via Netscape -- visit the paging company website -- and input the paging message there.

Problem is, a few of these weasels decided to spend most of their time surfing the porno sites and playing online games, instead of returning to work.  This being the 21st Century, it is considered poor form to threaten them with a taste of cold steel, so I had to come up with another fix before the company got hit with a sexual harassment lawsuit.

Since these people have physical access to only one computer, I installed Linux and the Lynx browser only.  Nudie sites offer few "sights" with a text only browser.  I quickly bored them into submission, and in the process of bringing things down to a dull roar, found some sites that had some truly remarkable adult content...did you know, for example -- oh, sorry.

But anyway, it would be a useful feature (for future releases) if the e-smith server could restrict certain boxes or users to a few predefined sites -- rather than trying to filter out certain types of sites and content in a continually changing Internet environment.

That way, I could let these guys have a gui and Netscape, without having to worry about them acting like caged monkeys, and users that have a legitimate need for unrestricted Internet access could have it.

Since I'm not skilled enough to write the scripts myself, I nominate that feature as being of value in a new release (along with a pre-configured MySQL server).

Colin Mattoon

cryblood

RE: ipchains setup
« Reply #3 on: January 07, 2000, 12:58:59 AM »
Here's what I've come up with so far.  Please pick it apart and let me know if I'm not as smart as I hope I am!   :')

The current lines are as follows:

ipchains --flush forward
ipchains --policy forward DENY
ipchains --append forward -j MASQ --source 172.16.0.0/255.255.0.0 --destination 0.0.0.0/0

what I thought would work is removing the last line and appending the following:

ipchains --append forward -j MASQ --source 172.16.0.0/255.255.0.0 --destination aaa.aaa.aaa.aaa/0

where aaa.aaa.aaa.aaa is the address of a site that the boss wants people to be able to see.  I would put such a line in for each site that is approved.

Then, I would add the following:

ipchains --append forward -j MASQ --source 172.16.0.bbb/255.255.0.0 --destination 0.0.0.0/0

where bbb completes the static IP of the lucky people who will still have (gulp... I hope) full Internet access.

Thanx again for all the help, I know this may be pushing it a bit as far as what you guys really should have to support, I hope you don't mind too much. (please let me know if I am being a pest)

On a side note to Colin Mattoon,  I grew up near a town in Illinois that bears the name "Mattoon".  I just thought you might find that interesting.  If anyone knows of a town named cryblood.... oh... nevermind...

Colin Mattoon

RE: ipchains setup
« Reply #4 on: January 07, 2000, 03:32:24 AM »
I once passed through that town on a train about 6:00AM.  The bar car was open pretty late the night before so I don't remember much except that the sun is far too bright there.

COLIN

cryblood

RE: ipchains setup
« Reply #5 on: January 07, 2000, 04:50:57 AM »
Interestingly enough, I have an allergy to the sun... I found it too bright there most days myself.  (yes, I really do get sick if I'm in direct sunlight for very long, and no, it has nothing to do with my name :')

Charlie Brady

RE: ipchains setup
« Reply #6 on: January 07, 2000, 05:01:58 AM »
cryblood wrote:

> what I thought would work is removing the last line and
> appending the following:
>
> ipchains --append forward -j MASQ --source
> 172.16.0.0/255.255.0.0 --destination aaa.aaa.aaa.aaa/0
>
> where aaa.aaa.aaa.aaa is the address of a sight that the boss
> wants people to be able to see.  I would put such a line in
> for each site that is approved.

What you want is:

... --protocol tcp --destination aaa.aaa.aaa.aaa 80

And you will need to add some rules

ipchains --append forward -j MASQ --protocol tcp --source 172.16.0.0/255.255.0.0 --destination 0.0.0.0/0 ! 80

so that email, etc. will continue to work.

> Thanx again for all the help, I know this may be pushing it a
> bit as far as what you guys really should have to support....

Don't forget to ask for help other places. Your squid stuff you should ask on a squid list or newsgroup, and there are other places to get ipchains advice too. Your questions aren't really e-smith specific...

Charlie
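
As an added example (not part of the thread or of e-smith), the rule sets from Reply #3 and Reply #6 run through a toy first-match evaluator for the forward chain. It shows why the /0 destination mask and the /255.255.0.0 mask on a single host in the proposal match far more than intended, and that the corrected set still passes mail while denying port 80 to unapproved sites. All addresses are constructed placeholders standing in for aaa/bbb.

```python
"""Toy first-match evaluator for the ipchains 'forward' chain (added example).
Rules are reduced to source net, destination net and an optional TCP
destination port, which may be negated as in ipchains' '! 80'."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholders for the thread's aaa.aaa.aaa.aaa and 172.16.0.bbb.
APPROVED_SITE = "198.51.100.10"    # the one site the boss allows
OTHER_SITE = "203.0.113.5"         # any other web site
FULL_ACCESS_HOST = "172.16.0.7"    # the 'lucky' LAN host (bbb = 7)
RESTRICTED_HOST = "172.16.0.42"    # an ordinary LAN host


@dataclass
class Rule:
    src: str                        # e.g. "172.16.0.0/255.255.0.0"
    dst: str                        # e.g. "0.0.0.0/0"
    dport: Optional[int] = None     # TCP destination port, None = any
    negate_port: bool = False       # True models ipchains' '! <port>'


def _in(net: str, addr: str) -> bool:
    # ip_network accepts dotted masks ("a.b.c.d/255.255.0.0") like ipchains.
    return ip_address(addr) in ip_network(net, strict=False)


def forward_decision(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule jumps to MASQ; otherwise the chain policy DENY
    (set by /etc/rc.d/init.d/masq) applies."""
    for r in rules:
        if not (_in(r.src, src) and _in(r.dst, dst)):
            continue
        if r.dport is not None and (dport == r.dport) == r.negate_port:
            continue                # port match (or negated match) failed
        return "MASQ"
    return "DENY"


# Reply #3 proposal: '/0' on the destination means any address at all, and
# '/255.255.0.0' on one host means the whole 172.16.0.0/16 LAN.
PROPOSED = [
    Rule("172.16.0.0/255.255.0.0", APPROVED_SITE + "/0"),
    Rule(FULL_ACCESS_HOST + "/255.255.0.0", "0.0.0.0/0"),
]
# Reply #6 correction, with single-host masks written out as /32.
CORRECTED = [
    Rule("172.16.0.0/255.255.0.0", APPROVED_SITE + "/32", dport=80),
    Rule("172.16.0.0/255.255.0.0", "0.0.0.0/0", dport=80, negate_port=True),
    Rule(FULL_ACCESS_HOST + "/32", "0.0.0.0/0"),
]
```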

cryblood

RE: ipchains setup
« Reply #7 on: January 07, 2000, 11:02:20 PM »
Thanx fer the help!  Because of the mission critical nature of (some of) the internet access at work, the boss has decided to cut me some slack, I'm setting a system up at home and playing with it for a few weeks until I am sure I get it right!  My xDSL modem should be here in a few days then I can REALLY get started!

again, Thanx for all the help!

Tim Litwiller

RE: ipchains setup
« Reply #8 on: January 14, 2000, 07:32:11 AM »
What you need is an acl (access control list) in squid and then turn on the option that makes you log in to the proxy.  Ideally you would use webmin to set up your acl but then you would need to update your e-smith config files for squid.  HMM what we need is an adaptation to webmin that uses the e-smith config files instead of the real files and then has a custom action to activate the changes.