[CentOS] restrict network access

Mon Oct 22 06:46:58 UTC 2007
Christopher Chan <christopher at ias.com.hk>

umair shakil wrote:
> Salam,
> 
> Squid actually Proxy will do the trick....

Nope. Not if they are installed on those PCs.

> 
> Regards,
> 
> Umair Shakil
> ETD
> 
> On 10/19/07, *Arne Pelka* < lists at arnepelka.de 
> <mailto:lists at arnepelka.de>> wrote:
> 
>     Hi,
> 
>     I have two pc using centos 4, these machines need only access to the
>     (big, class b) local network. Because of security reasons the network
>     access should be restricted to this local network - mainly the users
>     of these pc should not be able to access webpages outside of the local
>     network. My problem is, that I have no own centos repository and
>     therefore these two pc need access to the centos mirrors to get updates.
>     What would be the best way to restrict the network access to the local
>     network and allow the access to some external addresses (a centos
>     mirror and maybe some other servers/websites).
>     I was thinking about iptables but I'm not very experienced in this
>     questions - maybe there is an easier way. The configuration with
>     iptables seems to be very complex, I was skimming through some
>     tutorials and the man pages.
> 

Just block outgoing connections to all webservers but those that are 
allowed.

iptables -A OUTPUT -p tcp --dport 80 -d allowedip -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -d centosmirror -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP   # or: -j REJECT

Or to be more complete:

iptables -P OUTPUT DROP   # a chain policy can only be ACCEPT or DROP; for REJECT add a final "-A OUTPUT -j REJECT" rule instead
iptables -A OUTPUT -d localnet -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -d centosmirror -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -d allowedip -j ACCEPT
and so on.