Hi,
I have two PCs using CentOS 4; these machines need access only to the (big, class B) local network. For security reasons the network access should be restricted to this local network - mainly, the users of these PCs should not be able to access web pages outside of the local network. My problem is that I have no CentOS repository of my own, and therefore these two PCs need access to the CentOS mirrors to get updates. What would be the best way to restrict the network access to the local network and allow access to some external addresses (a CentOS mirror and maybe some other servers/websites)? I was thinking about iptables, but I'm not very experienced in these questions - maybe there is an easier way. The configuration with iptables seems to be very complex; I was skimming through some tutorials and the man pages.
Thanks in advance and best regards, Arne
Arne Pelka wrote:
I would set up a box with a proxy (e.g. Squid) and grant full Internet access only to that box. On the other boxes either remove the default route, or block Internet access on the router/firewall. On the proxy you can easily configure proxies for other services too (e.g. POP3/IMAP) and filter traffic from/to the Internet at will (DansGuardian/SquidGuard); on the PCs you just need to set the proxy in yum.conf to enable yum updates and (if needed) configure the proxy in your browser, your e-mail client and so on. I'm still on my way to figuring out how to implement a simple yum cache/proxy; as soon as I have news I'll let you know, as in that case you won't need to set up Squid any more and the proxy box will be really trivial to set up.
Regards
Lorenzo Quatrini
Lorenzo Quatrini wrote:
Thanks for your response. I'm trying to avoid using a third machine (proxy or own repository) for my two machines - this would be too much effort. Both PCs are in a university network; I will try to find out if there is already a proxy I can use.
Salam,
Squid (actually, a proxy) will do the trick....
Regards,
Umair Shakil ETD
On 10/19/07, Arne Pelka lists@arnepelka.de wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
umair shakil wrote:
Salam,
Squid (actually, a proxy) will do the trick....
Nope. Not if they are installed on those PCs.
Regards,
Umair Shakil ETD
Just block outgoing connections to all webservers but those that are allowed.
    iptables -A OUTPUT -p tcp --dport 80 -d allowedip -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -d centosmirror -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -j DROP      # or -j REJECT
Or to be more complete:
    iptables -P OUTPUT DROP      # a chain policy can only be ACCEPT or DROP; to reject instead, keep DROP and add a final "iptables -A OUTPUT -j REJECT"
    iptables -A OUTPUT -d localnet -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -d centosmirror -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -d allowedip -j ACCEPT
and so on.
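A fuller version of that default-deny OUTPUT chain, written as an added example for this thread (it is not the previous poster's code). Two things the short rule list above does not cover: with a DROP policy you also have to let loopback, DNS to your resolvers and the return traffic of already-accepted connections (e.g. an inbound ssh session) through, or the PC breaks in confusing ways; and yum on CentOS 4 normally fetches a mirrorlist that hands it a changing set of mirrors, so comment out mirrorlist= in the repo files and set baseurl= to one mirror whose address you put on the allow-list. Every address below is a placeholder (RFC 5737 documentation ranges and a private /16), and the IPT=echo dry-run is a convenience added here.

```shell
#!/bin/sh
# Added example (not from the thread): egress allow-list for one of the
# CentOS 4 PCs. All addresses are placeholders; replace them with your own.
#   LOCALNET   the class B campus network
#   RESOLVERS  DNS servers the host uses (see /etc/resolv.conf), needed
#              explicitly only if they lie outside LOCALNET
#   MIRRORS    IP addresses of the mirror(s) pinned via baseurl= in the
#              yum repo files
#   EXTRA_HTTP any other external web servers the users may reach
# "sh egress.sh apply" loads the rules, "sh egress.sh dry-run" prints the
# iptables commands instead; afterwards "service iptables save" keeps
# them across reboots.
IPT=${IPT:-iptables}
LOCALNET=${LOCALNET:-172.16.0.0/16}
RESOLVERS=${RESOLVERS:-198.51.100.53}
MIRRORS=${MIRRORS:-"192.0.2.10 192.0.2.11"}
EXTRA_HTTP=${EXTRA_HTTP:-}

egress_rules() {
    # Clean OUTPUT chain, then default-deny everything leaving the host.
    $IPT -F OUTPUT
    $IPT -P OUTPUT DROP
    # Loopback stays open; local daemons rely on it.
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies belonging to connections already accepted (e.g. an inbound
    # ssh session); without this a DROP policy silently breaks them.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything on the campus network is allowed.
    $IPT -A OUTPUT -d "$LOCALNET" -j ACCEPT
    # DNS to the configured resolvers; nothing by hostname works without it.
    for r in $RESOLVERS; do
        $IPT -A OUTPUT -p udp --dport 53 -d "$r" -j ACCEPT
        $IPT -A OUTPUT -p tcp --dport 53 -d "$r" -j ACCEPT
    done
    # HTTP to the pinned mirrors and any other approved external sites.
    for h in $MIRRORS $EXTRA_HTTP; do
        $IPT -A OUTPUT -p tcp --dport 80 -d "$h" -j ACCEPT
    done
    # Log (rate-limited) and reject the rest, so a blocked browser gets an
    # error at once instead of hanging on a timeout.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-deny: "
    $IPT -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
}

case "${1:-}" in
    apply)   egress_rules ;;
    dry-run) IPT=echo; egress_rules ;;
esac
```

Bear in mind that rules on the PC itself only restrain users who are not root there; anyone with root can flush the chain, which is why the earlier suggestion to block Internet access on the router/firewall is the stronger option if you have it. If a mirror's address changes, the HTTP rule stops matching and yum fails, so check the pinned mirror's address occasionally.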
I found out that there is a proxy in our network and I can use a private network address; I configured yum to use the proxy and everything is working fine for the moment. But maybe this solution will not be flexible enough in the future - then I'll check your suggestions and try to get deeper into the iptables configuration. Can anybody tell me which IPs or domains I would have to allow to get access to the CentOS mirrors with yum for getting updates properly? TIA!
-Arne