Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: iptables allow access to one site
Special Forums IP Networking iptables allow access to one site Post 302892538 by wa1ed on Thursday 13th of March 2014 10:45:35 AM
Old 03-13-2014
I need help writing iptables rules that will allow a certain range of private address (192.168.0.80-100) outgoing access to one or two specific named sites and nothing else.

Here is my current setup
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited


I do not know the exact domain names as of yet, will know soon, they are for a credit card processor.

but....

we could use any site as an example:
so 192.168.0.80-100 are allowed to go to google.com and no where else?

A proxy server is not a viable alternative right now

Thank you
 

9 More Discussions You Might Find Interesting

1. IP Networking

port access to site to site VPN

Setup a site to site VPN between two cisco routers. One of the site locations is unable to access ports such as https://example.com:9001 How do I let them go into port 9001? They can ssh, ftp, telnet and everything else. Is this a VPN issue or ACL access issue? I put permit ip host... (0 Replies)
Discussion started by: photon
0 Replies

2. Shell Programming and Scripting

How to check site access in shell script

Hello every one, I have a little issue that has been killing me now for the past couple of days, I have tried to find solutions online, but its been hard to, ok here it goes... I have created a site that is based on amount of user that have access at a time, based on cookie. So if the browser... (1 Reply)
Discussion started by: heman007
1 Replies

3. Shell Programming and Scripting

Unable to access http site using wget through proxy

Hi there I am currently trying to access an http site using the wget utility from a solaris box. I am going through proxies to do this and we have two types of proxies. For the first one, which is a netcache proxy, I am able to use the wget command to export the proxy information export... (2 Replies)
Discussion started by: memonks
2 Replies

4. Programming

Unable to use libcurl to access a site requiring client authentication

I’m using the below snipped for setting the certificate and key for client authentication. curl_easy_setopt(curl,CURLOPT_SSLCERT,"clientCert.pem"); curl_easy_setopt(curl,CURLOPT_SSLCERTPASSWD,"changeit"); curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"PEM"); ... (2 Replies)
Discussion started by: old_as_a_fossil
2 Replies

5. Solaris

Access Sharepoint site using SOAP request in unix

Hi, We are using a java application (Java 6 , Using JAX-WS 2.0 to Create a Simple Web Service) that accesses SharePoint API through web services. We were able to get the data in windows and do all operations the API allows. When we deploy this application on UNIX environment (Solaris 10)... (0 Replies)
Discussion started by: johninweb
0 Replies

6. UNIX for Advanced & Expert Users

squid: Allow access to only one site and only via 80 or 443

Can someone please give me the conf file line to allow access to myexample.com and only that site, and only through http and https? So far I have only that site accessible via http, but all https sites are opened. Squid 3.1 on Cent 6 ---------- Post updated at 12:06 PM ---------- Previous... (0 Replies)
Discussion started by: glev2005
0 Replies

7. IP Networking

Does cisco 1921 router support site to site VPNs using IPSec?

Q: "Does Cisco 1921 router support,, act as an endpoint for, site to site VPNs using IPSec? If so, how many? " A: If you get the Cisco 1921/k9 with the security services bundle then it will have built in security features. Cisco, typically includes IP Sec tunnels I believe as part of that... (0 Replies)
Discussion started by: Ayaerlee
0 Replies

8. Cybersecurity

A little iptables help for Guest Access

Hey folks, I've setup a wifi guest network on an E2500 router running TomatoUSB, that I only want to have internet access provided for. Did this by creating a separate bridge (br1), then putting it in it's own VLAN, created a virtual wifi interface, then set some firewall rules to isolate... (0 Replies)
Discussion started by: mcaramb
0 Replies

9. Post Here to Contact Site Administrators and Moderators

Regarding not able to access UNIX.com site

Hello MODs/Admins, Could you please help me here as from last 6 to 7 days I(and checked with my fellow friends too) am not able to access unix.com site at all. It is very very slow, it never loads completely. Even I checked with different people and different computers it results same only,... (8 Replies)
Discussion started by: RavinderSingh13
8 Replies

LEARN ABOUT DEBIAN

shorewall-exclusion

SHOREWALL-EXCLUSION(5)						  [FIXME: manual]					    SHOREWALL-EXCLUSION(5)

NAME

       exclusion - Exclude a set of hosts from a definition in a shorewall configuration file.

SYNOPSIS

       !address-or-range[,address-or-range]...

       !zone-name[,zone-name]...

DESCRIPTION

       The first form of exclusion is used when you wish to exclude one or more addresses from a definition. An exclaimation point is followed by
       a comma-separated list of addresses. The addresses may be single host addresses (e.g., 192.168.1.4) or they may be network addresses in
       CIDR format (e.g., 192.168.1.0/24). If your kernel and iptables include iprange support, you may also specify ranges of ip addresses of the
       form lowaddress-highaddress

       No embedded whitespace is allowed.

       Exclusion can appear after a list of addresses and/or address ranges. In that case, the final list of address is formed by taking the first
       list and then removing the addresses defined in the exclusion.

       Beginning in Shorewall 4.4.13, the second form of exclusion is allowed after all and any in the SOURCE and DEST columns of
       /etc/shorewall/rules. It allows you to omit arbitrary zones from the list generated by those key words.

	   Warning
	   If you omit a sub-zone and there is an explicit or explicit CONTINUE policy, a connection to/from that zone can still be matched by the
	   rule generated for a parent zone.

	   For example:

	   /etc/shorewall/zones:

	       #ZONE	      TYPE
	       z1	      ip
	       z2:z1	      ip
	       ...

	   /etc/shorewall/policy:

	       #SOURCE	       DEST	     POLICY
	       z1	       net	     CONTINUE
	       z2	       net	     REJECT

	   /etc/shorewall/rules:

	       #ACTION	       SOURCE	     DEST	 PROTO	       DEST
	       #						       PORT(S)
	       ACCEPT	       all!z2	     net	 tcp	       22

	   In this case, SSH connections from z2 to net will be accepted by the generated z1 to net ACCEPT rule.

       In most contexts, ipset names can be used as an address-or-range. Beginning with Shorewall 4.4.14, ipset lists enclosed in +[...] may also
       be included (see shorewall-ipsets[1] (5)). The semantics of these lists when used in an exclusion are as follows:

       o   !+[set1,set2,...setN] produces a packet match if the packet does not match at least one of the sets. In other words, it is like NOT
	   match set1 OR NOT match set2 ... OR NOT match setN.

       o   +[!set1,!set2,...!setN] produces a packet match if the packet does not match any of the sets. In other words, it is like NOT match set1
	   AND NOT match set2 ... AND NOT match setN.

EXAMPLES

       Example 1 - All IPv4 addresses except 192.168.3.4
	   !192.168.3.4

       Example 2 - All IPv4 addresses except the network 192.168.1.0/24 and the host 10.2.3.4
	   !192.168.1.0/24,10.1.3.4

       Example 3 - All IPv4 addresses except the range 192.168.1.3-192.168.1.12 and the network 10.0.0.0/8
	   !192.168.1.3-192.168.1.12,10.0.0.0/8

       Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3 and 192.168.1.9
	   192.168.1.0/24!192.168.1.3,192.168.1.9

       Example 5 - All parent zones except loc
	   any!loc

FILES

       /etc/shorewall/hosts

       /etc/shorewall/masq

       /etc/shorewall/rules

       /etc/shorewall/tcrules

SEE ALSO

       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
       shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
       shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)

NOTES

	1. shorewall-ipsets
	   http://www.shorewall.net/manpages/shorewall-ipsets.html

[FIXME: source] 						    06/28/2012						    SHOREWALL-EXCLUSION(5)
All times are GMT -4. The time now is 08:09 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy