From: Grant <ema...@gm...> - 2009-01-17 19:31:57
>>>>>>> I'd like to block port 80 and 443 traffic to a certain system on my
>>>>>>> network if the domain isn't one of the two approved domains and the
>>>>>>> user isn't root. Does anyone know how to do this in shorewall? I'm
>>>>>>> told it is done along these lines, but I've never used iptables
>>>>>>> directly:
>>>>>>>
>>>>>>> iptables -A OUTPUT -m owner --uid-owner someuser -m tcp --dport http -j REJECT
>>>>>>
>>>>>> You are misinformed.
>>>>>
>>>>> What you are asking isn't possible to accomplish with a packet filter.
>>>>
>>>> Is there any way to limit a system's website access to two domains
>>>> with shorewall? I wanted to allow http access to root for downloading
>>>> new packages via Portage, but it sounds like I won't be able to do
>>>> that.
>>>
>>> Grant -- We really have no idea of what you are trying to do. Your
>>> questions don't indicate where the clients are, relative to the firewall,
>>> and where the servers are. So I have been answering your questions based
>>> on the following principles:
>>>
>>> a) NO PACKET FILTERING FIREWALL (which includes Shorewall) has any
>>> notion of domains. So filtering by domain is a non-starter.
>>>
>>> b) When referring to packet filters, filtering by user id (e.g., root)
>>> can only be done for connections originating from the firewall. See "man
>>> shorewall-rules" and read about the USER/GROUP column.
>>
>> OK, how about rejecting all http/https traffic from a certain system
>> behind my firewall except that which is headed to a certain website?
>> I tried this in the rules file:
>>
>> ACCEPT loc:192.168.0.3 loc:web.site.i.p tcp 80
>> ACCEPT loc:192.168.0.3 loc:web.site.i.p tcp 443
>
> The DEST column should be "net:web.site.i.p"

I'm sorry, I was thinking loc=location instead of local. Thanks a lot.

- Grant
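Editor's note, added here and not part of the thread above: a worked Shorewall rules fragment for the corrected form of Grant's rule. The two ACCEPT lines from the thread only permit traffic; on their own they block nothing. Whether the rest of the LAN host's web traffic is rejected depends on the loc-to-net entry in the policy file, and if that policy is ACCEPT (the usual setting for a home LAN) an explicit REJECT rule is needed after the ACCEPT lines, since Shorewall evaluates rules in order and consults the policy only for connections no rule matched. The web server address 203.0.113.10 is a placeholder standing in for "web.site.i.p"; 192.168.0.3 is the host from the thread.

```text
# /etc/shorewall/rules (added example; addresses are placeholders)
#ACTION   SOURCE            DEST                PROTO   DEST
#                                                       PORT(S)
# Allow 192.168.0.3 to reach the one approved web server.
ACCEPT    loc:192.168.0.3   net:203.0.113.10    tcp     80,443
# Reject every other HTTP/HTTPS connection from that host. Needed only
# when the loc->net policy below is ACCEPT; rules are matched in order,
# so this line must come after the ACCEPT above.
REJECT    loc:192.168.0.3   net                 tcp     80,443

# /etc/shorewall/policy (for reference; unchanged for other hosts)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
```

Two caveats a practitioner would want before relying on this. First, as the reply in the thread says, the match is on the destination IP address, not on a domain name: if the approved site resolves to several addresses (round-robin DNS, a CDN) the host will reach only the one listed, and if the site moves to a new address the rule silently breaks. Second, this fragment does not restrict by user; the USER/GROUP column applies only to connections originating on the firewall itself, so "allow root on 192.168.0.3 but nobody else" cannot be expressed here.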