Re: Urgent! Firewall and Proxy

The easiest way to do this is to keep things simple.

Put these consultants in a separate subnet, and build your chains in
ipchains to allow traffic to the internet via a certain interface.

Your firewall should have 2 or more ethernet cards in it.  For example:

eth0 is connected to the inside
eth1 is connected to the internet or your internet router/proxy.
Assuming the intranet's addresses are in the 192.168.0.x/24 subnet.

Assuming these consultants are on the inside of the firewall, you should put
them in a separate subnet, say 192.168.2.0/24, and deny traffic to the
intranet servers that they are not supposed to access.  If there are 100
they are not supposed to access, and only 1 they are allowed to access, you
could build your chain to deny traffic from their subnet, then allow from
the 2.x subnet to the 0.y address.

Also be sure your proxy is truly on the outside and is not "reflecting"
traffic back onto the LAN and masquerading traffic to the servers they are
not supposed to access.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
    "Never settle with words what you can settle with a flamethrower"
          -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
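The following is an added worked example of the layout Jim describes; it is not part of his reply or the original post. It assumes a third card (eth2) for the consultants' subnet 192.168.2.0/24, the intranet on 192.168.0.0/24 behind eth0, a single permitted web server at 192.168.0.10 and, optionally, the intranet proxy at 192.168.0.5 on port 8080; all of those addresses are made up for the example. The rules go in the forward chain, which in ipchains still sees the consultants' real source addresses before any MASQ rule rewrites them. Because ipchains stops at the first matching ACCEPT, DENY, REJECT or RETURN, the narrow exception for the one permitted server must sit above the broad DENY.

```shell
#!/bin/sh
# Example ipchains setup for a consultant subnet (added example, not from the
# mailing-list thread). Addresses are assumptions; adjust to the real network.
# Set DRY_RUN=1 to print the commands instead of running them (ipchains needs
# root and a 2.2-series kernel).

CONSULTANTS=192.168.2.0/24   # consultants' subnet, assumed on eth2
INTRANET=192.168.0.0/24      # intranet they must not reach
ALLOWED_WEB=192.168.0.10     # the one web server they may use (assumed)
PROXY=${PROXY:-}             # set to e.g. 192.168.0.5 to open the intranet proxy

run() {
    # Execute the command, or just echo it when DRY_RUN is set.
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

consultant_rules() {
    # User chain that holds everything specific to the consultant subnet.
    run ipchains -N consult

    # Exception first: HTTP to the single permitted server RETURNs to the
    # forward chain, where the existing MASQ/ACCEPT rules handle it.
    run ipchains -A consult -p tcp -d "$ALLOWED_WEB" 80 -j RETURN

    # Optional: the intranet proxy. Once this is open the packet filter only
    # ever sees "consultant -> proxy:8080"; the proxy, not ipchains, decides
    # which intranet hosts it will fetch on their behalf, so it needs its own
    # ACL keyed on the firewall's masqueraded address.
    if [ -n "$PROXY" ]; then
        run ipchains -A consult -p tcp -d "$PROXY" 8080 -j RETURN
    fi

    # Then the broad rule: anything else from them to the intranet is
    # dropped and logged (-l). Internet-bound traffic does not match and
    # falls off the end of the chain, back to forward.
    run ipchains -A consult -d "$INTRANET" -j DENY -l

    # Hook the chain in at position 1 so it runs before any existing
    # forward rules (including MASQ).
    run ipchains -I forward 1 -s "$CONSULTANTS" -j consult
}

case "${1:-}" in
    apply) consultant_rules ;;
    show)  DRY_RUN=1; consultant_rules ;;
esac
```

Run `sh consult.sh show` to review the generated rule set and `sh consult.sh apply` as root to load it. The reason the DENY is placed in the forward chain rather than output, as in the original post, is that the output chain runs after masquerading and therefore can no longer tell one consultant from another, or from the firewall itself.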

----- Original Message -----
From: "XingFei" <xing.fei@fujixerox.co.jp>
To: <linux-net@vger.kernel.org>
Sent: Sunday, March 11, 2001 7:12 PM
Subject: Urgent! Firewall and Proxy


> Hello, all
> I have got a big problem about Firewall and Proxy.
> I am in a big company intranet, and my boss told me that there is a group
> of consultants in a small local network, which should be behind a firewall,
> who need to access a Web server in the big company intranet, or to say on the
> outside of the small local net. It is a cumbersome requirement that they
> cannot access any other Web server in the intranet except the given one, but
> at the same time they can access Internet sites, say Yahoo.com or hotmail.com.
>
> So I used a Linux server as firewall, with Redhat 6.2, to separate those
> consultants in a local network from the outside company intranet. As there
> have been some other firewall rules in Input and Forward Chains to filter
> network packages, I added two rules in the Output Chain:
>
> ipchains -A output -s the_external_IP_of_Linux_server/24 -d the_IP_of_the_site/32 80:80 -p tcp -i eth0 -j ACCEPT
> ipchains -A output -s the_external_IP_of_Linux_server/24 -d the_network_IP_of_the_intranet/16 80:80 -p tcp -i eth0 -j DENY
>
> In the place of the source IP address, I used the_external_IP_of_Linux_server, not
> the internal local network IP address, because the firewall should take up
> the function of IP masquerading.
>
> and it worked.
>
> But the real problem is when I set the client machine in the local network
> with a Proxy which is outside of the Linux Firewall, in order to enable
> those consultants to surf the Internet. Note the Proxy is in the big company
> intranet, and even the Linux Firewall should use it as proxy if it wants to
> access the Internet.
> I found that the Proxy seemed to have the power to invalidate the rules I have
> set, i.e. those consultants can access the intranet web servers that should be
> forbidden.
>
> So, what should I do? If the client machines use a Proxy, does it matter to
> the IP header, I mean the source or destination address?
> Could anybody give me some further advice?
> Thanks
> Regards
> Charles
>
>
> -
> : send the line "unsubscribe linux-net" in
> the body of a message to majordomo@vger.kernel.org
>
