Tuning access to the internet
Lea Gris
lea.gris at noiraude.net
Tue Dec 18 15:22:23 UTC 2007
Pol wrote:
> How to tune access to the internet, to allow only certain users, or to limit
> access to certain hours of the day?
Have your Ubuntu box as the router to the LAN.

Require two network devices:
  1 - to the WAN (internet, DSL/Cable modem ...)
  2 - to the LAN, your local network (ethernet, Wifi ...)

Install a firewall (Shorewall, but there are many others):
  Don't configure NAT (address translation), as you won't route traffic
  directly between WAN and LAN at IP level.
  Redirect incoming packets from LAN to any destination port 80 and 443 to
  local IP 127.0.0.1 port 3128 (squid proxy).
  Block traffic incoming from LAN interface to WAN interface and vice-versa.
  Configure traffic shaping and accounting if needed.

Install a proxy (preferably Squid and maybe SquidGuard):
  Configure Squid so it does transparent proxying from redirected port 80
  and 443.
  Disallow CONNECT to any other destinations (except POP, IMAP and any
  other absolutely needed); prefer disallowing CONNECT to SMTP (TCP 25).
  Add access policies based on date/time and even users if you like.
  Configure SquidGuard for allowed/banned websites if needed.

Install local email relay (Postfix)!
  Allow relay from LAN IP only.

Result for LAN workstations:
  Will access the web transparently through the proxy. No proxy
  configuration needed. Based on access policies, it will be limited to
  time frame and permitted users.
  Will send mail through the LAN SMTP relay and won't be able to connect
  directly to outside SMTP relays.
  Will connect POP and IMAP through the proxy (allowed CONNECT).
  Will not connect to any other not allowed destinations.
--
Léa Gris - http://www.noiraude.net/
() Plain-text ribbon campaign against HTML e-mail,
/\ against attachments in a proprietary format.
Against DRM, call: 09f911029d74e35bd84156c5635688c0
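
An added example, not part of the original message: a squid.conf fragment for the time-of-day and CONNECT restrictions described in the reply above. The address range, the hours, the exempt workstation and the ACL names are assumptions; clients are told apart by source address because intercepted clients are not prompted for proxy credentials.

```conf
# squid.conf fragment (added example; all addresses, hours and ACL names
# below are constructed for illustration)

# Accept the connections the firewall redirects to port 3128.
# Squid 2.6 and 3.0 spell this option "transparent";
# Squid 3.1 and later spell it "intercept".
http_port 3128 intercept

# LAN clients (assumed address range)
acl lan src 192.168.1.0/24

# One workstation that is exempt from the time window (assumed address)
acl admin_pc src 192.168.1.10

# Permitted hours: Monday to Friday, 08:00-18:00
# Day codes: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat
acl office_hours time MTWHF 08:00-18:00

# CONNECT is only allowed towards mail retrieval ports:
# 110 POP3, 143 IMAP, 993 IMAPS, 995 POP3S.
# Port 25 is not in the list, so CONNECT to outside SMTP relays is refused
# and mail has to go through the local relay.
acl CONNECT method CONNECT
acl mail_ports port 110 143 993 995

# http_access rules are evaluated top to bottom; the first match decides.
http_access deny CONNECT !mail_ports
http_access allow admin_pc
http_access allow lan office_hours
http_access deny all
```

Run `squid -k parse` to check the syntax before reloading the proxy.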