Block all except specific addresses

Hi,

How can I block access to the whole internet except for a specific IP and a URL?

I’ve tried with hosts.allow and hosts.deny files (which, from what I’ve read, are deprecated, which may explain why it didn’t work) and with Gufw (which was able to block everything, but I was never able to allow those two exceptions).

Is there a simple and easy way to do this quickly?

Thank you so much.

You want to block outgoing traffic or incoming traffic?

I think both… I want to block 2 users from accessing the internet (and with that block them from downloading files, from accessing Facebook, YouTube and everything else); however, I want them to be allowed to access an internal IP (our system) and one internet website. They also must be able to use the internal network!

What is your current setup like?

Are you using an openSUSE box as a firewall/router through which all connections are made? Are the clients you wish to block from using the net using static IPs or do you want to blanket ban all external IPs from LAN -> WAN?

Hi Miuku,

the computers all have dynamic IPs and connect through a switch which gets the internet from a router. So there is no dedicated box serving as a firewall/server.

So, from what I understand I’ll have to configure each computer individually (but that’s not a problem :slight_smile:)

You could employ a simple iptables outgoing rule chain to do it, there are a few example pages you could take a look at:
http://linuxconfig.org/collection-of-basic-linux-firewall-iptables-rules
&
http://www.thegeekstuff.com/2011/03/iptables-inbound-and-outbound-rules/

They have really easy explanations of what they do, and these could be placed in the startup files of openSUSE (for example /etc/init.d/boot.local or boot.after) and can only be modified with sudo/root permissions.

The easiest method of course would be to have a dedicated firewall box/router that manages the network traffic. I find it curious that your existing one wouldn’t have firewall functionality that would allow you to block outgoing traffic.
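Miuku’s suggestion above, written out as an added example (this is not code from the thread or from either linked page): a small POSIX shell script that emits an iptables-restore ruleset restricting only the named local users, which matches the original request of blocking two users while leaving the LAN reachable. The user names alice and bob, the LAN range 192.168.1.0/24 and the DNS server 192.168.1.1 are constructed placeholders; the allowlisted addresses are the ones mentioned later in the thread. The owner match only works for packets generated on the same machine, so this has to run on each client, as the thread already concluded.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset
# that lets the named local users reach only loopback, the LAN, the DNS
# server and an allowlist of external addresses. Other users are untouched.
# User names, LAN range and DNS address are constructed placeholders.

# egress_ruleset "user1 user2" LAN_CIDR DNS_IP "ip1 ip2 ..."
# Prints the ruleset on stdout; feed it to iptables-restore as root.
egress_ruleset() {
    users="$1"; lan="$2"; dns="$3"; allowed="$4"
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':RESTRICTED - [0:0]'
    # Only packets generated by the restricted users enter the RESTRICTED
    # chain (the owner match needs these accounts to exist on the machine).
    for u in $users; do
        echo "-A OUTPUT -m owner --uid-owner $u -j RESTRICTED"
    done
    # iptables stops at the first matching rule, so every ACCEPT must be
    # listed before the final REJECT; this is the ordering problem that
    # makes "deny all" plus a later allow rule look broken in a GUI.
    echo '-A RESTRICTED -o lo -j ACCEPT'
    echo "-A RESTRICTED -d $lan -j ACCEPT"
    echo "-A RESTRICTED -d $dns -p udp --dport 53 -j ACCEPT"
    echo "-A RESTRICTED -d $dns -p tcp --dport 53 -j ACCEPT"
    for ip in $allowed; do
        echo "-A RESTRICTED -d $ip -j ACCEPT"
    done
    # Log (rate limited) what gets blocked so the allowlist can be tuned
    # from syslog instead of guessing which address a site needs.
    echo '-A RESTRICTED -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "'
    echo '-A RESTRICTED -j REJECT --reject-with icmp-admin-prohibited'
    echo 'COMMIT'
}

# apply_ruleset: same arguments as egress_ruleset; loads the rules.
# Must run as root, e.g. from /etc/init.d/boot.local at startup.
apply_ruleset() {
    egress_ruleset "$@" | iptables-restore
}

# Example invocation (constructed values):
#   apply_ruleset "alice bob" 192.168.1.0/24 192.168.1.1 "130.57.66.6 195.135.221.130"
```

iptables matches addresses, not URLs, so a website has to be resolved to all of its addresses first (with `host`, as done later in the thread) and every address added to the allowlist; sites served from several addresses or a CDN will need the list refreshed when their addresses change, which the EGRESS-DROP log lines make visible.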

I’ve found a few of these tutorials earlier as well but didn’t try them… they seemed too confusing…
Is this done through the GUI or through Konsole (I would prefer the GUI…)?

Since gufw/ufw is based on iptables, did you create the allowed rules before the deny in the GUI?

Good question :slight_smile: I didn’t know it makes a difference.

I will try again, at least as soon as I get back to the computer in question and after being able to get gufw working again (after I was only able to block all or unblock all, the app started to not run at all the last few times I tried it; after that I decided to remove gufw).

Can you give me the steps to block all except one IP, i.e. the fields I need to configure and with which values?

Thanks once again

On 03/05/2015 02:16 PM, Miuku wrote:
>
> What is your current setup like?
>
> Are you using an openSUSE box as a firewall/router through which all
> connections are made? Are the clients you wish to block from using the
> net using static IPs or do you want to blanket ban all external IPs from
> LAN -> WAN?
>
>

My cheap ISP provided DSL/router can do this. Have you looked at the
settings in your router?

Ken

Hi,

Yes, that was my first approach. Unfortunately our not-so-cheap ISP-provided router does not allow white/blacklisting sites. This would be the ideal solution because I could block it all in one place. But, besides providing internet and getting into our pockets, that router does not do anything else efficiently…

@Miuku - I’m not able to test anything today (or during the weekend) because I’m not in place. Next week I’ll drop a line about how it turned out.

Thank you both for your help :smiley:

If you want something very non-technical for only a few machines you have local physical access to, I recommend you just Google “parental controls internet linux”.

Note that typically any results from the above search require you to “touch” every client machine. If you want to manage Internet access without touching boxes, then you need to install a “critical node” box (which can be a Linux box) inside of your ISP’s Internet Gateway device. You can then filter, manipulate, monitor and manage any traffic that passes through the box.

TSU

Hi again,

So, I’ve been trying gufw again and I still don’t get any results besides blocking all.

Here’s my actual config:

Profile: Office
Status: Off (if on I would not be posting :wink:)
Incoming: Deny
Outgoing: Deny

Now, on the rules field I went to:
Add a Rule (+) > Advanced and filled in:

Name: Test
Insert: 0
Policy: Allow
Interface: All interfaces
Protocol: Both
From: 130.57.66.6 Port: [left blank]
To: [left blank] Port: [left blank]

Now, if I edit the rule created, I’m able to also specify the Direction.
I’ve created one for direction IN and another for direction OUT.

The intention was to block all except for this IP: 130.57.66.6 (I believe it’s the IP for these forums).

What am i missing?

Thanks

Ok… I was able to get it working.

Now, I would like to know just one last thing: how do I allow system updates?

Isn’t the 195.135.221.130 the IP for the updates?

Thanks

Patches come from the Update repos (two of them, one for OSS and one for non-OSS). And of course every other repo will be able to offer you updates of the packages you have from them. Thus there are at least as many IP addresses involved as the number of enabled repositories.

BTW:

henk@boven:~> host 195.135.221.130
130.221.135.195.in-addr.arpa domain name pointer stage.opensuse.org.
henk@boven:~>

I have no idea what stage.opensuse.org is providing.
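The point hcvv makes, that the update allowlist needs one entry per enabled repository rather than a single address, can be turned into a concrete list. The following is an added example, not code from the thread: it reads the repository definitions openSUSE keeps in /etc/zypp/repos.d/*.repo (ini-style files with `enabled=` and `baseurl=` lines), skips disabled repositories and prints the distinct hostnames that would still have to be resolved, with `host` as hcvv does above, and added to the firewall allowlist. The sample repo files and the mirror name mirror.example.org are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): list the hosts of all enabled
# zypper repositories so each can be resolved and allowlisted.
# Sample repository files below are constructed, not real system files.

# repo_hosts DIR -> one hostname per line for every enabled DIR/*.repo
repo_hosts() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        enabled=$(sed -n 's/^enabled=[[:space:]]*//p' "$f" | head -n1)
        [ "$enabled" = "1" ] || continue
        # keep only the host part of baseurl=scheme://host/path
        sed -n 's#^baseurl=[[:space:]]*[a-z]*://\([^/:]*\).*#\1#p' "$f" | head -n1
    done | sort -u
}

# resolve_hosts DIR -> "host address" pairs using the host(1) resolver.
# Needs network access; a name may return several addresses and each of
# them has to be allowed, not just the first one.
resolve_hosts() {
    repo_hosts "$1" | while read -r h; do
        host "$h" | sed -n "s/^.* has address \(.*\)$/$h \1/p"
    done
}

# make_sample_repos DIR -> writes constructed repo files for a dry run
make_sample_repos() {
    mkdir -p "$1"
    cat > "$1/repo-update.repo" <<'EOF'
[repo-update]
name=openSUSE-Update
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/update/13.2/
EOF
    cat > "$1/repo-update-non-oss.repo" <<'EOF'
[repo-update-non-oss]
name=openSUSE-Update-Non-Oss
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/update/13.2-non-oss/
EOF
    cat > "$1/mirror.repo" <<'EOF'
[mirror]
name=Constructed mirror repo
enabled=1
autorefresh=1
baseurl=http://mirror.example.org/opensuse/
EOF
    cat > "$1/disabled.repo" <<'EOF'
[disabled]
name=Disabled repo, must not appear
enabled=0
autorefresh=0
baseurl=http://ignored.example.org/repo/
EOF
}

# Real use on a client: repo_hosts /etc/zypp/repos.d
```

Two enabled repositories sharing download.opensuse.org collapse to a single host, so the number of addresses to allow is bounded by the distinct hosts, not the number of repositories; mirrors that redirect to other hosts still need those hosts added as well.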

On 03/13/2015 07:56 AM, hcvv wrote:
>
> SpeccyMan;2699493 Wrote:
>> Ok… I was able to get it working.
>>
>> Now, i would like to know just one last thing: how do i allow system
>> updates?
>>
>> Isn’t the 195.135.221.130 the IP for the updates?
>>
>> Thanks
> Patches come from the Update repos (two of them, one for OSS and one for
> non-OSS). And of course every other repo will be able to offer you
> updates of the packages you have from them. Thus there ae at least as
> many IP addresses involved as the number of Enabled repositories.

Shouldn’t this be:

There are at least as many IP addresses as there are mirrors for openSuSE.

Ken

Well, I tried to mention what I saw as the absolute minimum, but in fact my message, like yours, must be read as: there are many, many more.