LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 09-01-2004, 03:17 PM   #1
extremebfn
Questions Questions Questions


CURRENT SETUP:
===========

I have 2 networks at work. Let's name them NetworkA and NetworkB.
NetworkA has an ADSL Router. Both networks use the router for internet.

NetworkA: 192.168.35.X (8 PC's)
NetworkB: 192.168.35.X (20 PC's)
GATEWAY: 192.168.35.1 (ADSL Router)

Ok....all PC's on NetworkA connect to a hub (obviously), and the same with NetworkB. The 2 hubs ARE connected via a UTP cable to link the 2 networks. OK....now some users on NetworkB MAY NOT have internet access, so I want to only allow traffic to NetworkA for authorised users.


WHAT I WANT TO DO:
===============

I want to place a "RED HAT 9" box between the 2 networks...this will be done by using 2 NICs, one for the UTP cable of NetworkA and the other for the UTP cable of NetworkB. I think this is the right way? Hope so.....

Anyways: The Linux box must default to DROP all traffic...and only allow access to certain IPs. I think the command to DROP all traffic is:

iptables -P INPUT DROP

So now I must add rules for EACH IP that is allowed to enter NetworkA and get access to the internet.

I'm a newbie in Linux, and I have read many HOWTOs: most commands do not work and most stuff I don't understand. I don't think that what I want to do is that hard....so if ANYBODY can help me....please do........

I want the commands and code for :

IP FORWARDING --> I think I'm going to use this, right?
IP TABLES --> To set up rules. Ex: ALLOW TRAFFIC FROM 192.168.35.20

All allowed traffic must be able to go to the ADSL Router (192.168.35.1) and access the gateway.


PLEASE HELP..............................................
THANKS!!
 
Old 09-02-2004, 01:33 AM   #2
ppuru
Quote:
I'm a newbie in Linux, and I have read many HOWTOs: most commands do not work and most stuff I don't understand. I don't think that what I want to do is that hard..
I would recommend you try to write a firewall script and post it here. We will help you out with the problems that you might encounter. It would be really dangerous to have a firewall script and not know what it does.

So if you write a script all by yourself first and then modify it with the suggestions of this forum, you would have better control over your network and the traffic that is moving in and out of it.


Not wanting to sound philosophical ...
... if you give a fish to a hungry (wo)man, (s)he would be happy for that day; if you teach h(er)im how to fish .... (s)he would be happy forever.
 
Old 09-02-2004, 02:22 AM   #3
extremebfn
That does NOT help one bit.
 
Old 09-02-2004, 04:28 AM   #4
maxut
All of your networks are in the same subnet, right?
192.168.35.0/255.255.255.0?

At least you must move the ADSL router to another segment, so Linux will be able to work as a router. You don't have to change network A and B. You can block them through their IP or MAC address.

Imagine it like this:

adsl-----(eth1) linux (eth0)-----switches/hubs----clients.
 
Old 09-02-2004, 05:39 AM   #5
ppuru
Oh well, just trying to help you help yourself....

Quote:
IP FORWARDING --> I think I'm going to use this, right?
IP TABLES --> To set up rules. Ex: ALLOW TRAFFIC FROM 192.168.35.20
Edit /etc/sysctl.conf and add the entry
net.ipv4.ip_forward = 1

Run sysctl -p to enable forwarding.

Here is a very basic script you can build upon.

Code:
#!/bin/sh
# Firewall script

IPT=/sbin/iptables

# Default deny stance; allowing filter-free OUTPUT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP


# Flush entries, zero counters.
$IPT -t filter -F
$IPT -t nat -F
$IPT -X
$IPT -Z

# Allow local traffic
$IPT -A INPUT -i lo -j ACCEPT

# Forwarding - only for 192.168.35
# Block all IPs except 192.168.35.20 from accessing the internet
# (eth1 is assumed to be the interface the clients are connected to)
$IPT -A FORWARD -i eth1 -s ! 192.168.35.20 -j REJECT
# Let the allowed host through, and let replies to its connections come back
$IPT -A FORWARD -i eth1 -s 192.168.35.20 -j ACCEPT
$IPT -A FORWARD -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerading - POSTROUTING matches the outgoing interface (-o), not -i;
# eth0 is assumed to be the interface facing the ADSL router
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
Old 09-02-2004, 11:29 AM   #6
extremebfn
Hi. Thanks for your help....See, I'm so down because I really TRIED to get it working on my own, and I didn't succeed. That's why I need people to help me now.

# Block all IPs except 192.168.35.20 from accessing the internet
$IPT -A FORWARD -i eth1 -s ! 192.168.35.20 -j REJECT

The above: will this only block the IP 192.168.35.20? But where do I ADD the IPs I want to ALLOW?

Won't it be better to BLOCK ALL traffic and only allow, let's say, 192.168.35.10 and 192.168.35.11? How would the firewall for that look? I can just later ADD all the IPs I want to allow?

Thanks again...I really need this to work.
 
Old 09-03-2004, 12:15 AM   #7
ppuru
Quote:
# Block all IPs except 192.168.35.20 from accessing the internet
$IPT -A FORWARD -i eth1 -s ! 192.168.35.20 -j REJECT

The above: will this only block the IP 192.168.35.20? But where do I ADD the IPs I want to ALLOW?
The above rule will block all traffic except the ones originating from 192.168.35.20.

-s ! 192.168.35.20 means source ip is not 192.168.35.20.

Quote:
Allow, let's say, 192.168.35.10 and 192.168.35.11. How would the firewall for that look? I can just later ADD all the IPs I want to allow?
You can either keep adding rules like

$IPT -A FORWARD -i eth1 -s 192.168.35.10 -j ACCEPT
$IPT -A FORWARD -i eth1 -s 192.168.35.11 -j ACCEPT
$IPT -A FORWARD -i eth1 -s 192.168.35.21 -j ACCEPT
# everything from eth1 that did not match an ACCEPT above is rejected
$IPT -A FORWARD -i eth1 -j REJECT

OR

take it a step further and create a new chain as in
http://www.linuxquestions.org/questi...615#post990615

That is,

$IPT -N privileged
$IPT -A privileged -s 192.168.35.20 -j RETURN
$IPT -A privileged -s 192.168.35.11 -j RETURN
$IPT -A privileged -s 192.168.35.10 -j RETURN
$IPT -A privileged ... and so on
$IPT -A privileged -j REJECT

and

$IPT -A FORWARD -i eth1 -j privileged
# RETURN hands the packet back to FORWARD, so accept what the chain let through
$IPT -A FORWARD -i eth1 -j ACCEPT

Last edited by ppuru; 09-03-2004 at 12:22 AM.
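As an added example, not ppuru's script or anything posted in this thread, here is the allow-list idea from the script in post #5 and the privileged chain above combined into one sh script. It assumes eth1 faces the hubs with the clients and eth0 faces the ADSL router (the same convention as the post #5 script; swap LAN_IF and WAN_IF if your box is wired the other way), and the ALLOWED list is a constructed sample. Pointing IPT at a stub prints the rules instead of loading them, so the chain can be checked before it is applied to a live box.

```shell
#!/bin/sh
# Added example: allow-list forwarding firewall built around a user chain.
# Assumptions: LAN_IF is the client side, WAN_IF faces the ADSL router,
# ALLOWED is a constructed list of authorised hosts. Override any of them
# from the environment; set IPT=echo to preview the rules without root.

IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"   # interface toward the hubs/clients (assumed)
WAN_IF="${WAN_IF:-eth0}"   # interface toward the ADSL router (assumed)
ALLOWED="${ALLOWED:-192.168.35.10 192.168.35.11 192.168.35.20}"  # constructed

build_firewall() {
    # Default deny for traffic to and through the box; OUTPUT stays open.
    # If you manage the box over the network, add an INPUT ACCEPT for your
    # admin host before relying on this remotely.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Start from a clean slate in both tables.
    "$IPT" -t filter -F
    "$IPT" -t nat -F
    "$IPT" -t filter -X
    "$IPT" -Z

    # Loopback, plus replies to connections the box itself opened.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # User chain: one ACCEPT per authorised source, REJECT everything else.
    # Adding a host later is one more line in ALLOWED, not a new rule order.
    "$IPT" -N privileged
    for ip in $ALLOWED; do
        "$IPT" -A privileged -s "$ip" -j ACCEPT
    done
    "$IPT" -A privileged -j REJECT

    # Replies coming back from the router side must be forwarded too;
    # without this the allowed hosts can send but never receive.
    "$IPT" -A FORWARD -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New traffic from the client side is decided by the allow-list chain.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j privileged

    # NAT toward the router. POSTROUTING only accepts -o; iptables refuses -i here.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Number of hosts the chain will accept; handy to compare against the
# rule count iptables -L privileged shows after loading.
count_allowed() {
    set -- $ALLOWED
    echo "$#"
}

if [ "${1:-}" = "apply" ]; then
    build_firewall
fi
```

Run it as root with `sh fw.sh apply` to load the rules, or `IPT=echo sh fw.sh apply` to print them first. The ESTABLISHED,RELATED rule on FORWARD is the piece most often forgotten: a FORWARD policy of DROP applies to packets in both directions, so the reply half of every connection needs its own ACCEPT.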