Hopefully someone here can direct me to where this should be posted or
answer it directly. I'm looking to my Gentoo box to solve the problem
described below:

First:
My home LAN looks like:

                        INTERNET
                           |
                        DSLMODEM
                           |
      ------------- NETGEAR FVS318 fw/router ---------------
        |          |          |          |          |

      Mch1       Mch2       mch3       mch4       mch5
      Lin        win        win        win        win
      Gentoo

Machines 3-5 are heavy hitters for graphics work and are heavily
loaded with such things as Photoshop, Vegas, Canopus Edius, Adobe
Illustrator and the like.

I don't want to have to worry about spyware, adware, virus prevention,
firewall stuff competing for resources with the graphics tools.
Instead I'd like to prevent those three from contacting the internet.

I want to isolate mch3-5 to only the local network.

That is, only mch1 (a Linux machine) and mch2 (a WinXP Pro machine)
should be able to freely access the internet. (Making those secure
while doing so is not discussed here.) 3-5 should only be able
to talk to/from the local net.

I realize this would not be true isolation, as anyone getting to 1-2
would have access to 3-5, so all bets are off if that should happen.

It's more about having to worry about downloads or link clicks etc. with
unwanted results.

The Netgear FVS318 appears not to be able to do this for me. But I
could be wrong there. I see no options that look useful for it.
Blocking of sites might do it, but it appears it would be a long process
setting it up.

I'd happily hear that the router can do this.

=====================================================

I'm turning to my Gentoo box for a solution.

However, I'm not interested in setting it up as the router for
everything and ditching the NETGEAR. It's too convenient having
something the size of a medium book that makes no noise or heat but
can keep all but the most dedicated of script kiddies off my network.

I'm thinking I could route machines 3-5 through it as gateway.
The way I work, the Gentoo box is always running. I would never be
using the others without it running; it's just how I work.

I know already that iptables can handle the rulesets needed to get
what I want. I'm not sure of the exact rules yet but believe it is at
least possible.

Now for the questions:

Can I route 3-5 through the Gentoo box without changing the subnet
setup? That is, all still remain 192.168.0.0/24, and I simply set the
gateway on 3-5 to point at the Gentoo box, then set up iptables to
prevent those machines from talking beyond the local LAN, in or out.

Something like deny everything, then allow only a list of `safe' IPs
on the local LAN.

So again:
Can I do all this without hardwiring 3-5 directly to the Gentoo box?
That is, just by setting it as gateway on each of them.

--
gentoo-user@g.o mailing list
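The gateway-side half of the setup asked about above, as an added example that is not part of the original post: a POSIX shell script for the Gentoo box (mch1) that turns on forwarding and installs iptables rules so that anything it forwards on behalf of mch3-5 may only be destined for 192.168.0.0/24. The host addresses 192.168.0.13-15 are assumptions; the post names only the subnet. It also switches off ICMP redirects, because a one-NIC gateway that forwards a packet back out the interface it arrived on will otherwise tell the client "use 192.168.0.1 directly", and Windows honours that by default, which would route the clients straight around the filter.

```shell
#!/bin/sh
# Added example, not from the original post: gateway-side rules for the
# Gentoo box (mch1) so that mch3-5, with their default gateway pointed at
# it, can reach only the local subnet.
#   Apply (as root):   sh lan_only.sh apply
#   Dry run (print):   IPT=echo SYSCTL=echo sh lan_only.sh apply

LAN=192.168.0.0/24
# Assumed addresses of the isolated machines; the post gives only the subnet.
ISOLATED="192.168.0.13 192.168.0.14 192.168.0.15"
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# Kernel settings a single-NIC gateway needs.
gateway_sysctls() {
    # Without forwarding the box just discards what the clients send it.
    $SYSCTL -w net.ipv4.ip_forward=1
    # Forwarding back out the same interface makes the kernel send ICMP
    # redirects pointing the client at the Netgear directly; Windows follows
    # them by default, which would bypass this filter.  Turn them off.
    $SYSCTL -w net.ipv4.conf.all.send_redirects=0
}

# FORWARD-chain rules: traffic from mch3-5 transiting this box may only be
# destined for the LAN.  LAN-to-LAN packets normally never arrive here (the
# client ARPs for local hosts itself), so the RETURN is a safety net.
isolate_rules() {
    $IPT -N LAN_ONLY 2>/dev/null || $IPT -F LAN_ONLY
    $IPT -A LAN_ONLY -d "$LAN" -j RETURN
    # Rate-limited log so a misbehaving machine shows up in syslog without
    # flooding it, then drop everything that was headed off-LAN.
    $IPT -A LAN_ONLY -m limit --limit 5/min -j LOG --log-prefix "LAN_ONLY drop: "
    $IPT -A LAN_ONLY -j DROP
    for h in $ISOLATED; do
        $IPT -A FORWARD -s "$h" -j LAN_ONLY
    done
    # Anything else this box forwards is left to the FORWARD default policy.
}

case "${1:-}" in
    apply) gateway_sysctls && isolate_rules ;;
esac
```

The client side is just the default-gateway setting on each of mch3-5. Note the limit this has, beyond what the post already concedes about 1-2 being compromised: the filter only governs traffic the clients choose to send via the gateway. They remain on the same wire as the Netgear, so anyone with administrator rights on mch3-5 (or malware running with them) can set the default gateway back to the router and is through. Enforcing the restriction from the Netgear itself, or putting 3-5 behind a second NIC in the Gentoo box, is what true enforcement would take.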