Gentoo Archives: gentoo-user

From: Harry Putnam <reader@×××××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] [Iptables related] How to make one machine only talk on loc lan
Date: Sat, 12 Nov 2005 22:41:54
Message-Id: 871x1lsamp.fsf@newsguy.com
Hopefully someone can direct me to where this should be posted or
answer it directly. I'm looking to my Gentoo box to solve the problem
described below:

First:
My home lan looks like:

                        INTERNET
                           |
                        DSLMODEM
                           |
  ------------- NETGEAR FVS318 fw/router ---------------
     |           |           |           |           |

   Mch1        Mch2        mch3        mch4        mch5
   Lin         win         win         win         win
   Gentoo

Machines 3-5 are heavy hitters for graphics work and are heavily
loaded with such things as Photoshop, Vegas, Canopus Edius, Adobe
Illustrator and the like.

I don't want to have to worry about spyware, adware, virus prevention,
firewall stuff competing for resources with the graphics tools.
Instead I'd like to prevent those three from contacting the internet.

I want to isolate mch3-5 to only the local network.

That is, only mch1 (a Linux machine) and mch2 (a WinXP Pro machine)
should be able to freely access the internet. (Making those secure
while doing so is not discussed here.) 3-5 should only be able
to talk to/from the local net.

I realize this would not be true isolation, as anyone getting to 1-2
would have access to 3-5, so all bets are off if that should happen.

It's more about having to worry about downloads or link clicks etc. with
unwanted results.

The Netgear FVS318 appears not to be able to do this for me. But I
could be wrong there. I see no options that look useful for it.
Blocking of sites might do it but appears it would be a long process
setting it up.

I'd happily hear that the router can do this.

=====================================================

I'm turning to my Gentoo box for a solution.

However, I'm not interested in setting it up as the router for
everything and ditching the NETGEAR. It's too convenient having
something the size of a medium book that makes no noise or heat but
can keep all but the most dedicated of script kiddies off my network.

I'm thinking I could route machines 3-5 through it as gateway.
The way I work, the Gentoo box is always running. I would never be
using the others without it running; it's just how I work.

I know already that iptables can handle the rulesets needed to get
what I want. I'm not sure of the exact rules yet but believe it is at
least possible.

Now for the questions:

Can I route 3-5 through the Gentoo box without changing the subnet
setup? That is, all still remain 192.168.0.0/24, and simply set the
gateway on 3-5 to point at the Gentoo box, then set up iptables to
prevent those machines from talking beyond the local lan in or out.

Something like deny everything, then allow only a list of `safe' IPs
on the local lan.

So again:
Can I do all this without hardwiring 3-5 direct to the Gentoo box?
That is, just by setting it as gateway on each of them.

--
gentoo-user@g.o mailing list
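The setup the post asks about (Gentoo box as default gateway for mch3-5 on the same /24, iptables refusing to forward anything that leaves the LAN) does work without rewiring, and the script below is an added example of the ruleset, not code from the original post. It assumes the Gentoo box is 192.168.0.1 on eth0 and that mch3-5 are 192.168.0.3-5; the post only gives the 192.168.0.0/24 subnet, so those addresses and the interface name are assumptions. Run without arguments it prints the commands for review; `sh lan-only.sh apply` runs them as root.

```shell
#!/bin/sh
# Added example: keep mch3-5 on the local LAN only, with the Gentoo box as
# their default gateway on the same 192.168.0.0/24.  All addresses and the
# interface name are assumptions (the post gives only the subnet).

LAN=192.168.0.0/24
LAN_IF=eth0                                     # assumed LAN interface
ISOLATED="192.168.0.3 192.168.0.4 192.168.0.5"  # assumed mch3, mch4, mch5

# Emit the commands rather than running them, so the policy can be reviewed
# (and checked) before it touches the kernel.
lan_only_rules() {
    # The box must forward at all, otherwise it silently drops everything.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # A gateway on the same subnet as the real router would normally send
    # ICMP redirects telling the Windows boxes to go straight to the
    # Netgear, which would bypass this policy entirely.  Turn that off.
    echo "sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0"
    echo "sysctl -w net.ipv4.conf.all.send_redirects=0"

    # Deny everything first: nothing is forwarded unless a rule says so.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"

    # LAN-to-LAN traffic never reaches this box (hosts on one /24 talk to
    # each other directly), so the only thing the gateway ever sees from
    # mch3-5 is traffic bound outside the LAN.  Log it at a sane rate and
    # reject it so the application fails fast instead of waiting for a
    # timeout.
    for host in $ISOLATED; do
        echo "iptables -A FORWARD -i $LAN_IF -s $host ! -d $LAN" \
             "-m limit --limit 5/min -j LOG --log-prefix 'lan-only: '"
        echo "iptables -A FORWARD -i $LAN_IF -s $host ! -d $LAN" \
             "-j REJECT --reject-with icmp-net-prohibited"
    done
}

# Apply the emitted commands (needs root and a kernel with iptables).
apply_rules() {
    lan_only_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     lan_only_rules ;;
esac
```

On mch3-5 the only client-side change is setting the default gateway to 192.168.0.1 instead of the Netgear; mch1 and mch2 keep the Netgear as gateway. Two limits are worth knowing before relying on this. First, the Gentoo box controls only what mch3-5 send out through it: the Netgear sits on the same switch and can still deliver packets to mch3-5 directly (a port forward on the FVS318, for instance), so inbound restrictions have to be configured on the Netgear itself. Second, the isolation is only as strong as the gateway setting on each Windows box; anyone who can change the gateway back to the Netgear is on the internet again, which is consistent with the "all bets are off" caveat in the post.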
