Old 11-19-2010, 08:24 PM
rikona
 
split/isolate network

I'd like to split my local net into two parts which are completely
isolated, with no possibility of direct communication between them.
I'm wondering how to do this with a linux box, perhaps as follows:

cable modem -> router -> linux box -> 2 isolated net connections

I'm not sure what this might be called, and google was not my friend
re this problem, so I thought I'd ask here. The linux box would be
dedicated, not used for other purposes, and would be an older, much-
less-capable-hdwe box.

One of the net connections [side 1] would have several fixed-IP boxes
on it, with NO other box addresses allowed. The other [side 2] would
need DHCP, with one or more boxes connected, whose address range does
NOT overlap that of side 1. [I'm thinking 192.168... and 10.0... for
example.]

I'm not sure how to do this, but am assuming it is likely possible.
Any suggestions for how to do this, or where to find out on the net,
would be appreciated.

Also, it looks like 10.04 will not install on the less-capable-hdwe
box. If you know of alternative S/W that might work on older hdwe,
please let me know. And, if there's a very inexpensive hardware
solution that would do the above, that might be preferred, since I'm
far from being a linux/network guru. :-)

Many thanks,

rikona


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 11-19-2010, 08:42 PM
Mark
 
split/isolate network

On Fri, Nov 19, 2010 at 1:24 PM, rikona <rikona@sonic.net> wrote:
>
> Also, it looks like 10.04 will not install on the less-capable-hdwe
> box. If you know of alternative S/W that might work on older hdwe,
> please let me know. And, if there's a very inexpensive hardware
> solution that would do the above, that might be preferred, since I'm
> far from being a linux/network guru. :-)
>
I used to hear about older versions of CentOS being good for this.
You might want to ask there, too (see centos.org for the mailing list
info).

 
Old 11-19-2010, 08:53 PM
Rashkae
 
split/isolate network

On 10-11-19 04:24 PM, rikona wrote:
> I'd like to split my local net into two parts which are completely
> isolated, with no possibility of direct communication between them.
> I'm wondering how to do this with a linux box, perhaps as follows:
>
> cable modem -> router -> linux box -> 2 isolated net connections
>
> I'm not sure what this might be called, and google was not my friend
> re this problem, so I thought I'd ask here. The linux box would be
> dedicated, not used for other purposes, and would be an older, much-
> less-capable-hdwe box.
>
> One of the net connections [side 1] would have several fixed-IP boxes
> on it, with NO other box addresses allowed. The other [side 2] would
> need DHCP, with one or more boxes connected, whose address range does
> NOT overlap that of side 1. [I'm thinking 192.168... and 10.0... for
> example.]
>
> I'm not sure how to do this, but am assuming it is likely possible.
> Any suggestions for how to do this, or where to find out on the net,
> would be appreciated.
>

Actually very easy to do. However, in this case, you would need a box
with 3 Ethernet cards.

There is no reason you can't have both 192.168.... and 10.0.... but it's
not really necessary for this task. You can simply use two 192.168
subnets.. ex: 192.168.1.0 for Eth1, 192.168.2.0 for Eth2 and use Eth0
for Internet

To isolate the two subnets, you need only create an iptables rule that
forbids forwarding between those two.

iptables -A FORWARD -i eth1 -o eth2 -j REJECT
iptables -A FORWARD -i eth2 -o eth1 -j REJECT

And do the same with ip6tables


You say you aren't a linux guru, but I don't know how much help you
need. Do you know how to set up a script so that it runs on start-up or
as part of the network set-up? Do you know how to write scripts at all?



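The three-NIC layout Rashkae describes, as an added example that is not from the original post: a POSIX sh script that prints (or, with "apply", runs as root) the iptables and ip6tables rules for one upstream interface and two segments that may each reach the Internet but never each other. The interface names eth0/eth1/eth2, the two /24 subnets and the side-1 address list are assumptions for illustration. Beyond the two REJECT lines in the thread, the script sets the FORWARD policy to DROP and lets only the listed fixed addresses out of side 1, which is what the original question asks for but the post does not show. The REJECTs are appended before any ACCEPT because iptables stops at the first matching rule.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, subnets and the
# side-1 host list below are assumptions; adjust them to the real box.
set -eu

WAN=eth0                               # towards the cable router
SIDE1=eth1; SIDE1_NET=192.168.1.0/24   # fixed-IP boxes only
SIDE2=eth2; SIDE2_NET=192.168.2.0/24   # DHCP clients
# Only these side-1 addresses may talk through the box (assumed list).
SIDE1_HOSTS="192.168.1.10 192.168.1.11 192.168.1.12"

# Print the rule commands instead of running them, so the whole set can
# be read (and checked) before it touches a live machine.
gen_rules() {
    for T in iptables ip6tables; do
        echo "$T -F FORWARD"
        echo "$T -P FORWARD DROP"
        # Cross-side traffic is refused in both directions. These come
        # first: iptables is first-match, so no later ACCEPT can undo them.
        echo "$T -A FORWARD -i $SIDE1 -o $SIDE2 -j REJECT"
        echo "$T -A FORWARD -i $SIDE2 -o $SIDE1 -j REJECT"
    done
    # Replies to connections that were already allowed out.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Side 1: only the listed fixed addresses may reach the WAN; anything
    # else plugged into that segment hits the DROP policy.
    for h in $SIDE1_HOSTS; do
        echo "iptables -A FORWARD -i $SIDE1 -o $WAN -s $h -j ACCEPT"
    done
    # Side 2: the DHCP subnet as a whole may reach the WAN, and only that
    # subnet, so a client that hand-configures a side-1 address gains nothing.
    echo "iptables -A FORWARD -i $SIDE2 -o $WAN -s $SIDE2_NET -j ACCEPT"
    # IPv6 is left at the DROP policy in this example: nothing is forwarded.
    # Masquerade so the upstream router sees one address; unnecessary if
    # that router has static routes back to both subnets.
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
    # Without this the kernel never consults the FORWARD chain at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Number of generated rules matching a pattern (used for self-checks).
count_rules() { gen_rules | grep -c -- "$1" || true; }

case "${1:-show}" in
    show)  gen_rules ;;
    apply) gen_rules | sh -e ;;   # run as root
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the rules and with "apply" as root to load them. Two caveats: the rules only separate the sides at layer 3, so side 1 and side 2 must hang off different NICs (and different switches), otherwise hosts talk to each other directly without ever crossing the Linux box; and the side-1 allow list matches on the source address alone, which a host on that wire can forge, so pairing each address with its MAC (iptables' -m mac --mac-source) is stricter. To make the rules survive a reboot, one common arrangement on Ubuntu (an assumption, not from the thread) is to call the script from a file in /etc/network/if-pre-up.d/, or to load it once and keep the result with iptables-save / iptables-restore.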
 
Old 11-19-2010, 10:54 PM
rikona
 
split/isolate network

Hello Mark,

Friday, November 19, 2010, 1:42:29 PM, Mark wrote:

M> On Fri, Nov 19, 2010 at 1:24 PM, rikona <rikona@sonic.net> wrote:
>>
>> Also, it looks like 10.04 will not install on the less-capable-hdwe
>> box. If you know of alternative S/W that might work on older hdwe,
>> please let me know. And, if there's a very inexpensive hardware
>> solution that would do the above, that might be preferred, since I'm
>> far from being a linux/network guru. :-)
>>
M> I used to hear about older versions of CentOS being good for this.
M> You might want to ask there, too (see centos.org for the mailing list
M> info).

I'll check it out. Is an old version likely to have security problems
that would be significant?

I also heard, in a separate conversation, that there are, supposedly,
special very small linux versions that are used as a separate-box
firewall, and may be quite tolerant of old hardware. Is it likely that
it might also be able to do what I need [which is not really a
firewall]?

Thanks for the reply...

--

rikona


 
Old 11-20-2010, 12:30 AM
Mark
 
split/isolate network

On Fri, Nov 19, 2010 at 3:54 PM, rikona <rikona@sonic.net> wrote:
> Friday, November 19, 2010, 1:42:29 PM, Mark wrote:
>>
>> I used to hear about older versions of CentOS being good for this.
>> You might want to ask there, too (see centos.org for the mailing list
>> info).
>
> I'll check it out. Is an old version likely to have security problems
> that would be significant?
>
If it's still supported, no. If not, YMMV.

> I also heard, in a separate conversation, that there are, supposedly,
> special very small linux versions that are used as a separate-box
> firewall, and may be quite tolerant of old hardware. Is it likely that
> it might also be able to do what I need [which is not really a
> firewall]?
>
Probably, but since I've never needed to do that, I can't say for sure.

> Thanks for the reply...
>
Any time.

 
Old 11-20-2010, 04:46 AM
rikona
 
split/isolate network

Hello Rashkae,

Friday, November 19, 2010, 1:53:37 PM, Rashkae wrote:

R> On 10-11-19 04:24 PM, rikona wrote:
>> I'd like to split my local net into two parts which are completely
>> isolated, with no possibility of direct communication between them.
>> I'm wondering how to do this with a linux box, perhaps as follows:
>>
>> cable modem -> router -> linux box -> 2 isolated net connections
>>
>> I'm not sure what this might be called, and google was not my friend
>> re this problem, so I thought I'd ask here. The linux box would be
>> dedicated, not used for other purposes, and would be an older, much-
>> less-capable-hdwe box.
>>
>> One of the net connections [side 1] would have several fixed-IP boxes
>> on it, with NO other box addresses allowed. The other [side 2] would
>> need DHCP, with one or more boxes connected, whose address range does
>> NOT overlap that of side 1. [I'm thinking 192.168... and 10.0... for
>> example.]
>>
>> I'm not sure how to do this, but am assuming it is likely possible.
>> Any suggestions for how to do this, or where to find out on the net,
>> would be appreciated.
>>

R> Actually very easy to do.

As you describe it, it looks like it is. Perhaps it is so simple that
nobody has written a google-able article describing how to do it. :-)

R> However, in this case, you would need a box with 3 Ethernet cards.

Not a problem - still low cost.

R> To isolate the two subnets, you need only create a iptables rule that
R> fordis forwarding between those two.

[assuming that is 'forbids'...]

R> iptables -A FORWARD -i eth1 -o eth2 -j REJECT
R> iptables -A FORWARD -i eth2 -o eth1 -j REJECT

I was picturing that it would be a MUCH more complex process to do
it!! That IS simple.

R> And do the same with ip6tables

I'll probably need some help if it is rather different...

<slight reorder below>

R> There is no reason you can't have both 192.168.... and 10.0.... but it's
R> not really necessary for this task. You can simply use two 192.168
R> subnets.. ex: 192.168.1.0 for Eth1, 192.168.2.0 for Eth2 and use Eth0
R> for Internet

I thought I'd need that to keep the isolation possible. As you
describe it, it seems as though I could let the IP addresses be
anything, with no problems. Is that correct, or am I missing
something?

I have no control over the boxes on side 2, which need DHCP. My worry
was that there might be a 'collision' in IP addresses. But, if I put
all the fixed IPs on side 1 as 192.168.10.n [say], perhaps it is
unlikely enough that the router would assign a box on side 2 with one
of those addresses. Would that work OK? Would it be a good idea to
have the router reserve IPs by MAC address to avoid any DHCP
'collisions'?

R> You say you aren't a linux guru, but I don't know how much help you
R> need. Do you know how to set up a script so that it run on start-up or
R> as part of the network set-up?

No, but it sounds like the kind of thing one could find info on how to
do that. Not sure what is needed in the script, though. Is this
necessary, or can the info to make it work be put in as a 'permanent'
thing?

R> Do you know how to write scripts at all?

Very little. I have written a couple to do very simple tasks, such as
making a file of the file names that are in a dir, but nothing complex.

Maybe I need to change my original comment to: 'very' far from being a
linux/network guru. :-))

Thanks VERY much for the help...

--

rikona


 
Old 11-20-2010, 04:56 AM
rikona
 
split/isolate network

Hello Mark,

Friday, November 19, 2010, 5:30:05 PM, Mark wrote:

M> On Fri, Nov 19, 2010 at 3:54 PM, rikona <rikona@sonic.net> wrote:
>> Friday, November 19, 2010, 1:42:29 PM, Mark wrote:
>>>
>>> I used to hear about older versions of CentOS being good for this.
>>> You might want to ask there, too (see centos.org for the mailing list
>>> info).
>>
>> I'll check it out. Is an old version likely to have security problems
>> that would be significant?
>>
M> If it's still supported, no. If not, YMMV.

>> I also heard, in a separate conversation, that there are, supposedly,
>> special very small linux versions that are used as a separate-box
>> firewall, and may be quite tolerant of old hardware. Is it likely that
>> it might also be able to do what I need [which is not really a
>> firewall]?
>>
M> Probably, but since I've never needed to do that, I can't say for sure.

From what I've seen [or, better yet, not seen] on the net, there don't
seem to be many people wanting to do that... :-)

>> Thanks for the reply...
>>
M> Any time.

& another tip of the hat...

--

rikona


 
Old 11-20-2010, 07:56 AM
Rashkae
 
split/isolate network

> R> There is no reason you can't have both 192.168.... and 10.0.... but it's
> R> not really necessary for this task. You can simply use two 192.168
> R> subnets.. ex: 192.168.1.0 for Eth1, 192.168.2.0 for Eth2 and use Eth0
> R> for Internet
>
> I thought I'd need that to keep the isolation possible. As you
> describe it, it seems as though I could let the IP addresses be
> anything, with no problems. Is that correct, or am I missing
> something?
>
>

I was probably not explaining this well.. You were right, you do have to
keep both networks on separate subnets. However, with the 192.168.
range, the netmask is usually 255.255.255.0. That means that the address
has to start with 192.168. But each number in the 3rd byte is a
subnet. So in my example, I used .1 and .2. The last number (the 0 in
the netmask) is the host address (one unique number per computer).

> R> need. Do you know how to set up a script so that it run on start-up or
> R> as part of the network set-up?
>
> No, but it sounds like the kind of thing one could find info on how to
> do that. Not sure what is needed in the script, though. Is this
> necessary, or can the info to make it work be put in as a 'permanent'
> thing?
>
>

A script is how you would make it permanent (vs. typing in the commands
on every boot).

On this machine, the complex part is that you will probably be writing
your own firewall rules. There are examples and reading. Wrapping your
mind around iptables will be the complex part of this project.

A gentle guide can be found here:

https://help.ubuntu.com/community/IptablesHowTo

You'll also want to read up on NAT

http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html

And here's an example of a firewall script:

#!/bin/sh

# Eth0 Local Network
# Eth1 Internet

# Flush first so that re-running the script does not append a second
# copy of every rule. (Added; not in the script as posted.)
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/ip6tables -F

/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P FORWARD DROP

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP


#Sanity Settings
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Stateless stand-in for ESTABLISHED on IPv6: any TCP segment without
#SYN is let through, so this does not check that a connection exists.
/sbin/ip6tables -A FORWARD -p tcp ! --syn -j ACCEPT

#Accept SSH
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

#Reject Ident

/sbin/iptables -A INPUT -p tcp --dport 113 -j REJECT


#Accept all connections from local network
#Note, this is a lazy hack and would be considered a target for
#vulnerability by firewall experts.
#A properly configured firewall would have any ports that local hosts
#need access to listed rather than opening all network traffic.

/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/ip6tables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -j ACCEPT
/sbin/ip6tables -A FORWARD -i eth0 -j ACCEPT

#Block port 25 FORWARD, except for 10.0.0.6 and rogers smtp
#Probably making this example more complicated, but I left it here
#regardless.
#This rule prevents botnet infected pc's from relaying spam e-mail,
#and thus, hopefully, keeps my network off real time block lists.
#Each -I inserts at the top of the chain, so after these four lines the
#two ACCEPTs sit above the REJECTs, and all of them sit above the
#blanket "-i eth0 -j ACCEPT" appended earlier.

/sbin/iptables -I FORWARD -p tcp --dport 25 -j REJECT
/sbin/ip6tables -I FORWARD -p tcp --dport 25 -j REJECT
/sbin/iptables -I FORWARD -p tcp -d 206.190.36.18 --dport 25 -j ACCEPT
/sbin/iptables -I FORWARD -s 10.0.0.6 -p tcp --dport 25 -j ACCEPT


# Internet Sharing
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# The kernel must also be told to route between interfaces, or the
# FORWARD chain never sees a packet. (Added; not in the script as posted.)
echo 1 > /proc/sys/net/ipv4/ip_forward


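The netmask arithmetic behind "each number in the 3rd byte is a subnet", and rikona's worry about a fixed side-1 address colliding with a DHCP lease on side 2, worked through in plain POSIX sh as an added example that is not part of the original post. All addresses and pool bounds are constructed for illustration; the functions take the same dotted-quad and a.b.c.d/n forms the thread uses.

```shell
#!/bin/sh
# Added example, not from the thread: subnet mask arithmetic in plain
# shell. Addresses used in the worked checks are constructed values.

# Dotted quad -> 32-bit integer (192.168.1.0 -> 3232235776).
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> integer mask (24 -> 255.255.255.0 -> 4294967040).
prefix2mask() {
    echo $(( 4294967295 ^ ((1 << (32 - $1)) - 1) ))
}

# Network address (as integer) of a block such as 192.168.1.0/24: the
# host bits, the ones the mask zeroes, are cleared.
net_of() {
    echo $(( $(ip2int "${1%/*}") & $(prefix2mask "${1#*/}") ))
}

# Succeeds if two CIDR blocks share at least one address. They do exactly
# when the longer block's network address, masked with the shorter
# block's mask, equals the shorter block's network address.
overlaps() {
    if [ "${1#*/}" -le "${2#*/}" ]; then short=$1; long=$2
    else short=$2; long=$1; fi
    [ $(( $(ip2int "${long%/*}") & $(prefix2mask "${short#*/}") )) \
      -eq "$(net_of "$short")" ]
}

# Succeeds if a single host address lies inside a CIDR block.
in_block() { overlaps "$1/32" "$2"; }

# Succeeds if HOST lies inside the DHCP pool START..END (inclusive).
in_range() {
    h=$(ip2int "$1"); s=$(ip2int "$2"); e=$(ip2int "$3")
    [ "$h" -ge "$s" ] && [ "$h" -le "$e" ]
}

# Worked checks: the two /24s from the thread are separate, but a /16
# on one side would swallow the other side's /24.
overlaps 192.168.1.0/24 192.168.2.0/24 && echo overlap || echo separate
overlaps 192.168.0.0/16 192.168.10.0/24 && echo overlap || echo separate
# A fixed side-1 address cannot be handed out by a side-2 pool that
# stays inside the side-2 subnet.
in_range 192.168.10.5 192.168.2.100 192.168.2.200 && echo collision || echo safe
```

The point for the layout in this thread: with 255.255.255.0 on both sides, 192.168.1.0/24 and 192.168.2.0/24 have different network addresses and so cannot overlap, and a DHCP server on side 2 configured for its own /24 can never lease a 192.168.1.x address; reserving leases by MAC is not needed for that. What would break the separation is a wider mask (255.255.0.0) on either side, because then both segments collapse into the one 192.168.0.0/16 block, which is what the second worked check shows.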
 
Old 11-20-2010, 10:39 AM
"Joep L. Blom"
 
split/isolate network

On 19/11/10 22:24, rikona wrote:
> I'd like to split my local net into two parts which are completely
> isolated, with no possibility of direct communication between them.
> I'm wondering how to do this with a linux box, perhaps as follows:
>
> cable modem -> router -> linux box -> 2 isolated net connections
>
> I'm not sure what this might be called, and google was not my friend
> re this problem, so I thought I'd ask here. The linux box would be
> dedicated, not used for other purposes, and would be an older, much-
> less-capable-hdwe box.
>
> One of the net connections [side 1] would have several fixed-IP boxes
> on it, with NO other box addresses allowed. The other [side 2] would
> need DHCP, with one or more boxes connected, whose address range does
> NOT overlap that of side 1. [I'm thinking 192.168... and 10.0... for
> example.]
>
> I'm not sure how to do this, but am assuming it is likely possible.
> Any suggestions for how to do this, or where to find out on the net,
> would be appreciated.
>
> Also, it looks like 10.04 will not install on the less-capable-hdwe
> box. If you know of alternative S/W that might work on older hdwe,
> please let me know. And, if there's a very inexpensive hardware
> solution that would do the above, that might be preferred, since I'm
> far from being a linux/network guru. :-)
>
> Many thanks,
>
> rikona
>
>
Rikona,
Maybe a little OT, but what you want to achieve can be done, even with the
oldest hardware you have, using LEAF. I have been using it for over 15
years now on a stand-alone K6 box with no disks and a minimum of memory (I
think it is 48 MB), but I started with an old Pentium, I think 300 MHz.
You can use as many network cards as your motherboard permits to split
your network. It is based on Shorewall as the firewall and I have never
had any problems with it. I used to have 3 branches (outside world,
local net and DMZ) but now I temporarily have 2, as I don't use a DMZ any
more since my website is elsewhere.
The URL is: http://leaf.sourceforge.net/
The current active branch is Bering uClibc.
Hope it helps,
Joep



 
Old 11-20-2010, 07:24 PM
rikona
 
split/isolate network

Hello Rashkae,

Saturday, November 20, 2010, 12:56:57 AM, Rashkae wrote:


>> R> There is no reason you can't have both 192.168.... and 10.0.... but it's
>> R> not really necessary for this task. You can simply use two 192.168
>> R> subnets.. ex: 192.168.1.0 for Eth1, 192.168.2.0 for Eth2 and use Eth0
>> R> for Internet
>>
>> I thought I'd need that to keep the isolation possible. As you
>> describe it, it seems as though I could let the IP addresses be
>> anything, with no problems. Is that correct, or am I missing
>> something?

R> I was probably not explaining this well..

Actually, your explanations were quite good even though brief. It is
mostly my lack of understanding.

R> You were right, you do have to
R> keep both networks on separate subnets. However, with the 192.168.
R> range, the netmask is usually 255.255.255.0 That means that the address
R> has to start with 192.168. But each number in the 3rd byte is a
R> subnet. So in my example, I used .1 and .2. The last number (the 0 in
R> the netmask) is the host address, (1 unique number per computer.

This is starting to sink in. I sort of understood it before, but not
well. If I'm understanding it right, would this require a mask
different from 255.255.255.0 to work correctly[ so the 3rd byte keeps
them separate]?

>> R> need. Do you know how to set up a script so that it run on start-up or
>> R> as part of the network set-up?
>>
>> No, but it sounds like the kind of thing one could find info on how to
>> do that. Not sure what is needed in the script, though. Is this
>> necessary, or can the info to make it work be put in as a 'permanent'
>> thing?

R> A script is how you would make it permanent. (vs. typing in the command
R> on every boot.)

I didn't understand how it works. In snooping on my box, I ran into
some docs re iptables. I see the real pgm is built into the kernel,
and could not, of course, be changed [easily]. Iptables sets the
parameters each time - I see why the script is needed.

R> On this machine, the complex part is that you will probably be
R> writing your own firewall rules. There are examples and reading.
R> Wrapping your mind around iptables will be the complex part of this
R> project.

No kidding. :-)) I started by looking at man iptables - it was a
rather sobering intro to the topic. :-)

R> A gentle guide can be found here:

R> https://help.ubuntu.com/community/IptablesHowTo

Thanks for the intro. It would seem that this can get to be a VERRRRY
complex topic. Us beginners need to ease into it slowly...

R> You'll also want to read up on NAT

R> http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html

My plan is to put the box AFTER the router, which does NAT for the
local net. Doesn't this mean I won't have to address NAT in what I do?
Or do I need to know it anyway to keep from somehow getting into
trouble?

R> And here's an example of a firewall script:

Thanks! There's nothing like a well-explained script to get across
ideas, at least for me. For example, this immediately cleared up my
confusion re how to set ip6 stuff.

R> #Accept all connections from local network
R> #Note, this is a lazy hack and would be considered a target for
R> #vulnerability by firewall experts.
R> #A properly configured firewall would have any ports that local hosts
R> #need access to listed rather than opening all network traffic.

Good comment. :-))

R> #Block port 25 FORWARD, except for 10.0.0.6 and rogers smtp
R> #Probably making this example more complicated, but I left it here
R> #regardless.
R> #This rule prevents botnet infected pc's from relaying spam e-mail,
R> #and thus, hopefully, keeps my network off real time block lists.

Another very interesting comment...

R> # Internet Sharing
R> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

As I very vaguely understand it, is this what does NAT, and what I may
not have to do if the box is behind the router?

MANY thanks for the excellent help!

--

rikona


 
