split/isolate network
rikona
rikona at sonic.net
Sat Nov 20 05:46:27 UTC 2010
Hello Rashkae,
Friday, November 19, 2010, 1:53:37 PM, Rashkae wrote:
R> On 10-11-19 04:24 PM, rikona wrote:
>> I'd like to split my local net into two parts which are completely
>> isolated, with no possibility of direct communication between them.
>> I'm wondering how to do this with a linux box, perhaps as follows:
>>
>> cable modem -> router -> linux box -> 2 isolated net connections
>>
>> I'm not sure what this might be called, and google was not my friend
>> re this problem, so I thought I'd ask here. The linux box would be
>> dedicated, not used for other purposes, and would be an older, much-
>> less-capable-hdwe box.
>>
>> One of the net connections [side 1] would have several fixed-IP boxes
>> on it, with NO other box addresses allowed. The other [side 2] would
>> need DHCP, with one or more boxes connected, whose address range does
>> NOT overlap that of side 1. [I'm thinking 192.168... and 10.0... for
>> example.]
>>
>> I'm not sure how to do this, but am assuming it is likely possible.
>> Any suggestions for how to do this, or where to find out on the net,
>> would be appreciated.
>>
R> Actually very easy to do.
As you describe it, it looks like it is. Perhaps it is so simple that
nobody has written a google-able article describing how to do it. :-)
R> However, in this case, you would need a box with 3 Ethernet cards.
Not a problem - still low cost.
R> To isolate the two subnets, you need only create an iptables rule that
R> fordis forwarding between those two.
[assuming that is 'forbids'...]
R> iptables -A FORWARD -i eth1 -o eth2 -j REJECT
R> iptables -A FORWARD -i eth2 -o eth1 -j REJECT
I was picturing that it would be a MUCH more complex process to do
it!! That IS simple.
R> And do the same with ip6tables
I'll probably need some help if it is rather different...
<slight reorder below>
R> There is no reason you can't have both 192.168.... and 10.0.... but it's
R> not really necessary for this task. You can simply use two 192.168
R> subnets.. ex: 192.168.1.0 for Eth1, 192.168.2.0 for Eth2 and use Eth0
R> for Internet
I thought I'd need that to keep the isolation possible. As you
describe it, it seems as though I could let the IP addresses be
anything, with no problems. Is that correct, or am I missing
something?
I have no control over the boxes on side 2, which need DHCP. My worry
was that there might be a 'collision' in IP addresses. But, if I put
all the fixed IPs on side 1 as 192.168.10.n [say], perhaps it is
unlikely enough that the router would assign a box on side 2 with one
of those addresses. Would that work OK? Would it be a good idea to
have the router reserve IPs by MAC address to avoid any DHCP
'collisions'?
R> You say you aren't a linux guru, but I don't know how much help you
R> need. Do you know how to set up a script so that it runs on start-up or
R> as part of the network set-up?
No, but it sounds like the kind of thing one could find info on how to
do that. Not sure what is needed in the script, though. Is this
necessary, or can the info to make it work be put in as a 'permanent'
thing?
R> Do you know how to write scripts at all?
Very little. I have written a couple to do very simple tasks, such as
making a file of file names that are in a dir, but nothing complex.
Maybe I need to change my original comment to: 'very' far from being a
linux/network guru. :-))
Thanks VERY much for the help...
--
rikona
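The ruleset the thread sketches, as an added example that is not code from either poster: a small POSIX sh script for the three-NIC box that prints the iptables/ip6tables commands rather than running them, so they can be read over first and then piped to sh as root. Interface names (eth0 uplink, eth1 side 1, eth2 side 2), the 192.168.10.0/24 side-1 subnet and the list of fixed side-1 hosts are all assumptions. It keeps the two REJECT rules from the thread but also sets the FORWARD policy to DROP and whitelists the fixed side-1 addresses, which is what "NO other box addresses allowed" on side 1 needs; since the box routes between the two sides, the two subnets must not overlap, so the side-1 range here is distinct from anything a DHCP server on side 2 would hand out.

```shell
#!/bin/sh
# Added example, not from the thread. Generates FORWARD rules for a three-NIC
# Linux box: eth0 = uplink to the cable-modem router, eth1 = side 1 (fixed
# IPs), eth2 = side 2 (DHCP). Interface names, the 192.168.10.0/24 side-1
# subnet and the fixed-host list are assumptions.
WAN=eth0
SIDE1=eth1
SIDE2=eth2
SIDE1_HOSTS="192.168.10.2 192.168.10.3 192.168.10.4"   # assumed fixed boxes on side 1

# Print the commands for one tool (iptables or ip6tables) instead of running
# them, so the ruleset can be reviewed and then piped to sh as root.
# $2 is the whitelist of side-1 source addresses; an empty list means side 1
# gets no forwarding at all for that address family (fail closed).
gen_rules() {
    tool=$1
    hosts=$2
    echo "$tool -F FORWARD"
    # Default policy: forward nothing that a later rule does not allow.
    echo "$tool -P FORWARD DROP"
    # Replies to flows that were already permitted, whichever side began them.
    echo "$tool -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The two isolation rules from the thread. Kept explicit even though the
    # DROP policy already covers them, so a later ACCEPT added by mistake
    # cannot reopen the path between the sides.
    echo "$tool -A FORWARD -i $SIDE1 -o $SIDE2 -j REJECT"
    echo "$tool -A FORWARD -i $SIDE2 -o $SIDE1 -j REJECT"
    # Side 1: only the listed fixed addresses may reach the uplink.
    for h in $hosts; do
        echo "$tool -A FORWARD -i $SIDE1 -o $WAN -s $h -j ACCEPT"
    done
    # Side 2: any DHCP client may reach the uplink.
    echo "$tool -A FORWARD -i $SIDE2 -o $WAN -j ACCEPT"
}

# Routing is off by default; without this the box forwards nothing at all.
gen_sysctl() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sysctl -w net.ipv6.conf.all.forwarding=1"
}

# Complete output: sysctls, IPv4 rules with the side-1 whitelist, IPv4
# masquerading on the uplink so the upstream router needs no static routes,
# and IPv6 rules with side 1 closed because the fixed addresses are IPv4 only.
gen_all() {
    gen_sysctl
    gen_rules iptables "$SIDE1_HOSTS"
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
    gen_rules ip6tables ""
}

gen_all
```

To apply: `sh isolate.sh | sudo sh`, then `iptables-save` / `ip6tables-save` to capture the result, or drop the script into `/etc/network/if-pre-up.d/` so ifupdown runs it before the interfaces come up. Two things the thread does not spell out: the upstream router's DHCP broadcasts will not cross the Linux box, so side 2 needs a DHCP server on eth2 (dnsmasq is the usual choice), and if you would rather not masquerade, delete the MASQUERADE line and give the router static routes for both subnets via eth0's address.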