split/isolate network

Rashkae ubuntu at tigershaunt.com
Sat Nov 20 08:56:57 UTC 2010

> R>  There is no reason you can't have both 192.168.... and 10.0.... but it's
> R>  not really necessary for this task.  You can simply use two 192.168
> R>  subnets.. ex: for Eth1, for Eth2 and use Eth0
> R>  for Internet
> I thought I'd need that to keep the isolation possible. As you
> describe it, it seems as though I could let the IP addresses be
> anything, with no problems. Is that correct, or am I missing
> something?

I was probably not explaining this well. You were right, you do have to 
keep both networks on separate subnets. However, with the 192.168. 
range, the netmask is usually  That means that the address 
has to start with 192.168. But each number in the 3rd byte is a 
subnet. So in my example, I used .1 and .2. The last number (the 0 in 
the netmask) is the host address (1 unique number per computer).

> R>  need. Do you know how to set up a script so that it run on start-up or
> R>  as part of the network set-up?
> No, but it sounds like the kind of thing one could find info on how to
> do that. Not sure what is needed in the script, though. Is this
> necessary, or can the info to make it work be put in as a 'permanent'
> thing?

A script is how you would make it permanent.  (vs. typing in the command 
on every boot.)

On this machine, the complex part is that you will probably be writing 
your own firewall rules. There are examples and reading.. Wrapping your 
mind around iptables will be the complex part of this project.

A gentle guide can be found here:


You'll also want to read up on NAT


And here's an example of a firewall script:


#!/bin/sh
# Eth0 Local Network
# Eth1 Internet

# Flush any rules already loaded so re-running the script does not
# append a second copy of every rule
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/ip6tables -F

# Default policies: anything not explicitly accepted below is dropped
/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P FORWARD DROP

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP

#Sanity Settings
# Loopback, replies to connections we opened ourselves, and ICMP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# IPv6 forwarding here is stateless: let through any TCP packet that is
# not a new connection attempt (no SYN-only packets)
/sbin/ip6tables -A FORWARD -p tcp ! --syn -j ACCEPT

#Accept SSH
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

#Reject Ident

/sbin/iptables -A INPUT -p tcp --dport 113 -j REJECT

#Accept all connections from local network
#Note, this is a lazy hack and would be considered a target for
#vulnerability by firewall experts.
#A properly configured firewall would have any ports that local hosts
#need access to listed rather than opening all network traffic.

/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/ip6tables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -j ACCEPT
/sbin/ip6tables -A FORWARD -i eth0 -j ACCEPT

#Block port 25 FORWARD, except for and rogers smtp
#Probably making this example more complicated, but I left it here 
#This rule prevents botnet infected pc's from relaying spam e-mail.
#and thus, hopefully, keeps my network off real time block lists.

# -I inserts at the top of the chain, so the ACCEPT rules inserted last
# end up above the REJECT and are checked first
/sbin/iptables -I FORWARD -p tcp  --dport 25 -j REJECT
/sbin/ip6tables -I FORWARD -p tcp  --dport 25 -j REJECT
/sbin/iptables -I FORWARD -p tcp -d --dport 25 -j ACCEPT
/sbin/iptables -I FORWARD -s -p tcp --dport 25 -j ACCEPT

# Internet Sharing
# The kernel ignores the FORWARD chain and NAT until forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING  -o eth1 -j MASQUERADE

More information about the ubuntu-users mailing list
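A worked variant for the split/isolate task in the subject line, added here as an example and not part of Rashkae's post or of any Ubuntu package: two local networks that must not reach each other, both sharing one Internet connection. The interface names (eth0 Internet, eth1 and eth2 local), the subnets 192.168.1.0/24 and 192.168.2.0/24, and the services the router offers its LANs (DNS, DHCP, ping, SSH from one LAN only) are all assumptions. It also replaces the "lazy hack" INPUT rule from the post with the per-port form its own comment recommends, adds an anti-spoofing check on the LAN ports, and sets ip_forward, without which the FORWARD and NAT rules never take effect. Setting IPT=echo SYSCTL=echo prints the rules instead of loading them, which is useful for reviewing the rule set before running it as root.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout:
#   eth0 = Internet, eth1 = LAN A (192.168.1.0/24), eth2 = LAN B (192.168.2.0/24)
# Set IPT=echo SYSCTL=echo for a dry run that prints the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
WAN="${WAN:-eth0}"
LAN_A="${LAN_A:-eth1}"
LAN_B="${LAN_B:-eth2}"
NET_A="${NET_A:-192.168.1.0/24}"
NET_B="${NET_B:-192.168.2.0/24}"

flush_rules() {
    # Start from a clean slate so a re-run does not stack duplicate rules.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
}

base_policy() {
    # Deny by default; only explicitly listed traffic passes.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a packet arriving on a LAN port must carry that LAN's address.
    $IPT -A FORWARD -i "$LAN_A" ! -s "$NET_A" -j DROP
    $IPT -A FORWARD -i "$LAN_B" ! -s "$NET_B" -j DROP
}

isolate_lans() {
    # The isolation itself. The DROP policy already blocks this traffic;
    # explicit REJECT rules make the intent visible in the rule listing and
    # give LAN hosts an immediate "unreachable" instead of a timeout.
    $IPT -A FORWARD -i "$LAN_A" -o "$LAN_B" -j REJECT
    $IPT -A FORWARD -i "$LAN_B" -o "$LAN_A" -j REJECT
}

allow_internet() {
    # Each LAN may open new connections only toward the Internet interface,
    # and is masqueraded behind the router's public address.
    $IPT -A FORWARD -i "$LAN_A" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_B" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

allow_router_services() {
    # Instead of "accept everything from the LAN", list what local hosts need
    # from the router itself (assumed: DNS, DHCP, ping; SSH from LAN A only).
    for lan in "$LAN_A" "$LAN_B"; do
        $IPT -A INPUT -i "$lan" -p udp --dport 53 -j ACCEPT
        $IPT -A INPUT -i "$lan" -p tcp --dport 53 -j ACCEPT
        $IPT -A INPUT -i "$lan" -p udp --dport 67 -j ACCEPT
        $IPT -A INPUT -i "$lan" -p icmp -j ACCEPT
    done
    $IPT -A INPUT -i "$LAN_A" -p tcp --dport 22 -j ACCEPT
}

enable_forwarding() {
    # Without this the kernel never consults FORWARD or performs NAT.
    $SYSCTL -w net.ipv4.ip_forward=1
}

apply_all() {
    flush_rules
    base_policy
    isolate_lans
    allow_internet
    allow_router_services
    enable_forwarding
}

# Only load rules when explicitly asked for, e.g.  sudo ./isolate.sh apply
case "${1:-}" in
    apply) apply_all ;;
esac
```

Run it once by hand with `IPT=echo SYSCTL=echo sh isolate.sh apply` and read the output before loading it for real; to make it permanent, call it from the interface's post-up hook or a boot script, as the post describes. Note that nothing here accepts traffic from eth1 into eth2 or back, so even if the REJECT lines were dropped the DROP policy would still keep the two networks apart.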