split/isolate network
Rashkae
ubuntu at tigershaunt.com
Sat Nov 20 08:56:57 UTC 2010
> R> There is no reason you can't have both 192.168.... and 10.0.... but it's
> R> not really necessary for this task. You can simply use two 192.168
> R> subnets.. ex: 192.168.1.0 for Eth1, 192.168.2.0 for Eth2 and use Eth0
> R> for Internet
>
> I thought I'd need that to keep the isolation possible. As you
> describe it, it seems as though I could let the IP addresses be
> anything, with no problems. Is that correct, or am I missing
> something?
>
>
I was probably not explaining this well. You were right, you do have to
keep both networks on separate subnets. However, with the 192.168.
range, the netmask is usually 255.255.255.0. That means that the address
has to start with 192.168, but each number in the 3rd byte is a
subnet. So in my example, I used .1 and .2. The last number (the 0 in
the netmask) is the host address (1 unique number per computer).
> R> need. Do you know how to set up a script so that it run on start-up or
> R> as part of the network set-up?
>
> No, but it sounds like the kind of thing one could find info on how to
> do that. Not sure what is needed in the script, though. Is this
> necessary, or can the info to make it work be put in as a 'permanent'
> thing?
>
>
A script is how you would make it permanent. (vs. typing in the command
on every boot.)
On this machine, the complex part is that you will probably be writing
your own firewall rules. There are examples and reading. Wrapping your
mind around iptables will be the complex part of this project.
A gentle guide can be found here:
https://help.ubuntu.com/community/IptablesHowTo
You'll also want to read up on NAT
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html
And here's an example of a firewall script:
#!/bin/sh
# Eth0 Local Network
# Eth1 Internet
/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P FORWARD DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
#Sanity Settings
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A FORWARD -p tcp ! --syn -j ACCEPT
#Accept SSH
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
#Reject Ident
/sbin/iptables -A INPUT -p tcp --dport 113 -j REJECT
#Accept all connections from local network
#Note, this is a lazy hack and would be considered a target for vulnerability by firewall experts
#A properly configured firewall would have any ports that local hosts need access to listed rather than opening all network traffic.
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/ip6tables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -j ACCEPT
/sbin/ip6tables -A FORWARD -i eth0 -j ACCEPT
#Block port 25 FORWARD, except for 10.0.0.6 and rogers smtp
#Probably making this example more complicated, but I left it here regardless.
#This rule prevents botnet infected pc's from relaying spam e-mail.
#and thus, hopefully, keeps my network off real time block lists.
/sbin/iptables -I FORWARD -p tcp --dport 25 -j REJECT
/sbin/ip6tables -I FORWARD -p tcp --dport 25 -j REJECT
/sbin/iptables -I FORWARD -p tcp -d 206.190.36.18 --dport 25 -j ACCEPT
/sbin/iptables -I FORWARD -s 10.0.0.6 -p tcp --dport 25 -j ACCEPT
# Internet Sharing
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
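A firewall script for the layout discussed earlier in this thread, added here as an example and not taken from the original post: eth0 to the Internet, eth1 on 192.168.1.0/24, eth2 on 192.168.2.0/24 (interface names and subnets are assumed from the earlier reply). It replaces the "lazy hack" blanket accept with explicit per-LAN service rules and drops all forwarding between the two LANs, so they stay isolated while both share the Internet connection.

```shell
#!/bin/sh
# Added example (not from the original post). Layout assumed from the thread:
# eth0 = Internet, eth1 = 192.168.1.0/24, eth2 = 192.168.2.0/24.
# Run with no arguments to print the rules; run with --apply to install them.
WAN=eth0
LAN1=eth1; LAN1_NET=192.168.1.0/24
LAN2=eth2; LAN2_NET=192.168.2.0/24
IPT=/sbin/iptables

# Print the command in dry-run mode, otherwise execute it.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

apply_firewall() {
    # Default deny, both for traffic to the router and through it.
    run $IPT -P INPUT DROP
    run $IPT -P FORWARD DROP
    run $IPT -A INPUT -i lo -j ACCEPT
    run $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a LAN interface may only source its own subnet.
    run $IPT -A FORWARD -i $LAN1 ! -s $LAN1_NET -j DROP
    run $IPT -A FORWARD -i $LAN2 ! -s $LAN2_NET -j DROP
    # Isolation: nothing is forwarded between the two LANs, either way.
    run $IPT -A FORWARD -i $LAN1 -o $LAN2 -j DROP
    run $IPT -A FORWARD -i $LAN2 -o $LAN1 -j DROP
    # Router services offered to each LAN, listed explicitly instead of a
    # blanket "-i eth1 -j ACCEPT": DNS, DHCP and ping.
    for IF in $LAN1 $LAN2; do
        run $IPT -A INPUT -i $IF -p udp --dport 53 -j ACCEPT
        run $IPT -A INPUT -i $IF -p tcp --dport 53 -j ACCEPT
        run $IPT -A INPUT -i $IF -p udp --dport 67 -j ACCEPT
        run $IPT -A INPUT -i $IF -p icmp -j ACCEPT
    done
    # SSH to the router only from the first LAN (assumed to be the trusted side).
    run $IPT -A INPUT -i $LAN1 -p tcp --dport 22 -j ACCEPT
    # Each LAN may open connections to the Internet, and only there.
    run $IPT -A FORWARD -i $LAN1 -o $WAN -j ACCEPT
    run $IPT -A FORWARD -i $LAN2 -o $WAN -j ACCEPT
    # Internet sharing: masquerade both LANs behind the WAN address.
    run $IPT -t nat -A POSTROUTING -s $LAN1_NET -o $WAN -j MASQUERADE
    run $IPT -t nat -A POSTROUTING -s $LAN2_NET -o $WAN -j MASQUERADE
}

[ "${1:-}" = "--apply" ] || DRY_RUN=1
apply_firewall
```

The script assumes IPv4 forwarding is already enabled (net.ipv4.ip_forward=1) and, unlike the posted script, covers IPv4 only; the matching ip6tables rules would need to be added separately.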