split/isolate network
rikona
rikona at sonic.net
Sat Nov 20 20:24:17 UTC 2010
Hello Rashkae,
Saturday, November 20, 2010, 12:56:57 AM, Rashkae wrote:
>> R> There is no reason you can't have both 192.168.... and 10.0.... but it's
>> R> not really necessary for this task. You can simply use two 192.168
>> R> subnets.. ex: 192.168.1.0 for Eth1, 192.168.2.0 for Eth2 and use Eth0
>> R> for Internet
>>
>> I thought I'd need that to keep the isolation possible. As you
>> describe it, it seems as though I could let the IP addresses be
>> anything, with no problems. Is that correct, or am I missing
>> something?
R> I was probably not explaining this well..
Actually, your explanations were quite good even though brief. It is
mostly my lack of understanding.
R> You were right, you do have to
R> keep both networks on separate subnets. However, with the 192.168.
R> range, the netmask is usually 255.255.255.0. That means that the address
R> has to start with 192.168. But each number in the 3rd byte is a
R> subnet. So in my example, I used .1 and .2. The last number (the 0 in
R> the netmask) is the host address (1 unique number per computer).
This is starting to sink in. I sort of understood it before, but not
well. If I'm understanding it right, would this require a mask
different from 255.255.255.0 to work correctly [so the 3rd byte keeps
them separate]?
>> R> need. Do you know how to set up a script so that it run on start-up or
>> R> as part of the network set-up?
>>
>> No, but it sounds like the kind of thing one could find info on how to
>> do that. Not sure what is needed in the script, though. Is this
>> necessary, or can the info to make it work be put in as a 'permanent'
>> thing?
R> A script is how you would make it permanent. (vs. typing in the command
R> on every boot.)
I didn't understand how it works. In snooping on my box, I ran into
some docs re iptables. I see the real pgm is built into the kernel,
and could not, of course, be changed [easily]. Iptables sets the
parameters each time - I see why the script is needed.
R> On this machine, the complex part is that you will probably be
R> writing your own firewall rules. There are examples and reading..
R> Wrapping your mind around iptables will be the complex part of this
R> project.
No kidding. :-)) I started by looking at man iptables - it was a
rather sobering intro to the topic. :-)
R> A gentle guide can be found here:
R> https://help.ubuntu.com/community/IptablesHowTo
Thanks for the intro. It would seem that this can get to be a VERRRRY
complex topic. We beginners need to ease into it slowly...
R> You'll also want to read up on NAT
R> http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html
My plan is to put the box AFTER the router, which does NAT for the
local net. Doesn't this mean I won't have to address NAT in what I do?
Or do I need to know it anyway to keep from somehow getting into
trouble?
R> And here's an example of a firewall script:
Thanks! There's nothing like a well-explained script to get across
ideas, at least for me. For example, this immediately cleared up my
confusion re how to set ip6 stuff.
R> # Accept all connections from local network
R> # Note, this is a lazy hack and would be considered a target for
R> # vulnerability by firewall experts.
R> # A properly configured firewall would have any ports that local hosts
R> # need access to listed rather than opening all network traffic.
Good comment. :-))
R> # Block port 25 FORWARD, except for 10.0.0.6 and rogers smtp
R> # Probably making this example more complicated, but I left it here
R> # regardless.
R> # This rule prevents botnet infected PCs from relaying spam e-mail,
R> # and thus, hopefully, keeps my network off real time block lists.
Another very interesting comment...
R> # Internet Sharing
R> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
As I very vaguely understand it, is this what does NAT, and what I may
not have to do if the box is behind the router?
MANY thanks for the excellent help!
--
rikona
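The two questions in this message (whether 255.255.255.0 keeps 192.168.1.x and 192.168.2.x apart, and what the MASQUERADE line does when the box sits behind a NAT router) can be answered with a small script. The following is an added example, not code from this thread or from Rashkae's firewall script. It assumes three interfaces: eth0 toward the home router, eth1 serving 192.168.1.0/24 and eth2 serving 192.168.2.0/24, and it only allows SSH (tcp/22) from each LAN to the box itself. By default it prints the iptables commands it would run; setting APPLY=1 and running it as root executes them instead.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from
# Rashkae's script. Assumed layout: eth0 faces the home router (Internet),
# eth1 serves 192.168.1.0/24 and eth2 serves 192.168.2.0/24. Without APPLY=1
# the script only prints the iptables commands it would run (dry run).

WAN_IF=eth0
LAN1_IF=eth1; LAN1_NET=192.168.1.0/24
LAN2_IF=eth2; LAN2_NET=192.168.2.0/24

# ipt: print the command (dry run, the default) or really execute it.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        /sbin/iptables "$@"
    else
        echo "/sbin/iptables $*"
    fi
}

# in_network IP NETWORK MASK: succeeds when IP and NETWORK agree on every
# bit the mask keeps. With 255.255.255.0 only the first three octets are
# compared, so 192.168.1.x and 192.168.2.x land in different subnets,
# while with 255.255.0.0 they would be one subnet.
in_network() {
    oldifs=$IFS; IFS=.
    set -- $1 $2 $3        # 12 words: 4 ip octets, 4 network octets, 4 mask octets
    IFS=$oldifs
    [ $(($1 & $9)) -eq $(($5 & $9)) ] && [ $(($2 & ${10})) -eq $(($6 & ${10})) ] \
      && [ $(($3 & ${11})) -eq $(($7 & ${11})) ] && [ $(($4 & ${12})) -eq $(($8 & ${12})) ]
}

# build_rules: the isolation firewall, 16 iptables invocations.
build_rules() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, and replies to connections the box or the LANs already opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Each LAN may reach the box itself on SSH only (listed ports, not "everything").
    ipt -A INPUT -i "$LAN1_IF" -s "$LAN1_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$LAN2_IF" -s "$LAN2_NET" -p tcp --dport 22 -j ACCEPT
    # The isolation itself: nothing is forwarded between the two LANs.
    ipt -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" -j DROP
    ipt -A FORWARD -i "$LAN2_IF" -o "$LAN1_IF" -j DROP
    # Same idea as the quoted script: no outbound SMTP relaying from the LANs.
    ipt -A FORWARD -o "$WAN_IF" -p tcp --dport 25 -j DROP
    # Each LAN reaches the Internet, but only with source addresses from its
    # own subnet, so a host cannot pose as a member of the other LAN.
    ipt -A FORWARD -i "$LAN1_IF" -s "$LAN1_NET" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN2_IF" -s "$LAN2_NET" -o "$WAN_IF" -j ACCEPT
    # Masquerade behind eth0: the router only ever sees eth0's own address.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

build_rules
```

On the NAT question: the home router already translates addresses for its own subnet, but it has no route back to 192.168.1.0/24 or 192.168.2.0/24, so without the MASQUERADE line replies from the Internet would be dropped at the router. Keeping the line (double NAT) is the simplest arrangement; the alternative is adding static routes for both subnets on the router, after which the MASQUERADE line could go. Forwarding also has to be switched on (`sysctl -w net.ipv4.ip_forward=1`), and the script needs to run at boot, for example from /etc/rc.local or a script under /etc/network/if-pre-up.d/, since iptables rules do not survive a reboot on their own.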