split/isolate network

rikona rikona at sonic.net
Sat Nov 20 20:24:17 UTC 2010

Hello Rashkae,

Saturday, November 20, 2010, 12:56:57 AM, Rashkae wrote:

>> R>  There is no reason you can't have both 192.168.... and 10.0.... but it's
>> R>  not really necessary for this task.  You can simply use two 192.168
>> R>  subnets.. ex: for Eth1, for Eth2 and use Eth0
>> R>  for Internet
>> I thought I'd need that to keep the isolation possible. As you
>> describe it, it seems as though I could let the IP addresses be
>> anything, with no problems. Is that correct, or am I missing
>> something?

R> I was probably not explaining this well..

Actually, your explanations were quite good even though brief. It is
mostly my lack of understanding.

R> You were right, you do have to
R> keep both networks on separate subnets.  However, with the 192.168.
R> range, the netmask is usually  That means that the address
R> has to start with 192.168.  But each number in the 3rd byte is a
R> subnet.  So in my example, I used .1 and .2.  The last number (the 0 in
R> the netmask) is the host address (1 unique number per computer).

This is starting to sink in. I sort of understood it before, but not
well. If I'm understanding it right, would this require a mask
different from to work correctly [so the 3rd byte keeps
them separate]?

>> R>  need. Do you know how to set up a script so that it run on start-up or
>> R>  as part of the network set-up?
>> No, but it sounds like the kind of thing one could find info on how to
>> do that. Not sure what is needed in the script, though. Is this
>> necessary, or can the info to make it work be put in as a 'permanent'
>> thing?

R> A script is how you would make it permanent.  (vs. typing in the command
R> on every boot.)

I didn't understand how it works. In snooping on my box, I ran into
some docs re iptables. I see the real pgm is built into the kernel,
and could not, of course, be changed [easily]. Iptables sets the
parameters each time - I see why the script is needed.

R> On this machine, the complex part is that you will probably be
R> writing your own firewall rules. There are examples and reading..
R> Wrapping your mind around iptables will be the complex part of this
R> project.

No kidding. :-)) I started by looking at man iptables - it was a
rather sobering intro to the topic. :-)

R> A gentle guide can be found here:

R> https://help.ubuntu.com/community/IptablesHowTo

Thanks for the intro. It would seem that this can get to be a VERRRRY
complex topic. Us beginners need to ease into it slowly...

R> You'll also want to read up on NAT

R> http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html

My plan is to put the box AFTER the router, which does NAT for the
local net. Doesn't this mean I won't have to address NAT in what I do?
Or do I need to know it anyway to keep from somehow getting into

R> And here's an example of a firewall script:

Thanks! There's nothing like a well-explained script to get across
ideas, at least for me. For example, this immediately cleared up my
confusion re how to set ip6 stuff.

R> #Accept all connections from local network
R> #Note, this is a lazy hack and would be considered a target for vulnerability by firewall experts
R> #A properly configured firewall would have any ports that local hosts need access to listed rather
R> #than opening all network traffic.

Good comment. :-))

R> #Block port 25 FORWARD, except for and rogers smtp
R> #Probably making this example more complicated, but I left it here regardless.
R> #This rule prevents botnet infected pc's from relaying spam e-mail.
R> #and thus, hopefully, keeps my network off real time block lists.

Another very interesting comment...

R> # Internet Sharing
R> /sbin/iptables -t nat -A POSTROUTING  -o eth1 -j MASQUERADE

As I very vaguely understand it, is this what does NAT, and what I may
not have to do if the box is behind the router?

MANY thanks for the excellent help!
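
The following script is an added example for the two-LAN setup discussed above; it is not Rashkae's script and not from the thread. It assumes (nothing in the thread fixes these) that eth0 faces the upstream router, that eth1 and eth2 carry the two isolated LANs numbered 192.168.1.0 and 192.168.2.0, and that the box uses a 255.255.255.0 mask so the third byte separates the subnets. It first checks with plain shell arithmetic that the two LANs really are distinct subnets under that mask, then builds a default-deny FORWARD chain that lets each LAN out to the Internet only with its own source addresses, logs and drops anything crossing between the LANs so such attempts show up in the kernel log, and finally adds the same MASQUERADE rule quoted above. That NAT rule is still needed when the box sits behind a NAT router, unless that router is given static routes back to both LAN subnets; with MASQUERADE the router only ever sees the box's eth0 address. By default the script only prints the commands; run it as root with IPT and SYSCTL pointing at the real binaries to apply them (and put that invocation in a boot-time script, as Rashkae describes).

```shell
#!/bin/sh
# Added example: isolate two LANs behind one Linux box and share eth0 to the Internet.
# Interface names, subnets and mask below are assumptions, not values from the thread.
WAN=eth0
LAN1=eth1; NET1=192.168.1.0
LAN2=eth2; NET2=192.168.2.0
MASK=255.255.255.0

# Dry run by default: print the commands instead of executing them.
# To apply as root:  IPT=/sbin/iptables SYSCTL=/sbin/sysctl sh fw.sh
IPT="${IPT:-echo /sbin/iptables}"
SYSCTL="${SYSCTL:-echo /sbin/sysctl}"

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip2int() {
  set -- $(printf '%s\n' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length of a dotted-quad mask, e.g. 255.255.255.0 -> 24.
mask2cidr() {
  m=$(ip2int "$1"); n=0
  while [ "$m" -ne 0 ]; do
    n=$((n + (m & 1))); m=$((m >> 1))
  done
  echo "$n"
}

# Succeeds if both addresses land in the same subnet under the mask.
# This is the "3rd byte" point from the thread: with 255.255.255.0 the third
# byte selects the subnet; with 255.255.0.0 both LANs would collapse into one.
same_subnet() {
  m=$(ip2int "$3")
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

firewall_rules() {
  # Refuse to build rules if the two LANs are not actually separate subnets.
  if same_subnet "$NET1" "$NET2" "$MASK"; then
    echo "NET1 and NET2 are the same subnet under $MASK; pick distinct 3rd bytes" >&2
    return 1
  fi
  cidr=$(mask2cidr "$MASK")

  # The box must route between interfaces at all.
  $SYSCTL -w net.ipv4.ip_forward=1

  # Start from a clean FORWARD chain and NAT table, then deny forwarding by default.
  $IPT -F FORWARD
  $IPT -t nat -F POSTROUTING
  $IPT -P FORWARD DROP

  # Replies to connections the LANs opened themselves may come back in.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Log, then drop, anything trying to cross between the two LANs, so attempts
  # are visible in the kernel log (dmesg / syslog) rather than silently lost.
  $IPT -A FORWARD -i $LAN1 -o $LAN2 -j LOG --log-prefix "LAN-XING "
  $IPT -A FORWARD -i $LAN1 -o $LAN2 -j DROP
  $IPT -A FORWARD -i $LAN2 -o $LAN1 -j LOG --log-prefix "LAN-XING "
  $IPT -A FORWARD -i $LAN2 -o $LAN1 -j DROP

  # Each LAN may reach the Internet, but only with its own source addresses,
  # so a host cannot forward packets claiming to come from the other LAN.
  $IPT -A FORWARD -i $LAN1 -o $WAN -s $NET1/$cidr -j ACCEPT
  $IPT -A FORWARD -i $LAN2 -o $WAN -s $NET2/$cidr -j ACCEPT

  # Hide both LANs behind this box's eth0 address. Still required behind a NAT
  # router unless that router has static routes back to NET1 and NET2.
  $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

firewall_rules
```

Running the script with no environment overrides prints each command it would issue, which is a convenient way to review the rule set before applying it; `iptables -L FORWARD -v -n` afterwards shows the per-rule packet counters, including how much traffic the LAN-crossing DROP rules are catching.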



More information about the ubuntu-users mailing list