Re: I want to have my cake and eat it too
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, 31 Mar 2003 22:10, Ian Johnstone wrote:
> At my work we have the need to allow visitors to connect to the Internet
> from around our building.
> We do not use DHCP internally. However, I'd like to configure DHCP for
> visitors and assign them addresses in the 192.168.0.xxx space with a
> gateway address of a Linux Server 192.168.0.10. I don't want visitors to
> know of our internal network
Since the visitors will be pluging into the same physical network as your
internal machines, then there is very little way to really make sure they
can't access internal machines.
If you truely want visitors to be able to jack in at various points around the
building and not be able to access internal machines, then you will need to
run two physical networks (or a VLAN).
However do note that if they plugged into a "internal" jack, they'd have
access. The only real way to stop that would be to run a secure VPN over the
top of the normal LAN for internal machines (rather like is done with
Ok, so lets now assume that you just want to stop people idlely accessing
internal machines, and not let them see the windows machines via SMB easily.
> The server runs Debian and a 2.4 kernel and has a single physical interface
> eth0. I have configured a virtual interface, so that eth0 answers on two
> IP addresses
> 22.214.171.124 (eth0)
> 192.168.0.10 (eth0:1)
> I had planned to use iptables to do NAT translations on the packets
> received on eth0:1 and then forward them to eth0 for access to the
> I've now learnt that this won't work since iptables deals with physical
> interfaces, so if I put a second ethernet card in the server then I could
> iptables as I foolishly planned :-)
Well, you can do this actually. First realize that there is no "one" IP
address for a network card (or machine for that mater). Usualy a machine has
one IP address assigned to it, and if it has others, usually the first IP
address is the standard one. However this isn't nessarily the case, so on
with the show.
Just setup NAT as usual, specifying -s 192.168.0.0/255.255.255.0 as the source
address, as follows:
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
This will (should) nat any packets being forwarded from an address in the
You will also probably want to add a block rule so they can't access certain
(or all 135.90.195.* addresses)
You will also need to set ip_forwarding to 1 in /proc/sys/net (iirc)
I think you have overthought the problem, and think it is more difficult than
it really is.
This is of course assuming that you don't want the security I mentioned far
earlier in my reply.
Nick 'Zaf' Clifford <firstname.lastname@example.org> GnuPG: 0x61C6A931
The only "intuitive" interface is the nipple. After that, it's all
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: public key: http://www.nrc.co.nz/Zaf/pubkey.txt
-----END PGP SIGNATURE-----