
Re: I want to have my cake and eat it too




On Mon, 31 Mar 2003 22:10, Ian Johnstone wrote:
> Hi
>
> At my work we have the need to allow visitors to connect to the Internet
> from around our building.
>
> We do not use DHCP internally.  However, I'd like to configure DHCP for
> visitors and assign them addresses in the 192.168.0.xxx space with a
> gateway address of a Linux Server 192.168.0.10.  I don't want visitors to
> know of our internal network

Since the visitors will be plugging into the same physical network as your 
internal machines, then there is very little way to really make sure they 
can't access internal machines.
If you truly want visitors to be able to jack in at various points around the 
building and not be able to access internal machines, then you will need to 
run two physical networks (or a VLAN). 
However do note that if they plugged into an "internal" jack, they'd have 
access. The only real way to stop that would be to run a secure VPN over the 
top of the normal LAN for internal machines (rather like is done with 
Wireless LANs).

Ok, so let's now assume that you just want to stop people idly accessing 
internal machines, and not let them see the Windows machines via SMB easily.

> The server runs Debian and a 2.4 kernel and has a single physical interface
> eth0.   I have configured a virtual interface, so that eth0 answers on two
> IP addresses
> 	135.90.195.10  (eth0)
> 	192.168.0.10  (eth0:1)
>
> I had planned to use iptables to do NAT translations on the packets
> received on eth0:1 and then forward them to eth0 for access to the
> Internet.
>
> I've now learnt that this won't work since iptables deals with physical
> interfaces, so if I put a second ethernet card in the server then I could
> iptables as I foolishly planned :-)

Well, you can do this actually. First realize that there is no "one" IP 
address for a network card (or machine for that matter). Usually a machine has 
one IP address assigned to it, and if it has others, usually the first IP 
address is the standard one. However this isn't necessarily the case, so on 
with the show.

Just set up NAT as usual, specifying -s 192.168.0.0/255.255.255.0 as the source 
address, as follows:
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
This will (should) NAT any packets being forwarded from an address in the 
192.168.0.* range.
You will also probably want to add a block rule so they can't access certain 
(or all) 135.90.195.* addresses.
You will also need to set ip_forwarding to 1 in /proc/sys/net (iirc).

I think you have overthought the problem, and think it is more difficult than 
it really is.

This is of course assuming that you don't want the security I mentioned far 
earlier in my reply.
-- 
Nick 'Zaf' Clifford <zaf@nrc.co.nz> GnuPG: 0x61C6A931
The only "intuitive" interface is the nipple. After that, it's all 
learned.

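The single-interface visitor NAT that the reply above describes, written out as a script. This is an added example, not code from the original thread; the addresses are the ones from the thread, while the eth0 interface name, the FORWARD-chain block rules and the DRY_RUN switch (which prints the commands instead of running them) are my assumptions.

```shell
#!/bin/sh
# Added example: visitor NAT on a gateway with one physical NIC (eth0
# carrying both 135.90.195.10 and 192.168.0.10). Addresses are from the
# thread; the interface name and DRY_RUN mode are assumptions.
VISITOR_NET="192.168.0.0/24"      # range the visitor DHCP pool hands out
INTERNAL_NET="135.90.195.0/24"    # internal machines visitors must not reach
EXT_IF="eth0"                     # the single physical interface

# ipt: print the iptables command when DRY_RUN=1, otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

visitor_nat_rules() {
    # 1. Nothing is forwarded until this sysctl is set; the exact path the
    #    reply half-remembers is /proc/sys/net/ipv4/ip_forward.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    # 2. Block rule first: FORWARD is evaluated before POSTROUTING, so a
    #    packet dropped here is never masqueraded. Append order is match order.
    ipt -A FORWARD -s "$VISITOR_NET" -d "$INTERNAL_NET" -j DROP
    # 3. Let visitor traffic out via eth0 and let replies to it back in.
    ipt -A FORWARD -s "$VISITOR_NET" -o "$EXT_IF" -j ACCEPT
    ipt -A FORWARD -d "$VISITOR_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. The masquerade rule from the reply: matching on the source range is
    #    enough, no second network card is needed.
    ipt -t nat -A POSTROUTING -s "$VISITOR_NET" -j MASQUERADE
}

# Usage: DRY_RUN=1 sh this_script.sh   (print rules)
#        sh this_script.sh             (apply rules, needs root)
case "${1:-}" in
    apply)   visitor_nat_rules ;;
    dry-run) DRY_RUN=1; visitor_nat_rules ;;
esac
```

Note that the FORWARD drop only covers traffic routed through the gateway: as the reply points out, visitors on the same segment can still reach 135.90.195.x hosts directly without passing through 192.168.0.10.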



Reply to: