[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: I want to have my cake and eat it too

Hash: SHA1

On Mon, 31 Mar 2003 22:10, Ian Johnstone wrote:
> Hi
> At my work we have the need to allow visitors to connect to the Internet
> from around our building.
> We do not use DHCP internally.  However, I'd like to configure DHCP for
> visitors and assign them addresses in the 192.168.0.xxx space with a
> gateway address of a Linux Server  I don't want visitors to
> know of our internal network

Since the visitors will be pluging into the same physical network as your 
internal machines, then there is very little way to really make sure they 
can't access internal machines.
If you truely want visitors to be able to jack in at various points around the 
building and not be able to access internal machines, then you will need to 
run two physical networks (or a VLAN). 
However do note that if they plugged into a "internal" jack, they'd have 
access. The only real way to stop that would be to run a secure VPN over the 
top of the normal LAN for internal machines (rather like is done with 
Wireless LANs).

Ok, so lets now assume that you just want to stop people idlely accessing 
internal machines, and not let them see the windows machines via SMB easily.

> The server runs Debian and a 2.4 kernel and has a single physical interface
> eth0.   I have configured a virtual interface, so that eth0 answers on two
> IP addresses
>  (eth0)
>  (eth0:1)
> I had planned to use iptables to do NAT translations on the packets
> received on eth0:1 and then forward them to eth0 for access to the
> Internet.
> I've now learnt that this won't work since iptables deals with physical
> interfaces, so if I put a second ethernet card in the server then I could
> iptables as I foolishly planned :-)

Well, you can do this actually. First realize that there is no "one" IP 
address for a network card (or machine for that mater). Usualy a machine has 
one IP address assigned to it, and if it has others, usually the first IP 
address is the standard one. However this isn't nessarily the case, so on 
with the show.

Just setup NAT as usual, specifying -s as the source 
address, as follows:
iptables -t nat -A POSTROUTING -s -j MASQUERADE
This will (should) nat any packets being forwarded from an address in the 
192.168.0.* range.
You will also probably want to add a block rule so they can't access certain 
(or all 135.90.195.* addresses)
You will also need to set ip_forwarding to 1 in /proc/sys/net (iirc)

I think you have overthought the problem, and think it is more difficult than 
it really is.

This is of course assuming that you don't want the security I mentioned far 
earlier in my reply.
- -- 
Nick 'Zaf' Clifford <zaf@nrc.co.nz> GnuPG: 0x61C6A931
The only "intuitive" interface is the nipple. After that, it's all 

Version: GnuPG v1.2.1 (GNU/Linux)
Comment: public key: http://www.nrc.co.nz/Zaf/pubkey.txt


Reply to: