
Re: looking for suggestions

--- Mike Mestnik <cheako911@yahoo.com> wrote:
> Maybe, though if you install (dnsmasq, resolvconf, ntp) you are set.
> dnsmasq has a built-in dhcp server, just edit the config file to turn it
> on.  ntp sets the time for the clock, obviously not needed.  If you
> want/need a gui there is x11 (xserver-xfree86, menu, gnome-core) or
> web-based (webmin, <whatever mods you want>).
> --- Edward Chase <echase@postoffice.providence.edu> wrote:
> > Thanks to those who've already helped me getting dual NICs working in
> > my newly setup woody box.
> > 
> > I want to setup this box to sit between our college's internal network
> > and a switch that our tech guys use in their "chop shop".  There have
> > been several instances where they have plugged a virused computer into
> > our network.  What I'm looking to avoid is having any unnecessary
> > traffic pass thru the box.  Pretty much I'd like to block all traffic
> > heading into the switch.  I don't want virused machines infecting
> > potentially unpatched machines in the tech room.  It really stinks when
> > you re-set up a machine and it's virused even before you get the
> > patches on it to protect it.  The tech guys do need some internet
> > connectivity to download patches and the sort.
> > 
> > I was thinking iptables (that's the one for kernel 2.4, yes?) and
> > ipmasq.  I was going to have the machine be a caching DNS server and
> > dhcpd server as well for the machines on the tech bench.
> > 
> > One person suggested ipcop.
> > 
> > Am I just reinventing the wheel here when I could just DL the ipcop iso
> > and be done with everything I'm looking for?
> > 
> > All feedback is appreciated.
> > 

Hello Edward,

I'm a big noob to this Iptables thing but I think I
might be able to suggest a thing or two... just
because your situation is kind of simple.

From what I have read, you would only have to make a
couple of INPUT rules:
1. deny NEW connections 
2. ACCEPT either ESTABLISHED or RELATED depending on
the kinds of out going connections your techs might
want to make (e.g. Active FTP for RELATED)

That is it.

Your OUTPUT rules would be pretty simple as well:
1. ALLOW only outgoing connections to your proxy
server, if you have one that is... or only to an
external network address.

So, "I think" *stress* the input rules would prevent
viruses on your internal network connecting to
machines on the Chop Shop side.
The output rules would prevent any virus in the Chop
Shop connecting to an internal network machine.

The output rule also prevents your techs from
intentionally connecting to any internal computers as
well; this might prevent them from doing their job in
some cases.

Would love some "constructive criticism" here from
the pros if they have some.
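As an added example (not code from either poster), here is the deny-NEW /
accept-ESTABLISHED,RELATED idea from the reply above written out as an
iptables script for Edward's two-NIC woody box.  Packets that cross between
the two NICs traverse the FORWARD chain (INPUT and OUTPUT only see traffic
addressed to or originating from the box itself), so the forwarding rules
live there, and INPUT is kept for the DNS and DHCP the box serves to the
bench.  Interface names, the internal address ranges and the MASQUERADE step
(what ipmasq sets up) are assumptions; adjust them to the real network.

```shell
#!/bin/sh
# Added example: FORWARD-chain firewall for a Debian woody (2.4 kernel) box
# with two NICs between the college network and the tech-bench switch.
# Interface names and internal ranges below are assumptions, not from the thread.
INSIDE_IF=${INSIDE_IF:-eth0}     # assumed: NIC facing the college network
SHOP_IF=${SHOP_IF:-eth1}         # assumed: NIC facing the chop-shop switch
# Assumed college-internal ranges the bench must never open connections to.
INTERNAL_NETS=${INTERNAL_NETS:-"10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"}
IPT=${IPT:-iptables}

# Emit the rules as text so they can be reviewed before they are run.
fw_rules() {
    echo "$IPT -F"
    echo "$IPT -t nat -F"
    # Default deny for traffic crossing the box and for traffic to the box.
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P OUTPUT ACCEPT"

    # Replies to connections the bench opened are the only college->bench
    # traffic ever forwarded; a NEW packet from the college side hits DROP.
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Bench machines may open connections outward ...
    for net in $INTERNAL_NETS; do
        # ... but not to the college's own internal ranges.
        echo "$IPT -A FORWARD -i $SHOP_IF -o $INSIDE_IF -d $net -j DROP"
    done
    echo "$IPT -A FORWARD -i $SHOP_IF -o $INSIDE_IF -m state --state NEW -j ACCEPT"

    # The box itself: loopback, replies, and the DNS/DHCP service it offers
    # the bench.  Nothing from the college side may open a connection to it.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -i $SHOP_IF -p udp --dport 53 -j ACCEPT"
    echo "$IPT -A INPUT -i $SHOP_IF -p tcp --dport 53 -j ACCEPT"
    echo "$IPT -A INPUT -i $SHOP_IF -p udp --dport 67 -j ACCEPT"

    # Hide the bench behind the box's college-side address (what ipmasq does).
    echo "$IPT -t nat -A POSTROUTING -o $INSIDE_IF -j MASQUERADE"
}

# Self-check: count rules that would forward anything college->bench by
# interface match.  A correct rule set has none; only the stateful
# ESTABLISHED,RELATED rule lets replies back through.
college_to_bench_rules() {
    fw_rules | grep -c -e "-i $INSIDE_IF -o $SHOP_IF" || true
}

case "${1:-show}" in
    show)  fw_rules ;;
    apply) fw_rules | sh -e && echo 1 > /proc/sys/net/ipv4/ip_forward ;;  # run as root
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the rules for review, and with `apply` as root
on the firewall box to load them and turn on forwarding.  If the techs need
active FTP, the RELATED state only recognises the data connection once the
FTP connection-tracking helper is loaded (`modprobe ip_conntrack_ftp` on a 2.4
kernel).  Restricting the bench to a proxy instead of "anything not internal"
is a matter of replacing the final FORWARD ACCEPT with one that carries
`-d <proxy address> -p tcp --dport <proxy port>`.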

