I am a systems administrator in a high school who is jumping on the Linux bandwagon. I have three NT networks in my school, address ranges 192.168.100.x, 192.168.101.x and 10.10.x.x. I intend to use Linux to act as a router and firewall between these networks. The two 192.x.x.x networks need to be able to ping each other (for e-mail), and I would like selected machines on these networks to be able to access the 10.10.x.x network (this is our administration network), and the 10.10.x.x network needs to be able to access the 192.x.x.x networks for internet access. I am currently installing Red Hat 6.1 on my machine and have successfully set up routing between two networks (much better than Microsoft), but I am unsure how to deny access to some machines. Any help would be appreciated.

Also, when I set it up I set up the GUI as well, and this starts automatically. Is there any way of stopping this?

1 Solution
To deny other hosts' access to your system, add hostnames to /etc/hosts.deny.

To disable the GUI starting automatically after booting your box, edit /etc/inittab. Look for the line:


Replace 5 with 3 to boot in full multi-user mode.

cwbourne (Author) commented:
I made a mistake. I want to know how to only allow certain machines access to a network, e.g. 192.168.100.x and 192.168.101.x can ping each other, but only set machines on these networks can get access to the 10.x.x.x network, while the 10.x.x.x network should be able to ping anyone.

What you want is a firewall!
Luckily Linux has one built in...
It's called IPCHAINS.

ipchains -L will show you the current rule set.

Basically you set up a file called rc.firewall in /etc/rc.d/.
Put any instructions you want in this file, including routing ones if you want...
Then modify rc.local: at the end put something like /etc/rc.d/rc.firewall,
i.e. every time we boot, run the firewall.

You'll need to read the HOWTO about ipchains, but it's not too tricky...

Here's my rc.firewall file:

# /etc/rc.d/rc.firewall
# Enable simple firewall forwarding and MASQ
# 20/11/1999
# Malcolm Turnbull
# Firewall2 between 192.9.202.x and 192.168.21.x

## Flush everything, start from scratch
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

# Load the modules (shouldn't be needed)
#/sbin/depmod -a

# Proper FTP MASQ; is it enabled anyway?
#/sbin/modprobe ip_masq_ftp

# IP forwarding should already be enabled
# echo "1" > /proc/sys/net/ipv4/ip_forward

# Apply simple forward REJECT rule (and set MASQ timeouts: TCP, TCP FIN, UDP)
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward REJECT

# Don't allow NETBIOS ?
#/sbin/ipchains -A forward -p --dport 168 -s -j REJECT

# Allow FTP access (port matching needs a protocol: control on 21, active data from 20)
/sbin/ipchains -A forward -p TCP --dport 21 -j ACCEPT
/sbin/ipchains -A forward -p TCP --sport 20 -j ACCEPT

# Allow non-root ports
/sbin/ipchains -A forward -p TCP --dport 1024:6000 -j ACCEPT
/sbin/ipchains -A forward -p UDP --dport 1024:6000 -j ACCEPT

# MASQ our side
/sbin/ipchains -A forward -s -j MASQ

# local to local are OK
/sbin/ipchains -A input -i lo -j ACCEPT

# Prevent Spoofing on either network
/sbin/ipchains -A input -i eth0 -s ! -j REJECT
/sbin/ipchains -A input -i ! eth0 -s -j REJECT
/sbin/ipchains -A input -i eth1 -s ! -j  REJECT
/sbin/ipchains -A input -i ! eth1 -s -j REJECT
The only problem there is that you don't seem to have set your default rule to deny; do that and you'll be in business.
Also, it doesn't address how to allow selected hosts to access the 10.x.x.x network while the 10.x.x.x network accesses all of them unlimited.
I would think that this means that he has to set up a firewall host on each of these networks and configure a firewall that would allow certain hosts while banning the rest. For all that, I suggest that you go to http://firewall.langistix.com and get that firewall; don't just install it and use it, but rather read it, especially the section on banned networks and on friends, and use a similar setup to configure the firewalls on your network.
Um, I'm using a REJECT rather than a DENY; it's more polite:

# Apply simple forward REJECT rule
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward REJECT

I'm also using MASQ, which hides one network from the other completely.

It looks like you just want to apply a simple REJECT or DENY rule and then explicitly allow certain IP addresses on certain ports. NB: this is not as secure as MASQ.

As far as I know, IPCHAINS can't use MASQ and let certain clients be seen through it (except for trivial port forwarding, i.e. everything on port 80 to one client...).
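As an added example (not the rc.firewall posted above, nor anything else from this thread), here is an ipchains script implementing the asker's three-network policy the way the replies describe: a default DENY on the forward chain, explicit allows for selected hosts into 10.10.x.x, and stateless reply rules so the admin network can still reach out. The interface assignment (eth0/eth1/eth2), the /24 and /16 masks and the two "allowed" staff addresses are constructed assumptions.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall (added example): default-deny forwarding between the
# asker's three networks, explicit allows for selected hosts into 10.10.x.x.
# Assumptions: eth0 = 192.168.100.x, eth1 = 192.168.101.x, eth2 = 10.10.x.x;
# the two allowed staff addresses are constructed placeholders.
DRY_RUN="${DRY_RUN:-}"   # set DRY_RUN=1 to print the rules instead of loading
ipc() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else /sbin/ipchains "$@"; fi; }

NET_A=192.168.100.0/24   # eth0; this side also holds the internet gateway
NET_B=192.168.101.0/24   # eth1
ADMIN=10.10.0.0/16       # eth2, administration network
ALLOWED_TO_ADMIN="192.168.100.15 192.168.101.22"   # constructed example hosts

firewall_rules() {
    ipc -F input
    ipc -F forward
    # Nothing crosses the router unless a rule below allows it.
    ipc -P forward DENY

    # Anti-spoofing on the input chain (-i is the arriving interface there):
    # packets carrying an admin source address may only arrive on eth2.
    ipc -A input -i eth0 -s $ADMIN -j DENY -l
    ipc -A input -i eth1 -s $ADMIN -j DENY -l

    # The two 192.168 networks talk to each other freely (mail, ping).
    ipc -A forward -s $NET_A -d $NET_B -j ACCEPT
    ipc -A forward -s $NET_B -d $NET_A -j ACCEPT

    # The admin network may initiate anything, including internet via NET_A.
    ipc -A forward -s $ADMIN -j ACCEPT

    # Only the listed machines may open connections into the admin network.
    for host in $ALLOWED_TO_ADMIN; do
        ipc -A forward -s $host -d $ADMIN -j ACCEPT
    done

    # ipchains keeps no connection state, so replies to admin-initiated
    # sessions need their own rules: TCP without SYN (no new connections),
    # DNS answers and ping replies. Anything else bound for admin is logged.
    ipc -A forward -p TCP ! -y -d $ADMIN -j ACCEPT
    ipc -A forward -p UDP --sport 53 -d $ADMIN -j ACCEPT
    ipc -A forward -p ICMP --icmp-type echo-reply -d $ADMIN -j ACCEPT
    ipc -A forward -d $ADMIN -j DENY -l
}

# Load the rules at boot where ipchains exists; with DRY_RUN set, or when
# sourced for inspection elsewhere, only the function is defined.
if [ -z "$DRY_RUN" ] && [ -x /sbin/ipchains ]; then
    firewall_rules
fi
```

Run it with `DRY_RUN=1 sh rc.firewall; DRY_RUN=1 . ./rc.firewall; firewall_rules` to review the generated rule list before installing it from rc.local.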