Solved

Routing/Firewall

Posted on 2000-04-29
Last Modified: 2013-12-16
I am a systems administrator in a high school who is jumping on the Linux bandwagon. I have three NT networks in my school, address ranges 192.168.100.x, 192.168.101.x and 10.10.x.x. I intend to use Linux to act as a router and firewall between these networks. The two 192.x.x.x networks need to be able to ping each other (for e-mail), I would like selected machines on these networks to be able to access the 10.10.x.x network (this is our administration network), and the 10.10.x.x network needs to be able to access the 192.x.x.x networks for internet access. I am currently installing Red Hat 6.1 on my machine and have successfully set up routing between two networks (much better than Microsoft), but I am unsure how to deny access to some machines. Any help would be appreciated.

Also, when I set it up I set up the GUI as well, and this starts automatically. Is there any way of stopping this?


Thanks
Craig
Question by:cwbourne
5 Comments

Expert Comment

by:bernardh
ID: 2766587
To deny other hosts access to your system, add their hostnames in /etc/hosts.deny.

To stop the GUI from starting automatically after booting your box, edit /etc/inittab and look for the line:

id:5:initdefault:

Replace 5 with 3 to boot into full multi-user mode.




Author Comment

by:cwbourne
ID: 2768378
I made a mistake: I want to know how to only allow certain machines access to a network, e.g. 192.168.100.x and 192.168.101.x can ping each other, but only set machines on these networks can get access to the 10.x.x.x network, but the 10.x.x.x network should be able to ping anyone.

Thanks

Accepted Solution

by: castleinfo (earned 50 total points)
ID: 2787586
What you want is a firewall!
Luckily Linux has one built in...
It's called IPCHAINS.

ipchains -L will show you the current rule set.

Basically you set up a file called rc.firewall in /etc/rc.d/.
Put any instructions you want in this file, including routing ones if you want...
Then modify rc.local: at the end put something like /etc/rc.d/rc.firewall,
i.e. every time we boot, run the firewall.

You'll need to read the HOWTO about ipchains, but it's not too tricky...

Here's my rc.firewall file:

#!/bin/sh
#
# /etc/rc.d/rc.firewall
# Enable simple firewall forwarding and MASQ
# 20/11/1999
# Malcolm Turnbull
#
# Firewall2 between 192.9.202.x and 192.168.21.x
# (from the anti-spoofing rules: eth0 = 192.168.21.x side,
#  eth1 = 192.9.202.x side, "our side")

## Flush everything, start from scratch
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

# Load the modules shouldn't be needed
#/sbin/depmod -a

# Proper FTP MASQ is it enabled any way ?
#/sbin/modprobe ip_masq_ftp

# IP forwarding should already be enabled
# echo "1" > /proc/sys/net/ipv4/ip_forward

# Apply simple forward REJECT rule
# (-M -S sets the MASQ timeouts in seconds: TCP 7200, TCP after FIN 10, UDP 160)
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward REJECT

# MASQ our side. Rules are matched in order, so this must come before the
# generic ACCEPT rules below; otherwise traffic from 192.9.202.x that matches
# one of them is forwarded with its real source address instead of being hidden.
/sbin/ipchains -A forward -s 192.9.202.0/24 -j MASQ

# Don't allow NETBIOS ?
# (-p needs a protocol name; NetBIOS uses ports 137-139, not 168)
#/sbin/ipchains -A forward -p tcp --dport 137:139 -s 192.168.21.0/24 -j REJECT
#/sbin/ipchains -A forward -p udp --dport 137:139 -s 192.168.21.0/24 -j REJECT

# Allow FTP access
# (-p takes a protocol, not a port: "-p 21" would match IP protocol 21, never
#  TCP. The control channel goes to port 21; active-mode data connections
#  come from server port 20.)
/sbin/ipchains -A forward -p tcp --dport 21 -j ACCEPT
/sbin/ipchains -A forward -p tcp --sport 20 -j ACCEPT

# Allow non-root ports
/sbin/ipchains -A forward -p tcp --dport 1024:6000 -j ACCEPT
/sbin/ipchains -A forward -p udp --dport 1024:6000 -j ACCEPT

# local to local are OK
/sbin/ipchains -A input -i lo -j ACCEPT

# Prevent Spoofing on either network: each interface only accepts packets
# with a source address from its own network, and that network's addresses
# are rejected on every other interface
/sbin/ipchains -A input -i eth0 -s ! 192.168.21.0/24 -j REJECT
/sbin/ipchains -A input -i ! eth0 -s 192.168.21.0/24 -j REJECT
/sbin/ipchains -A input -i eth1 -s ! 192.9.202.0/24 -j REJECT
/sbin/ipchains -A input -i ! eth1 -s 192.9.202.0/24 -j REJECT

Expert Comment

by:ksemat
ID: 2863953
The only problem there is that you don't seem to have set your default rule to deny; do that and you'll be in business.
Also, it doesn't address how to allow selected hosts to access the 10.x.x.x network while the 10.x.x.x network accesses all of them unlimited.
I would think that this means that he has to set a firewall host on each of these networks and configure a firewall that would allow certain hosts while banning the rest. For all that, I suggest that you go to http://firewall.langistix.com and get that firewall; don't just install it and use it, but rather read it, especially the section on banned networks and on friends, and use a similar setup to configure the firewalls on your network.

Expert Comment

by:castleinfo
ID: 3084037
Um, I'm using a REJECT rather than a DENY; it's more polite:

# Apply simple forward REJECT rule
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward REJECT

I'm also using MASQ, which hides one network from the other completely.

It looks like you just want to apply a simple REJECT or DENY rule and then explicitly allow certain IP addresses on certain ports. NB: this is not as secure as MASQ.

As far as I know, IPCHAINS can't use MASQ and let certain clients be seen through it (except for trivial port forwarding, i.e. everything on port 80 to one client...).
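An rc.firewall of the kind castleinfo describes, written here as an added example (not from the thread or its authors) for the three networks in the question: the two 192.168 networks forward freely, only a constructed list of selected hosts may open connections into 10.10.x.x, and the admin network can reach everything, with replies let back. The rule set is printed by default so it can be reviewed before being applied on the router.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall (added example, not the script from the thread):
# ipchains rules for the three networks in the question. The list of
# machines allowed into the admin network is a constructed sample.

IPCHAINS=/sbin/ipchains
STAFF=192.168.100.0/24
STUDENT=192.168.101.0/24
ADMIN=10.10.0.0/16
ADMIN_CLIENTS="192.168.100.10 192.168.100.11 192.168.101.5"

# Print the rule set rather than running it, so it can be reviewed or
# tested without root; "rc.firewall apply" pipes it into sh.
rules() {
    echo "$IPCHAINS -F forward"
    echo "$IPCHAINS -P forward REJECT"
    # the two 192.168 networks reach each other without restriction
    echo "$IPCHAINS -A forward -s $STAFF -d $STUDENT -j ACCEPT"
    echo "$IPCHAINS -A forward -s $STUDENT -d $STAFF -j ACCEPT"
    # the admin network may open connections to anything on the 192.168 side
    for net in $STAFF $STUDENT; do
        echo "$IPCHAINS -A forward -s $ADMIN -d $net -j ACCEPT"
    done
    # only the selected machines may open connections into the admin network
    for h in $ADMIN_CLIENTS; do
        echo "$IPCHAINS -A forward -s $h -d $ADMIN -j ACCEPT"
    done
    # ipchains is stateless, so replies to connections the admin side opened
    # need their own rules: TCP packets that are not SYNs ("! -y") and ICMP
    # echo replies. UDP replies (e.g. DNS) would need a similar --sport rule.
    for net in $STAFF $STUDENT; do
        echo "$IPCHAINS -A forward -p tcp ! -y -s $net -d $ADMIN -j ACCEPT"
        echo "$IPCHAINS -A forward -p icmp --icmp-type echo-reply -s $net -d $ADMIN -j ACCEPT"
    done
}

# Exit status 0 if the host given as $1 is one of the selected machines.
allowed_into_admin() {
    for h in $ADMIN_CLIENTS; do [ "$h" = "$1" ] && return 0; done
    return 1
}

case "${1:-print}" in
    apply) rules | sh ;;   # needs root and a 2.2 kernel with ipchains
    *)     rules ;;
esac
```

The non-SYN rule is the price of a stateless filter: any 192.168 host can send non-SYN TCP packets into the admin network, so it only blocks new connections, not arbitrary packets.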