Solved

Routing/Firewall

Posted on 2000-04-29
Last Modified: 2013-12-16
I am the systems administrator in a high school who is jumping on the Linux bandwagon. I have three NT networks in my school, address ranges 192.168.100.x, 192.168.101.x and 10.10.x.x. I intend to use Linux to act as a router and firewall between these networks. The two 192.x.x.x networks need to be able to ping each other (for e-mail), and I would like selected machines on these networks to be able to access the 10.10.x.x network (this is our administration network), and the 10.10.x.x network needs to be able to access the 192.x.x.x networks for internet access. I am currently installing Red Hat 6.1 on my machine and have successfully set up routing between two networks (much better than Microsoft), but I am unsure how to deny access to some machines. Any help would be appreciated.

Also, when I set it up I set up the GUI as well, and this starts automatically. Is there any way of stopping this?


Thanks
Craig
Question by:cwbourne
5 Comments
 
LVL 2

Expert Comment

by:bernardh
To deny other hosts' access to your system, add hostnames to /etc/hosts.deny.

To stop the GUI from starting automatically after booting your box, edit /etc/inittab. Look for the line:

id:5:initdefault:

Replace 5 with 3 to boot into full multi-user mode.



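A note on the hosts.deny suggestion, added here and not part of bernardh's comment: /etc/hosts.deny is read by tcp_wrappers (tcpd, which inetd runs in front of telnet, ftp and similar services on Red Hat 6.1), so it only controls connections to wrapped services on the Linux box itself. It has no effect on packets the box forwards between the three networks; that is the job of the packet filter. For the router's own services the usual pattern is to refuse everything in hosts.deny and list the permitted hosts per service in hosts.allow, which is consulted first. The addresses below are placeholders for the example:

```text
# /etc/hosts.deny  -- anything not matched in hosts.allow is refused
ALL: ALL

# /etc/hosts.allow -- only one admin workstation may telnet to the router;
# every other wrapped service (in.ftpd, in.rshd, ...) stays closed to all
in.telnetd: 10.10.1.5
```

After editing, `tcpdchk` reports syntax problems in both files and `tcpdmatch in.telnetd 192.168.100.10` shows which rule a given client would hit, which is the quickest way to confirm a host is really shut out before trusting the configuration.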

Author Comment

by:cwbourne
I made a mistake. I want to know how to only allow certain machines access to a network, e.g. 192.168.100.x and 192.168.101.x can ping each other, but only set machines on these networks can get access to the 10.x.x.x network, while the 10.x.x.x network should be able to ping anyone.

Thanks

Accepted Solution

by:castleinfo (earned 50 total points)
What you want is a firewall!
Luckily Linux has one built in...
It's called IPCHAINS.

ipchains -L will show you the current rule set.

Basically you set up a file called rc.firewall in /etc/rc.d/.
Put any instructions you want in this file, including routing ones if you want...
then modify rc.local: at the end put something like /etc/rc.d/rc.firewall,
i.e. every time we boot, run the firewall.

You'll need to read the HOWTO about ipchains, but it's not too tricky...

Here's my rc.firewall file:

#!/bin/sh
#
# /etc/rc.d/rc.firewall
# Enable simple firewall forwarding and MASQ
# 20/11/1999
# Malcolm Turnbull
#
# Firewall2 between 192.9.202.x and 192.168.21.x
# (eth0 carries 192.168.21.0/24, eth1 carries 192.9.202.0/24; see the
# anti-spoofing rules at the end)

## Flush everything, start from scratch
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

# Load the modules, shouldn't be needed
#/sbin/depmod -a

# Proper FTP MASQ, is it enabled anyway?
#/sbin/modprobe ip_masq_ftp

# IP forwarding should already be enabled
# echo "1" > /proc/sys/net/ipv4/ip_forward

# Masquerading timeouts (TCP, TCP after FIN, UDP, in seconds), then
# reject anything the forward rules below don't explicitly accept
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward REJECT

# Don't allow NETBIOS? (NetBIOS uses TCP and UDP ports 137-139; the
# original line named no protocol and the wrong port)
#/sbin/ipchains -A forward -p tcp --dport 137:139 -s 192.168.21.0/24 -j REJECT
#/sbin/ipchains -A forward -p udp --dport 137:139 -s 192.168.21.0/24 -j REJECT

# Allow FTP access. "-p 21" would mean IP protocol number 21, not TCP
# port 21, so match the TCP ports explicitly: the control connection to
# port 21, and active-mode data connections coming from the server's port 20.
/sbin/ipchains -A forward -p tcp --dport 21 -j ACCEPT
/sbin/ipchains -A forward -p tcp --sport 20 -j ACCEPT

# Allow non-root ports
/sbin/ipchains -A forward -p TCP --dport 1024:6000 -j ACCEPT
/sbin/ipchains -A forward -p UDP --dport 1024:6000 -j ACCEPT

# MASQ our side (first match wins, so anything accepted above is
# forwarded without masquerading)
/sbin/ipchains -A forward -s 192.9.202.0/24 -j MASQ

# local to local is OK
/sbin/ipchains -A input -i lo -j ACCEPT

# Prevent spoofing on either network: each interface only accepts its own
# network as source, and that network's addresses are rejected elsewhere
/sbin/ipchains -A input -i eth0 -s ! 192.168.21.0/24 -j REJECT
/sbin/ipchains -A input -i ! eth0 -s 192.168.21.0/24 -j REJECT
/sbin/ipchains -A input -i eth1 -s ! 192.9.202.0/24 -j REJECT
/sbin/ipchains -A input -i ! eth1 -s 192.9.202.0/24 -j REJECT
LVL 2

Expert Comment

by:ksemat
The only problem there is that you don't seem to have set your default rule to deny; do that and you'll be in business.
Also, it doesn't address how to allow selected hosts to access the 10.x.x.x network while the 10.x.x.x network accesses all of them unlimited.
I would think that this means that he has to set up a firewall host on each of these networks and configure a firewall that would allow certain hosts while banning the rest. For all that, I suggest that you go to http://firewall.langistix.com and get that firewall. Don't just install it and use it, but rather read it, especially the section on banned networks and on friends, and use a similar setup to configure the firewalls on your network.

Expert Comment

by:castleinfo
Um, I'm using a REJECT rather than a DENY; it's more polite:

# Apply simple forward REJECT rule
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward REJECT

I'm also using MASQ, which hides one network from the other completely.

It looks like you just want to apply a simple REJECT or DENY rule and then explicitly allow certain IP addresses on certain ports. NB: this is not as secure as MASQ.

As far as I know IPCHAINS can't use MASQ and let certain clients be seen through it (except for trivial port forwarding, i.e. everything on port 80 to one client...).
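Putting castleinfo's approach (a deny-by-default forward chain with explicit ACCEPTs, loaded from /etc/rc.d/rc.firewall) together with cwbourne's clarified requirement, here is a complete rc.firewall for the three-network case. It is an added example written for this page, not castleinfo's script above and not anything cwbourne posted. It assumes eth0 carries 192.168.100.0/24, eth1 carries 192.168.101.0/24 and eth2 carries the 10.10.0.0/16 administration network, that the three addresses in ADMIN_OK are the "selected machines", and that the name server the admin hosts use lives on one of the 192.168 networks; all of these are placeholders to edit. Because ipchains is stateless, every direction that must pass has to be listed, which is why the replies into the admin network are matched separately.

```shell
#!/bin/sh
#
# /etc/rc.d/rc.firewall -- added example for a three-network ipchains router.
# Assumed layout (edit to match the real box):
#   eth0 = 192.168.100.0/24, eth1 = 192.168.101.0/24, eth2 = 10.10.0.0/16 (admin)
# Policy:
#   * the two 192.168 networks talk to each other without restriction
#   * only the hosts listed in ADMIN_OK may open connections into 10.10.0.0/16
#   * 10.10.0.0/16 may open connections to anything and gets its replies back
#
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

NET_A=192.168.100.0/24; IF_A=eth0
NET_B=192.168.101.0/24; IF_B=eth1
ADMIN=10.10.0.0/16;     IF_ADMIN=eth2

# Selected 192.168 hosts allowed into the admin network (hypothetical addresses)
ADMIN_OK="192.168.100.10 192.168.100.11 192.168.101.20"

# Print the rule set, one ipchains argument string per line, in load order.
emit_rules() {
    # Start from scratch; deny by default on input and forward.
    for chain in input forward output; do echo "-F $chain"; done
    echo "-P input DENY"
    echo "-P forward DENY"
    echo "-P output ACCEPT"

    # Loopback is fine. Every other interface may only carry its own
    # network's addresses as source; -l logs spoofing attempts to syslog.
    echo "-A input -i lo -j ACCEPT"
    echo "-A input -i $IF_A -s ! $NET_A -l -j DENY"
    echo "-A input -i $IF_B -s ! $NET_B -l -j DENY"
    echo "-A input -i $IF_ADMIN -s ! $ADMIN -l -j DENY"
    echo "-A input -j ACCEPT"

    # 1. The two 192.168 networks may talk freely in both directions.
    echo "-A forward -s $NET_A -d $NET_B -j ACCEPT"
    echo "-A forward -s $NET_B -d $NET_A -j ACCEPT"

    # 2. The admin network may open connections to anything.
    echo "-A forward -s $ADMIN -j ACCEPT"

    # 3. Replies back into the admin network: TCP packets without SYN
    #    (already-open connections), ICMP replies and errors, and DNS answers
    #    (assumes the admin hosts' name server sits on a 192.168 network).
    echo "-A forward -p tcp ! -y -d $ADMIN -j ACCEPT"
    for t in echo-reply destination-unreachable time-exceeded; do
        echo "-A forward -p icmp --icmp-type $t -d $ADMIN -j ACCEPT"
    done
    echo "-A forward -p udp --sport 53 -d $ADMIN -j ACCEPT"

    # 4. Only the selected hosts may open new connections into the admin network.
    for h in $ADMIN_OK; do
        echo "-A forward -s $h -d $ADMIN -j ACCEPT"
    done

    # 5. Anything else headed for the admin network is dropped and logged.
    echo "-A forward -d $ADMIN -l -j DENY"
}

# Load the rules into the kernel, stopping at the first one ipchains refuses.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    emit_rules | while read -r rule; do
        # $rule is deliberately unquoted so it is split into separate arguments
        $IPCHAINS $rule || { echo "rc.firewall: failed: $IPCHAINS $rule" >&2; exit 1; }
    done
}

if [ -x "$IPCHAINS" ]; then
    apply_rules || exit 1
else
    # No ipchains on this kernel: just print what would be loaded, for review.
    emit_rules | sed "s|^|$IPCHAINS |"
fi
```

Run from rc.local as castleinfo describes and check the result with `ipchains -L -n`; a machine not in ADMIN_OK should get nothing back from 10.10.x.x and leave a logged DENY in /var/log/messages. Two caveats a practitioner should know: rule 3 is the price of a stateless filter, since any 192.168 host can send non-SYN TCP segments into the admin network (an ACK scan will get answers even though no connection can be opened), and if "internet access" for 10.10.x.x means routing through an upstream gateway rather than a proxy on a 192.168 network, the anti-spoofing rule on that interface must also admit the upstream's return addresses. Services on the router itself are governed by the input chain and, for wrapped daemons, /etc/hosts.allow and /etc/hosts.deny.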