Routing/Firewall

Posted on 2000-04-29
Last Modified: 2013-12-16
I am a systems administrator in a high school who is jumping on the linux bandwagon. I have three NT networks in my school, address ranges 192.168.100.x, 192.168.101.x and 10.10.x.x. I intend to use linux to act as a router and firewall between these networks. The two 192.x.x.x networks need to be able to ping each other (for e-mail), and I would like selected machines on these networks to be able to access the 10.10.x.x network (this is our administration network), and the 10.10.x.x network needs to be able to access the 192.x.x.x networks for internet access. I am currently installing red hat 6.1 on my machine and have successfully set up routing between two networks (much better than microsoft), but I am unsure how to deny access to some machines. Any help would be appreciated.

Also, when I set it up I set up the GUI as well, and this starts automatically. Is there any way of stopping this?


Thanks
Craig
Question by:cwbourne
5 Comments
 
Expert Comment

by:bernardh
ID: 2766587
To deny other hosts' access to your system, add hostnames in /etc/hosts.deny.

To disable the GUI from starting up automatically after booting your box, edit /etc/inittab. Look for the line:

id:5:initdefault:

Replace 5 with 3 to boot in full multi-user mode.




Author Comment

by:cwbourne
ID: 2768378
I made a mistake: I want to know how to allow only certain machines access to a network, e.g. 192.168.100.x and 192.168.101.x can ping each other, but only set machines on these networks can get access to the 10.x.x.x network, and the 10.x.x.x network should be able to ping anyone.

Thanks

Accepted Solution

by: castleinfo (earned 100 total points)
ID: 2787586
What you want is a firewall!
Luckily linux has one built in...
It's called IPCHAINS.

ipchains -L will show you the current rule set.

Basically you set up a file called rc.firewall in /etc/rc.d/
Put any instructions you want in this file, including routing ones if you want...
then modify rc.local.. at the end put something like /etc/rc.d/rc.firewall
i.e. every time we boot, run the firewall.

You'll need to read the howto about ipchains, but it's not too tricky...

here's my rc.firewall file:

#!/bin/sh
#
# /etc/rc.d/rc.firewall
# Enable simple firewall forwarding and MASQ
# 20/11/1999
# Malcolm Turnbull
#
# Firewall2 between 192.9.202.x and 192.168.21.x

## Flush everything, start from scratch
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

# Load the modules shouldn't be needed
#/sbin/depmod -a

# Proper FTP MASQ is it enabled any way ?
#/sbin/modprobe ip_masq_ftp

# IP forwarding should already be enabled
# echo "1" > /proc/sys/net/ipv4/ip_forward

# Set MASQ timeouts (tcp, tcpfin, udp) and apply simple forward REJECT policy
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward REJECT

# Don't allow NETBIOS ? (NetBIOS name/datagram/session are ports 137-139)
#/sbin/ipchains -A forward -p tcp --dport 137:139 -s 192.168.21.0/24 -j REJECT
#/sbin/ipchains -A forward -p udp --dport 137:139 -s 192.168.21.0/24 -j REJECT

# Allow FTP access (-p takes a protocol, so the port goes in --dport/--sport;
# control connection to port 21, active-mode data connection from port 20)
/sbin/ipchains -A forward -p tcp --dport 21 -j ACCEPT
/sbin/ipchains -A forward -p tcp --sport 20 -j ACCEPT

# Allow non-root ports
/sbin/ipchains -A forward -p tcp --dport 1024:6000 -j ACCEPT
/sbin/ipchains -A forward -p udp --dport 1024:6000 -j ACCEPT

# MASQ our side
# (rules match in order: traffic from 192.9.202.0/24 that already hit an
#  ACCEPT above is forwarded without being masqueraded)
/sbin/ipchains -A forward -s 192.9.202.0/24 -j MASQ

# local to local are OK
/sbin/ipchains -A input -i lo -j ACCEPT

# Prevent Spoofing on either network
/sbin/ipchains -A input -i eth0 -s ! 192.168.21.0/24 -j REJECT
/sbin/ipchains -A input -i ! eth0 -s 192.168.21.0/24 -j REJECT
/sbin/ipchains -A input -i eth1 -s ! 192.9.202.0/24 -j REJECT
/sbin/ipchains -A input -i ! eth1 -s 192.9.202.0/24 -j REJECT

Expert Comment

by:ksemat
ID: 2863953
Only problem there is that you don't seem to have set your default rule to deny; do that and you'll be in business.
Also it doesn't address how to allow selected hosts to access the 10.x.x.x network while the 10.x.x.x network accesses all of them unlimited.
I would think that this means that he has to set a firewall host on each of these networks and configure a firewall that would allow certain hosts while banning the rest. For all that, I suggest that you go to http://firewall.langistix.com and get that firewall; don't just install it and use it, but rather read it, especially the section on banned networks and on friends, and use a similar setup to configure the firewalls on your network.

Expert Comment

by:castleinfo
ID: 3084037
Um, I'm using a REJECT rather than a DENY; it's more polite:

# Apply simple forward REJECT rule
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward REJECT

I'm also using MASQ which hides one network from the other completely.

It looks like you just want to apply a simple REJECT or DENY rule and then explicitly allow certain IP addresses on certain ports. NB: this is not as secure as MASQ.

As far as I know IPCHAINS can't use MASQ and let certain clients be seen through it (except for trivial port forwarding, i.e. everything on port 80 to one client...).
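The default-deny-plus-explicit-allow layout the thread ends on, written out for the question's three networks as an added example (not code from the thread or from the rc.firewall above); the interface names, the 10.10.0.0/16 mask and the hosts in ALLOWED are assumptions to adjust for the real machine:

```shell
#!/bin/sh
# Added example (not from the thread): default-deny ipchains rules where
# 10.10.x.x may reach everything, the two 192.168 networks may reach each
# other, and only the hosts in ALLOWED may open connections into 10.10.x.x.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
NET_A=192.168.100.0/24; IF_A=eth0          # interface names are assumed
NET_B=192.168.101.0/24; IF_B=eth1
ADMIN=10.10.0.0/16;     IF_ADMIN=eth2
ALLOWED="192.168.100.10 192.168.101.10"   # constructed sample hosts
# Emit one ipchains argument list per line so the policy can be reviewed
# before anything is applied to the kernel.
build_rules() {
  echo "-F input"; echo "-F forward"
  echo "-P forward DENY"                   # anything not allowed below is dropped
  echo "-A input -i lo -j ACCEPT"
  # Anti-spoofing: each interface accepts only its own network as source.
  for pair in "$IF_A $NET_A" "$IF_B $NET_B" "$IF_ADMIN $ADMIN"; do
    set -- $pair
    echo "-A input -i $1 -s ! $2 -j DENY -l"    # -l logs the attempt
    echo "-A input -i ! $1 -s $2 -j DENY -l"
  done
  # The admin network may initiate to anywhere.
  echo "-A forward -s $ADMIN -j ACCEPT"
  # Replies back to the admin network: TCP without SYN and ICMP echo replies
  # only, so an ordinary 192.168 host still cannot open a connection into 10.10.
  for net in $NET_A $NET_B; do
    echo "-A forward -p tcp ! -y -s $net -d $ADMIN -j ACCEPT"
    echo "-A forward -p icmp --icmp-type echo-reply -s $net -d $ADMIN -j ACCEPT"
  done
  # Selected hosts may open connections into the admin network.
  for host in $ALLOWED; do
    echo "-A forward -s $host -d $ADMIN -j ACCEPT"
  done
  # The two staff networks may talk to each other (ping, e-mail).
  echo "-A forward -s $NET_A -d $NET_B -j ACCEPT"
  echo "-A forward -s $NET_B -d $NET_A -j ACCEPT"
  # Log whatever falls through to the DENY policy.
  echo "-A forward -j DENY -l"
}
# Feed each line to ipchains; set IPCHAINS=echo for a dry run.
apply_rules() {
  build_rules | while read -r args; do
    $IPCHAINS $args || return 1
  done
}
case "${1:-show}" in
  apply) echo 1 > /proc/sys/net/ipv4/ip_forward && apply_rules ;;
  *)     build_rules ;;                       # default: just print the rules
esac
```

The allow list is keyed on source address, so a machine on the same segment as an allowed host can impersonate it; the anti-spoof rules only catch an address arriving on the wrong interface.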