
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 318

Secure P2P with a Linux/XP network. Mad?


I am not looking for detailed help on the following, rather advice on whether the concept itself is sound or
somehow flawed. Or even to know if there is a simpler way to do what I want (probably!) ;)

I want to set up a 2 PC home network consisting of a Linux box connected one way to the WWW via a NIC and DSL modem
and the other way via a NIC/crossover cable to a Win XP Pro machine. I have a fair degree of XP experience but very
little with Linux. My motivation is partly to learn more about Linux, networking and firewalls but also to run a P2P
client (Limewire or similar) on the Linux machine. I am very keen to keep P2P off the XP box itself.

The Linux 'gateway' machine would have 3 'states', interchangeable without a reboot if possible.

State 1
Linux box used as sole machine for all web browsing, email, FTP and P2P applications. Network to XP disabled.
Firewall on Linux box compatible with P2P client and single shared P2P folder with appropriate permissions. All
other files/folders logged on user only. Appropriate trojan/av soft.

State 2
NIC/DSL connection disabled. No firewall. XP/Linux network enabled. XP machine can see appropriate folders (x2) on
Linux box with permissions to transfer files. Virus/trojan checking on XP box.

State 3
Required to enable 'live update' of AV/OS and other soft on XP box.
Linux box 'bridges' DSL connection, via firewall, to appropriate named services on XP machine. P2P disabled (either
via firewall or kill client).

Linux box does not need to share other XP resources. No need for remote access.

I have a broad idea how to achieve the above (or where to find out how) from the configuration standpoint.

I hope from the above it's clear what I am trying to achieve. At no point do I want a 'live' connection to the XP
box when the Linux P2P client is active and any direct XP box connection to the WWW must be tightly controlled. No XP web browsing or email, just a handful of live update services.

Paranoia? Maybe.


Is this reasonable or way, way out? If OK, is anyone aware of any specifically relevant FAQs or HOWTOs?

Is this same level of security achievable another (simpler) way?

Will a standard Linux distro (mandrake, RH, Suse) suffice or do I need a 'hardened' kernel?

Thank you all very much for your time and opinions. Really.


1 Solution
I don't know of any FAQs or HOW-TOs for your specific request, but it certainly can be done. Two ways I can think of off-hand are a) use different runlevels for each of these profiles.. for example in runlevel 3 you can have your #1 setup.. runlevel 4 will be your #2 setup and so on.

Alternatively, and probably easier, would be to just write scripts to turn things on/off as necessary.

You really don't need a "hardened" kernel/distro to do what you're doing, no.  Just make sure you secure the machine properly.  IMHO, your main weakness is going to be possible vulnerabilities in your P2P client (assuming you don't run any external services, as I didn't see mention of any).

I am a very paranoid individual myself; if it were my setup I think I'd prefer to have a single "trusted" box and _not_ run the P2P client, or anything else dangerous, on it and instead do all that stuff on a sacrificial machine that I wouldn't cry over if it got compromised. But everyone wants different things, so I'm just putting some food for thought on the table. :)

Oh, one more comment: you mentioned "bridge." If you literally mean ethernet bridging, I'm not sure what the status of that is with the 2.4 kernel and Netfilter. It may not work without patching the kernel.

If you just want to forward some ports to the XP box though, you can do that without bridging.
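To make the "just write scripts to turn things on/off" suggestion concrete, here is an added example of such a switching script; it is not the expert's or the asker's code. It assumes eth0 faces the DSL modem and eth1 the crossover cable, a constructed 192.168.0.0/24 link with the XP box at 192.168.0.2, the Gnutella/LimeWire default port 6346, a process name `limewire`, and a placeholder update host; it uses the iptables and ifconfig tooling of the 2.4 Netfilter era the answer refers to. Note that state 3 does not need bridging or inbound port forwarding at all: the update traffic is initiated by the XP box, so plain masquerading plus a FORWARD chain that only lets that one host reach named services is enough, and nothing from the DSL side can reach the XP box unsolicited. Hostname-based `-d` rules are resolved when the rule is inserted, so re-run the script if an update host's address changes.

```shell
#!/bin/sh
# Switch a two-NIC Linux gateway between the three "states" described in the question.
# Every interface name, address, port, process name and host below is an assumption
# for illustration, not something taken from the page. Run as root; DRY_RUN=1 previews.
set -u

DSL_IF=eth0                        # NIC facing the DSL modem (assumed)
LAN_IF=eth1                        # NIC on the crossover cable to the XP box (assumed)
LAN_ADDR=192.168.0.1               # gateway address on that link (constructed)
XP_HOST=192.168.0.2                # XP box address on that link (constructed)
P2P_PORT=6346                      # Gnutella/LimeWire default listening port (assumed)
P2P_PROC=limewire                  # process to kill when P2P must be off (assumed)
UPDATE_HOSTS="update.example.com"  # placeholder: the AV/OS live-update servers
DNS_SERVER=192.0.2.53              # placeholder: resolver the XP box may query
DRY_RUN=${DRY_RUN:-0}              # DRY_RUN=1 prints each command instead of running it

# Execute a command, or print it when previewing. Everything goes through here.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Return Netfilter to a known, fully open state before a profile is applied.
flush_firewall() {
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT ACCEPT
    run iptables -P FORWARD ACCEPT
    run iptables -P OUTPUT ACCEPT
    run sysctl -w net.ipv4.ip_forward=0
}

# State 1: Linux box alone on the DSL line with the P2P client; XP link physically down.
state1() {
    flush_firewall
    run ifconfig "$LAN_IF" down
    run ifconfig "$DSL_IF" up
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only unsolicited inbound traffic accepted is the P2P client's own port.
    run iptables -A INPUT -i "$DSL_IF" -p tcp --dport "$P2P_PORT" -j ACCEPT
    run iptables -A INPUT -i "$DSL_IF" -p udp --dport "$P2P_PORT" -j ACCEPT
}

# State 2: DSL down, XP link up, no firewall (all policies ACCEPT, forwarding off).
state2() {
    flush_firewall
    run ifconfig "$DSL_IF" down
    run ifconfig "$LAN_IF" "$LAN_ADDR" netmask 255.255.255.0 up
}

# State 3: both links up; XP box may reach only named update services via masquerading.
state3() {
    run pkill -x "$P2P_PROC"       # P2P off before the DSL side is shared
    flush_firewall
    run ifconfig "$DSL_IF" up
    run ifconfig "$LAN_IF" "$LAN_ADDR" netmask 255.255.255.0 up
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS so the XP box can resolve the update hosts, then HTTP/HTTPS to those hosts only.
    run iptables -A FORWARD -i "$LAN_IF" -s "$XP_HOST" -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    for h in $UPDATE_HOSTS; do
        for p in 80 443; do
            run iptables -A FORWARD -i "$LAN_IF" -s "$XP_HOST" -d "$h" -p tcp --dport "$p" -j ACCEPT
        done
    done
    # Outbound only: no DNAT, so nothing on the DSL side can open a connection to XP.
    run iptables -t nat -A POSTROUTING -o "$DSL_IF" -s "$XP_HOST" -j MASQUERADE
}

apply_state() {
    case "$1" in
        1) state1 ;;
        2) state2 ;;
        3) state3 ;;
        *) echo "usage: $0 1|2|3" >&2; return 2 ;;
    esac
}

# Only act when a state number is given on the command line.
if [ -n "${1:-}" ]; then
    apply_state "$1"
fi
```

Preview what a switch would do with `DRY_RUN=1 sh switch_state.sh 3` before running it for real; the dry-run output is also what the checks below inspect.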
babysnake (Author) commented:

Bridging is covered by a miniHOWTO I found somewhere. You have to patch the kernel first.

I'll probably use scripts for it all

Nice 2 know I've not totally lost it!! :>)

