Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan

[Willie Wong <wwong@Princeton.EDU>]

On Sun, Nov 13, 2005 at 05:35:27PM -0600, Harry Putnam wrote:
> In the different scenarios we've been discussing though, I'm thinking
> I've blocked internet access for several machines.  If those machines
> are then set to proxy thru a local lan address (The gentoo box running
> squid).  They would be able to contact that address.  As I understand
> it, that is the only address they would see.

So you are thinking:
  1) Block internet access of all kinds for the three windows boxes.
  2) Leave the internet access open for the Gentoo box. 
  3) Have squid running on the Gentoo box. 
So that if the Windows boxes want to access the internet, it goes
through the Gentoo box? 

Yes it would work. A pretty good idea from what I can see. 
> 
> And if the proxy were turned off in software they would then not be
> able to go to internet either since that avenue is already blocked.
> So the browser would stall and show no internet connection.
> 


> I'm not sure what you mean here about the infinite loop.  Thats what
> routers do is foward traffic to machines behind them.
> 
> What I'm thinking when I talk about setting default route to the
> gentoo box is that the router is also a switch.  I'm wondering if
> internet bound packets can:
> 
> o start on a win box behind the router
> o get to the router/switch
> o be switched to the gentoo box since it is the gateway listed
> o be sent back to the router by the gentoo box on its journey to
>   INET. 
> 
> Is that even possible without another subnet, nic etc?
> 
The question is: when you say the gateway listed, do you mean the
gateway listed for the router or the gateway listed for the win box?
If for the win box, it is trivial to change the gateway to the router,
and since the router speaks to the internet, you are down to no
protection. If you mean the gateway for the router.... imagine: the
gentoo box passes a packet to the router, the router things the
gateway is the gentoo box, and passes the packet back...

Unless, of course, your router does forwarding per host, and my guess
is that your router can't do that (though I might very well be wrong).

I think you are trying to make it more complicated than it actually
is. If you just take the one method you suggested above: block of
services on the netgear and mandate internet access from the win boxes
go through squid on gentoo, I think it should be fine for what you
want. 

W
-- 
Seen in LINAC @ Fermi National Accelerator Laboratory:
  (A series of signs, each with a different "name")
 This 7833 Power Amplifier Tube is to be Called:
       Gassy
       Sparky
       Leaky
       Old Number 9
       Just Plain Dead
       Nick O'Tyme
Sortir en Pantoufles: up 1 day, 21:49
-- 
gentoo-user@gentoo.org mailing list