* [gentoo-user] [Iptables related] How to make one machine only talk on loc lan
From: Harry Putnam @ 2005-11-12 23:35 UTC
To: gentoo-user

Hopefully someone here can direct me to where this should be posted or answer it directly. I'm looking to my Gentoo box to solve the problem described below:

First:
My home lan looks like:

                  INTERNET
                     |
                  DSLMODEM
                     |
  ------------- NETGEAR FVS318 fw/router ---------------
     |        |        |        |        |
    Mch1     Mch2     mch3     mch4     mch5
    Lin      win      win      win      win
   Gentoo

Machines 3-5 are heavy hitters for graphics work and are heavily loaded with such things as Photoshop, Vegas, Canopus Edius, Adobe Illustrator and the like.

I don't want to have to worry about spyware, adware, virus prevention, firewall stuff competing for resources with the graphics tools. Instead I'd like to prevent those three from contacting the internet.

I want to isolate mch3-5 to only the local network.

That is, only mch1 (a linux machine) and mch2 (a winxp pro machine) should be able to freely access the internet. (Making those secure while doing so is not discussed here.) 3-5 should only be able to talk to/from the local net.

I realize this would not be true isolation as anyone getting to 1-2 would have access to 3-5, so all bets are off if that should happen.

It's more about having to worry about downloads or link clicks etc. with unwanted results.

The Netgear FVS318 appears not to be able to do this for me. But I could be wrong there. I see no options that look useful for it. Blocking of sites might do it but appears it would be a long process setting it up.

I'd happily hear that the router can do this.

=====================================================

I'm turning to my gentoo box for a solution.

However, I'm not interested in setting it up as the router for everything and ditching the NETGEAR. It's too convenient having something the size of a medium book that makes no noise or heat but can keep all but the most dedicated of script kiddies off my network.

I'm thinking I could route machines 3-5 thru it as gateway. The way I work, the gentoo box is always running. I would never be using the others without it running, it's just how I work.

I know already that Iptables can handle the rulesets needed to get what I want. I'm not sure of the exact rules yet but believe it is at least possible.

Now for the questions:

Can I route 3-5 thru the Gentoo box without changing the subnet setup? That is, all still remain 192.168.0.0/24. And simply set gateway on 3-5 to point at the gentoo box. Then setup IPtables to prevent those machines from talking beyond local lan in or out.

Something like deny everything, then allow only a list of `safe' IPs on the local lan.

So again:
Can I do all this without hardwiring 3-5 direct to the Gentoo box? That is, just by setting it as gateway on each of them.

-- 
gentoo-user@gentoo.org mailing list
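The rule set Harry is asking about, as an added example written for this page (it is not code from the thread or from Gentoo): a Linux box that is the default gateway for a few hosts on the same /24 forwards nothing from them except LAN-bound traffic. The interface name eth0, the isolated addresses 192.168.0.3-5 and the NETGEAR at 192.168.0.1 are assumptions; the thread only gives the 192.168.0.0/24 subnet. The script prints the commands by default (DRY_RUN=1) so they can be reviewed, and executes them only when run as root with DRY_RUN=0. The send_redirects lines address a failure mode specific to a gateway that sits on the same subnet as its clients: when Linux forwards a packet back out the interface it arrived on, it sends the client an ICMP redirect naming the real router, and a client that honours the redirect then bypasses the filter entirely.

```shell
#!/bin/sh
# Added example, not from the thread: LAN-only forwarding policy for a Linux
# box acting as default gateway for a few hosts on the same /24.
# Assumed values (not given in the thread): NIC eth0, isolated hosts
# 192.168.0.3-5, the NETGEAR at 192.168.0.1. Adjust before applying.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
ISOLATED="${ISOLATED:-192.168.0.3 192.168.0.4 192.168.0.5}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# run: print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# lan_only_rules: kernel settings plus the FORWARD chain for the policy.
lan_only_rules() {
    # The box must forward at all...
    run sysctl -q -w net.ipv4.ip_forward=1
    # ...but must not tell the isolated hosts about a shorter path. Forwarding
    # a packet back out the interface it arrived on makes Linux send an ICMP
    # redirect pointing the sender straight at the NETGEAR; a host that honours
    # that redirect would bypass this box from then on.
    run sysctl -q -w net.ipv4.conf.all.send_redirects=0
    run sysctl -q -w "net.ipv4.conf.$LAN_IF.send_redirects=0"

    # Nothing is forwarded unless a rule below says so.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD

    for host in $ISOLATED; do
        # Traffic from an isolated host to the local LAN may pass (normally
        # on-link and never seen here, but harmless to allow explicitly).
        run iptables -A FORWARD -i "$LAN_IF" -s "$host" -d "$LAN_NET" -j ACCEPT
        # Anything else from that host is Internet-bound: log a sample, then drop.
        run iptables -A FORWARD -i "$LAN_IF" -s "$host" -m limit --limit 6/min \
            -j LOG --log-prefix "lan-only drop: "
        run iptables -A FORWARD -i "$LAN_IF" -s "$host" -j DROP
    done
}

# rule_count: number of FORWARD rules the policy installs (3 per isolated
# host), handy as a sanity check before applying for real.
rule_count() {
    (DRY_RUN=1; lan_only_rules) | grep -c -- "-A FORWARD"
}

lan_only_rules
```

Run it once as printed, check that `rule_count` matches what you expect for your host list, then run `DRY_RUN=0 sh lan-only.sh` as root. Anything the LOG rule catches in the kernel log is a host on the isolated list trying to leave the LAN, which is exactly the event worth knowing about.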
* Re: [gentoo-user] [Iptables related] How to make one machine only talk on loc lan
From: John Jolet @ 2005-11-12 23:17 UTC
To: gentoo-user

The netgear will do it. You can give it ip addresses to block. Look at the schedule setups. Set them up only to be able to access the internet for, say, a second on Sunday at 3 am, and not for the rest of the time....

On Saturday 12 November 2005 17:35, Harry Putnam wrote:
> Hopefully someone here can direct me to where this should be posted or
> answer it directly. I'm looking to my Gentoo box to solve the problem
> described below:
>
> First:
> My home lan looks like:
>
>                   INTERNET
>                      |
>                   DSLMODEM
>                      |
>   ------------- NETGEAR FVS318 fw/router ---------------
>      |        |        |        |        |
>     Mch1     Mch2     mch3     mch4     mch5
>     Lin      win      win      win      win
>    Gentoo
>
> Machines 3-5 are heavy hitters for graphics work and are heavily
> loaded with such things as Photoshop, Vegas, Canopus Edius, Adobe
> Illustrator and the like.
>
> I don't want to have to worry about spyware, adware, virus prevention,
> firewall stuff competing for resources with the graphics tools.
> Instead I'd like to prevent those three from contacting the internet.
>
> I want to isolate mch3-5 to only the local network.
>
> That is, only mch1 (a linux machine) and mch2 (a winxp pro machine)
> should be able to freely access the internet. (Making those secure
> while doing so is not discussed here.) 3-5 should only be able
> to talk to/from the local net.
>
> I realize this would not be true isolation as anyone getting to 1-2
> would have access to 3-5, so all bets are off if that should happen.
>
> It's more about having to worry about downloads or link clicks etc. with
> unwanted results.
>
> The Netgear FVS318 appears not to be able to do this for me. But I
> could be wrong there. I see no options that look useful for it.
> Blocking of sites might do it but appears it would be a long process
> setting it up.
>
> I'd happily hear that the router can do this.
>
> =====================================================
>
> I'm turning to my gentoo box for a solution.
>
> However, I'm not interested in setting it up as the router for
> everything and ditching the NETGEAR. It's too convenient having
> something the size of a medium book that makes no noise or heat but
> can keep all but the most dedicated of script kiddies off my network.
>
> I'm thinking I could route machines 3-5 thru it as gateway.
> The way I work, the gentoo box is always running. I would never be
> using the others without it running, it's just how I work.
>
> I know already that Iptables can handle the rulesets needed to get
> what I want. I'm not sure of the exact rules yet but believe it is at
> least possible.
>
> Now for the questions:
>
> Can I route 3-5 thru the Gentoo box without changing the subnet
> setup? That is, all still remain 192.168.0.0/24. And simply set
> gateway on 3-5 to point at the gentoo box. Then setup IPtables to
> prevent those machines from talking beyond local lan in or out.
>
> Something like deny everything, then allow only a list of `safe' IPs
> on the local lan.
>
> So again:
> Can I do all this without hardwiring 3-5 direct to the Gentoo box?
> That is, just by setting it as gateway on each of them.

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
john@jolet.net
* [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Harry Putnam @ 2005-11-13 0:56 UTC
To: gentoo-user

John Jolet <john@jolet.net> writes:

> The netgear will do it. You can give it ip addresses to block.
> Look at the schedule setups. Set them up only to be able to access
> the internet for, say, a second on Sunday at 3 am, and not for the
> rest of the time....

Do you mean to block every address on the internet? I'm not following you here. Further, I don't see an option to block ip addresses in the blocking section at all. Only by keywords.

Are we looking at the same router?
(here it is FVS318)
I see:

# Security Logs
# Block Sites
# Block Service
# Add Service
# Schedule
# E-mail

On left

(others are below but not of interest here unless you tell me you mean some other section)

I see no way to block by IP number in any of those sections. One could block by keyword and use `com' `net' `org' etc. as the keywords I suppose, but it seems really hackish and prone to unexpected results.

No kind of control like is possible with Iptables.
* Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: John Jolet @ 2005-11-13 3:14 UTC
To: gentoo-user

On Saturday 12 November 2005 18:56, Harry Putnam wrote:
> John Jolet <john@jolet.net> writes:
> > The netgear will do it. You can give it ip addresses to block.
> > Look at the schedule setups. Set them up only to be able to access
> > the internet for, say, a second on Sunday at 3 am, and not for the
> > rest of the time....
>
> Do you mean to block every address on the internet? I'm not following
> you here. Further, I don't see an option to block ip addresses in the
> blocking section at all. Only by keywords.
>
> Are we looking at the same router?
> (here it is FVS318)
> I see:
>
> # Security Logs
> # Block Sites
> # Block Service
> # Add Service
> # Schedule

Here. You set a schedule, then limit certain ip addresses to access only at certain times... You make the time slice small enough, you've effectively blocked them.

> # E-mail
>
> On left
>
> (others are below but not of interest here unless you tell me
> you mean some other section)
>
> I see no way to block by IP number in any of those sections. One
> could block by keyword and use `com' `net' `org' etc. as the keywords I
> suppose, but it seems really hackish and prone to unexpected results.
>
> No kind of control like is possible with Iptables.

No, not really, but to do that you have to put a gentoo box BETWEEN the netgear router and these boxes. For http/ftp control, you could put squid and direct the machines' proxies to it, but you won't be able to force that.

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
john@jolet.net
* [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Harry Putnam @ 2005-11-13 7:09 UTC
To: gentoo-user

John Jolet <john@jolet.net> writes:

> On Saturday 12 November 2005 18:56, Harry Putnam wrote:
>> John Jolet <john@jolet.net> writes:
>> > The netgear will do it. You can give it ip addresses to block.
>> > Look at the schedule setups. Set them up only to be able to access
>> > the internet for, say, a second on Sunday at 3 am, and not for the
>> > rest of the time....
>>
>> Do you mean to block every address on the internet? I'm not following
>> you here. Further, I don't see an option to block ip addresses in the
>> blocking section at all. Only by keywords.
>>
>> Are we looking at the same router?
>> (here it is FVS318)
>> I see:
>>
>> # Security Logs
>> # Block Sites
>> # Block Service
>> # Add Service
>> # Schedule
> Here. You set a schedule, then limit certain ip addresses to access only at
> certain times... You make the time slice small enough, you've effectively
> blocked them.
>> # E-mail

Willie Wong <wwong@Princeton.EDU> writes:

>> # Block Service
>
> This is the one. Block service allows you to specify which LOCAL ip
> addresses you want to limit the service for.
>
> Just set up static ip for machines 3-5 (or DHCP with fixed ip
> addresses for those machines based on hardware address). Set the
> blocking schedule to always. For ALL services you find in the list,
> supply the ips for those three machines.

Apparently you too are not looking at the router I've specified: NETGEAR FVS318

In the schedule section there is only one place to put an IP address and that is for an ntp server if you want one.

http://home.jtan.com/~reader/exp/web_ready/dispimg.cgi
* Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Willie Wong @ 2005-11-13 8:48 UTC
To: gentoo-user

On Sun, Nov 13, 2005 at 01:09:54AM -0600, Harry Putnam wrote:
> Apparently you too are not looking at the router I've specified:
> NETGEAR FVS318
>
> In the schedule section there is only one place to put an IP address
> and that is for an ntp server if you want one.
>

Apparently you didn't RTFM. (Of course, since you didn't read my comment either. I said: "Click on BLOCK SERVICES" and you clicked on "Schedule", well no shit Sherlock, of course what I told you won't be there.) Here: I found it for you:

ftp://downloads.netgear.com/files/fvs318_ref_manual_14.pdf

Chapter 4, page 5.

Poorly written, but understandable. Of course, that is for firmware version 1.4, which has been out since January 2004; hopefully I am not making an undue assumption that your router has the most up-to-date firmware.

Hope THAT helps </sarcasm>

W
-- 
Pintsize: You don't have my raw electro-magnetism.
Sortir en Pantoufles: up 1 day, 59 min
* [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Harry Putnam @ 2005-11-13 17:44 UTC
To: gentoo-user

Willie Wong <wwong@Princeton.EDU> writes:

> Apparently you didn't RTFM. (Of course, since you didn't read my
> comment either. I said: "Click on BLOCK SERVICES" and you clicked on
> "Schedule", well no shit Sherlock, of course what I told you won't be
> there.) Here: I found it for you:
>
> ftp://downloads.netgear.com/files/fvs318_ref_manual_14.pdf
>
> Chapter 4, page 5.
>
> Poorly written, but understandable. Of course, that is for firmware
> version 1.4, which has been out since January 2004; hopefully I am not
> making an undue assumption that your router has the most up-to-date
> firmware.
>
> Hope THAT helps </sarcasm>

You have a fast smart mouth on you Mr. Wong. But thanks just the same. I got in my head you both were talking about the scheduling area. My mistake. I noticed it soon after posting and found the place to make these settings shortly thereafter.

There is a problem with it I'll explain in a minute but first let me ask if you are actually using your router to do something similar to what I described?

Reason I ask is here it appears it would be a very shaky way to go. In the blocking area there is a list of 11 services to block. Services can be added in a different area but even then one is just guessing and hoping any attacker doesn't use a port for which there is no service or one you forgot to add.

It appears there is no global setting to just block everything.

I thought of doing something similar with the keywords blocking by selecting com, org, net, edu etc. as the keywords, but again one is just hoping you didn't overlook something. Again, no way to just say `block all incoming/outgoing'.

If you've been doing this over time it would be encouraging to hear it has worked with no problems.

Getting back to using the gentoo box for this:

One poster mentioned he thought it would require hard wiring the win boxes to run thru the gentoo first.

I'm wondering if it would work to just set the gentoo box as gateway for them even though they are coming in thru the router first. Haven't tried any of that since I need an undisturbed internet connection for a while more yet.
* Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Willie Wong @ 2005-11-13 18:26 UTC
To: gentoo-user

On Sun, Nov 13, 2005 at 11:44:31AM -0600, Harry Putnam wrote:
> You have a fast smart mouth on you Mr. Wong. But thanks just the
> same. I got in my head you both were talking about the scheduling
> area. My mistake. I noticed it soon after posting and found the
> place to make these settings shortly thereafter.

=) Willie is fine. "Mr. Wong" doesn't become me.

> There is a problem with it I'll explain in a minute but first let me
> ask if you are actually using your router to do something similar to
> what I described?

Yes and no.... I firewall off some access for wireless devices around home. Mostly so people who are "visiting" with their computers won't cause heavy disruption (by, for example, getting a spyware/spambot infected machine onto my network and pissing off my ISP). But I do not block off all services.

> Reason I ask is here it appears it would be a very shaky way to go.
> In the blocking area there is a list of 11 services to block.
> Services can be added in a different area but even then one is just
> guessing and hoping any attacker doesn't use a port for which
> there is no service or one you forgot to add.

True. That's one question I've been wondering. Since I do *not* actually have a FSV318 (like I said, I have a way lower end Netgear router), I was wondering about what I saw in the manual. The page I referred you to had a sample screen that says something akin to "Clicking here enables ALL services for ALL local LAN addresses". (I hope you know which screencap I am talking about.) So
1) Does such a screen exist?
2) If it does, if you only enable OUTBOUND service for the two computers you want, does it do the job?

The other consideration is that: so long as your computer has no way of initiating outbound HTTP/S, FTP, TELNET, SSH, etc. access (those in the list), I highly doubt there's a way for the computer to get _passively_ infected by malware. What I mean is that there are basically two ways for the attack to happen:
1) The attacker puts his stuff on the 'web and waits for people to click on it (software that bundles spyware, malformed webpages).
2) The attacker actively attacks you.

For case 1), blocking outbound services on those 11 ports should be sufficient (especially if you administer your own small network and do not let random strangers off the street play with your boxes). For case 2), that is what a firewall is for. Judging by your setup I am assuming you have NAT set up (of course, you could have 5 ips from the ISP, but in principle you won't need a router then...). In that case, without explicitly forwarding ports or setting up a DMZ, there really isn't a way for the attacker to attack your computers without the router/firewall being seriously compromised.

> just hoping you didn't overlook something. Again, no way to just say
> `block all incoming/outgoing'.

Again (sorry if I sound redundant), you only need to block all OUTGOING at the router level. Incoming is blocked by assumption unless you set up port forwarding. That is what a firewall means after all.

> If you've been doing this over time it would be encouraging to hear it
> has worked with no problems

Sorry... no way to tell: different models of router, different level of security we are talking about here. I put my linux box on the DMZ and run iptables on it... I've seen scripted attacks hitting my DMZ box, but nothing has ever hit computers behind the router's firewall. So I guess I must be doing something right. =)

>
> Getting back to using the gentoo box for this:
>
> One poster mentioned he thought it would require hard wiring the win
> boxes to run thru the gentoo first.

That's the only way to be safe.

> I'm wondering if it would work to just set the gentoo box as gateway
> for them even though they are coming in thru the router first.
> Haven't tried any of that since I need an undisturbed internet
> connection for a while more yet.

If the windows boxes are wired to the router, then it would be possible to change a setting in windows and make them use the router as the gateway. And if the router is not set up to block services, they would have direct access to the internet.

If blocking a (finite number of) services sounds shaky to you, then I think only hard-wiring the boxes to pass through the gentoo box would be secure enough for you. If you have some budget: get a second NIC for your gentoo box, hook it directly up to the internet. Point the second NIC to your netgear router, and set up the router to function only as a switch (no address translation, no dhcp, nothing). Follow the gentoo home networking guide http://www.gentoo.org/doc/en/home-router-howto.xml to set up your gentoo box as a router/firewall. And then you can explicitly block all outbound connections from the three machines in question.

So....

                                              / Windows 1
  Internet ---- Gentoo box ---- Netgear Router - Windows 2
                                              \ Windows 3
                                               \Windows 4

W
-- 
Why don't you just jack the hubble? ~Alex MacDonald
Sortir en Pantoufles: up 1 day, 10:17
* [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Harry Putnam @ 2005-11-13 21:13 UTC
To: gentoo-user

Willie Wong wrote:

> =) Willie is fine. "Mr. Wong" doesn't become me.

Willie it is then...

>> There is a problem with it I'll explain in a minute but first let me
>> ask if you are actually using your router to do something similar to
>> what I described?

[snip] reasoning about blocking only services by name

> True. That's one question I've been wondering. Since I do *not*
> actually have a FSV318 (like I said, I have a way lower end Netgear
> router), I was wondering about what I saw in the manual. The page I
> referred you to had a sample screen that says something akin to
> "Clicking here enables ALL services for ALL local LAN addresses". (I
> hope you know which screencap I am talking about.) So
> 1) Does such a screen exist?

Yes, the manual you cited is for v1.4 by your message and my router is running v2.4 so there may be some differences but there is such a page, yes. Your manual shows an `any' choice in the services box whereas I only see a list of 11, no `any' choice. That isn't what we're discussing but just added for reference.... For my actual screen see:

http://www.jtan.com/~reader/exp/web_ready/dispimg.cgi

> 2) If it does, if you only enable OUTBOUND service for the two
> computers you want, does it do the job?

I suspect it would, and yes there is the possibility to ALLOW on that screen too. So one could turn it around and allow whatever machines I want internet capable rather than denying the ones I don't.

But if you mean to disable services for the other 3: that does work, and I've tried it now, but is the exact thing I called shaky. Your further comments on that have caused me to clean up my thinking about it a bit.

And as you say the router/fw is already blocking all incoming to those computers, since they are natted and no port forwarding on those. I do have a port forwarded from the gentoo box for ssh access.

[snip] cleaner thinking about what is really happening at the router.
[snip] discussion of doing it with gentoo box

=================
[An aside but sort of an answer to your diagram too]:

I got the netgear a couple of years ago to avoid doing what you laid out with the gentoo box. Only then it was a lean mean install of openbsd on an old x86 computer. But I think the same drawback would apply eventually, that is, that it is too labor intensive to keep up with updates, patches, noise, heat etc. since I'd not want to use my main desktop (my gentoo box) in that capacity since it's not really wise to run a hardened firewall on a production machine. I'd end up setting up a second Gentoo box as very configurable FW or really I'd probably install latest Openbsd and set it up as hardened and highly configurable router/fw, using the NETGEAR as you describe.... as a switch.

It's hard to argue with something the size of a medium book that generates no heat or noise yet keeps all but the most dedicated of script kiddies out of my network with ease. And needs almost no attention.
==============

Getting back to other things that might be tried:

I'm thinking now, after your comments on the subject, that blocking the services would be all I need to do. I'm currently doing the isolating by running a sw firewall called Kerio on each of the 3 machines. That isn't much fun either and if kerio wasn't started or was turned off the instant machine would be in harm's way right away, as you mentioned somewhere in your replies. No telling how much internet access happens when running a bunch of graphic manip programs. Probably not particularly dangerous but still all those update mechanisms would only need someone with bad intent to do harm with them.

I'm wondering now if there is a way to do something like setup a squid proxy on the gentoo and somehow force any attempts to go online from the 3 isolated mchs toward it? Someone already mentioned squid and said it could not be forced but not sure I understood what that meant.

But also if I were to set the gateway, which is now the NETGEAR router, to the gentoo box, wouldn't all outgoing traffic automatically head for the gateway? Would they really need to be wired to a second nic? Can the gentoo box be made to handle that local lan based traffic, and head it toward the internet without a second nic and all?

My feeble understanding of setting a default gateway is that it then becomes the only route used without setting static routes in the routing table of the winboxes.

I intend to experiment with this a bit later, tracerouting different setups and such.
* Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Willie Wong @ 2005-11-13 21:30 UTC
To: gentoo-user

On Sun, Nov 13, 2005 at 03:13:35PM -0600, Harry Putnam wrote:

<big big big snip of things I can't answer for you>

> I'm wondering now if there is a way to do something like setup a squid
> proxy on the gentoo and somehow force any attempts to go online from the
> 3 isolated mchs toward it?

Two ways exist (AFAIK) of using squid:
1) Run it as a proxy server. In the Internet Options for your web browser, you point the proxy toward the proxy server. You submit a request, it gets relayed to the internet, the response comes back, squid passes it back to your computer.

2) Run it transparently on the _router_. This is the important part: on the router, you can force all traffic intended for HTTP traffic to go through squid. There are many howtos on the web detailing how this works, so I will not go into details and only say that it involves intercepting the traffic halfway with iptables and passing it to squid.

Clearly, 1 cannot be forced: if you just unset the proxy setting from the web browser, your computer will connect to the internet directly. 2 cannot be implemented in your case, since it requires that internet-bound traffic must pass through your gentoo box. If you try to forward all traffic from the router toward your gentoo box, you get an infinite loop since the gentoo box is behind the router.

>
> Someone already mentioned squid and said it could not be forced but not
> sure I understood what that meant.
>
> But also if I were to set the gateway, which is now the NETGEAR router,
> to the gentoo box, wouldn't all outgoing traffic automatically head for
> the gateway? Would they really need to be wired to a second nic?

Yes... theoretically.

But as far as I can see it,
1) The complexity of that setup will be at least as large as setting up a custom, dedicated gentoo/openbsd box as a firewall.
2) It can be circumvented trivially by setting the gateway manually to your netgear router.

Having a second NIC makes the circumvention method of 2 not possible.

> My feeble understanding of setting a default gateway is that it then
> becomes the only route used without setting static routes in the routing
> table of the winboxes.

Yes, but the default gateway can be changed on the fly. Since you expressed doubts about the reliability of third party firewall software, I don't think you would be terribly comfortable with the idea of a protection method that can be trivially by-passed on the software level.

W
-- 
3.1415926535897932384626433832795028841971693993751058209749445923078164062862
089986280348253421170679821480865132823066470938446095505822317253594081284811
174502841027019385211055596446229489549303819644288109756659334461284756482337
Sortir en Pantoufles: up 1 day, 13:38
* [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Harry Putnam @ 2005-11-13 23:35 UTC
To: gentoo-user

Willie Wong <wwong@Princeton.EDU> writes:

> Two ways exist (AFAIK) of using squid:
> 1) Run it as a proxy server. In the Internet Options for your
> web browser, you point the proxy toward the proxy server. You submit
> a request, it gets relayed to the internet, the response comes back,
> squid passes it back to your computer.
>
> 2) Run it transparently on the _router_. This is the important part:
> on the router, you can force all traffic intended for HTTP traffic
> to go through squid. There are many howtos on the web detailing how
> this works, so I will not go into details and only say that it
> involves intercepting the traffic halfway with iptables and passing
> it to squid.
>
> Clearly, 1 cannot be forced: if you just unset the proxy setting from
> the web browser, your computer will connect to the internet directly.

In the different scenarios we've been discussing though, I'm thinking I've blocked internet access for several machines. If those machines are then set to proxy thru a local lan address (the gentoo box running squid), they would be able to contact that address. As I understand it, that is the only address they would see.

And if the proxy were turned off in software they would then not be able to go to the internet either since that avenue is already blocked. So the browser would stall and show no internet connection.

> 2 cannot be implemented in your case, since it requires that
> internet-bound traffic must pass through your gentoo box. If you try
> to forward all traffic from the router toward your gentoo box, you
> get an infinite loop since the gentoo box is behind the router.

I'm not sure what you mean here about the infinite loop. That's what routers do: forward traffic to machines behind them.

What I'm thinking when I talk about setting default route to the gentoo box is that the router is also a switch. I'm wondering if internet bound packets can:

o start on a win box behind the router
o get to the router/switch
o be switched to the gentoo box since it is the gateway listed
o be sent back to the router by the gentoo box on its journey to INET.

Is that even possible without another subnet, nic etc.?
* Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Willie Wong @ 2005-11-14 5:39 UTC
To: gentoo-user

On Sun, Nov 13, 2005 at 05:35:27PM -0600, Harry Putnam wrote:
> In the different scenarios we've been discussing though, I'm thinking
> I've blocked internet access for several machines. If those machines
> are then set to proxy thru a local lan address (The gentoo box running
> squid). They would be able to contact that address. As I understand
> it, that is the only address they would see.

So you are thinking:
1) Block internet access of all kinds for the three windows boxes.
2) Leave the internet access open for the Gentoo box.
3) Have squid running on the Gentoo box.

So that if the Windows boxes want to access the internet, it goes through the Gentoo box? Yes it would work. A pretty good idea from what I can see.

> And if the proxy were turned off in software they would then not be
> able to go to internet either since that avenue is already blocked.
> So the browser would stall and show no internet connection.
>
> I'm not sure what you mean here about the infinite loop. That's what
> routers do is forward traffic to machines behind them.
>
> What I'm thinking when I talk about setting default route to the
> gentoo box is that the router is also a switch. I'm wondering if
> internet bound packets can:
>
> o start on a win box behind the router
> o get to the router/switch
> o be switched to the gentoo box since it is the gateway listed
> o be sent back to the router by the gentoo box on its journey to
> INET.
>
> Is that even possible without another subnet, nic etc?

The question is: when you say the gateway listed, do you mean the gateway listed for the router or the gateway listed for the win box?

If for the win box, it is trivial to change the gateway to the router, and since the router speaks to the internet, you are down to no protection. If you mean the gateway for the router.... imagine: the gentoo box passes a packet to the router, the router thinks the gateway is the gentoo box, and passes the packet back... Unless, of course, your router does forwarding per host, and my guess is that your router can't do that (though I might very well be wrong).

I think you are trying to make it more complicated than it actually is. If you just take the one method you suggested above: block of services on the netgear and mandate internet access from the win boxes go through squid on gentoo, I think it should be fine for what you want.

W
--
Seen in LINAC @ Fermi National Accelerator Laboratory:
(A series of signs, each with a different "name")
This 7833 Power Amplifier Tube is to be Called:
Gassy
Sparky
Leaky
Old Number 9
Just Plain Dead
Nick O'Tyme
Sortir en Pantoufles: up 1 day, 21:49
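What the gateway-based variant discussed in the exchange above would look like as an iptables ruleset on the Gentoo box, as an added example that is not code from the thread. It assumes the LAN from the thread (192.168.0.0/24) and uses constructed addresses for the three restricted hosts (192.168.0.3-5); as Willie notes, it enforces nothing once a win box's gateway is pointed back at the Netgear.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for
# the Gentoo box when it is the default gateway of the restricted hosts.
# Constructed placeholders (not from the thread): restricted hosts are
# 192.168.0.3, .4 and .5. Apply (as root) with:
#   echo 1 > /proc/sys/net/ipv4/ip_forward; gen_rules | iptables-restore
LAN=192.168.0.0/24                       # the LAN from the thread
RESTRICTED="192.168.0.3 192.168.0.4 192.168.0.5"

# in_lan ADDR: succeed when ADDR lies inside the /24 above.
in_lan() {
    case "$1" in
        192.168.0.*) return 0 ;;
        *)           return 1 ;;
    esac
}

# gen_rules: print the ruleset. FORWARD defaults to DROP, so a restricted
# host whose packets reach this box only gets LAN destinations; anything
# internet-bound is logged and dropped instead of being handed on to the
# Netgear. INPUT stays ACCEPT, so the hosts can still reach squid here.
gen_rules() {
    for h in $RESTRICTED; do
        in_lan "$h" || { echo "not a LAN address: $h" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies belonging to connections that were allowed below
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for h in $RESTRICTED; do
        # LAN-to-LAN traffic that happens to be routed via this box is fine
        echo "-A FORWARD -s $h -d $LAN -j ACCEPT"
        # everything else from a restricted host is internet-bound: log, drop
        echo "-A FORWARD -s $h -j LOG --log-prefix \"restricted-inet: \""
        echo "-A FORWARD -s $h -j DROP"
    done
    echo COMMIT
}

# Print the ruleset when run directly.
gen_rules
```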
* [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Harry Putnam @ 2005-11-13 19:09 UTC
To: gentoo-user

Willie Wong wrote:
> Poorly written, but understandable. Of course, that is for firmware
> version 1.4, which has been out since January 2004, hopefully I am not
> making an undue assumption that your router has the most up-to-date
> firmware.

You've got an earlier firmware. The latest is 2.4 also from mid 2004, don't recall exact date. But it appears to be the same anyway.
* Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Holly Bostick @ 2005-11-13 15:17 UTC
To: gentoo-user

Harry Putnam wrote:
> Apparently you too are not looking at the router I've specified:
> NETGEAR FVS318

Not to mix in (not having a Netgear router), but I wonder if perhaps the reason you are not seeing the ability to block IPs (which several people have said exists) is because you have not enabled it by setting a schedule:

> John Jolet <john@jolet.net> writes (twice):
>>>> look at the schedule setups. set them up only to be able to
>>>> access the internet for, say a second on sunday at 3 am, and
>>>> not for the rest of the time....
>>
>> here. you set a schedule, then limit certain ip addresses

As I said, I'm not familiar with this router, but I am familiar with the concept of options not becoming enable-able (and often even visible) until some precondition has been met (in this case setting a schedule). Certainly it would not seem logical for a high-end router *not* to be able to block IPs (and fairly thoroughly), especially if lower-end models of the same brand are capable of doing so; certainly it seems possible that such a device would not be "interested" in knowing what you want it to do (ip blocks) if it didn't have a category under which to perform the series of actions (the schedule).

Just an idea,
Holly
* Re: [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Willie Wong @ 2005-11-13 3:54 UTC
To: gentoo-user

On Sat, Nov 12, 2005 at 06:56:46PM -0600, Harry Putnam wrote:
> Do you mean to block every address on the internet? I'm not following
> you here. Further I don't see an option to block ip addresses in the
> blocking section at all. Only by keywords.

Yes, the netgear will do it. My crappy netgear router will, so your much higher end machines will too.

> Are we looking at the same router?
> (here is it FVS318)
> I see:
>
> # Security Logs
> # Block Sites
> # Block Service

This is the one. Block service allows you to specify which LOCAL ip addresses you want to limit the service for. Just set up static ip for machines 3-5 (or DHCP with fixed ip addresses for those machines based on hardware address). Set the blocking schedule to always. For ALL services you find in the list, supply the ips for those three machines.

W
--
"The last time anybody made a list of the top hundred character attributes of New Yorkers, common sense snuck in at number 79. .... When it's fall in New York, the air smells as if someone's been frying goats in it, and if you are keen to breathe the best plan is to open a window and stick your head in a building." - Nuff said??
Sortir en Pantoufles: up 20:10
* Re: [gentoo-user] [Iptables related] How to make one machine only talk on loc lan
From: A. Khattri @ 2005-11-19 15:39 UTC
To: gentoo-user

On Sat, 12 Nov 2005, Harry Putnam wrote:
> Machines 3-5 are heavy hitters for graphics work and are heavily
> loaded with such things as Photoshop, vegas, canopus Edius, Adobe
> Illustrator and the like.
>
> I don't want to have to worry about spyware, adware, virus prevention
> firewall stuff competing for resources with the graphics tools.
> Instead I'd like to prevent those three from contacting the internet.
>
> I want to isolate mch3-5 to only the local network.

Any simple off-the-shelf NAT router will do that. But preventing updates (espec. if they're Windoze boxes) seems like a bad idea to me.
* [gentoo-user] Re: [Iptables related] How to make one machine only talk on loc lan
From: Harry Putnam @ 2005-11-21 4:26 UTC
To: gentoo-user

"A. Khattri" <ajai@bway.net> writes:
> But preventing updates (espec. if they're Windoze boxes) seems like a bad
> idea to me.

It can be done by running IE thru a proxy on my linux box. Then it only sees local address.