filter traffic between computers on the same subnet

Lets say i have 1 network of 3 computers mixed os (winxp and linux)

Im wondering how to filter traffic between computer on the same subnet
using single firewall on linux

is that possible via iptables ?

Lets say subnet is 192.168.0.0 (dhcp server is running on linux)

Thanks!

On Oct 16, 10:02 am, tremmarc <tremm...@tiscali.it> wrote:
> Lets say i have 1 network of 3 computers mixed os (winxp and linux)
>
> Im wondering how to filter traffic between computer on the same subnet
> using single firewall on linux
>
> is that possible via iptables ?
>
> Lets say subnet is 192.168.0.0 (dhcp server is running on linux)
>
> Thanks!

I would use filtered bridging and ebtables.

DS

On Oct 17, 9:32 am, David Schwartz <dav...@webmaster.com> wrote:
> On Oct 16, 10:02 am, tremmarc <tremm...@tiscali.it> wrote:
>
> > Lets say i have 1 network of 3 computers mixed os (winxp and linux)
>
> > Im wondering how to filter traffic between computer on the same subnet
> > using single firewall on linux
>
> > is that possible via iptables ?
>
> > Lets say subnet is 192.168.0.0 (dhcp server is running on linux)
>
> > Thanks!
>
> I would use filtered bridging and ebtables.
>
> DS

thanks, is there a solution to use ebtables when have external switch?

tremmarc wrote:
> On Oct 17, 9:32 am, David Schwartz <dav...@webmaster.com> wrote:
>
>>On Oct 16, 10:02 am, tremmarc <tremm...@tiscali.it> wrote:
>>
>>
>>>Lets say i have 1 network of 3 computers mixed os (winxp and linux)
>>
>>>Im wondering how to filter traffic between computer on the same subnet
>>>using single firewall on linux
>>
>>>is that possible via iptables ?
>>
>>>Lets say subnet is 192.168.0.0 (dhcp server is running on linux)
>>
>>>Thanks!
>>
>>I would use filtered bridging and ebtables.
>>
>>DS
>
>
> thanks, is there a solution to use ebtables when have external switch?

There is no way to limit the traffic between
two computers physically connected directly
together (or via a non-VLAN switch). You
have to physically force the only path for
the traffic to be through your filter.

The filtering with ebtables is only effective
if the other computers are connected to different
Ethernet ports of the filter computer, and the
Ethernet interface are configured into a
bridge.

--

Tauno Voipio
tauno voipio (at) iki fi

On Oct 17, 6:18 am, tremmarc <tremm...@tiscali.it> wrote:

> thanks, is there a solution to use ebtables when have external switch?

It depends upon a lot of details you haven't given us. There are many
different ways to pull this off and some of them may apply to your
situation. Basically, you have to segment your network somehow so that
the only way for some computers to reach some other computers is
through your filtering box.

If your switch supports VLANs, for example, you can create a separate
VLAN for each port on your switch and configure each VLAN as a
separate bridging interface on the firewall. If there's only one
machine that's always the source or destination of the packets you
want to filter, you can connect that machine directly to your
filtering box and another network interface of that box to a switch
that you connect all the other machines too.

There are other ways. It depends.

DS

David Schwartz <(E-Mail Removed)> wrote:
> There are other ways. It depends.

I haven't tried this, but maybe you can do this:

Machine A is your filtering machine
Machine B and C are Windows boxes

Your subnet Mask is 255.255.255.0

B has IP address 10.0.2.2 default gateway 10.0.2.1
C has IP address 10.0.3.2 default gateway 10.0.3.1

A is configured with three IP addresses against its single interface card:
10.0.0.1, 10.0.2.1 and 10.0.3.1

B and C are on separate network addresses, and the only way to communicate
with each other is via the filtering gateway.

I haven't tried any of this stuff, and I don't know off the top of my head
what changes would need to be made to the gateway machine, but I am sure that
you can assign more than one IP address to a network interface card, so I
think you are half way to a solution.

Mark.

--
Mark Hobley
393 Quinton Road West
QUINTON
Birmingham
B32 1QE

Email: markhobley at hotpop dot donottypethisbit com

http://markhobley.yi.org/