Gateway using a single NIC

Hi!

Is it possible to set up a Linux machine with a single NIC to act
as a "fake gateway" inside a LAN?

The LAN already have a real gateway to internet, but I'd like
the "fake gateway" to sit on the LAN, and all packets towards
internet should first have to pass through the "fake gateway".
In the "fake gateway" I could then have filter rules that allows
me to control which hosts on the LAN can access internet.
And this is the purpose of all this, to be able to block internet
access for selected hosts on the LAN. I don't want to make any
physical changes to the network. I just want to add this "fake
gateway" and configure the hosts to point to it, instead of the
real one.

I've browsed through various Linux networking docs and howtos
but I'm too newbie at this... can anyone give me any hints?


Any help appreciated.

Mats

Mats Byggmastar wrote:

>
> Hi!
>
> Is it possible to set up a Linux machine with a single NIC to act
> as a "fake gateway" inside a LAN?
>
> The LAN already have a real gateway to internet, but I'd like
> the "fake gateway" to sit on the LAN, and all packets towards
> internet should first have to pass through the "fake gateway".
> In the "fake gateway" I could then have filter rules that allows
> me to control which hosts on the LAN can access internet.
> And this is the purpose of all this, to be able to block internet
> access for selected hosts on the LAN. I don't want to make any
> physical changes to the network. I just want to add this "fake
> gateway" and configure the hosts to point to it, instead of the
> real one.
>
> I've browsed through various Linux networking docs and howtos
> but I'm too newbie at this... can anyone give me any hints?

It won't work. When Linux determines that both sides are on the same wire,
it will send an ICMP redirect, telling the computer to talk directly to the
modem etc. Remember, local communications don't use an IP. They use a mac
address, so your firewall will become invisible.

Can you use .1q vlans? If you can, you can make that one interface look
like several interfaces and then do what you want. Setup a trunk from your
switch to the fake gateway trunking a vlan from your clients to the
fake gateway and then a second vlan from the fake gateway connected to
the real gateway. Just make sure that the subnet between the fake gateway
and the real gateway is different then the subnet between the fake gateway
and the hosts. You'll need to select .1q trunking in your linux kernel
config and download the vconfig user tools in order to create your vlan
interfaces.

On Thu, 11 Nov 2004 23:13:11 +0200, Mats Byggmastar wrote:

>
> Hi!
>
> Is it possible to set up a Linux machine with a single NIC to act
> as a "fake gateway" inside a LAN?
>
> The LAN already have a real gateway to internet, but I'd like
> the "fake gateway" to sit on the LAN, and all packets towards
> internet should first have to pass through the "fake gateway".
> In the "fake gateway" I could then have filter rules that allows
> me to control which hosts on the LAN can access internet.
> And this is the purpose of all this, to be able to block internet
> access for selected hosts on the LAN. I don't want to make any
> physical changes to the network. I just want to add this "fake
> gateway" and configure the hosts to point to it, instead of the
> real one.
>
> I've browsed through various Linux networking docs and howtos
> but I'm too newbie at this... can anyone give me any hints?
>
>
> Any help appreciated.
>
> Mats

"James Knott" <(E-Mail Removed)> wrote in message news:7P-dnQRSK5ITeg7cRVn-(E-Mail Removed)...
>
> It won't work. When Linux determines that both sides are on the same wire,
> it will send an ICMP redirect, telling the computer to talk directly to the
> modem etc. Remember, local communications don't use an IP. They use a mac
> address, so your firewall will become invisible.

OK.

I found a bridge/firewall setup at http://www.shorewall.net
If I understood it correctly, a bridge basically works as a
switch inside the LAN. So with a bridge I would not even have
to reconfigure the hosts on the LAN, just stick the bridge
in between somewhere. And if the bridge stops working for some
reason, (or some admin doesn't like it,) it can simply be
unplugged and bypassed with a cable.


Mats

Mats Byggmastar wrote:

>
> "James Knott" <(E-Mail Removed)> wrote in message
> news:7P-dnQRSK5ITeg7cRVn-(E-Mail Removed)...
>>
>> It won't work. When Linux determines that both sides are on the same
>> wire, it will send an ICMP redirect, telling the computer to talk
>> directly to the
>> modem etc. Remember, local communications don't use an IP. They use a
>> mac address, so your firewall will become invisible.
>
> OK.
>
> I found a bridge/firewall setup at http://www.shorewall.net
> If I understood it correctly, a bridge basically works as a
> switch inside the LAN. So with a bridge I would not even have
> to reconfigure the hosts on the LAN, just stick the bridge
> in between somewhere. And if the bridge stops working for some
> reason, (or some admin doesn't like it,) it can simply be
> unplugged and bypassed with a cable.

Whatever you use, you'll still need two NICs in it.

Jason Clark wrote:

> Can you use .1q vlans?**If*you*can,*you*can*make*that*one*interface*look
> like several interfaces and then do what you want. Setup a trunk from your
> switch to the fake gateway trunking a vlan from your clients to the
> fake gateway and then a second vlan from the fake gateway connected to
> the real gateway. Just make sure that the subnet between the fake gateway
> and the real gateway is different then the subnet between the fake gateway
> and the hosts.**You'll*need*to*select*.1q*trunking*in*your*linux*kernel
> config and download the vconfig user tools in order to create your vlan
> interfaces.

If you try to use the same interface for two IPs, ICMP redirects will cause
the the "gateway" to be ignored.

"James Knott" <(E-Mail Removed)> wrote in message news:7oSdnX2aEMriTAncRVn-(E-Mail Removed)...
> Mats Byggmastar wrote:
>
> >
> > "James Knott" <(E-Mail Removed)> wrote in message
> > news:7P-dnQRSK5ITeg7cRVn-(E-Mail Removed)...
> >>
> >> It won't work. When Linux determines that both sides are on the same
> >> wire, it will send an ICMP redirect, telling the computer to talk
> >> directly to the
> >> modem etc. Remember, local communications don't use an IP. They use a
> >> mac address, so your firewall will become invisible.
> >
> > OK.
> >
> > I found a bridge/firewall setup at http://www.shorewall.net
> > If I understood it correctly, a bridge basically works as a
> > switch inside the LAN. So with a bridge I would not even have
> > to reconfigure the hosts on the LAN, just stick the bridge
> > in between somewhere. And if the bridge stops working for some
> > reason, (or some admin doesn't like it,) it can simply be
> > unplugged and bypassed with a cable.
>
> Whatever you use, you'll still need two NICs in it.

Yes.
This bridge thing has two NICs, but the LAN don't have to be
reorganised in a dramatic way so it should be ok for me.


Mats