Networking Forums

How would you do this ...

 
 
bone

 
      12-05-2006, 10:06 PM
I have been asked to construct a machine with 2 ethernet cards to do
the following:

Interfaces/network set up:
eth0 is on our 192.168.0.* LAN
eth1 is on another 192.168.0.* LAN
(these could be adjustable so eth1 is 192.168.1.*)

1) we want to allow traffic from eth0 to eth1 but only for 3 IPs on
eth0 side to 1 IP on eth1 side
2) no machines on eth1 can send any new connections back to eth0 side,
it can only send data through already established connections
instigated from the 3 IPs on eth0.

I am unable to visualize exactly what I need to use to get this to
work.

Any help is appreciated.

 
 
 
 
 
David Schwartz

 
      12-06-2006, 12:52 AM

bone wrote:
> I have been asked to construct a machine with 2 ethernet cards to do
> the following:
>
> Interfaces/network set up:
> eth0 is on our 192.168.0.* LAN
> eth1 is on another 192.168.0.* LAN
> (these could be adjustable so eth1 is 192.168.1.*)
>
> 1) we want to allow traffic from eth0 to eth1 but only for 3 IPs on
> eth0 side to 1 IP on eth1 side
> 2) no machines on eth1 can send any new connections back to eth0 side,
> it can only send data through already established connections
> instigated from the 3 IPs on eth0.
>
> I am unable to visualize exactly what I need to use to get this to
> work.
>
> Any help is appreciated.


You will make your life a lot easier if you number the LAN differently.
Otherwise, each computer will expect to be connecting to a machine on
its local LAN when you want it to connect to a machine on the other
LAN.

The first thing you need to do is set up a machine with two network
interfaces, one in each LAN, and capable of routing between them.

The next thing you need to do is arrange for machines on the LANs that
need to connect through your machine to send packets bound for the
other LAN to your machine.

The last thing you need to do is enforce your security rules.

There's nothing particularly difficult about each step and
documentation is easily available. Post if you run into trouble.

DS

 
 
Chris Davies

 
      12-06-2006, 08:59 AM
bone <(E-Mail Removed)> wrote:
> I have been asked to construct a machine with 2 ethernet cards to do
> the following:


> eth0 is on our 192.168.0.* LAN
> eth1 is on another 192.168.0.* LAN


If the LANs are using the same network number this will /really/
complicate matters.

> (these could be adjustable so eth1 is 192.168.1.*)


Yes, do that.


> 1) we want to allow traffic from eth0 to eth1 but only for 3 IPs on
> eth0 side to 1 IP on eth1 side


You'll need to create a (static) route on at least those three hosts that
tells them they can reach 192.168.1.0/24 via your new server. Since
you're going to need firewall rules to implement your policy, it won't
matter if it's easier for you to apply the route to all hosts on your
192.168.0.0/24 network.

You will then need to create a set of three firewall rules that permit
traffic from the designated IP addresses but no other.


> 2) no machines on eth1 can send any new connections back to eth0 side,
> it can only send data through already established connections
> instigated from the 3 IPs on eth0.


You need an "established" rule that tells the iptables firewall layer to
pass traffic previously established from eth0 to eth1. Everything else
can be rejected.


For extra points, consider whether your new server will need to contact
any hosts on either of your networks. Similarly consider whether any of
your existing hosts will need to access your new server itself. Finally,
you need to determine how likely it is that other hosts on your
192.168.0.0/24 network will be able to snaffle one of the permitted IP
addresses and hence bypass your firewall security.

Chris
 
 
ipnwsec

 
      12-06-2006, 04:49 PM

Hi,

1. Configure eth0 with ip address 192.168.0.x (edit the file
/etc/sysconfig/network-scripts/ifcfg-eth0)
2. Configure eth1 with ip address 192.168.1.x (edit the file
/etc/sysconfig/network-scripts/ifcfg-eth1)
3. Enable IP forwarding: in /etc/sysctl.conf set
net.ipv4.ip_forward = 1 and restart the network service using the command
"service network restart"
4. Configure ipchains rules and policies to exempt only the three PCs. For
further reference on ipchains follow this link:
http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html

Please let me know if you need anything more on this.

Thanks,
Sunil
http://geocities.com/sunil3112000

On Dec 6, 1:59 am, Chris Davies <chris-use...@roaima.co.uk> wrote:
> bone <dropdeads...@gmail.com> wrote:
> > I have been asked to construct a machine with 2 ethernet cards to do
> > the following:
> > eth0 is on our 192.168.0.* LAN
> > eth1 is on another 192.168.0.* LAN
>
> If the LANs are using the same network number this will /really/
> complicate matters.
>
> > (these could be adjustable so eth1 is 192.168.1.*)
>
> Yes, do that.
>
> > 1) we want to allow traffic from eth0 to eth1 but only for 3 IPs on
> > eth0 side to 1 IP on eth1 side
>
> You'll need to create a (static) route on at least those three hosts that
> tells them they can reach 192.168.1.0/24 via your new server. Since
> you're going to need firewall rules to implement your policy, it won't
> matter if it's easier for you to apply the route to all hosts on your
> 192.168.0.0/24 network.
>
> You will then need to create a set of three firewall rules that permits
> traffic from the designated IP addresses but no other.
>
> > 2) no machines on eth1 can send any new connections back to eth0 side,
> > it can only send data through already established connections
> > instigated from the 3 IPs on eth0.
>
> You need an "established" rule that tells the iptables firewall layer to
> pass traffic previously established from eth0 to eth1. Everything else
> can be rejected.
>
> For extra points, consider whether your new server will need to contact
> any hosts on either of your networks. Similarly consider whether any of
> your existing hosts will need to access your new server itself. Finally,
> you need to determine how likely it is that other hosts on your
> 192.168.0.0/24 network will be able to snaffle one of the permitted IP
> addresses and hence bypass your firewall security.
>
> Chris


 
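The two-NIC filtering router that Chris's reply and Sunil's step list describe, written out as an added example (not code from any of the posters): forwarding enabled, a default-deny FORWARD chain, one ACCEPT per permitted client pinned to the single target, and a conntrack ESTABLISHED,RELATED rule as the only path from eth1 back to eth0. The interface names, the three client addresses, the target address and the `apply` argument are my assumptions; it uses iptables (which the linked tutorial covers) rather than the ipchains Sunil names, and must run as root to take effect.

```shell
#!/bin/sh
# Added example, not code from the thread: the filtering router Chris and
# Sunil describe, built with iptables on a Linux box with two NICs.
# Assumed (constructed) addresses: eth0 faces 192.168.0.0/24, eth1 faces the
# renumbered 192.168.1.0/24, three permitted clients and one target host.
LAN_IF="${LAN_IF:-eth0}"                # the 192.168.0.* side
FAR_IF="${FAR_IF:-eth1}"                # the 192.168.1.* side
ALLOWED_SRC="${ALLOWED_SRC:-192.168.0.11 192.168.0.12 192.168.0.13}"
TARGET="${TARGET:-192.168.1.50}"
IPT="${IPT:-iptables}"                  # IPT=echo previews the rules without applying them

apply_policy() {
    if [ "$IPT" = iptables ]; then
        # Step 3 of Sunil's list: the kernel must route between the two NICs.
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        # Reverse-path filter: drop packets whose source address has no route
        # back out the interface they arrived on (a 192.168.0.x source on eth1).
        sysctl -w net.ipv4.conf.all.rp_filter=1 >/dev/null
    fi
    $IPT -F FORWARD
    $IPT -P FORWARD DROP                # default deny: nothing crosses unless listed
    # eth1 -> eth0 only for flows a client already opened; conntrack tracks
    # them, so a host on eth1 cannot originate a connection back (point 2).
    $IPT -A FORWARD -i "$FAR_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # eth0 -> eth1: one rule per permitted source, all pinned to the one target (point 1).
    for src in $ALLOWED_SRC; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$FAR_IF" -s "$src" -d "$TARGET" \
            -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # Log (rate limited) what the default policy is about to drop, so an eth1
    # host trying to connect back, or a borrowed client IP, shows up in syslog.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Sanity check on the generated rule set: the policy should install exactly
# one return-traffic ACCEPT plus one ACCEPT per permitted client.
count_accept_rules() {
    ( IPT=echo; apply_policy ) | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = apply ]; then
    apply_policy
fi
```

Run it as `sh router.sh apply` on the router; without the argument it only defines the functions, and `IPT=echo` lets you review the exact iptables commands first.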
 
 
 