
Re: Blocking internet Access



"Blunier, Mark" <Mark.Blunier@aventinerei.com> wrote:
> I will be installing a Debian box that will have two
> network cards.  One network will be connected to a
> private network.  It will use a static IP.  The second
> network card will be connected to the plant network.
> It will use DHCP.  I need to run Firefox to view a server
> on the private network.  I'd like to be able to block
> firefox (and any other web browsers) from accessing
> information on the internet through the plant
> network.  This machine will be running a vncserver that
> PC's on the plant network will access.  I'd prefer to do
> this by setting something on the Linux box rather than
> having to have IT make changes to their network
> configuration.

Just from memory, you'll want something like this ...

Let's assume you are using:

  Corporation:  172.16.0.0/255.255.0.0
         eth1:  172.16.64.192
      Private:  192.168.128.0/255.255.255.0
         eth0:  172.168.128.1

Here's the iptables rule to block any traffic from Private
reaching anything except your corporate network (except for
the Gateway itself):  

# Forwarded traffic only exists in the FORWARD chain (INPUT does not
# accept -o); traffic the gateway itself originates is never forwarded,
# so it is not affected.  Negation goes before the option: ! -d ...
iptables -A FORWARD \
   -i eth0 -s 192.168.128.0/255.255.255.0 \
   -o eth1 ! -d 172.16.0.0/255.255.0.0 \
   -j REJECT

I don't recommend you use NAT/PAT (which is always a major
issue for network administrators/management), so you do _not_
want to block Corporation access into your Private Network. 
You should work with your network administrators to define
routes to your 192.168.128.0/255.255.255.0 network.

You should also set up your gateway so it knows what corporate
routes to take.  E.g., if your company uses OSPF, set up your
gateway device to listen for OSPF.  They might even want you
to announce via OSPF -- although it might be best to ask for
a subnet in the same class A or B they are using.

Resist the temptation just to NAT/PAT everything.  Use
subnets that your netadmins are aware of and they can route
to/from.


-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith@ieee.org     |  (please excuse any
http://thebs413.blogspot.com/ |   missing headers)

-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
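The following script is an added example, not the poster's own rule set, showing the policy from the reply above as a complete iptables setup: forwarded traffic from the private network may reach only the corporate network, and, for the original question, the FORWARD chain alone does nothing for Firefox running on the gateway itself, so an OUTPUT chain policy keeps the box's own browsers off the internet while leaving the plant's VNC clients, DHCP and the corporate network reachable. The interface names and subnets are the assumed values from the message (172.16.0.0/16 corporate on eth1, 192.168.128.0/24 private on eth0); adjust them for the real box.

```shell
#!/bin/sh
# Added example (not the list poster's script). Run as root with "apply",
# or with "dry-run" to print the rules without touching the kernel.
# Interface names and subnets are assumed values from the thread.

CORP_NET="172.16.0.0/16"      # plant/corporate network (assumed)
PRIV_NET="192.168.128.0/24"   # private network behind the gateway (assumed)
CORP_IF="eth1"                # card on the plant network (DHCP)
PRIV_IF="eth0"                # card on the private network (static)

# Execute an iptables command, or only print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_policy() {
    # Forwarded traffic from the private side: corporate destinations pass,
    # everything else leaving via the plant card is rejected. Traffic the
    # gateway generates itself never enters FORWARD, so it is unaffected here.
    ipt -A FORWARD -i "$PRIV_IF" -o "$CORP_IF" -s "$PRIV_NET" -d "$CORP_NET" -j ACCEPT
    ipt -A FORWARD -i "$PRIV_IF" -o "$CORP_IF" -s "$PRIV_NET" -j REJECT

    # Locally generated traffic (Firefox on the gateway): keep replies to
    # inbound sessions such as the plant's VNC clients, keep DHCP renewals
    # and the corporate network reachable, reject any other new connection
    # leaving through the plant card.
    ipt -A OUTPUT -o "$CORP_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$CORP_IF" -p udp --dport 67 -j ACCEPT
    ipt -A OUTPUT -o "$CORP_IF" -d "$CORP_NET" -j ACCEPT
    ipt -A OUTPUT -o "$CORP_IF" -j REJECT
}

# Print the rule set without applying it.
dry_run() {
    (DRY_RUN=1; apply_policy)
}

# Number of rules the policy installs; handy for a quick self-check.
rule_count() {
    dry_run | wc -l | tr -d ' '
}

case "${1:-}" in
    apply)   apply_policy ;;
    dry-run) dry_run ;;
esac
```

Run it with `dry-run` first and read the generated rules; the OUTPUT rules use the conntrack match so that connections the plant's VNC clients open toward the gateway keep working even though new outbound connections from the gateway are rejected. If the DHCP server sits outside the corporate range, the udp/67 rule is what keeps the lease renewable.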