Internet
   |
   | eth0 (public IP)
Firewall/dhcp server
   | eth1 (192.168.1.1)
   |
Hub/Switch <--- Internal network (20-30 PC's)

We are setting up a firewall/dhcp server. The dhcp server will run on eth1 and I think I know how to set it up (it seems to be easy with Yast2). SuSEfirewall will see eth0 as the external interface and eth1 as the internal. How do we pass the internet traffic from eth1 to eth0? Is it by setting the public IP to be the gateway for eth1? Is it possible to prevent certain PC's from having access to the internet?

cheers, alberto
-------------------------------------------------------------------
Alberto Santana, Ph.D.
Center for Chemical Sensor Development for Explosives
Department of Chemistry
University of Puerto Rico - Mayaguez
P.O. Box 9019 Phone: (787) 832-4040 x2485
Mayaguez PR, 00681-9019
http://www.uprm.edu/~asantana
Alberto Santana wrote:
How do we pass the internet traffic from eth1 to eth0?
1) Enable IP forwarding. 2) Set up the appropriate routes.
Is it possible to prevent certain PC's from having access to the internet?
Sounds like a job for iptables. /Per
On Mon, 23 Feb 2004 11:06:11 -0400 "Alberto Santana" wrote:
How do we pass the internet traffic from eth1 to eth0? Is it by setting the public IP to be the gateway for eth1? Is it possible to prevent certain PC's from having access to the internet?

Your gateway has to do with the routing table not the interface. You will have a routing table that looks somewhat like this:

Destination   Gateway       Genmask          Iface
aa.bb.cc.00   0.0.0.0       255.255.255.0    eth0
0.0.0.0       aa.bb.cc.dd   0.0.0.0          eth0
192.168.1.0   192.168.1.1   255.255.255.0    eth1
Your gateway to the local net is eth1, your gateway to all other
networks is your public IP (aa.bb.cc.dd).
Each of the PCs will use 192.168.1.1 as the gateway.
You should also be able to deny any host or group of hosts from using
the Internet.
I would also suggest that you use a switch and not a hub because a
switch will always run the best speed/duplex for each of the attached
machines, where a hub will generally run at the duplex/speed of the
slowest connected PC. So, if most of the systems are 100Mbps full
duplex, but one PC is 10Mbps half duplex, with a hub (in general) your
entire network would be 10Mbps. (Some hubs are more switchlike).
--
Jerry Feldman
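Per's two steps (forwarding on, routes in place) and Jerry's routing table cover the routing half; the iptables half that Per points at is left implicit. The following is an added example, not code from the thread and not what SuSEfirewall2 generates: a POSIX sh script that emits an iptables-restore ruleset for the diagram, masquerading eth1 traffic out of eth0, letting replies back in, keeping the gateway's own DHCP service reachable on the inside, and dropping forwarded traffic from named LAN hosts before the general LAN-to-Internet ACCEPT. The function names gen_ruleset and apply_ruleset are this example's own; the interface names and 192.168.1.0/24 come from the thread, and the two blocked addresses 192.168.1.129 and .130 are constructed. On a box where SuSEfirewall2 is active it owns the tables, so treat this as the hand-written equivalent of its FW_MASQ settings rather than something to run alongside it.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2: generate an
# iptables-restore ruleset for the two-interface gateway in the diagram.
#   gen_ruleset EXT_IF INT_IF LAN_NET "BLOCKED_IP ..."
# Default values below come from the thread; the two blocked addresses are
# constructed (they would be the fixed DHCP addresses of the PCs to cut off).

gen_ruleset() {
    ext=$1; int=$2; lan=$3; blocked=$4

    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # "Pass traffic from eth1 to eth0": rewrite LAN source addresses to the
    # public address of $ext so that replies come back to this box.
    echo "-A POSTROUTING -s $lan -o $ext -j MASQUERADE"
    echo "COMMIT"

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # A DHCP DISCOVER arrives with source 0.0.0.0, so a rule matching -s $lan
    # would not see it; allow the DHCP server port on the inside explicitly.
    echo "-A INPUT -i $int -p udp --sport 68 --dport 67 -j ACCEPT"
    # Administer the gateway from the LAN only; nothing is offered on $ext.
    echo "-A INPUT -i $int -s $lan -j ACCEPT"
    # Blocked PCs: these DROPs must precede the general LAN->Internet ACCEPT.
    for ip in $blocked; do
        echo "-A FORWARD -i $int -s $ip -j DROP"
    done
    echo "-A FORWARD -i $int -o $ext -s $lan -j ACCEPT"
    echo "-A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "COMMIT"
}

# Step 1 from Per's reply, then load the whole ruleset atomically (needs root).
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset "$@" | iptables-restore
}

# "sh fw.sh apply eth0 eth1 192.168.1.0/24 '192.168.1.129 192.168.1.130'"
# applies the rules; with no arguments the ruleset is printed for review.
if [ "${1:-}" = apply ]; then
    shift
    apply_ruleset "$@"
else
    gen_ruleset eth0 eth1 192.168.1.0/24 "192.168.1.129 192.168.1.130"
fi
```

Printing the ruleset first and reading it is the point of the iptables-restore format: the whole policy is one file, the default policies are DROP, and the order of the FORWARD rules (per-host DROP above the general ACCEPT) is visible before anything is loaded.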
Alberto Santana wrote:
Is it by setting the public IP to be the gateway for eth1? Is it possible to prevent certain PC's from having access to the internet?

Correct, you use eth1 (192.168.1.1) as the default gateway. I haven't looked at SuSE firewall, but it should be possible to block access for certain IP addresses; you could also set up each of those boxes to not have the default gateway, though that means people can always configure it.

Regards
Sid.
--
Sid Boyce .... Hamradio G3VBV and keen Flyer
Linux Only Shop.
On Monday 23 February 2004 17:06, Alberto Santana wrote:
Is it possible to prevent certain PC's from having access to the internet?

Configuring SuSEfirewall2 with YaST2 is really easy, but if you want to prevent some PC's from accessing the internet there are a few other things you must be aware of:

1. Set the FW Quickmode to "No", as the inside would otherwise be wide open.

2. Filtering happens on IP-level, so you must know the IP's of the PC's you want to block. Since you are giving the addresses by DHCP you need to take care that these PC's are always given the same IP-address. Therefore you need to find out the physical MAC-addresses of those PC's, and configure the DHCP-server something like this (in YaST2):

   Subnet : 192.168.1.0/255.255.255.0
   Range  : 192.168.1.2 192.168.1.127
   Router : 192.168.1.1
   Hosts:
     PC_1 fixed-address 192.168.1.129 hardware ethernet 01:23:45:67:89:AB (<- HW address from PC's eth)
     PC_2 fixed-address 192.168.1.130 hardware ethernet 01:23:45:67:89:AC
     etc...

3. In the FW-setup: set FW_MASQ_NETS to: 192.168.1.0/25
   This will allow all addresses below 192.168.1.128 to access the internet, and block the addresses above .128. You could also restrict access to specific services, e.g. http, ftp, etc. You'll find more about that in the description with each option.

The other thing you need to remember (in FW-config) is:

4. Block all access from the outside; allow access *only* to those services you want to offer to the public. If none, block all (FW_SERVICES_EXT_* and FW_ALLOW_INCOMING_HIGH_*).

Hope this helps:
/Marty
participants (5)
-
Alberto Santana
-
Jerry Feldman
-
Per Jessen
-
Sid Boyce
-
Smartyone