Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Isolate Windows box in a Linux LAN
I have four Debian computers in a LAN with a Linksys router and a switch. The router is set for DHCP, but I have given the four Linux boxes static IP addresses – 192.168.1.110...113 and the static IPs are functioning. The file /etc/hosts, in each computer, is configured to enable ssh between all Linux boxes by host name.
Now, I have added a Windows XP computer that will be used only once in a while for a specific purpose. It is configured for DHCP, 198.162.1.100, and shares the internet connection. I tried to assign it static IP 192.168.1.114 and that was successful, but then it wouldn't connect to the internet. So, I put it back to DHCP. It will ping the Linux computers, but they cannot ping it regardless of whether the Windows firewall is on or off.
What I want to accomplish is for the Linux computers to not accept any communication from the Windows computer. I have tried putting “All: 192.168.1.100” (the Windows DHCP IP address) or “IP: 192.168.1.100” into the /etc/hosts.deny file, but the Windows box still is able to ping to Linux.
If I'm not being too paranoid, how can I isolate that computer?
As I understand it, hosts.deny and hosts.allow are utilized by the tcp wrapper and protect individual daemons, which operate at the application layer of the IP stack. Ping, on the other hand, operates on the internet layer, which is well below the application layer. So ping is not a good test of whether you've secured access or not. Try accessing the Linux boxes via an ssh or ftp client instead.
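To make the point above concrete, here is an added example (not posted in this thread) that models how tcpd/libwrap consults hosts.allow and hosts.deny: the allow file is searched first, then the deny file, and a client that matches neither is admitted. The entry format is "daemon_list : client_list"; the OP's "IP: 192.168.1.100" line names no daemon, so it never matches. The file paths are parameters so the check runs unprivileged against scratch copies before anything is installed under /etc; the model only understands exact IP addresses and the ALL wildcard, not hostnames, netmasks or EXCEPT clauses. Whatever these files say, ICMP echo is never consulted against them, which is why ping keeps working.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal model of tcpd's
# hosts.allow / hosts.deny lookup so entries can be tested before install.
# Handles "daemon_list : client_list" with exact IPs and ALL only.

# Append a deny entry for one client to the given hosts.deny file.
# Daemon names come first, the client after the colon; ALL covers every
# daemon that is linked against libwrap (sshd, vsftpd, ... but never ping).
deny_client() {
    daemons=$1; client=$2; file=$3
    printf '%s: %s\n' "$daemons" "$client" >> "$file"
}

# Does one access-control line match daemon $2 contacted by client $3?
# Lists are comma or space separated; ALL is the wildcard.
line_matches() {
    line=$1; daemon=$2; client=$3
    dlist=${line%%:*}
    clist=${line#*:}
    dmatch=0; cmatch=0
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
        [ "$d" = "ALL" ] || [ "$d" = "$daemon" ] && dmatch=1
    done
    for c in $(printf '%s' "$clist" | tr ',' ' '); do
        [ "$c" = "ALL" ] || [ "$c" = "$client" ] && cmatch=1
    done
    if [ "$dmatch" = 1 ] && [ "$cmatch" = 1 ]; then return 0; else return 1; fi
}

# Search one file for a matching entry; comments and blank lines are ignored.
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        line_matches "$line" "$daemon" "$client" && return 0
    done < "$file"
    return 1
}

# tcpd order: hosts.allow grants, then hosts.deny refuses, else grant.
wrapper_verdict() {
    daemon=$1; client=$2; allow=$3; deny=$4
    if file_matches "$allow" "$daemon" "$client"; then echo allow
    elif file_matches "$deny" "$daemon" "$client"; then echo deny
    else echo allow
    fi
}
```

Usage: `deny_client "sshd, vsftpd" 192.168.1.100 /tmp/hosts.deny` followed by `wrapper_verdict sshd 192.168.1.100 /tmp/hosts.allow /tmp/hosts.deny` prints `deny`, while the same query for one of the static Linux addresses prints `allow`. A daemon that is not linked against libwrap is never asked, so a verdict here says nothing about services that bypass the wrapper.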
You can't really isolate any networked computer unless you disconnect the ethernet cable. You protect your Linux system by hardening it and applying as many best practices as you can.
Just like jefro said, the best way to completely isolate a network computer simply is to disconnect it by pulling the plug. If you want the most security, make sure that you update your system on a daily basis, and reconfigure iptables by dropping virtually all packets going to that particular system, and manually allowing data to it.
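The iptables approach suggested in the two replies above, written out as an added example (not code from this thread): the INPUT chain gets a default DROP policy on one of the Debian boxes, the Windows host is refused explicitly, and only the four static addresses are let through for ssh and ping. The Windows address 192.168.1.100 and the 192.168.1.110-113 range are taken from the thread; the MAC address is a placeholder, included because the Windows box is on DHCP and an IP-only rule stops matching the moment its lease changes. Applying the rules needs root, so the script only prints them unless `apply_isolation_rules` is called.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny INPUT rules for one of
# the static Linux boxes, with the Windows host dropped by IP and by MAC.
WIN_IP=${WIN_IP:-192.168.1.100}
WIN_MAC=${WIN_MAC:-00:11:22:33:44:55}   # placeholder: read the real MAC from the router's lease table
LAN_TRUSTED=${LAN_TRUSTED:-192.168.1.110-192.168.1.113}

# Print the rules one per line without touching the kernel, so they can be
# reviewed (or diffed against the running set) before being applied.
build_isolation_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s $WIN_IP -j DROP
iptables -A INPUT -m mac --mac-source $WIN_MAC -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m iprange --src-range $LAN_TRUSTED -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m iprange --src-range $LAN_TRUSTED -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# Apply the printed rules in order; requires root. Stops at the first failing
# command so a half-applied rule set is noticed rather than silently kept.
apply_isolation_rules() {
    build_isolation_rules | sh -e
}

# Ordering matters: both DROP rules sit above the ESTABLISHED,RELATED ACCEPT,
# so a connection the Windows box has already opened is cut off as well.
# The default DROP policy is what finally stops its pings: echo-request is
# only accepted from the trusted range.
```

The rules are applied per Linux box, not on the router, and the boxes keep their static addresses so no DHCP exception is needed in INPUT. Outbound traffic is untouched; replies to connections the Linux boxes open (DNS, apt, ssh to each other) return through the ESTABLISHED,RELATED rule.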
Original Poster
corp769 and jefro,
You guys are right. I was trying to make a simple solution complicated. The win box only gets used maybe twice a month for a short time. Other than that, it's turned off. When using Windows, turn off the Linux computers. Thanks
I'm always joking that "the most secure setting is 'off'", but mostly to highlight the fact that going overboard on security leads to sacrificing usability, so finding the right balance, which gives the most security while still maintaining maximum usability, is important. Keeping the Windows machine powered off when it's not needed is a solid policy, but I don't know that I'd want to run around the house shouting, "Everyone! SHUT DOWN YOUR MACHINES!! I'M BRINGING UP THE WINDOWS BOX!!"