LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
02-04-2008, 03:39 PM   #1
atrain (Member; Registered Apr 2004; Toronto, Ontario; Gentoo)

Same subnet, but running specific clients through a separate gateway?


I have been given the task of building an "internet kill switch". This is for a single computer lab in a building with many other clients. All computers (lab or otherwise) need complete access to the entire subnet all the time. This means that I can't just hit a power switch for the lab hub. To make matters worse, there is no way to isolate the clients physically from the network at all.

My original idea was to route all traffic through a Linux box. I'd have a mechanism to switch between 2 iptables profiles. One would allow all traffic through (we have another firewall, no need to make this too complex) and one would block all traffic except that going to the local subnet (10.0.0.0/24).

As I can't physically isolate the clients, I was considering just pointing them to this Linux box, and having it act as the internet gateway. But some people told me that I may have to use something like proxy ARP or bridging to have the router repeat the subnet. Would the fact that they're still physically linked fix this? Or do I still have to do something like this? There is only 1 ethernet connection on the machine, because there is only 1 network, so bridging could not work.

Also, you may just recommend I make an IP or MAC based Firewall for the internet itself. Unfortunately, this solution is also not available.

Here is a little diagram:
Current:
Internet --- Network + Lab (10.0.0.0/24)

What I want:
Network (10.0.0.0/24) ----- Lab (10.0.0.0/24)
|_Firewall/Gateway (10.0.0.2)

Not available options:
Internet --- Firewall --- Network / Lab
Internet --- Network --- Firewall --- Lab.

It's a very weird situation, and I can use all the help I can get. Thanks in advance!
~ ATrain.
 
02-04-2008, 03:53 PM   #2
acid_kewpie (Moderator; Registered Jun 2001; UK; Gentoo, RHEL, Fedora, Centos)
Ideally you have a separate VLAN which holds that client. You didn't say anything about the switch you're using, but you don't need two NICs to do routing; one is fine. If you can, just configure an 802.1q trunk between that box and a suitably intelligent switch. If you can't do VLANs, you can still just put two separate networks on one NIC regardless, e.g. 10.0.0.0/24 and 192.168.0.0/24, and then just route through it. That'd work fine, no need to mess with proxy ARP or anything that messy...
 
02-04-2008, 04:07 PM   #3
atrain (Original Poster)
I'm not sure how well these windows boxes will handle being on a separate subnet from the PDC, but I can always give it a try. And no, the switches don't have any useful features.

But the general consensus is that for them to go through the gateway, but be on the same subnet, I'll need to set up proxy ARP? Any advice on how to go about doing that? Can I just enable the kernel option, or is there any other configuration I have to do as well?

 
02-04-2008, 04:34 PM   #4
acid_kewpie (Moderator)
There would be no need for proxy ARP at all. If you set that machine's GW to be the Linux box then it has no idea where the packets go after that, but you would need to do NAT on the Linux box to retain some form of sanity.
 
02-04-2008, 04:42 PM   #5
atrain (Original Poster)
I'd prefer to avoid NAT, because then our logging system would have issues.

Would incoming traffic work though? Basically, I'd prefer if this gateway could be completely transparent to both sides of the network.
 
02-04-2008, 05:14 PM   #6
acid_kewpie (Moderator)
If it's transparent, then it's not a gateway, it'd be a bridge, and then you are back to VLANs on a decent switch or two NICs and separate switches.
 
02-04-2008, 05:20 PM   #7
atrain (Original Poster)
"There would be no need for proxy ARP at all. If you set that machine's GW to be the Linux box then it has no idea where the packets go after that, but you would need to do NAT on the Linux box to retain some form of sanity."

Assuming I just set them to the GW, without NAT, what would happen exactly? Would data still get through, in both directions? When you say that it has no idea where the packets go after that, what do you mean by that exactly?

Also, are there any alternative solutions that would work well and be easier to implement than this? I might be able to get off with just pointing all the lab computers to this for DNS, because I doubt many of the users will memorize Google's IP :P
 
02-05-2008, 04:50 AM   #8
acid_kewpie (Moderator)
Without NAT you would have asymmetric routing. Outbound data would go via the gateway, but as it would still have a source address on the local network, the responses would go directly to the box from the real gateway. This isn't *great* design, but asymmetric routing isn't that bad, and is very, very common in more complex Internet routing environments. It's only if you go through a stateful device, e.g. a firewall, that you would come unstuck, as it'd only see half a conversation and complain.
 
02-05-2008, 10:51 AM   #9
atrain (Original Poster)
That should be fine. I don't think blocking incoming traffic is too important; once they can't send data out it should be fine. The clients are plugged into a dumb switch; I don't think it will care how the data is being routed.

Would an iptables config like this work?

Internet mode (allow everything)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Local-only mode (drop everything that's not local network traffic)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# "10.0.0.0/255" is not a valid prefix length and "ALLOW" is not an iptables target;
# the rule below accepts forwarded traffic destined for the local /24
iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT

(I don't have the box yet so I can't test any settings. I'm not great w/ iptables.)
 
02-05-2008, 11:03 AM   #10
acid_kewpie (Moderator)
Well, you wouldn't really want iptables at all. Either the box routes or it doesn't, so if you just send an "echo 0 > /proc/sys/net/ipv4/ip_forward" then it will stop routing anything instantly. You could do it with iptables if you wanted, but it wouldn't actually be needed.
 
02-05-2008, 12:19 PM   #11
atrain (Original Poster)
I do want to use iptables. It still has to route local network traffic when the Internet is disabled. That's why "iptables -A FORWARD -d 10.0.0.0/255 -j ALLOW" is there. Otherwise, all traffic would be stopped, and that doesn't help.
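A complete kill-switch script, added here as an example and not part of the thread, that puts the two profiles discussed in #9 and #10 into iptables-restore form. It assumes the lab subnet is 10.0.0.0/24 and that the box stays a router in both modes (so ip_forward is left at 1 and only the FORWARD chain changes); the LAB_NET variable, the function names and the log prefix are this example's own choices, not anything the posters used.

```shell
#!/bin/sh
# Added example (not from the thread): an "internet kill switch" for a
# single-NIC Linux gateway, loaded atomically with iptables-restore.
# Assumptions (not stated in the thread): the lab subnet is 10.0.0.0/24,
# this box forwards for the lab clients, and the real border router stays
# the default route for the rest of the network.
LAB_NET="${LAB_NET:-10.0.0.0/24}"

# Emit a complete iptables-restore rule set for the requested mode.
#   internet : forward everything (the other firewall does the real work)
#   local    : forward only traffic whose destination is inside LAB_NET;
#              anything bound for the Internet is logged and dropped
rules_for_mode() {
    mode="$1"
    case "$mode" in
        internet)
            cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
            ;;
        local)
            cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local-subnet traffic still routes. No -m conntrack/state match here:
# with asymmetric routing this box only ever sees the outbound half of a
# flow, so a stateful rule would never see the reply that establishes it.
-A FORWARD -d $LAB_NET -j ACCEPT
-A FORWARD -j LOG --log-prefix "killswitch-drop: " --log-level 4
-A FORWARD -j DROP
COMMIT
EOF
            ;;
        *)
            echo "usage: $0 internet|local" >&2
            return 2
            ;;
    esac
}

# Number of explicit FORWARD rules a mode produces (self-check helper).
count_forward_rules() {
    rules_for_mode "$1" | grep -c '^-A FORWARD' || true
}

# Load the rule set atomically and make sure forwarding itself stays on:
# flipping ip_forward to 0 would also kill lab-to-subnet routing.
apply_mode() {
    rules_for_mode "$1" | iptables-restore && \
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Only touch the live firewall when run as root with an explicit mode;
# otherwise the script just defines the functions above.
if [ "$#" -eq 1 ] && [ "$(id -u)" -eq 0 ]; then
    apply_mode "$1"
fi
```

Run it as root with `internet` or `local` to load a profile. The local profile deliberately avoids `-m state`/`-m conntrack` matching: as #8 points out, replies from the real border router reach the clients directly, so this box never sees the reverse direction and a stateful rule would never match. The LOG rule gives the logging system a record of what the switch dropped without needing NAT.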
 
02-05-2008, 12:23 PM   #12
acid_kewpie (Moderator)
Hmm, yeah, I suppose. Alternatively, set a local route and a remote route on the client PC, so only Internet requests come via your box anyway..?
 
02-05-2008, 12:29 PM   #13
atrain (Original Poster)
Well, I thought that if you set the default gateway, then all traffic should be routed through that if possible. If traffic was coming in from other locations, it would be accepted, but for requests out of the network, it would try this gateway before the default router.

BTW: The client computers in this case are Windows boxes; I don't know if that makes a difference or not. I never monkeyed with this kind of stuff back when I was a Windows user 3.5 years ago. But they only have 1 field for the gateway.
 