Logging/Blocking LAN traffic
Hello,
Where I work we have a LAN; it is almost 100% Windows machines except for 2 CentOS machines to which some clients connect via VPN (very small network, <50 IPs used). I would like to know if there is a way to block access from those machines to others in the network. I'm already logging traffic (with IPTraff) to see if they're accessing machines in the network other than the ones they should connect to. Thanks in advance, Nuno Santos
Which machines are you trying to block, and from where?
The problem is that our clients connect to those CentOS machines through VPN and they have access to all of our network. I want to limit them to only the machines they have to connect to for work. Thanks again
DMZ?
They connect to those CentOS machines, and they need to connect to more machines inside of our network (mainly printers and one or two more computers). But, since they connect through VPN, they have an internal IP and can access the whole network. Ahh, and our network is workgroup based, not domain. Maybe that'll change in the upcoming months but I don't know when. Thanks, Nuno Santos
Which internal IP addresses do they get? If you can safely block anything coming from a local IP in the CentOS boxes then it should be quite straightforward.

iptables -A OUTPUT -o eth0 -p all -d xxx.xxx.xxx.xxx -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d yyy.yyy.yyy.yyy -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d zzz.zzz.zzz.zzz -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -j REJECT

xxx.xxx.xxx.xxx is an allowed destination, as are yyy and zzz. Those rules must come before the REJECT rule if they are to work. Make sure the correct outgoing ethX name is used, and the correct IP addresses to allow. The problem lies in allowing outgoing traffic back over the VPN. Do the CentOS boxes have separate ethernet ports for internal and external networks?
I would have put a source IP in there as well; I forgot before. As in:

iptables -A OUTPUT -o eth0 -p all -s localhost -j REJECT

or

iptables -A OUTPUT -o eth0 -p all -s 192.168.1.0/24 -j REJECT
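The two replies above build an allow-list of destinations followed by a catch-all REJECT, and then add a source match. The script below is an added example, not code from anyone in this thread. It assumes the CentOS boxes route the VPN clients' traffic onto the LAN, so that traffic traverses the FORWARD chain rather than OUTPUT, and it generalises the hand-typed rules into a generated iptables-restore ruleset that also logs every denied attempt (which covers the original poster's logging goal without a separate sniffer). The interface names (tun0, eth0), the VPN client pool (10.8.0.0/24) and the allowed LAN hosts are all constructed placeholders to replace with the real values.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset that
# confines VPN clients terminating on a CentOS box to an allow-list of LAN hosts.
# Assumes the box routes client traffic, so it traverses the FORWARD chain.
# Every interface name and address below is a constructed placeholder.

VPN_IF="tun0"            # assumed: interface the VPN clients arrive on
LAN_IF="eth0"            # assumed: interface facing the Windows LAN
VPN_NET="10.8.0.0/24"    # assumed: address pool handed out to VPN clients
# assumed: the hosts clients may reach (printers plus one or two workstations)
ALLOWED="192.168.1.10 192.168.1.11 192.168.1.20 192.168.1.21"

# Print a ruleset in iptables-restore format. Allowed destinations are ACCEPTed;
# everything else from the VPN pool towards the LAN is logged, then rejected.
# Ordering matters: the ACCEPT rules must precede the LOG/REJECT pair.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':VPN_LAN - [0:0]'
    # Replies to connections the clients opened also pass through FORWARD.
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Hand all traffic from the VPN pool towards the LAN to the VPN_LAN chain.
    printf '%s\n' "-A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -j VPN_LAN"
    for dst in $ALLOWED; do
        printf '%s\n' "-A VPN_LAN -d $dst -j ACCEPT"
    done
    # Log the denied attempt (rate-limited so a scan cannot flood syslog), then reject.
    printf '%s\n' '-A VPN_LAN -m limit --limit 10/min -j LOG --log-prefix "VPN-LAN-DENY: "'
    printf '%s\n' '-A VPN_LAN -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Sanity checks on the generated ruleset.
count_allowed() {
    build_rules | grep -c -e '-A VPN_LAN -d .* -j ACCEPT'
}

reject_is_last() {
    # The final rule in VPN_LAN must be the REJECT, otherwise it shadows the allow-list.
    build_rules | grep -e '-A VPN_LAN' | tail -n 1 | grep -q REJECT
}

# Without arguments the script only prints the ruleset for review.
# Run as root on the CentOS box with "apply" to load it atomically:
#   sh vpn_lan_rules.sh apply
case "$1" in
    apply) build_rules | iptables-restore ;;
    *)     build_rules ;;
esac
```

Denied connections show up in /var/log/messages with the VPN-LAN-DENY prefix, so a client probing hosts outside its allow-list is visible without running IPTraf. Because everything goes through iptables-restore, the whole ruleset is swapped in one step rather than rule by rule, which avoids a window where the catch-all REJECT is loaded before its ACCEPT exceptions.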