LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-13-2004, 11:54 AM   #1
otisthegbs
Member
 
Registered: May 2003
Location: Vancouver
Distribution: RH9
Posts: 100

Rep: Reputation: 15
Restricting internal LAN users access


So I just completed my first custom firewall, and with the help of an excellent PDF, I must say I'm quite impressed. But unfortunately my next task is not covered in my firewall bible. I want to be able to completely restrict all the internal users from seeing each other: no pings, no TCP, nothing. How do I do this? Is it with iptables? And if so, how?
 
Old 05-13-2004, 12:53 PM   #2
g_goblin
Member
 
Registered: Oct 2002
Location: Chitown
Distribution: RH 7.2/3
Posts: 48

Rep: Reputation: 15
A firewall restricts access from network to network. I don't see how it would be able to restrict access between two computers on the same subnet.
 
Old 05-13-2004, 12:59 PM   #3
otisthegbs
Member
 
Registered: May 2003
Location: Vancouver
Distribution: RH9
Posts: 100

Original Poster
Rep: Reputation: 15
OK, I see.

OK, so how would I come up with a way of restricting those users from accessing each other?
 
Old 05-13-2004, 04:05 PM   #4
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
You need iptables and a firewall script on each machine to do that, I believe.

A quick and dirty way to disallow all pings is:
Code:
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
 
Old 05-13-2004, 05:58 PM   #5
otisthegbs
Member
 
Registered: May 2003
Location: Vancouver
Distribution: RH9
Posts: 100

Original Poster
Rep: Reputation: 15
That won't do for my situation; the clients on the network will change every day.
 
Old 05-14-2004, 01:41 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally posted by otisthegbs
I want to be able to completely restrict all the internal users from seeing each other, no pings, no tcp, nothing.

What's the purpose of doing that?
 
Old 05-14-2004, 07:26 AM   #7
manya
Member
 
Registered: Apr 2004
Posts: 194

Rep: Reputation: 15
Restrictive firewall

Hey, it's too easy.

There are two ways to perform this task.

One way is you can block ping by putting a rule in the firewall like this:

Code:
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

or

the way you already got an answer, I mean editing the sysctl.conf file.


Also, if you want to block all the traffic from different LANs, the way is to
make your firewall restrictive by setting the default policy to DROP:

Code:
iptables -P FORWARD DROP
 
Old 05-14-2004, 01:10 PM   #8
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Rep: Reputation: 49
What was the PDF you found, if I may ask?

-- Poetics
 
Old 05-15-2004, 02:26 PM   #9
otisthegbs
Member
 
Registered: May 2003
Location: Vancouver
Distribution: RH9
Posts: 100

Original Poster
Rep: Reputation: 15
OK, so I'll explain it a bit further. I DON'T want users in ONE subnet to be able to see each other with pings, TCP, UDP, nothing. Now, I already figured out that this is NOT going to happen in the same subnet. So what I did was create around 200 virtual networks and assign each user their own subnet, i.e.:

192.168.1.3
192.168.2.3
192.168.3.3
192.168.4.3

and then told iptables that no virtual ethernet cards (eth1:1, eth1:2, eth1:3) could talk to each other, but everyone could talk to eth1 (the router) and the router could talk to everyone.

Oh, and dude, the PDF I found is killer. It's an 896-page PDF document on securing your Linux box; it's just nuts. The iptables stuff is around page 196.
Here's the link:

http://www.tldp.org/LDP/solrhe/Secur...ution-v2.0.pdf

It's dope, man, just dope! Oh hey, if anyone's got an idea on how to exploit my multiple-subnet network to see other users (aside from manually configuring your IP), or if you have an idea on how to circumvent this, LEMME KNOW!!!
 
Old 05-15-2004, 02:54 PM   #10
Rick485
Member
 
Registered: Sep 2003
Location: Arizona
Distribution: Kubuntu 8.04
Posts: 202

Rep: Reputation: 30
I am no expert on any of this and was wondering how you created the virtual ethernet cards? Are you using VMware or something like that to create the virtual ethernet cards? I use VMware on my home computer, by the way.

It seems to me that much the same thing could be accomplished on a real router. You could use a subnet mask that creates the smallest possible size subnets and then place everyone on a separate subnet. For instance, suppose you have a class C address with a subnet mask of 255.255.255.254. If I am not mistaken you would then have 252 usable networks with 2 usable IP addresses per subnet. Of course, to communicate between each subnet they would need to go through a router. The router could use access control lists to control access to each port in either direction.

VLANs would also accomplish much the same thing. I assume you are using an ethernet network with a star topology. Suppose you replaced your hubs or switches with switches that support the creation of VLANs. You could then create very small VLANs with only one or several users per VLAN. To communicate between VLANs you would need to go through a router. The access control list on the router could be used to control things. If both the switch and the router support trunking you would only need one cable between each switch and the router. By the way, packets do not leak between VLANs.

I am not a network administrator or anything like that, so what I have just suggested may or may not be practical or correct. I hope I am not way over my head on this subject. I do not know enough about security to know how to exploit any of these.
 
Old 05-15-2004, 04:15 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally posted by otisthegbs
K, so I'll explain it a bit further (...) talk to everyone.

I'm still wondering what's the purpose of doing that? What makes you think you need this?
 
Old 05-16-2004, 06:33 PM   #12
otisthegbs
Member
 
Registered: May 2003
Location: Vancouver
Distribution: RH9
Posts: 100

Original Poster
Rep: Reputation: 15
unSpawn: dude! I want to make a network where no one can ping/connect/see anyone else. And Rick485, you pretty much hit the nail on the head; that's exactly what I'm doing, with the exception of the switch to support VLANs. I'm just making virtual ethernet cards with redhat-config-network, i.e. eth1 192.168.1.1, eth1:1 192.168.2.1, eth1:2 192.168.3.1, and so on. Then on each subnet there is a 192.168.x.3 address for the client. Then the firewall is configured so that eth1 can see all subnets, but all subnets can ONLY see eth1.
 
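The router design otisthegbs describes in posts #9 and #12 (one eth1 alias per user, 192.168.N.1/24 on the router and 192.168.N.3 for the client) can be written as a concrete ruleset, combined with the default-DROP FORWARD policy from post #7. The script below is an added example for this thread, not code posted by anyone in it or taken from the PDF. It generates a ruleset in iptables-restore format rather than running iptables directly, so it can be reviewed before it is loaded. Assumed, because the thread does not say: the upstream interface is called eth0, and the router itself should only be reachable at each subnet's .1 address from that subnet's .3 client. Two points the posts gloss over are made explicit in the comments: iptables matches on the physical device, so alias labels such as eth1:1 cannot be used with -i/-o (the rules use addresses instead), and the router must stop sending ICMP redirects, or it will tell each client to bypass it.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a router that gives
# every user its own /24 on aliases of one LAN interface (as in this thread),
# lets each client talk to the router only, and never forwards LAN -> LAN.
# Assumptions not stated in the thread: upstream interface eth0, and the
# client of subnet N always sits at 192.168.N.3 (as otisthegbs described).

# gen_rules LAN_IF WAN_IF COUNT  -> ruleset for subnets 192.168.1..COUNT on stdout
gen_rules() {
    lan="$1"; wan="$2"; n="$3"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'          # default DROP, as suggested in post #7
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # "everyone can talk to eth1": client N may reach its own gateway address.
    # Address matches are used because eth1:1 etc. are labels, not devices.
    i=1
    while [ "$i" -le "$n" ]; do
        echo "-A INPUT -i $lan -s 192.168.$i.3/32 -d 192.168.$i.1/32 -j ACCEPT"
        i=$((i+1))
    done
    # Never route a packet back out the interface it arrived on. This is the
    # rule that stops 192.168.1.3 -> 192.168.2.3 when the client routes via
    # its gateway; without it the router would happily hairpin the traffic.
    echo "-A FORWARD -i $lan -o $lan -j DROP"
    # Only the expected client address of each subnet may go upstream.
    i=1
    while [ "$i" -le "$n" ]; do
        echo "-A FORWARD -i $lan -o $wan -s 192.168.$i.3/32 -j ACCEPT"
        i=$((i+1))
    done
    echo "-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo 'COMMIT'
}

# gen_sysctl LAN_IF -> kernel settings the ruleset alone does not cover
gen_sysctl() {
    lan="$1"
    echo 'net.ipv4.ip_forward = 1'
    # With redirects on, the router answers the first LAN->LAN packet with an
    # ICMP redirect ("send it directly"), and the client then bypasses FORWARD.
    echo "net.ipv4.conf.$lan.send_redirects = 0"
    echo 'net.ipv4.conf.all.send_redirects = 0'
}

# Usage (as root, on the router):
#   sh thisfile.sh --print eth1 eth0 200 > /tmp/rules.txt   # review first
#   gen_rules eth1 eth0 200 | iptables-restore
#   gen_sysctl eth1 >> /etc/sysctl.conf && sysctl -p
if [ "${1:-}" = "--print" ]; then
    gen_rules "${2:-eth1}" "${3:-eth0}" "${4:-3}"
    gen_sysctl "${2:-eth1}"
fi
```

One caveat on the design itself, which answers the "how would you circumvent this" question in post #9: all 200 aliases share a single Ethernet segment, so the isolation is enforced only by each client's own routing table. A client that adds a second address or a static route for 192.168.2.0/24 on its own NIC reaches 192.168.2.3 by ARP and never passes through FORWARD at all; the rules above only stop traffic the router is asked to carry. Isolating hosts on the same switch needs the switch to do it (per-port VLANs as Rick485 suggests, or a port-isolation feature), with the router then filtering between VLAN interfaces.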
Old 05-16-2004, 06:37 PM   #13
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

Rep: Reputation: 49
I'm still with unSpawn with this -- otis, you've mentioned what you want, but the key question is why is this so important if everyone's on the same network?

I mean, what's the point of networking in this instance?
 
Old 05-16-2004, 09:13 PM   #14
otisthegbs
Member
 
Registered: May 2003
Location: Vancouver
Distribution: RH9
Posts: 100

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Poetics
why is this so important if everyone's on the same network?

Because I don't want them to see each other! I've said this three times now. I don't want to sound like a dink, but read the posts! I figure that if I put everybody on a different subnet, and then restrict subnet access through the firewall, then they won't be able to see each other.
 
Old 05-16-2004, 11:22 PM   #15
zack3g
LQ Newbie
 
Registered: May 2004
Location: Manila, Philippines
Distribution: Parrot on a MSI Laptop
Posts: 27

Rep: Reputation: 15
Quote:
Originally posted by Poetics
I'm still with unSpawn with this -- otis, you've mentioned what you want, but the key question is why is this so important if everyone's on the same network?

I mean, what's the point of networking in this instance?


Precisely. I thought the main idea behind having a network is to have the computers be able to communicate with each other. But I can see how this would be used in some instances. For example, you have the router acting as a gateway to XXXX (internet, other WAN), and you are doing some rather high-security stuff on these computers, and want them only to be able to access XXXX, and not communicate with each other. That would really be the only point of having it anyway, because if they aren't needing to get out elsewhere, why not just have them as stand-alone machines?

Who knows, maybe this dude is just one of those people who does things not because he needs to, but because he thinks he can, or simply wants to see if it can be done. Anyhow, I think it would be a waste of well, just about everything to even attempt this, but hey if that's his thing, let him run with it.
 