LinuxQuestions.org
Slackware forum: This Forum is for the discussion of Slackware Linux.
Post #1, 10-16-2007, 04:08 PM, matters (Member):
Filter traffic between computers on the same subnet

Let's say I have 1 network of 3 computers, mixed OS (WinXP and Linux).

I'm wondering how to filter traffic between computers on the same subnet using a single firewall on Linux.

Is that possible? What way? iptables, or is there another?

Let's say the subnet is 192.168.0.0 (the DHCP server is running on Linux).

Thanks!
 
Post #2, 10-16-2007, 04:16 PM, acid_kewpie (Moderator):
A firewall is a layer 3 device; it won't see any traffic on an internal network unless you are running a layer 2 firewall, i.e. transparently switching through it. You can achieve this with, for example, a Linux box with a handful of NICs in it and ebtables filtering the layer 2 bridged traffic rather than iptables handling the layer 3 routed traffic.
 
Post #3, 10-16-2007, 04:49 PM, matters (Member, original poster):
Could you give an example, so I can understand it more easily?

I thought iptables can understand layer 2, since it's possible to filter based on MAC address too.

Can you give me more details about ebtables regarding layer 2 filtering, since I have just one subnet (192.168.0.0) right now and want to have a Linux box do the filtering?

Thanks!
 
Post #4, 10-16-2007, 05:24 PM, acid_kewpie (Moderator):
In order to filter traffic, that filtering device needs to have full control of that traffic. This will only be the case if, rather than connecting these machines with an Ethernet switch, you use the server as the switch, one NIC per machine, and then use the bridge module to make that collection of NICs behave as a switch. Without that direct involvement in the traffic, it will never see the traffic between two other nodes at all.
 
Post #5, 10-17-2007, 07:29 AM, matters (Member, original poster):
To clarify, that means instead of the Ethernet switch which I currently use, I need to use, for instance if I have a DSL router + 2 Linux boxes + 2 WinXP, 5 separate NICs on the Linux server, and the rest of the computers 1 NIC per machine to connect, then the bridge module to use the NICs as a switch?

Wondering if there's a similar solution regarding an external switch?

Now, by accomplishing this, it means that I can combine iptables/ebtables and have only 1 firewall controlling the whole subnet.

That's what I wanted to achieve.

I'm looking for an opinion to see if it's more secure than using firewalls on each machine?

Thanks!
 
Post #6, 10-17-2007, 08:11 AM, acid_kewpie (Moderator):
That's right, if you want to stop client 1 talking to client 2. I should say that what you're asking for is *very* uncommon. You really don't see anyone do it at all outside of high security enterprise networks. Client firewalls are by far the more common approach.
 
Post #7, 10-17-2007, 05:19 PM, matters (Member, original poster):
That's good. I'm wondering, is there anything I can do with VLANs to achieve this?

Thanks!

P.S. I'm having trouble installing multiple NICs into the same computer; I don't have enough space.
 
Post #8, 10-18-2007, 04:07 AM, acid_kewpie (Moderator):
OK, well we've not moved into 802.1q switching as of yet, but if you are already there, then yes, you could use VLANs to achieve this. You *could* create one VLAN for each switchport on your switch and trunk them all up to the server on an uplink port. This is the sort of physical architecture that many new NAC vendors are taking in the emerging markets, but they would be in a fail-open hardware environment, so the filtering device going down wouldn't be able to cause an outage. But yeah, you could try that on a single NIC if you already have a capable switch.
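As an added example (not code from the thread or from either poster), the shell script below puts the two layouts described in posts #4 and #8 side by side: the multi-NIC software switch, where the server has one NIC per machine and the bridge module joins them, and the single-NIC variant, where a managed 802.1q switch places each switchport in its own VLAN and trunks them up to the server. In both cases the same ebtables rules on the bridge's FORWARD chain let every client port exchange frames with the gateway port only, so clients cannot reach each other at layer 2. All interface names (eth0 as the uplink, eth1..eth3 as client ports, br0, VLAN IDs 10..40) are assumptions made for the example; DRY_RUN=1, the default, only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: turn a Linux box into the "switch" and
# filter the bridged layer 2 traffic with ebtables, so each client can reach
# the gateway port but not the other clients.
#
# Assumed (constructed) names: br0 is the bridge, eth0 is the uplink to the
# DSL router, eth1..eth3 are the client ports (multi-NIC layout), and VLAN IDs
# 10..40 are the per-switchport VLANs trunked up on eth0 (single-NIC layout).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.

DRY_RUN="${DRY_RUN:-1}"

# run CMD ARG...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# make_bridge BRIDGE PORT...: create the bridge and enslave every port to it.
# (brctl addbr / brctl addif do the same job on older systems.)
make_bridge() {
    br="$1"; shift
    run ip link add name "$br" type bridge
    for port in "$@"; do
        run ip link set "$port" master "$br"
        run ip link set "$port" up
    done
    run ip link set "$br" up
}

# make_vlan_ports TRUNK VID...: one 802.1q sub-interface per VLAN on the
# trunk NIC; each TRUNK.VID then plays the role of a physical client port.
make_vlan_ports() {
    trunk="$1"; shift
    for vid in "$@"; do
        run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
    done
}

# isolate_clients GATEWAY_PORT CLIENT_PORT...: ebtables FORWARD policy for the
# bridge. Default DROP, then accept frames only between a client port and the
# gateway port, in both directions. Client-to-client frames (including ARP
# broadcasts flooded towards another client port) hit the DROP policy.
# ebtables has no connection tracking, hence one explicit rule per direction.
isolate_clients() {
    gw="$1"; shift
    run ebtables -F FORWARD
    run ebtables -P FORWARD DROP
    for client in "$@"; do
        run ebtables -A FORWARD -i "$client" -o "$gw" -j ACCEPT
        run ebtables -A FORWARD -i "$gw" -o "$client" -j ACCEPT
    done
}

# plan_multi_nic: post #4 layout, one NIC per machine plus the uplink NIC.
plan_multi_nic() {
    make_bridge br0 eth0 eth1 eth2 eth3
    isolate_clients eth0 eth1 eth2 eth3
}

# plan_single_nic: post #8 layout, a managed switch trunks one VLAN per
# switchport to eth0; VLAN 10 is assumed to be the router's switchport.
plan_single_nic() {
    make_vlan_ports eth0 10 20 30 40
    make_bridge br0 eth0.10 eth0.20 eth0.30 eth0.40
    isolate_clients eth0.10 eth0.20 eth0.30 eth0.40
}

# Usage: sh isolate.sh multi | single   (prefix with DRY_RUN=0 to apply)
case "${1:-}" in
    multi)  plan_multi_nic ;;
    single) plan_single_nic ;;
esac
```

Two points worth knowing before applying this. Frames addressed to or from the box's own br0 address (its DHCP server, for instance) traverse the ebtables INPUT and OUTPUT chains, not FORWARD, so the DROP policy above does not cut the clients off from the server itself. And when the net.bridge.bridge-nf-call-iptables sysctl is 1, bridged frames are also handed to the iptables FORWARD chain, which is how the iptables/ebtables combination asked about in post #5 works in practice: ebtables decides which ports may talk at layer 2, and stateful iptables rules on the same box refine that at layer 3.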
 
Post #9, 10-18-2007, 06:40 PM, matters (Member, original poster):
I don't have a switch yet. BTW, by fail-open environment, could you please elaborate a bit more about it? Do you mean as if a fatal error occurs?

I'm wondering what would be the suggestion/solution to solve the problem if I don't have enough PCI slots on the motherboard to put in all the NICs needed?

Thanks!

Last edited by matters; 10-18-2007 at 06:50 PM.
 
Post #10, 10-19-2007, 03:42 AM, acid_kewpie (Moderator):
Well, to do it on one NIC you'll need to invest in a managed switch which supports 802.1q. If I wanted one of these at a basic level I'd be paying about 400 for a Cisco 2960, but you can go cheaper with other vendors. Fail-open would mean that if the filter device itself died, the base level tin would still be able to allow systems to communicate as long as there was rudimentary power to the hardware. Rebooting the box wouldn't interrupt connectivity etc...
 