Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
09-24-2010, 07:34 PM, #1
LQ Newbie | Registered: Sep 2010 | Posts: 3
Isolating an untrusted network while retaining access from specific PCs
This is my first post here, so a hello to everyone! I am by no means a networking guru, but I understand the basics and I consider myself to be fairly knowledgeable about computers. I have only dabbled in Linux and know almost nothing in that respect.
Anyway, I have a fairly specific question that is a bit out of the norm. At school, the shop I work in has machines that run Windows XP and CANNOT be updated to the latest SP (consider these machines "B"). This means that they are quarantined whenever connected to the network. There are also workstations that we would like to be able to connect to "B" for the sole purpose of dropping a file into a directory. These machines we will call "A", and they are considered trusted.
Here is what I have so far... I have NO control of the school's network. I have a spare PC with two NICs as well as a 5-port switch. My thought was to use the spare PC as a gateway/router/VPN and set up an isolated "network B" consisting of all the untrusted systems. Disallow all traffic other than the VPN connection. Connect via VPN from the 4ish trusted workstations "A" to network B. I could use MAC filtering (I think) to accomplish this and disallow any computer not specifically authorized, thereby isolating the untrusted computers completely.
I would really appreciate any input you may have on my idea. If you have suggestions for Distros or other methods of accomplishing this I am completely open to ideas.
Thanks!
09-25-2010, 04:25 AM, #2
Senior Member | Registered: Jul 2007 | Location: Directly above centre of the earth, UK | Distribution: SuSE, plus some hopping | Posts: 4,070
What you are asking for is very like a DMZ (not quite the usual application, which is to do with webservers, but very similar in what is going on 'under the hood').
I think the easiest way of making progress is for you to do a bit of research on Demilitarised Zones and iptables (use your favourite search engine for 'dmz' and 'iptables' and you'll get loads of hits), and then you'll have specific questions to ask.
09-25-2010, 02:36 PM, #3
Member | Registered: Aug 2009 | Location: Ouagadougou, Burkina Faso | Distribution: centos | Posts: 92
Look for a Linux that's already a router. Distros include Endian, pfSense, IPCop, etc. The hard work is already done for you.
09-25-2010, 11:25 PM, #4
Moderator | Registered: Mar 2008 | Posts: 22,361
I agree, you should consider a pre-made distro.
Consider http://www.untangle.com/ or others.
A simple graphical way may be the best.
As for the XPs, you can set them as limited users and disable update features.
09-26-2010, 08:13 PM, #5
LQ Newbie | Registered: Sep 2010 | Posts: 3 | Original Poster
I was trying to get DD-WRT set up, but my limited knowledge of Linux is not helping. I know I need to use iptables to set up the firewall, but that's about as far as I got. It has OpenVPN and looks like it should do all I need it to.
It's currently installed on the spare PC I have, and I got "network B" established with the computer I set up assigning IP addresses via DHCP. It is working properly as a basic router, because connecting it to network A allows B computers to connect to the outside world (not a good thing).
Simply disabling updates on the XP machines on B is not enough. The school's network polls computers randomly, and unless I can block traffic in and out with my firewall, the computers will get quarantined anyway. This may all be for nought anyway, since the entire network B may get booted if the school network can't communicate, but that remains to be seen.
I know there is a way to set up the firewall to close all ports and only allow one for VPN access to a select set of MAC addresses, but again, I'm no guru here...
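An added example, not code from this thread, of the iptables ruleset that the plan in posts #1 and #5 describes: default-deny on the two-NIC gateway PC, with the OpenVPN port reachable only from the trusted "A" MAC addresses and nothing on "network B" able to initiate toward the school network. The interface names, the VPN port and the MAC addresses are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholders: eth0 faces the school network, eth1 faces "network B",
# tun0 is the OpenVPN tunnel, and the MACs stand in for the trusted "A" workstations.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
VPN_IF=${VPN_IF:-tun0}
VPN_PORT=${VPN_PORT:-1194}            # OpenVPN's default UDP port
TRUSTED_MACS=${TRUSTED_MACS:-"00:11:22:33:44:01 00:11:22:33:44:02"}
IPT=${IPT:-iptables}                  # set IPT=echo to print the rules instead of loading them

apply_isolation_rules() {
    # Default-deny: nothing reaches the gateway or crosses it unless a rule below allows it
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    # Loopback, plus replies to flows the gateway or a VPN client already opened
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The only hole on the school-facing NIC: the VPN port, and only from trusted MACs
    for mac in $TRUSTED_MACS; do
        $IPT -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" \
             -m mac --mac-source "$mac" -j ACCEPT
    done
    # "B" machines are reachable through the tunnel but never initiate toward the school
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP   # already the policy; kept explicit
    # "B" machines still need the gateway's DHCP server
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
}

# Dry-run helper: how many per-MAC VPN accept rules the current TRUSTED_MACS produce
count_vpn_accept_rules() {
    ( IPT=echo; apply_isolation_rules ) | grep -c -- "--dport $VPN_PORT -m mac"
}
```

The `-m mac` match only sees the MAC of the last hop on the gateway's own segment, so if an "A" workstation reaches the gateway through one of the school's routers the source MAC will be the router's; treat the MAC list as a second check on the same switch, not a substitute for the VPN's own authentication.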
09-26-2010, 09:44 PM, #6
Moderator | Registered: Mar 2008 | Posts: 22,361
u n t a n g l e