This is my first post here so a hello to everyone! I am by no means a networking guru but I understand the basics and I consider myself to be fairly knowledgable about computers. I have only dabbled in inlinux and know almost nothing in that respect.

Anyway, I have a fairly specific question that is a bit out of the norm. At school, the shop I work in has machines that run windows xp and CANNOT be updated to the latest SP (consider these machines "B"). This means that they are quarantined whenever connected to the network. There are also workstations that we would like to be able to connect to "B" for the sole purpose of dropping a file into a directory. These machines we will call "A" and are considered trusted.

Here is what I have so far.... I have NO control of the school's network. I have a spare PC with two NICs as well as a 5 port switch. My thought was to use the spare PC as a gateway/router/VPN and setup an isolated "network b" consisting of all the untrusted systems. Disallow all traffic other than the VPN connection. Connect via vpn from the 4ish trusted workstations "A" to Network B. I could use mac filtering (i think) to accomplish this and disallow any computer not specifically authorized, thereby isolating the untrusted computers completely.

I would really appreciate any input you may have on my idea. If you have suggestions for Distros or other methods of accomplishing this I am completely open to ideas.

Thanks!

what you are asking for is very like a DMZ (not quite the usual application, which is to do with webservers, but very similar in what is going on 'under the hood').

I think the easiest way of making progress is for you to do a bit of research on Demilitarised Zones and Iptables (use your favourite search engine for 'dmz' and 'iptables' and you'll get loads of hits) and then you'll have specific questions to ask.

look for linux thats already a router. distros include endian, pfsense, ipcop, etc. the hard work is already done for you..

I agree, you should consider a pre-made distro.

Consider http://www.untangle.com/ or others.

A simple graphical way may be the best.


As for the xp's you can set them as limited users and disable update features.

I was trying to get dd-WRT set up but my limited knowledge of Linux is not helping. I know I need to use IPtables to setup the firewall but thats about as far as I got. It has OpenVPN and looks like it should do all I need it to.

It's currently installed on the spare PC I have and I got "network b" established with the computer I set up assigning IP addresses via DHCP. It is working properly as a basic router because connecting it to network A allows B computers to connect to the outside world (not a good thing).

Simply disabling updates on the xp machines on B is not enough. The schools network polls computers randomly and unless I can block traffic in and out with my firewall, the computers will get quarantined anyway. This may all be for nought anyway since the eitire network B may get booted if the School network can't communicate, but that remains to be seen.

I know there is a way to setup the firewall to close all ports and only allow one for VPN access to a select set of MAC addresses, but again, I'm no guru here...

u n t a n g l e