LinuxQuestions.org
Linux - Networking
#1 lapoltba (LQ Newbie), 09-24-2010, 07:34 PM
Isolating an untrusted network while retaining access from specific PCs


This is my first post here so a hello to everyone! I am by no means a networking guru but I understand the basics and I consider myself to be fairly knowledgeable about computers. I have only dabbled in Linux and know almost nothing in that respect.

Anyway, I have a fairly specific question that is a bit out of the norm. At school, the shop I work in has machines that run Windows XP and CANNOT be updated to the latest SP (consider these machines "B"). This means that they are quarantined whenever connected to the network. There are also workstations that we would like to be able to connect to "B" for the sole purpose of dropping a file into a directory. These machines we will call "A" and are considered trusted.

Here is what I have so far... I have NO control of the school's network. I have a spare PC with two NICs as well as a 5-port switch. My thought was to use the spare PC as a gateway/router/VPN and set up an isolated "network B" consisting of all the untrusted systems. Disallow all traffic other than the VPN connection. Connect via VPN from the 4ish trusted workstations "A" to network B. I could use MAC filtering (I think) to accomplish this and disallow any computer not specifically authorized, thereby isolating the untrusted computers completely.

I would really appreciate any input you may have on my idea. If you have suggestions for Distros or other methods of accomplishing this I am completely open to ideas.

Thanks!
#2 salasi (Senior Member), 09-25-2010, 04:25 AM
What you are asking for is very like a DMZ (not quite the usual application, which is to do with webservers, but very similar in what is going on 'under the hood').

I think the easiest way of making progress is for you to do a bit of research on Demilitarised Zones and iptables (use your favourite search engine for 'dmz' and 'iptables' and you'll get loads of hits) and then you'll have specific questions to ask.
#3 evilted (Member), 09-25-2010, 02:36 PM
Look for a Linux that's already a router. Distros include Endian, pfSense, IPCop, etc. The hard work is already done for you.
#4 jefro (Moderator), 09-25-2010, 11:25 PM
I agree, you should consider a pre-made distro.

Consider http://www.untangle.com/ or others.

A simple graphical way may be the best.


As for the XPs, you can set them as limited users and disable update features.
#5 lapoltba (LQ Newbie, Original Poster), 09-26-2010, 08:13 PM
I was trying to get DD-WRT set up but my limited knowledge of Linux is not helping. I know I need to use iptables to set up the firewall but that's about as far as I got. It has OpenVPN and looks like it should do all I need it to.

It's currently installed on the spare PC I have and I got "network B" established with the computer I set up assigning IP addresses via DHCP. It is working properly as a basic router because connecting it to network A allows B computers to connect to the outside world (not a good thing).

Simply disabling updates on the XP machines on B is not enough. The school's network polls computers randomly and unless I can block traffic in and out with my firewall, the computers will get quarantined anyway. This may all be for nought anyway since the entire network B may get booted if the school network can't communicate, but that remains to be seen.

I know there is a way to set up the firewall to close all ports and only allow one for VPN access to a select set of MAC addresses, but again, I'm no guru here...
 
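The firewall the poster describes in #5 (close every port on the two-NIC gateway, open only the VPN port to a short list of MAC addresses, stop network B from reaching the outside world) is a small iptables policy. The script below is an added example written for this thread, not something posted in it or shipped by DD-WRT. Every name in it is an assumption: eth0 faces the school LAN (the "A" side), eth1 is the isolated network B on 192.168.50.0/24 with the gateway as its DHCP server, tun0 is the OpenVPN server interface handing clients 10.8.0.0/24, OpenVPN listens on UDP 1194, and the two MAC addresses are placeholders. It previews the rules by default and only touches iptables when run with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example (not from the thread): iptables policy for a two-NIC Linux
# gateway that quarantines "network B" and admits only OpenVPN clients from
# trusted "A" workstations. All interface names, networks, port and MACs
# below are assumptions for illustration.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # school LAN side; the only thing the school sees
LAN_IF="${LAN_IF:-eth1}"              # isolated network B
VPN_IF="${VPN_IF:-tun0}"              # OpenVPN server interface
LAN_NET="${LAN_NET:-192.168.50.0/24}" # addresses this box hands out on B via DHCP
VPN_NET="${VPN_NET:-10.8.0.0/24}"     # addresses OpenVPN hands out to A clients
VPN_PORT="${VPN_PORT:-1194}"          # OpenVPN UDP port
# Placeholder MACs of the trusted "A" workstations (not real hardware).
TRUSTED_MACS="${TRUSTED_MACS:-00:11:22:33:44:55 00:11:22:33:44:66}"
# Preview by default; DRY_RUN=0 applies the rules for real (needs root).
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_policy() {
    # Clean slate and default deny: nothing enters the gateway and nothing is
    # forwarded between interfaces unless a rule below allows it.
    run -F
    run -X
    run -t nat -F
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the gateway itself opened.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Network B side: the XP boxes may only ask this box for a DHCP lease.
    run -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT

    # School LAN side: the single open port is OpenVPN, and only from the
    # trusted MACs. Everything else the school sends, its compliance polls
    # included, is dropped on the gateway and never reaches B.
    for mac in $TRUSTED_MACS; do
        run -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" \
            -m mac --mac-source "$mac" -j ACCEPT
    done

    # Optional: manage the gateway over SSH, but only from inside the VPN.
    run -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p tcp --dport 22 -j ACCEPT

    # Forwarding: VPN clients may open connections into B and B may only
    # answer them. There is deliberately no LAN_IF -> WAN_IF rule and no
    # MASQUERADE, so B never gets to the outside world.
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
}

# Self-checks for the preview: how many ACCEPT rules face the school LAN
# (should equal the number of trusted MACs) and how many rules forward
# from B towards the school LAN (should be zero).
wan_accept_count() {
    ( DRY_RUN=1; apply_policy ) | grep -c -- "-i $WAN_IF .*-j ACCEPT" || true
}
lan_to_wan_rules() {
    ( DRY_RUN=1; apply_policy ) | grep -c -- "-i $LAN_IF -o $WAN_IF" || true
}

# Usage: preview     sh isolate-b.sh
#        apply       DRY_RUN=0 sh isolate-b.sh      (as root, after OpenVPN is set up)
apply_policy
```

Two caveats on the MAC part of the poster's plan. `-m mac --mac-source` only sees the MAC of the last layer-2 hop, so it works only while the A workstations sit on the same school LAN segment as the gateway's eth0; behind a router the source MAC is the router's. MACs are also trivially spoofed, so the real gate is OpenVPN's certificate/TLS authentication; the MAC match merely hides the UDP port from everyone else. The gateway's own eth0 address is still visible to the school's scanner, it just answers nothing, which is exactly the "unresponsive host may get booted" risk raised in #5.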
#6 jefro (Moderator), 09-26-2010, 09:44 PM
Untangle.