network limiter

body00 · 05-07-2004, 04:35 PM

hello.. i have a 9.2 mandrake on command, shareing the internet in the network. I have soon merged with another network. My network shares internet by DHCP... How can i restrict the net just for my ips ???
i have
192.168.0.1 -> the server
192.168.0.252-255 -> my computers
192.168.0.x -> the others who should not get any access to the server

how can i do it ??? please reply i am in a big dilema here

Mara · 05-07-2004, 05:13 PM

You should modify the netmask for masquerade to cover only your machines.
252 is 11111100
255 is 11111111
so your netmask should probably be 255.255.255.252 with network 192.168.0.252

OR
You can give the second network a different addresses like 10.0.0.x and not add it to your firewalling script.

body00 · 05-07-2004, 05:20 PM

will this dhcp do the work ???
or they'll still have access to the internet ???

------------------------------------------------------------------

ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
# default gateway

option routers 192.168.0.1;
option subnet-mask 255.255.255.0;

option domain-name "b.astral.ro";
option domain-name-servers 194.102.255.2;

range dynamic-bootp 192.168.0.251 192.168.0.253;
default-lease-time 43200;
max-lease-time 21600;

}
host Pcd {

hardware ethernet 00:02:44:0F:3C:68;
fixed-address 192.168.0.253;

}

host Contele {

fixed-adress 192.168.0.252;

}

Mara · 05-08-2004, 06:57 PM

It should be just fine. But remember not allow the new network to use the same DHCP configuration.

body00 · 05-09-2004, 08:14 AM

anyone in the network can access the net if they put my server as gateway and dns provider.

what can i do to restrict them ??? i mean, even if they don't use my dhcp server they can use me as a gateway. PLEASE HELP

body00 · 05-09-2004, 11:10 PM

anyone with ideas ?

IDEAS AT LEAST are welcomed.... thank you !

Mara · 05-10-2004, 04:53 AM

Not exactly...If your firewalling masquerade script will only forward connection from a range of addresses, even if the other machines will have your gateway set as theirs, they won't have Internet connection.

To makes things more secure (someone can set an IP manually), you should think about filtering using MAC address (still can be spoofed, but it's harder).