Sastraxi Apprentice
Joined: 25 Feb 2003 Posts: 258
Posted: Wed Jan 14, 2004 9:27 pm Post subject: iptables; 1 cable modem, many networks, "segregation"
Hey all,
I'm making a router/htpc box, it has two nics, they *should* be set up correctly, haven't tested. Right now, my priority is to set up the home network.
Here's how the network topology looks:
isp > cable modem > computer in question > switch -> other switches, computers, hubs, etc.
I'm looking to have 3 kinds of segregated networks, 192.168.0.2-254 (which is also what I'd like dhcpd to assign), 192.168.1.2-254 (first set of servers), 192.168.2.2-254 (second set of servers).
The .0.x goes out on x.x.x.42, .1.x goes out on x.x.x.26, and .2.x goes out on x.x.x.27.
Now, these .1.x and .2.x IPs will be manually configured, the .0.x IPs configured by DHCP. Being completely new to both the dhcp daemon and iptables, I've come in search of some help (where to begin!).
Here's the catch, though. I don't want the internal network to be able to access each other between IP separations... for example, 192.168.0.x users should NOT be able to ping OR see 192.168.1.x or 192.168.2.x users, or vice versa. Making sense? In a (very brief) moment of illumination, I thought I could change the broadcast IP to 192.168.0.1, but seeing as Windows doesn't let you change this variable, and a potential host of other problems with it, I've dropped the idea. Am I going to need 4 network cards =/
I figure I should make an iptables script that contains all my rules, so that I can simply change it, run the script, then remove all config from iptables if I wanted to (iptables is all set up, by the way).
So that's where I'm stuck, no clue what to do for iptables. I'm *pretty* sure I can configure dhcpd myself, but the man pages for that tool don't look too promising.
ben Apprentice
Joined: 10 Jun 2002 Posts: 285 Location: Switzerland
Posted: Wed Jan 14, 2004 10:02 pm
Hi,
If your three networks are on the same segment, the segregation will be quite thin. You will be able to sniff the whole traffic for instance.
I would suggest you invest in the same number of NICs as networks you want to build. This is the right way to do it, although I am quite sure one can find a workaround to get your setup more or less working.
Serving many networks with one dhcp server serving on one NIC is not difficult, although you will have to overload the NIC IP address with one IP per network (also known as IP aliasing).
Every net will have that NIC as gateway and then iptables allows or denies the bridge between networks.
Then again, this is a kludge, I would not do it like this, but with three or four network cards, they are cheap.
HTH
Ben
TheCoop Veteran
Joined: 15 Jun 2002 Posts: 1814 Location: Where you least expect it
Posted: Wed Jan 14, 2004 10:05 pm
Shorewall would be very useful in this, you can tell it to drop all packets from eth1 going to eth2, for instance. Essentially it is an iptables wrapper, and very easy to set up. It even has a webmin interface
_________________
95% of all computer errors occur between chair and keyboard (TM)
"One World, One web, One program" - Microsoft Promo ad.
"Ein Volk, Ein Reich, Ein Führer" - Adolf Hitler
Change the world - move a rock
Sastraxi Apprentice
Joined: 25 Feb 2003 Posts: 258
Posted: Thu Jan 15, 2004 1:35 am
ben: So you think it'd be possible with only 2 NICs? Reason I ask is that I only have 1 more PCI slot and that's due for the 2nd TV card... =/
I'll look up IP alias and the denying bridging stuff, thanks
TheCoop: is shorewall any bit like smoothwall? Is it something I *emerge* or something I pop in and it runs.. because this is a dual purpose machine =/
TheCoop Veteran
Joined: 15 Jun 2002 Posts: 1814 Location: Where you least expect it
Posted: Thu Jan 15, 2004 8:35 am
emerge shorewall. Edit the files in /etc/shorewall and then run /etc/init.d/shorewall start
fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Thu Jan 15, 2004 10:07 am
Whether the internal PCs can see each other doesn't depend on your router's configuration. If you have all internal networks being driven from the same switch, or series of switches, then they'll be able to see each other. The users will just need access to change the system's settings so they can specify a larger subnet than the one they're in, for example, and they'll be able to ping each other.
A possibly better solution would be to use totally different addressing regimes, for example:
A) Internal workstations: DHCP over 192.168.0.
B) Server farm 1: 10.0.0.
C) Server farm 2: etc
But this still does not guarantee security. Since they are all physically on the same ethernet segment, they can change their ip addresses so they're on a different network and they'll be able to ping, etc.
So, if you want total segregation you'll need different NICs, one for each segment.
It IS possible to get it working with 2 NICs, you just won't get absolute network segregation.
ben: I don't think each machine will be able to sniff traffic if they're all running off switches. AFAIK they'll only be able to sniff their own packets. If it was a hub then yeah, they'd be on the same wire (sort of) so sniffing would be possible.
ben Apprentice
Joined: 10 Jun 2002 Posts: 285 Location: Switzerland
Posted: Thu Jan 15, 2004 10:15 am
Hi,
First an analogy:
You try to build a multicultural city but are afraid of interracial violence. So you separate the city into quarters (say one for the green, one for the blue, one for the orange guys). You put a policeman at the main crossing to allow/deny access to the different parts of the city.
All is fine, but you don't have enough money to build your dream city, so you end up with a village with only one road: the main street where everybody lives. You place the policeman in the middle of this street and ask people to ask this policeman for permission before they are allowed or denied access to their neighbours (oops, spelling??).
Moral of the story:
If you cannot afford the hardware, then you cannot afford the design.
This means that you should redefine what you expect from your network, i.e. why do you want a segregation. Is it speed, security, or do you want it just for fun...
Maybe you can simplify your design to one network, and all would be fine. Maybe you cannot, so you may need a network card with multiple interfaces on it, or you can grab an old computer with enough PCI slots to act as a pure firewall/router between the Internet and all your networks.
Those answers may not be what you expected, but they are by far more adequate than the following kludge:
Now if you really want to play dirty, you can begin with connecting two networks to the internal NIC, say 192.168.1.x and 192.168.2.x. This NIC will have two static IP addresses: i.e. 192.168.1.1 and 192.168.2.1 (have a look at /etc/conf.d/net.eth0). You would want to start the dhcp server listening to those two "virtual" interfaces, i.e. eth1:0 and eth1:1. The dhcpd.conf will have two networks configured. I think you will have to assign a dedicated address to each MAC address so that each machine ends up in the right network.
With this setting, you should be able to get the right IP address from every machine on your networks.
Then iptables (or shorewall if you so please) will forward or not packets based on the source and destination IP address.
I hope to have clarified things a bit, but I, once again, vote for a NIC per network, be it on your existing machine or on a dedicated firewall/router.
For instance you wouldn't want to have a TV card in this firewall, would you?
Ben
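The "script that contains all my rules" the original poster asks for, built the way Ben's kludge describes it, as an added example that is not code from the thread or from any of the posters. It assumes eth0 faces the cable modem, eth1 faces the switch and carries the 192.168.0.1 / 192.168.1.1 / 192.168.2.1 aliases, and it uses 203.0.113.x documentation addresses as placeholders for the real x.x.x.42, .26 and .27. Each internal subnet is SNATed to its own public address, each may reach the Internet, and nothing that one subnet sends to another through the gateway is forwarded (it is logged and then dropped by the FORWARD policy). The rules use the older `-m state` match, which is what iptables of that era offered.

```sh
#!/bin/sh
# Added example, not from the thread: flush-and-rebuild iptables script for
# one WAN NIC plus one LAN NIC carrying three gateway aliases.
# Assumptions: eth0 = cable modem side, eth1 = switch side, 192.168.N.1 are the
# gateways, 203.0.113.x stand in for the real public addresses x.x.x.42/.26/.27.
set -e

IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of loading them
WAN_IF="${WAN_IF:-eth0}"    # cable modem side
LAN_IF="${LAN_IF:-eth1}"    # switch side; eth1:0, eth1:1 and eth1:2 live here

# internal subnet -> public address its traffic must leave on (placeholders)
NETS="192.168.0.0/24:203.0.113.42 192.168.1.0/24:203.0.113.26 192.168.2.0/24:203.0.113.27"

# Wipe everything (rules, nat table, user chains) so the script can be re-run
# after every edit. -F/-X do not reset policies, so set those explicitly too.
flush_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

apply_rules() {
    flush_rules
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP discovers arrive with source 0.0.0.0, so they need a rule of their own
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    for entry in $NETS; do
        net=${entry%%:*}
        pub=${entry##*:}
        # each subnet may talk to the router itself and to the Internet ...
        $IPT -A INPUT -i "$LAN_IF" -s "$net" -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$net" -j ACCEPT
        # ... and leaves on the cable modem side with its own public address
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$net" -j SNAT --to-source "$pub"
    done
    # Nothing accepts eth1 -> eth1, so traffic one subnet sends to another via the
    # gateway falls through to the FORWARD DROP policy; log it first so the
    # attempts show up in syslog.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -j LOG --log-prefix "cross-subnet: "
}

# Sanity check used when previewing: how many subnets get their own SNAT rule.
count_snat_rules() {
    ( IPT=echo; apply_rules ) | grep -c -- '-j SNAT'
}

# Run as "APPLY=yes sh segregate.sh" to load the rules; without APPLY the script
# only defines the functions, so "IPT=echo sh -c '. ./segregate.sh; apply_rules'"
# previews the rule set without touching the kernel.
if [ "${APPLY:-no}" = yes ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_rules
fi
```

What this script cannot do is exactly what fleed and Ben point out: the FORWARD rules only see packets that a host chooses to send to the gateway. Two machines on the same switch with addresses in different 192.168.N.0/24 ranges can still talk directly after one of them widens its netmask, and the router cannot tell a host on the .0 alias from a host on the .1 alias by interface, since both arrive on eth1. The rules give per-subnet NAT and a log of cross-subnet attempts, not segregation; for that, one NIC per network is the answer the thread converges on. On the dhcpd side, serving several subnets on one physical segment needs ISC dhcpd's shared-network declaration with host entries keyed by MAC address, which is the "dedicated address to each MAC address" part of Ben's post.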
ben Apprentice
Joined: 10 Jun 2002 Posts: 285 Location: Switzerland
Posted: Thu Jan 15, 2004 10:34 am
fleed wrote:
    ben: I don't think each machine will be able to sniff traffic if they're all running off switches. AFAIK they'll only be able to sniff their own packets. If it was a hub then yeah, they'd be on the same wire (sort of) so sniffing would be possible.
You are right, of course, I was thinking that if you know how to sniff, then you know how to make it effective, be it through a switch cracker (a series of attacks directed at the switch to make it a hub, I saw this in another sniffer, not ethereal, but something like etherrip, don't recall). Then again, this is on the IP level. If you go down the road of ethernet, you could gather info by means of broadcasting ARP requests and so on.
In the meantime, you could be able to sniff everything on the segment you are on (delimited by switches), independently of IP addresses.
What I wanted to make clear is that applying a concept (segregation) on hardware not designed for it is worse than adapting the concept to the available hardware. This is the same kind of discussion as the utility of a firewall to protect a single machine: if the machine is rightly configured, the firewall won't be of (arguably) any use.
Ben
fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Thu Jan 15, 2004 11:41 am
You're absolutely right! Had forgotten about arp-poisoning and the like. And I also agree that the network topology should be changed to fit the resources, otherwise it'll be worse!
Sastraxi Apprentice
Joined: 25 Feb 2003 Posts: 258
Posted: Thu Jan 15, 2004 1:36 pm
So one nic per? Alright. Thanks guys; I'll post an explanation of what I'm doing when I get home