Re: Blocking Internal machines from Access to the Internet



On 2006-07-31, Ken Roberts <forums@xxxxxxxxxxxxx> wrote:

Kevin T. Neely wrote:
On 2006-07-30, Kevin T. Neely <ktneely@xxxxxxxxxxxxxxxxxxx> wrote:
I am trying to block a host on my internal network from reaching the
WAN and therefore the internet. I am using shorewall to configure my
iptables firewall but am having trouble crafting a proper rule.

It's been a while since I played with Linux-based firewalls, so forgive
me for not providing real examples. My only recent firewall experience
is on Cisco gear.

My approach would be to deny access by default, and then add it
specifically for those machines that need it. However, with this

Thank you for the help and advice. This is definitely not an office
setup. Basically, my "miscreants" are the children who like to find
sneaky ways to stay up as late as possible using the internet on their
newly-installed computers in their rooms. I have set up DHCP
reservations for their computers and they are currently not skilled
enough to get around that meager security measure. I don't really
mind if they figure out how to get around what I set up, since doing so
would really teach them a lot about computers and networking that I
cannot otherwise get them to learn, so major security is not a big
deal.

What I want, however, is for the connection to drop right as I change
the rule. As it stands, even with the REJECT and DROP rules, open
connections (like an AIM client) remain open until they reboot their
computer or stop/restart the client, which is not what I want.

I'm running a Linux firewall because I want one device that I can use
as firewall, ssh server, mail server, etc. and not run a medium-sized
office's worth of equipment in getting the services I want. I also
want to be able to log certain traffic to hard disk, for which I need
an always-on computer.

I do have an older, managed BayNetworks switch I suppose I could use
and set the port by which my logging server is connected to mirror the
router port. But that is a lot more noise/heat for my little office
closet I'm not sure I want to incur.


Better yet, if you can figure a way to have two separate networks you
could enable/disable access for the whole network, which will prevent
your miscreant from just changing the IP address to get access.

I have it like this:

Inet
|
cable modem
|
router
|
switch - {wired desktop computers}
|
Wireless AP


And it's like that. However, I have a third interface in the router
and am contemplating setting the wireless to a different subnet than
the wired LAN so that I can protect the internal network a bit more.
Once I do this, I /could/ disable the wireless at night (their
computers are connected via wireless), but then my laptop,
etc. wouldn't work, and I go to bed later than they do.

K

--
In Vino Veritas
http://astroturfgarden.com
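The behaviour described above (a DROP rule is added but the AIM session stays up) comes from connection tracking: a stateful firewall accepts ESTABLISHED,RELATED packets before it ever reaches the new DROP, so flows that were open when the rule changed keep matching. The following script is an added example, not part of this thread or of Shorewall; it assumes plain iptables with a FORWARD chain and the conntrack(8) tool from conntrack-tools, and the interface name and addresses are placeholders. It inserts the DROP at the top of FORWARD and then deletes the host's existing conntrack entries, which is what makes the open sessions die immediately.

```shell
#!/bin/sh
# Added example: cut a LAN host off from the Internet and tear down its
# existing connection-tracking state so already-open sessions drop at once.
# Assumes iptables + conntrack-tools; WAN_IF is a placeholder interface name.

WAN_IF="${WAN_IF:-eth0}"   # assumed name of the Internet-facing interface

# Run a command, or with DRY_RUN=1 print it instead (used for self-checks).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Rejecting anything else also keeps shell metacharacters out of the rules.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Block a host's forwarded traffic towards the WAN and flush its flows.
block_host() {
    host=$1
    valid_ipv4 "$host" || { echo "block_host: bad address '$host'" >&2; return 2; }
    # 1. Insert at position 1 so the DROP wins over any ESTABLISHED,RELATED
    #    accept rule that a front-end such as Shorewall places early in the chain.
    run iptables -I FORWARD 1 -s "$host" -o "$WAN_IF" -j DROP
    # 2. Delete the host's conntrack entries in both directions; without this
    #    the stateful accept keeps matching flows that were open before step 1.
    run conntrack -D -s "$host"
    run conntrack -D -d "$host"
}

# Remove the DROP again (e.g. in the morning); new connections then work.
unblock_host() {
    host=$1
    valid_ipv4 "$host" || { echo "unblock_host: bad address '$host'" >&2; return 2; }
    run iptables -D FORWARD -s "$host" -o "$WAN_IF" -j DROP
}

# Usage: block_host 192.168.1.50   or   unblock_host 192.168.1.50
# (addresses here are constructed placeholders; run as root, or with DRY_RUN=1
# to see the commands without applying them)
```

Cron entries calling `block_host` at bedtime and `unblock_host` in the morning give the timed cut-off the thread is after. As Ken points out, a rule keyed on the IP address is dodged by simply changing the address; the same pattern works with `-m mac --mac-source` on the FORWARD chain for traffic arriving from the LAN, which raises the bar a little further (a MAC can be changed too, but that is a bigger step for the "miscreants" described).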
