Splitting a Network

teammatt3 (2,102 posts, joined Sep 2003):

I have a network that looks like this:

Bertha is a router running Linux.

The computers in the orange box have a special requirement. They can't go anywhere on the web except for the pages on example.com.

The other computers outside the orange box need access to the entire web.

Is there a way I can do that, only using one router, and switch (without going to each computer and configuring it)? If so, how? If not, what hardware do I need?

greg (1,581 posts, joined Nov 2005):

I presume the router is one of the hackable ones (Linksys WRTXXX etc).
Static IPs sound like the way to go, then get some software for the router that will allow access only to listed sites.

Some software to compile in the Linux side of things that has access restricting (and probably even stuff like bandwidth quotas)

Or something like Gargoyle
This screenshot looks promising for you

Have a look at the other screenshots on the home page.

teammatt3 (2,102 posts, joined Sep 2003):

The router is a Debian Linux server running DHCP, NAT and various other things. So a Linksys thing won't work. I could buy one, if that's a better idea?

When you say static IPs are the way to go, does that mean I would have to manually assign IPs to each of those computers in the orange box? Or is there a way to do that automatically?

greg (1,581 posts, joined Nov 2005):

Hmm. I just presumed when you said router you meant a conventional router.

In that case, I haven't had much experience with Linux and DHCP/NAT etc, but would imagine there will be plenty of software to allow for further access limiting, as well as many other things.

What routing app are you using?

With DHCP, when you turn off some devices the IPs assigned to them go back into the available pool. When you turn a device back on, it might not get the same IP. (And there are other reasons why their IP might change.)

So static IPs are going to be a necessity, unless you can limit access via MAC addresses (or have IPs assigned to device MAC addresses).
Either way, you obviously have different boxes with different needs, so you need to uniquely identify each of them to set up their allowances.

pr0gr4mm3r (1,502 posts, joined Sep 2006):

You could do different address pools, but there is no way to enforce it, except at the individual computers. It's better to do two separate networks, so even if someone connected their own computer, they wouldn't get any higher access.

Get a second switch and an additional NIC for the server. You can get a USB one for pretty cheap if you have no PCI slots free. You can then set up your firewall and NAT rules accordingly for the separate networks.

I'm planning on adding a more limited network using this method, so when I'm working on infected computers, I can give them limited access to the Internet and the rest of my network.

BTW, that illustration is priceless.

greg (1,581 posts, joined Nov 2005):

pr0gr4mm3r wrote:
    BTW, that illustration is priceless.

Yeah, did you look like this while drawing it --> :P

teammatt3 (2,102 posts, joined Sep 2003):

Ok. Looks like I'll get a second switch and an extra NIC. I'll probably need more help once I get it set up.

Networking gives me a headache, or maybe it's just that diagram I made :)

pr0gr4mm3r (1,502 posts, joined Sep 2006):

What do you use to configure your routing? Do you just use iptables, or do you have a front-end? I use Webmin to manage my home server, and add the firewall/routing rules there.

teammatt3 (2,102 posts, joined Sep 2003):

I've been trying a lot of things recently. For a firewall I used Firestarter and Guarddog. Both are just GUIs for iptables. Firestarter is much easier to use, but it doesn't look like it is being developed anymore. I'm a little bit worried about that.

Firestarter also sets up NAT automatically, so I didn't have to do much there.

I configured DHCP manually with dhcpd3. They have lots of examples in the config file, so I just followed those. Firestarter has an interface for DHCP too, but it isn't very sophisticated.

Guarddog was confusing to me and I never got it to work properly so I probably won't be using it. It has a lot of options though, so if you know about networking, it's probably pretty good.

The problem with both Firestarter and Guarddog is they require Gnome. So if you don't have a monitor on your machine, you can't use the GUI.

I haven't checked out Webmin yet (I had no idea it did that stuff). I'll try it out.

pr0gr4mm3r (1,502 posts, joined Sep 2006):

Webmin is a web interface, so you can use it on your server without a GUI. I thought Firestarter was the firewall that is standard with Ubuntu; I would be surprised if development suddenly stopped.

Shaggy (121 posts, joined Dec 2008):

Setting up two physical networks is one way (and probably the most professional/proper). But I'm cheap, so I can think of a few ways with the existing hardware:

You could either have two virtual networks all on one switch/router, or just do some fancy NAT / ipf (or Linux equivalent) rules, or simplest of all:

---Simplest:
If the users don't have access to network settings on their clients, just change the gateway on those machines to something other than your Linux router. Anyone trying to access something other than the immediate network will get a 'no route to host'.

---For a virtual network you'd have to:
1) Set up the DHCP daemon to hand out IP addresses according to the client's MAC address. This way you can control whether clients get to be on the privileged or unprivileged 'network' each time they connect to the network or their DHCP lease expires.

2) Restrict access to the WAN interface on your router from the unprivileged network using a packet filter (iptables in Linux?)

3) Allow access to the WAN interface on your router from the privileged network (iptables in Linux?)

4) Continue to use NAT, so the clients that do have access to the WAN interface all get to 'share'

5) Add 'bridging' in your Linux router, so the two networks can communicate with each other. In each case the 'gateway' for each client would be the internal interface of your router.

When you add a new client on your network, you'd have to set up your DHCP daemon to recognize the new MAC address, and assign it to the appropriate network (privileged network, or not).

---Or... you could keep everyone on the same network, and then add individual allow / deny for each client on the network in your packet filter.

Unfortunately, I'm a BSD guy; all I know is 'ipf' to manipulate the packet filter. I believe the Linux equivalent is 'iptables'?

In ipf you would (I'm not trying to convert you, but maybe these might help find the iptables equivalent?):
For an 'allow access to internet' client you would (where fxp0 is the internal interface, and fxp1 is the external interface):
# /32 = this one host; 192.168.1.2/24 would match the whole subnet
pass in quick on fxp1 from 192.168.1.2/32 keep state
pass out quick on fxp1 from 192.168.1.2/32 keep state

and for a 'deny access to internet' client you would:
block in quick on fxp1 from 192.168.1.3/32
block out quick on fxp1 from 192.168.1.3/32

Kind of short on technical details, but hopefully it has enough hints to get you going... Don't fear ditching the fancy web interfaces and going right to the config files and the delivered userland executables. There tends to be a lot more help and documentation out there, as they usually remain unchanged for quite some time and offer the most flexibility...

Cheers,
Shaggy.
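An added example, not posted by anyone in the thread, showing the iptables side of the two-switch layout pr0gr4mm3r suggested, with the per-client allow/deny idea from Shaggy's ipf rules applied to a whole restricted interface: the orange-box LAN may only reach HTTP/HTTPS on the listed addresses, everything else it sends is logged and dropped. The interface names, the 192.168.2.0/24 range and the 192.0.2.x addresses standing in for example.com are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an iptables ruleset for the
# two-switch layout: one NIC per LAN plus the WAN NIC on the Debian router.
# All names and addresses below are assumed placeholders; override via env.
WAN_IF="${WAN_IF:-eth0}"            # towards the Internet
OPEN_IF="${OPEN_IF:-eth1}"          # switch for the unrestricted computers
RESTR_IF="${RESTR_IF:-eth2}"        # second switch for the orange-box computers
RESTR_NET="${RESTR_NET:-192.168.2.0/24}"
# Constructed stand-ins for example.com's addresses: resolve the real ones and
# re-check them periodically, a site served from a CDN changes addresses.
ALLOWED_IPS="${ALLOWED_IPS:-192.0.2.10 192.0.2.11}"

# Print the rules instead of applying them, so they can be reviewed first
# (review: build_rules ; apply as root: build_rules | sh).
build_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    # Default deny for everything routed through the box; this also keeps the
    # restricted LAN away from the open LAN, since no rule below allows that.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Unrestricted LAN: anything outbound to the Internet.
    echo "iptables -A FORWARD -i $OPEN_IF -o $WAN_IF -j ACCEPT"
    # Restricted LAN: only HTTP/HTTPS to the listed addresses.
    for ip in $ALLOWED_IPS; do
        echo "iptables -A FORWARD -i $RESTR_IF -o $WAN_IF -s $RESTR_NET -d $ip -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # Rate-limited log of what the restricted LAN tried before the policy drops it.
    echo "iptables -A FORWARD -i $RESTR_IF -m limit --limit 5/min -j LOG --log-prefix \"restricted-lan-drop: \""
    # Restricted clients resolve names via the router (hand it out as the DNS
    # server in dhcpd), so let them reach port 53 on the router itself.
    echo "iptables -A INPUT -i $RESTR_IF -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $RESTR_IF -p tcp --dport 53 -j ACCEPT"
    # NAT for both LANs, as before.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Number of destination addresses the restricted LAN is allowed to reach.
allowed_count() {
    build_rules | grep -c -- "-i $RESTR_IF -o $WAN_IF -s $RESTR_NET -d "
}
```

Anything from the restricted switch that is not HTTP/HTTPS to a listed address shows up in the kernel log with the restricted-lan-drop prefix, which is also how you notice when example.com has moved to an address not yet on the list.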
