RE: IP access restriction

The best device looks to be a linux bridging firewall inserted between the
network gateway and the network. I've used fwbuilder with good results and
I'll try it on the bridging firewall.
Thanks.

-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx]
On Behalf Of Nigel Wade
Sent: Wednesday, October 13, 2004 6:24 AM
To: For users of Fedora Core releases
Subject: Re: IP access restriction

Rick Lim wrote:
> I have a friend that has a few boxes directly on the internet, which he
> thinks are being accessed by unwanted "visitors".
> 
> These machines still have to have routable IP addresses but should have
> limited access from external IP subnets.
> 
> What would be suitable for limiting IP subnet access to these addresses?
> 
> Would a 'firewall' like machine with IPTABLES be able to accomplish this,
> that is without changing the IP address passed through the 'firewallish'
> machine?
> 

What's the network topology? If it's possible to insert a single device in 
the network which carries all traffic then it is possible to add a bridging 
firewall.

You can create bridging firewalls with iptables. We operate one here between 
our subnet and the Uni. router. Building a bridging firewall is pretty 
straightforward.

You need to install the bridge-utils package first. Then create a bridge 
interface with the brctl command, and give it a name (here it's called 
nameOfBridgeInterface):

# brctl addbr nameOfBridgeInterface

then you add ethernet cards to the bridge (you can have multiple cards in 
each segment, and the bridging software uses spanning-tree to provide 
redundancy). For 2 cards, eth0 and eth1, with 1 in each segment you would
do:

# brctl addif nameOfBridgeInterface eth0
# brctl addif nameOfBridgeInterface eth1

then put the cards in promiscuous mode (they need to accept all packets):

# ifconfig eth0 promisc 0.0.0.0
# ifconfig eth1 promisc 0.0.0.0

then, if you want to be able to connect to the bridge, you create a network 
script for it, /etc/sysconfig/network-scripts/ifcfg-nameOfBridgeInterface

DEVICE=nameOfBridgeInterface
BOOTPROTO=static
BROADCAST=<your-network-broadcast-address>
IPADDR=<bridge-IP>
NETMASK=<your-network-netmask>
NETWORK=<your-network-address>
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
PEERDNS=no

The startup scripts will take care of everything else. Iptables rules can be 
applied to the FORWARD chain for packets traversing the bridge, or to the 
INPUT/OUTPUT chains for packets destined to/from the bridge itself. You can 
also add rules for each card.

You should not have any network initialization on eth0 or eth1, the bridge 
rules above do the necessary work, activating the card in promiscuous mode 
and assigning no IP.

One problem is that most GUIs for iptables assume you are setting up either 
a personal firewall or a NAT firewall. The only GUI I know that even 
acknowledges that a bridging firewall is a possibility is fwbuilder, and you 
still need to check the rules carefully with that as it has a tendency to 
create spurious rules.

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw@xxxxxxxxxxxx
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
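The bridge setup and FORWARD-chain filtering that Nigel's message walks through, put together as one runnable script. This is an added example, not code from the original thread or from Fedora; br0, eth0, eth1, the protected and allowed subnets and the bridge address are constructed placeholders taken from the RFC 5737 documentation ranges. It adds two things the message does not spell out: the physdev match, which is how iptables selects the physical bridge port in the FORWARD chain (there, -i and -o match the bridge device itself, not eth0 or eth1), and the bridge-nf sysctl that current kernels need before bridged frames are handed to iptables at all. By default the script only prints the plan so it can be reviewed; run it as root with DRY_RUN=0 to apply it.

```shell
#!/bin/sh
# Bridging firewall plan: added example, not from the original thread.
# Interface names, subnets and the bridge address are constructed placeholders.

BRIDGE="${BRIDGE:-br0}"
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"        # port facing the network gateway
INSIDE_IF="${INSIDE_IF:-eth1}"          # port facing the protected hosts
PROTECTED_NET="${PROTECTED_NET:-203.0.113.0/24}"
ALLOWED_NETS="${ALLOWED_NETS:-198.51.100.0/24 192.0.2.0/29}"  # may open connections inbound
BRIDGE_IP="${BRIDGE_IP:-203.0.113.2}"   # address used only to manage the bridge host
BRIDGE_MASK="${BRIDGE_MASK:-255.255.255.0}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the plan, 0 = execute it (as root)

# run: print a command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_bridge: the brctl/ifconfig steps from the message, plus the sysctl that
# makes bridged frames traverse iptables (on kernels 3.18 and later the
# br_netfilter module must be loaded before this sysctl exists).
setup_bridge() {
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$OUTSIDE_IF"
    run brctl addif "$BRIDGE" "$INSIDE_IF"
    run ifconfig "$OUTSIDE_IF" promisc 0.0.0.0
    run ifconfig "$INSIDE_IF" promisc 0.0.0.0
    run ifconfig "$BRIDGE" up
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# write_ifcfg DIR: the ifcfg file from the message, written into DIR
# (the real location is /etc/sysconfig/network-scripts).
write_ifcfg() {
    cat > "$1/ifcfg-$BRIDGE" <<EOF
DEVICE=$BRIDGE
BOOTPROTO=static
IPADDR=$BRIDGE_IP
NETMASK=$BRIDGE_MASK
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
PEERDNS=no
EOF
}

# apply_forward_rules: stateful FORWARD chain for traffic crossing the bridge.
# In FORWARD, -i/-o match the bridge device, so the physical port is selected
# with the physdev match instead.
apply_forward_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Replies and already-established flows, in either direction
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The protected hosts may open connections outward
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE_IF" \
        -s "$PROTECTED_NET" -m state --state NEW -j ACCEPT
    # Only the listed external subnets may open connections to the protected hosts
    for net in $ALLOWED_NETS; do
        run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE_IF" \
            -s "$net" -d "$PROTECTED_NET" -m state --state NEW -j ACCEPT
    done
    # Anything else arriving from outside is logged (rate-limited) before the DROP policy takes it
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE_IF" \
        -d "$PROTECTED_NET" -m limit --limit 5/min -j LOG --log-prefix "bridge-drop: "
}

# Stand-alone use: print the plan, or apply it when DRY_RUN=0.
setup_bridge
apply_forward_rules
```

Once the printed plan looks right, `DRY_RUN=0 sh bridge-fw.sh` applies it and `write_ifcfg /etc/sysconfig/network-scripts` writes the ifcfg file so the bridge comes up at boot. The DROP policy plus the ESTABLISHED,RELATED rule is what makes the filter one-directional: outside hosts not in ALLOWED_NETS never get a new connection through, while the protected boxes keep full outbound access and receive their replies. The LOG rule is there so that blocked attempts show up in the kernel log rather than vanishing silently.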
