From: jeugdvakantiewerkgoirle on 17 Jun 2008 05:53

Hi,

I've configured a Slackware 12.1 box with 2 NICs. Eth0 connects to the ADSL modem, Eth1 connects to a LAN and provides DHCP and filesharing with Samba. I've built a firewall script using the tool provided here: http://www.slackware.com/~alien/efg/ for allowing internet traffic.

'Works like a charm. Recently I've added a wireless router to act as an Access Point. I point the router to 192.168.2.1 (eth1) and get a wireless connection, including access to the samba shares. Of course they require a password to get in, but is there a way to just grant internet access and nothing else to the wireless connections?

How do I separate that kind of traffic? Third NIC? Some clever iptables rules?

Any help much appreciated.
From: Doug Mitton on 17 Jun 2008 10:19

jeugdvakantiewerkgoirle(a)gmail.com wrote:
> Hi,
>
> I've configured a Slackware 12.1 box with 2 NICs. Eth0 connects to the
> ADSL modem, Eth1 connects to a LAN and provides DHCP and filesharing
> with Samba. I've built a firewall script using the tool provided here:
> http://www.slackware.com/~alien/efg/
> for allowing internet traffic.
>
> 'Works like a charm. Recently I've added a wireless router to act as
> an Access Point. I point the router to 192.168.2.1 (eth1) and get a
> wireless connection, including access to the samba shares. Of course
> they require a password to get in, but is there a way to just grant
> internet access and nothing else to the wireless connections?
>
> How do I separate that kind of traffic? Third NIC? Some clever
> iptables rules?
>
> Any help much appreciated.

I have a similar system running under Debian. I have built it up slowly as I wanted services. The way I handle this is to:

- The wireless router is only an AP, no DHCP, etc.
- I set up my own DHCP service on my server/gateway machine.
- I set up static and dynamic IP addresses based on MAC address.
- Any DHCP request from an unknown MAC address is assigned an IP address from the pool which is filtered via iptables rules.
- Any known MAC addresses are assigned "static" IP addresses and are given specific access based on the IP address.

This is a small family network that has no more than 10 computers on it at any one time. My intent is to filter internet access BUT allow intranet access to my shared printer and "Kids Common Drive".

This is not exactly what you wanted BUT it is my approach. Hopefully it gives you some ideas.

--
-------------------------------------------------
http://www3.sympatico.ca/dmitton
SPAM Reduction: Remove ".invalid" from my domain.
-------------------------------------------------
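The DHCP side of the approach Doug describes (known MACs get fixed or reserved addresses, unknown MACs land in a separate pool that the firewall restricts) can be expressed in an ISC dhcpd configuration. The fragment below is an added example, not Doug's configuration; the subnet, ranges, host names and MAC address are constructed for illustration, and the comments mark which range the iptables rules are expected to filter.

```conf
# ISC dhcpd.conf fragment (added example; addresses and MACs are constructed).
# The gateway at 192.168.2.1 serves the wired LAN, as in the original post.

subnet 192.168.2.0 netmask 255.255.255.0 {
    option routers 192.168.2.1;
    option domain-name-servers 192.168.2.1;

    # Machines whose MAC is NOT listed in a host {} block below end up here.
    # The gateway's iptables rules then limit 192.168.2.200-254 to Internet
    # access only (e.g. match them with -m iprange --src-range ...).
    pool {
        allow unknown-clients;
        range 192.168.2.200 192.168.2.254;
        default-lease-time 3600;
        max-lease-time 7200;
    }

    # Dynamic addresses for known MACs that have a host {} block but no
    # fixed-address; this range stays outside the filtered pool.
    pool {
        deny unknown-clients;
        range 192.168.2.100 192.168.2.199;
    }
}

# Known machines: a host {} entry makes the client "known", and an optional
# fixed-address pins it to an IP the firewall can grant LAN access to.
host kids-pc {
    hardware ethernet 00:11:22:33:44:55;   # constructed MAC address
    fixed-address 192.168.2.20;
}

host laptop {
    hardware ethernet 00:11:22:33:44:66;   # constructed MAC address
    # no fixed-address: gets a lease from the "deny unknown-clients" pool
}
```

Two caveats worth keeping in mind with this scheme: MAC addresses are trivially changed, so the pool split is an access-management convenience rather than an authentication boundary, and a client that configures a static IP in the known range bypasses DHCP entirely; both are reasons the reply from Robby Workman (a separate interface for the wireless segment) gives a stronger separation.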
From: Sylvain Robitaille on 17 Jun 2008 10:40

jeugdvakantiewerkgoirle(a)gmail.com wrote:
> How do I separate that kind of traffic? Third NIC? Some clever
> iptables rules?

Either is possible. The IPtables approach would require only that you know what range of addresses will only be used by wireless clients. Another possibility is a virtual network interface, which might at least give you a better starting point. See /usr/src/linux/Documentation/networking/alias.txt for details.

I hope that helps ...

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl(a)alcor.concordia.ca
Systems and Network analyst                          Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
From: Robby Workman on 17 Jun 2008 23:51

On 2008-06-17, jeugdvakantiewerkgoirle(a)gmail.com <jeugdvakantiewerkgoirle(a)gmail.com> wrote:
> Hi,
>
> I've configured a Slackware 12.1 box with 2 NICs. Eth0 connects to the
> ADSL modem, Eth1 connects to a LAN and provides DHCP and filesharing
> with Samba. I've built a firewall script using the tool provided here:
> http://www.slackware.com/~alien/efg/
> for allowing internet traffic.
>
> 'Works like a charm. Recently I've added a wireless router to act as
> an Access Point. I point the router to 192.168.2.1 (eth1) and get a
> wireless connection, including access to the samba shares. Of course
> they require a password to get in, but is there a way to just grant
> internet access and nothing else to the wireless connections?
>
> How do I separate that kind of traffic? Third NIC? Some clever
> iptables rules?

Both will be the most effective. Plug the router into a third NIC, and then use iptables to prevent packets traversing from the wireless interface to the others (except the packets you *want*, which will probably be only those in ESTABLISHED or RELATED state).

-RW
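The third-NIC layout Robby describes, written out as a rule set, as an added example that is not part of the thread or of the efg-generated script. It assumes eth0 is the ADSL uplink and eth1 the wired LAN (192.168.2.1, as in the original post), and it constructs a third interface, eth2, carrying the access point on 192.168.3.0/24; the chain names WIFI_FWD and WIFI_IN and the `apply_wireless_rules` function are the example's own. The interface names, subnet and chains are read from variables so they can be changed without editing the rules, and setting IPT=echo prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the thread): put the wireless segment on its own
# NIC and allow it Internet access only. Assumed layout (constructed):
#   eth0 = ADSL/WAN, eth1 = wired LAN 192.168.2.0/24, eth2 = access point
#   uplink on 192.168.3.0/24 with the gateway at 192.168.3.1.
# Set IPT=echo to preview the rules without root.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WIFI_IF=${WIFI_IF:-eth2}
WIFI_NET=${WIFI_NET:-192.168.3.0/24}

apply_wireless_rules() {
    ipt=${IPT:-iptables}

    # Dedicated chains, flushed if they already exist, so the script can be
    # re-run without piling up duplicate rules.
    $ipt -N WIFI_FWD 2>/dev/null || $ipt -F WIFI_FWD
    $ipt -N WIFI_IN  2>/dev/null || $ipt -F WIFI_IN

    # --- Routed traffic (FORWARD) ---
    # Replies to flows that were already allowed in either direction.
    $ipt -A WIFI_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Wireless -> wired LAN: never. This rule must precede any ACCEPT,
    # so Samba, printers and the rest of the LAN stay unreachable.
    $ipt -A WIFI_FWD -i "$WIFI_IF" -o "$LAN_IF" -j DROP
    # Wireless -> Internet: only new flows, only from the wireless subnet
    # (anything spoofing a LAN source address on eth2 is refused below).
    $ipt -A WIFI_FWD -i "$WIFI_IF" -o "$WAN_IF" -s "$WIFI_NET" -m state --state NEW -j ACCEPT
    # Everything else the wireless side tries to forward: log a sample, drop.
    $ipt -A WIFI_FWD -i "$WIFI_IF" -m limit --limit 3/min -j LOG --log-prefix "wifi-fwd-drop: "
    $ipt -A WIFI_FWD -i "$WIFI_IF" -j DROP
    # New flows from the LAN towards wireless fall through to the existing
    # FORWARD rules, so the wired side keeps whatever policy it has now.

    # --- Traffic addressed to the gateway itself (INPUT) ---
    $ipt -A WIFI_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP requests come from 0.0.0.0 before the client has a lease, so no
    # source match here; DNS is limited to the wireless subnet.
    $ipt -A WIFI_IN -p udp --dport 67 -j ACCEPT
    $ipt -A WIFI_IN -s "$WIFI_NET" -p udp --dport 53 -j ACCEPT
    $ipt -A WIFI_IN -s "$WIFI_NET" -p tcp --dport 53 -j ACCEPT
    # Nothing else on the gateway (SSH, Samba on 137-139/445, ...) is
    # reachable from wireless.
    $ipt -A WIFI_IN -j DROP

    # Hook the chains in ahead of the rules the existing firewall script
    # installed, so they are evaluated first for wireless packets.
    $ipt -I FORWARD 1 -o "$WIFI_IF" -j WIFI_FWD
    $ipt -I FORWARD 1 -i "$WIFI_IF" -j WIFI_FWD
    $ipt -I INPUT   1 -i "$WIFI_IF" -j WIFI_IN
    # Wireless clients leave through the ADSL address, as the LAN does.
    $ipt -t nat -A POSTROUTING -s "$WIFI_NET" -o "$WAN_IF" -j MASQUERADE
}

# Usage: ./wifi-rules.sh apply      (or IPT=echo ./wifi-rules.sh apply)
[ "${1:-}" = "apply" ] && apply_wireless_rules
```

Check the result with `iptables -L FORWARD -v -n` and `iptables -L WIFI_FWD -v -n` and watch the packet counters on the DROP rule while trying to reach a LAN share from a wireless client; a rising counter there, and a `wifi-fwd-drop:` line in the kernel log, confirms the separation is being enforced rather than merely configured. The gateway's eth2 address (192.168.3.1 in this layout) must also be what the access point points at, replacing the 192.168.2.1 target in the original setup.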