cmisip
2003-Jun-05 12:20 UTC
[Shorewall-users] single ethernet interface behind router - how to protect from the net?
I have a D-Link router connected to a cable modem. Behind the router are several computers, each with a single Ethernet interface eth0. Therefore my internal (LAN) and external (internet) interface is the same. I want to protect the machines from the internet but not from each other, so I thought adding rules to accept connections from their respective fw from eth0:192.168.1.0/24 should be adequate. Come to think of it, all traffic from the internet comes through the router first and then to the PC. Does this mean that they are tagged with the address of the router (192.168.1.1) and hence will be part of eth0:192.168.1.0/24? If so, then I did not protect the PC from connections from the internet. Or is my configuration correct? Thanks.
John S. Andersen
2003-Jun-05 12:30 UTC
[Shorewall-users] single ethernet interface behind router - how to protect from the net?
On 5 Jun 2003 at 14:21, cmisip wrote:

> I have a D-Link router connected to a cable modem. Behind the router
> are several computers each with a single Ethernet interface eth0.
> Therefore my internal (LAN) and external (internet) interface is
> the same.

Huh?

> I want to protect the machines from the internet but not from
> each other so I thought adding rules to accept connections from
> their respective fw from eth0:192.168.1.0/24 should be adequate. Come to
> think of it, all traffic from the internet comes through the router
> first and then to the PC. Does this mean that they are tagged with the
> address of the router (192.168.1.1) and hence will be part of
> eth0:192.168.1.0/24? If so, then I did not protect the PC from
> connections from the internet. Or is my configuration correct?
> Thanks.

You cannot protect any other machine with a single interface setup. You can only protect that single machine on which shorewall/iptables is running.

If you want to protect all of them, put another NIC in the Linux machine, hook it to the cable machine with eth0, put a cheap hub or switch on eth1, and ditch the D-Link router.

If you intend to run shorewall separately on EACH machine behind the router, then your setup as explained will not do much good, for the reason you surmised.

--
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

John S. Andersen
NORCOM
mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
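The two-NIC layout the reply recommends (eth0 to the cable modem, eth1 to a hub or switch, D-Link router removed), written out as a Shorewall configuration. This is an added example, not something posted in the thread; it assumes the classic Shorewall 1.x-era column layout of the files under /etc/shorewall, that eth0 gets its public address by DHCP from the cable modem, and that the LAN keeps the 192.168.1.0/24 range from the question.

```text
# /etc/shorewall/zones        (ZONE   DISPLAY   COMMENTS)
net     Net      Internet, via the cable modem
loc     Local    Hosts on the hub/switch behind eth1

# /etc/shorewall/interfaces   (ZONE   INTERFACE   BROADCAST   OPTIONS)
# eth0 replaces the D-Link router as the only thing facing the modem;
# routefilter rejects packets whose source address belongs on the
# other side (anti-spoofing). eth1 is the LAN side.
net     eth0     detect     dhcp,routefilter
loc     eth1     detect

# /etc/shorewall/policy       (SOURCE   DEST   POLICY   LOG LEVEL)
# Default stance: nothing from the net reaches the firewall or the
# LAN unless a rule below opens it; LAN hosts and the firewall may
# go out. The last line catches anything not matched above.
loc     net      ACCEPT
fw      net      ACCEPT
net     all      DROP      info
all     all      REJECT    info

# /etc/shorewall/masq         (INTERFACE   SUBNET)
# The Linux box now does the NAT the D-Link used to do: LAN hosts
# leave eth0 wearing the firewall's public address.
eth0    192.168.1.0/24

# /etc/shorewall/rules        (ACTION   SOURCE   DEST   PROTO   DEST PORT)
# Only the LAN may administer the firewall over ssh; the net gets
# nothing but ping replies (drop the icmp line for full silence).
ACCEPT  loc      fw       tcp     22
ACCEPT  net      fw       icmp    8

# /etc/shorewall/shorewall.conf (one setting that must change)
# The box is a router now, so kernel forwarding has to be on.
IP_FORWARDING=On
```

With this layout the per-host rules from the question become unnecessary: every LAN machine sits behind eth1, so the net->all DROP policy protects all of them at once, while loc->fw and loc->loc traffic is untouched by the firewall box.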