
give machines on network local access but deny any outside access

  • 25-11-2011 12:15pm
    #1
    Registered Users Posts: 391 ✭✭


    hi all,
    i have a network at home - the setup is like this

    switch which is connected to DSL router (d-link DSL-2640R)

    connected to the switch is several computers

    debian file server
    Main pc - dual boot with ubuntu and winxp
    a second pc - also dual boot with winxp and ubuntu

    also several laptops that use wireless to connect directly through the router - all ubuntu

    currently everything has access to every other machine and also access to the internet through the router

    now here is what i would like

    1. all machines have access to the file server
    2. only linux machines have access to the internet at all - all ports to windows machines blocked in and out except for local network
    3. would like to not buy additional hardware.

    anyone know a good way to do this?


Comments

  • Registered Users Posts: 3,564 ✭✭✭swampgas


    hi all,
    i have a network at home - the setup is like this

    switch which is connected to DSL router (d-link DSL-2640R)

    connected to the switch is several computers

    debian file server
    Main pc - dual boot with ubuntu and winxp
    a second pc - also dual boot with winxp and ubuntu

    also several laptops that use wireless to connect directly through the router - all ubuntu

    currently everything has access to every other machine and also access to the internet through the router

    now here is what i would like

    1. all machines have access to the file server
    2. only linux machines have access to the internet at all - all ports to windows machines blocked in and out except for local network
    3. would like to not buy additional hardware.

    anyone know a good way to do this?

    Off the top of my head, I would say you could configure the DHCP server to block the XP systems by giving a bogus or gateway IP address. the Linux machines could have static network settings, so they DO see the gateway.

    This won't stop anyone on an XP system changing their settings manually though.


    I don't know if you could get dd-wrt working on a router instead?


  • Registered Users Posts: 391 ✭✭freelancerTax


    hi swampgas,
    cant install dd-wrt unfortunately its not supported on this router

    i have already tried the fake gateway but i dont really like it because i have read that it only stops you accessing outside the network it doesnt help with blocking incoming connections.

    i guess im looking for a real way to block like a physical firewall without having to buy one..


  • Closed Accounts Posts: 2,024 ✭✭✭shannon_tek


    Would it not be possible to have one computer at the top that will deny incoming and outgoing and have the rest of the pc's in a loop. If you get what I'm saying.

    I don't know if that's possible. It's something I would like to have.


  • Registered Users Posts: 391 ✭✭freelancerTax


    hi shannontek,
    this is something i have thought about - im not quite sure how to do it though - would be better with a pc on all the time - i could use the file server as i have built it like a nas (super small, low power, wol, headless)

    i would have liked to be able to do it at router level but unfortunately my router sucks.....


  • Registered Users Posts: 3,564 ✭✭✭swampgas


    hi swampgas,
    cant install dd-wrt unfortunately its not supported on this router

    i have already tried the fake gateway but i dont really like it because i have read that it only stops you accessing outside the network it doesnt help with blocking incoming connections.

    i guess im looking for a real way to block like a physical firewall without having to buy one..

    Well, incoming connections shouldn't make it through the NAT/firewall on the router in the first place. So a fake gateway should work well enough.


  • Registered Users Posts: 391 ✭✭freelancerTax


    unfortunately my router does allow incoming connections by default and doesnt have a good filtering system otherwise i would be doing this


  • Closed Accounts Posts: 3,362 ✭✭✭rolion


    now here is what i would like

    1. all machines have access to the file server
    2 only linux machines have access to the internet at all - all ports to windows machines blocked in and out except for local network
    3. would like to not buy additional hardware.

    anyone know a good way to do this?

    1. setup your LAN with IP address range as on your Debian server (and DNS if it is running on Debian server) then do file access and user/share access from the server and with local accounts

    2. without a default gateway (router), ALL your inside LAN PCs won't know how to get outside, on the WAN, through your router. Setting only IP address, subnet mask (and DNS if it is running on Debian server) will allow local traffic only. Access to another network is done at IP address network level, not at ports level (where applications, services are configured). Set correct Default Gateway info on Linux computers.

    3. no hardware, just IP configuration, done from DHCP leasing, reservation based on MAC address in the Debian DHCP server configuration OR manually assigning IPs on each client PC.

    Good luck...
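
    One way to write the DHCP set-up described in the post above, as an added example that is not part of the original thread: an ISC dhcpd configuration for the Debian server that hands a default gateway only to non-Windows clients. It goes beyond per-MAC reservations, because the dual-boot PCs present the same MAC address under XP and Ubuntu, and keys instead on the vendor class that Windows DHCP clients send ("MSFT 5.0"). The subnet, addresses and pool ranges are assumptions, and the router's own DHCP server is assumed to be switched off.

```conf
# /etc/dhcp/dhcpd.conf on the Debian file server (ISC dhcpd).
# All addresses below are assumed values for illustration:
#   LAN 192.168.1.0/24, D-Link router 192.168.1.1, file server 192.168.1.10

authoritative;
default-lease-time 3600;
max-lease-time 86400;

# Windows DHCP clients (XP included) identify themselves with
# vendor class "MSFT 5.0" in option 60.
class "windows" {
  match if substring (option vendor-class-identifier, 0, 4) = "MSFT";
}

subnet 192.168.1.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;

  # Windows boots: address and netmask only. With no "option routers"
  # the client gets no default gateway and can reach only the local
  # subnet, which still includes the Samba shares on 192.168.1.10.
  pool {
    allow members of "windows";
    range 192.168.1.200 192.168.1.229;
  }

  # Everything else (the Ubuntu boots and the laptops): full settings.
  # DNS is pointed at the router here, assuming it relays DNS queries.
  pool {
    deny members of "windows";
    range 192.168.1.100 192.168.1.149;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
  }
}

# The file server itself keeps a static address outside both ranges.
```

    As pointed out earlier in the thread, this only controls what the clients are told: a gateway entered by hand on an XP machine still works, and nothing here filters connections coming in through the router.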


  • Registered Users Posts: 391 ✭✭freelancerTax


    thanks swampgas and rolion for the gateway suggestion
    does any of ye know if its safe to not have firewall, anti-virus enabled on windows machines in this configuration?

    both windows and linux machines will have access to private data via samba on the debian fileserver

    ft


  • Closed Accounts Posts: 3,362 ✭✭✭rolion


    viruses can have the origins from:

    inside, on a 'floppy', cd, usb, file AND/OR a virus got it from an email received on another PC in the LAN. My advice, ignore firewall, get Antivirus.

    outside, from a bad website, bad email or an improperly configured firewall.

    I know at least one software, quite good, that does a special offer on internet security for 3 PCs, but you may have to run live update somehow "offline": download the update exe file and run it on each Windows PC, at least once a week from a USB key that could be, potentially, infected from another PC !!!

    Even if the Windows PCs do not have access to internet, the latest viruses/trojans/malware/spyware, once they 'infect' a victim in a LAN topology, they are looking for potential targets in the next second! On your Windows PCs... they will just 'miss' the "call home" functionality... :)

    Regards


  • Registered Users Posts: 391 ✭✭freelancerTax


    thanks rolion

    hhmmm im kinda wanting to restrict the internet so i dont need firewall/antivirus on the windows machines

    lets say all the linux machines are secure and stuff like infection from usb external devices are taken out of the equation - would it be safe to run without antivirus? - this is kinda the point of doing this so i dont have to maintain the windows machines at all

    thanks
    ft


  • Closed Accounts Posts: 3,362 ✭✭✭rolion


    On Win XP i will get AV, on Win7 not

    Is your call... :)


  • Registered Users Posts: 1,629 ✭✭✭NullZer0


    Use one of the linux machines as a gateway with a router behind it.
    Configure ACL's.


    Job done


  • Closed Accounts Posts: 3,362 ✭✭✭rolion


    iRock wrote: »
    Use one of the linux machines as a gateway with a router behind it.
    Configure ACL's.


    Job done

    Can you elaborate on your "job done", pls!?
    What exactly can we make from your post!??
    ACLs on... dynamic or static IPs? Or, go a step forward and do it on MAC address!! :)
    What is wrong with existing DLink router!??

    Gateway / no gateway is the simple and safe here...

    Please confirm !

    Regards


  • Registered Users Posts: 391 ✭✭freelancerTax


    hi iRock,
    can you please elaborate on your post - im not an it expert :)

    ft


  • Registered Users Posts: 1,629 ✭✭✭NullZer0


    rolion wrote: »

    Gateway / no gateway is the simple and safe here...


    Thats not really secure though, if you dont assign a gateway, can't it just be changed?


  • Registered Users Posts: 1,629 ✭✭✭NullZer0


    hi iRock,
    can you please elaborate on your post - im not an it expert :)

    ft

    I was thinking that you could use the Linux box as a gateway or proxy (allowing you to still have filtered internet access), to make it completely secure, you would need to have two NIC's on the linux box.


  • Registered Users Posts: 391 ✭✭freelancerTax


    hi iRock
    thats a problem because i only have one ethernet port on each machine... not server boards ...... :(

    is there any other secure way you know of doing this?

    thanks,
    ft

