[SGVLUG] Preventing certain Machines from Internet

John E. Kreznar jek at ininx.com
Mon Nov 5 17:38:13 PST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Sean O'Donnell" <sean at seanodonnell.com> writes:

> > Arthur Baldwin wrote:
> >> I was wondering if anyone knows of an existing project where the
> >> following can be achieved:
> ...
> ...
> >> I think that this type of software would fill a very common need in very
> >> small businesses (less than 10 employees).


> ... doh, sorry, you were looking for an out-the-box solution. *ignore
> me, as usual* =)

But the iptables or ip_forward solution that you propose IS
"out-the-box" (the dhcp part is not wanted since the IP addresses of
Baldwin's machines "would be known" so are presumably static) -- all
Baldwin has to do is configure the gateway to do address translation
only for the privileged interior machines on his LAN, but not for the
others.

Contrary to Emerson's assertion in a later posting, some sites DO want
to deliberately block all Internet access from interior machines -- I
do that all the time so that I'm free to "romp" on interior machines
without fear that errant software will tattle to the Internet.

Contrary to a proposal by Felizardo in a later post, no new hardware
is required for your iptables + ip_forward solution -- the existing
gateway machine can do the job.

- -- 
 John E. Kreznar jek at ininx.com 9F1148454619A5F08550 705961A47CC541AFEF13

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8+ <http://mailcrypt.sourceforge.net/>

iD8DBQFHL8VQYaR8xUGv7xMRAsZ8AJ9SNvNuXzHNUMj+GMy7FLZIcFKG4wCfQ7bo
2TgPXzw5MHhxGbMcHrP1TT4=
=oerv
-----END PGP SIGNATURE-----
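
Added example, not part of Kreznar's message or the thread: one way to express "address translation only for the privileged interior machines" as a ruleset for the existing gateway. The interface names (eth0 toward the Internet, eth1 toward the LAN) and the 192.168.1.x host addresses are assumptions, and the default-drop FORWARD policy goes one step beyond the NAT-only description so that unlisted hosts cannot send un-translated packets either.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that forwards and NATs
# only the listed interior hosts. Interfaces and addresses are assumptions.
WAN_IF=eth0   # assumed Internet-facing interface
LAN_IF=eth1   # assumed interior-facing interface

# Return 0 only if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1          # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset for the privileged hosts given as arguments.
# Prints nothing and returns 1 if any argument is not a valid address.
gateway_rules() {
    for host in "$@"; do
        is_ipv4 "$host" || { echo "bad address: $host" >&2; return 1; }
    done
    echo "*nat"
    echo ":POSTROUTING ACCEPT [0:0]"
    for host in "$@"; do
        echo "-A POSTROUTING -s $host/32 -o $WAN_IF -j MASQUERADE"
    done
    echo "COMMIT"
    echo "*filter"
    # Default-drop forwarding: hosts not listed below get no route out at all.
    echo ":FORWARD DROP [0:0]"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for host in "$@"; do
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $host/32 -j ACCEPT"
    done
    echo "COMMIT"
}

# Constructed sample: two privileged hosts. Review the output, then as root:
#   sysctl -w net.ipv4.ip_forward=1
#   gateway_rules 192.168.1.10 192.168.1.11 | iptables-restore
gateway_rules 192.168.1.10 192.168.1.11
```

iptables-restore replaces whatever rules are already in the nat and filter tables, so merge any existing INPUT or OUTPUT rules into the output before loading it.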


