Hi Martin,

Thank you very much for your help.

I entered:

    ip address add 192.168.2.254/24 dev eth0

and also I added IP masquerading for this address range. Everything now is working very well, just as I wanted.

Of course, if a user changed his IP address from the 192.168.2.* range into 192.168.1.*, he would be able to "see" the rest of the network neighbourhood. But I don't think this would be a problem, because most of the LAN users are just newbie PC users... :)

Thank you,
Rokas Zakarevicius

> If you are indeed using a hub, then each of the machines on the internal
> network will be able to see the others, and all of the traffic, but only
> under two potential conditions:
>
>   - a user puts the NIC into promiscuous mode
>   - a user adds a route to the other IP network via the NIC
>
> But, these are security considerations, and probably not a problem for
> you.
>
>
> This will bring up a new address on eth0, cause the kernel to respond for
> ARP, and add a route to the 192.168.2.0/24 network:
>
>   ip address add 192.168.2.254/24 dev eth0
>
> I'd recommend, additionally that you block all traffic to/from each of the
> 192.168.x.0/24 networks:
>
>   iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP
>   iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP
>
> Note, that still doesn't prevent users on each segment from potentially
> seeing each other (see above)--it just means that the IP networks will not
> be able to forward packets through your linux box to each other.
>
> You may need to alter your traffic control configuration to include
> references to the new IP range, but there is no problem with this
> solution.
>
> -Martin
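
The limit of the two FORWARD rules discussed in this thread can be modelled in a few lines. This is an added example, not part of the original messages: the `classify` function and the host addresses are constructed for illustration, and it assumes every host sits on the one shared hub with the Linux box as its gateway.

```python
import ipaddress

# The two FORWARD DROP rules quoted above, as (source net, destination net).
DROP_RULES = [
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.1.0/24")),
    (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24")),
]


def classify(host_if, dst_ip, extra_onlink=()):
    """Say what happens to one packet sent by a host on the shared hub.

    host_if      -- the sender's configured address, e.g. "192.168.2.10/24"
    dst_ip       -- destination address
    extra_onlink -- networks the user has routed directly out of the NIC

    Returns "on-link" (delivered over the hub, never enters the router's
    FORWARD chain), "dropped" (routed via the Linux box and matched by a
    DROP rule) or "forwarded" (routed and not matched).
    Models one direction only; a reply is classified from the other host.
    """
    iface = ipaddress.ip_interface(host_if)
    dst = ipaddress.ip_address(dst_ip)
    onlink = [iface.network] + [ipaddress.ip_network(n) for n in extra_onlink]
    if any(dst in net for net in onlink):
        return "on-link"
    for src_net, dst_net in DROP_RULES:
        if iface.ip in src_net and dst in dst_net:
            return "dropped"
    return "forwarded"


if __name__ == "__main__":
    # Constructed sample hosts; 203.0.113.5 stands in for an outside address.
    cases = [
        ("192.168.2.10/24", "192.168.1.20", ()),                  # normal user
        ("192.168.1.30/24", "192.168.1.20", ()),                  # renumbered host
        ("192.168.2.10/24", "192.168.1.20", ("192.168.1.0/24",)),  # added route
        ("192.168.2.10/24", "203.0.113.5", ()),                   # masqueraded
    ]
    for host_if, dst, extra in cases:
        print(host_if, "->", dst, classify(host_if, dst, extra))
```

Only the first case reaches a DROP rule; the renumbered host and the added route stay on the wire, which is why separating the two groups for real needs separate physical segments or VLANs rather than more FORWARD rules.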