On Tuesday 20 April 2004 4:08 am, Rodrigo Haces wrote:
> New Situation:
>
> eth0: 192.168.1.1 Connected to hub 1
> eth1: 192.168.0.1 Connected to hub 2
>
> hub 1 is for guests
> hub 2 is for administrative purposes, and MUST be able to use network
> 192.168.0.x and 192.168.1.x

So, the firewall needs to allow 192.168.1.0/24 addresses to connect to 192.168.0.0/24 but not the other way round.

> so this is something i thought.
>
> eth0... 192.168.1.1 netmask 255.255.255.0
> eth1... 192.168.0.1 netmask 255.255.0.0

Doesn't look good.

> eth1:1. 192.168.1.101 netmask 255.255.0.0

Looks as bad as the first idea, with only one interface.

> my laptop is part of the administrative sector, i have 192.168.0.10 ip, but
> i need to be able to use also 192.168.1.10 so i can monitor guests,

What is wrong with your laptop having just one IP address (that *is* conventional, after all), and the firewall allowing it to "monitor" addresses in the other subnet? Perhaps you should explain more about what you mean by "monitor"?

> Any ideas

Yes. Have two subnets with separate address ranges, a firewall in between, and allow one subnet to connect to the other, but not the other way round.

eg:

eth0 192.168.1.1 netmask 255.255.255.0
eth1 192.168.0.1 netmask 255.255.255.0

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Regards,
Antony.

-- 
Success is a lousy teacher. It seduces smart people into thinking they can't lose. - William H Gates III

Please reply to the list; please don't CC me.
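The one-way FORWARD ruleset sketched in the reply above, written out as a reviewable script (an added example, not code from the thread). It keeps the same interfaces, subnets and direction as the message, and adds source/destination matching on the accept rule, an INVALID drop and a rate-limited log of what the default policy discards; the variable names and the "apply" argument are this example's own.

```sh
#!/bin/sh
# Added example, not from the original thread: the one-way FORWARD ruleset
# from the reply above, with -s/-d matching and a logging rule added.
# Interface names and subnets are the ones assumed in the message.
set -eu

INIT_IF=eth0; INIT_NET=192.168.1.0/24   # side allowed to open connections
PEER_IF=eth1; PEER_NET=192.168.0.0/24   # side that may only answer

# Print the ruleset instead of applying it, so it can be reviewed first.
# Policy is set to DROP before flushing so the chain never fails open.
gen_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INIT_IF -s $INIT_NET -o $PEER_IF -d $PEER_NET -m state --state NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "
EOF
}

# Count the rules that accept new connections; the design wants exactly one,
# so anything else means the ruleset was edited into something it should not be.
count_new_accepts() {
  gen_rules | grep -c -- '--state NEW -j ACCEPT'
}

# Apply the rules; needs root and a kernel with the conntrack state match.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  gen_rules | sh -e
  iptables -S FORWARD    # show what actually got loaded
}

if [ "${1:-}" = "apply" ]; then
  apply_rules
else
  gen_rules
fi
```

Run without arguments to print the rules for review; run with `apply` as root to load them and list the resulting FORWARD chain.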