From: "Rokas" <rokasz@centras.lt>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] HTB shaping different subnets...
Date: Wed, 06 Aug 2003 05:30:22 +0000
Message-ID: <marc-lartc-106014793431071@msgid-missing>
In-Reply-To: <marc-lartc-106009132605524@msgid-missing>


Hi Martin,

Thank you very much for your help.
I entered: ip address add 192.168.2.254/24 dev eth0
and also I added IP masquerading for this address range.
Everything now is working very well, just as I wanted.

Of course, if a user changed his IP address from the 192.168.2.* range
into 192.168.1.*, he would be able to "see" the rest of the network
neighbourhood. But I don't think this would be a problem, because
most LAN users are just newbie PC users... :)

Thank you,

      Rokas Zakarevicius

> If you are indeed using a hub, then each of the machines on the internal
> network will be able to see the others, and all of the traffic, but only
> under two potential conditions:
>
>   - a user puts the NIC into promiscuous mode
>   - a user adds a route to the other IP network via the NIC
>
> But, these are security considerations, and probably not a problem for
> you.
>
>
> This will bring up a new address on eth0, cause the kernel to respond for
> ARP, and add a route to the 192.168.2.0/24 network:
>
>   ip address add 192.168.2.254/24 dev eth0
>
> I'd recommend, additionally that you block all traffic to/from each of the
> 192.168.x.0/24 networks:
>
>   iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP
>   iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP
>
> Note, that still doesn't prevent users on each segment from potentially
> seeing each other (see above)--it just means that the IP networks will not
> be able to forward packets through your linux box to each other.
>
> You may need to alter your traffic control configuration to include
> references to the new IP range, but there is no problem with this
> solution.
>
> -Martin

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
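Martin's two FORWARD rules only isolate the subnets if nothing earlier in the chain already accepts that traffic, since netfilter takes the first matching rule. The following Python script is an added example, not part of this thread: a tiny first-match simulator for `-s`/`-d`/`-j` FORWARD rules in iptables-save syntax, used to audit whether both cross-subnet directions end in DROP; the rule sets are constructed for illustration.

```python
import ipaddress
import shlex

def parse_rule(line):
    """Parse one `-A FORWARD ...` line (iptables-save style) into a dict.
    Only -s, -d and -j are understood; any other match is ignored (assumption)."""
    toks = shlex.split(line)
    rule = {"src": None, "dst": None, "target": None}
    for i, tok in enumerate(toks):
        if tok == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif tok == "-j":
            rule["target"] = toks[i + 1]
    return rule

def forward_verdict(rules, src_ip, dst_ip, policy="ACCEPT"):
    """First matching rule wins, as in netfilter; otherwise the chain policy applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in map(parse_rule, rules):
        if (r["src"] is None or src in r["src"]) and (r["dst"] is None or dst in r["dst"]):
            return r["target"]
    return policy

def cross_subnet_blocked(rules, net_a, net_b, policy="ACCEPT"):
    """Audit: is forwarding between the two LAN subnets dropped in both directions?
    Probes the first usable host of each network."""
    a = next(ipaddress.ip_network(net_a).hosts())
    b = next(ipaddress.ip_network(net_b).hosts())
    return (forward_verdict(rules, str(a), str(b), policy) == "DROP"
            and forward_verdict(rules, str(b), str(a), policy) == "DROP")

# Constructed rule sets. GOOD is Martin's pair of rules as posted; BAD is the same
# pair placed behind a broad ACCEPT of the kind a masquerading setup often adds first.
GOOD = [
    "-A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP",
    "-A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP",
]
BAD = ["-A FORWARD -s 192.168.0.0/16 -j ACCEPT"] + GOOD

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        ok = cross_subnet_blocked(rules, "192.168.1.0/24", "192.168.2.0/24")
        print(name, "isolates 192.168.1.0/24 from 192.168.2.0/24:", ok)
```

As Martin notes, a DROP in FORWARD only covers traffic routed through the Linux box; hosts on a shared hub that add a route via their own NIC never pass through this chain.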
