From: Simon H. <li...@th...> - 2008-08-29 16:32:31
hOZONE wrote:
> it's for an architect.
> he has two offices (let's call them NET_A and NET_B), max 10 PCs per office.
> the internet gateway is 192.168.1.1 with DHCP (192.168.1.100 to
> 192.168.1.250) and it is "closed" by the ISP vendor, so it must have
> this address.
> there is one server (192.168.1.3) which must be visible in office A.
> PCs in office NET_A should not see PCs of operators in office NET_B,
> and vice versa.

There are several ways of dealing with this, and none of them are Shorewall-specific.

Ideally, what you would do is simply set up net B with a different subnet and add a route in the router, i.e. tell the router that 192.168.2.0/24 is reached via your Shorewall box. If you can gain access to the router, then that would be my recommended option.

If you can't access the router, then consider doing a second level of NAT, i.e. you have your own router with an 'external' interface in 192.168.1.0/24 and as many other interfaces as you want for the rest of your network. You simply MASQ all your internal networks onto one 'external' address to get out to the internet. You could renumber net A so that there is no NAT between anything internal.

If you choose to use bridging, then you will have to block all traffic by default and then allow certain traffic. You will have to selectively allow some ARP traffic so that net B devices can find the router and server, and vice versa. You will probably also have to allow some broadcast traffic to/from the server to make Windows networking operate. With Linux/Shorewall there are restrictions when bridging (see the Shorewall website): after some version of the kernel, you cannot filter outbound traffic from the firewall, only inbound. But I think you should have no trouble achieving what you are after.
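As an added illustration (not part of the original question or Simon's reply), the following is what the second-level-NAT option could look like in Shorewall configuration files. Everything here is assumed for the example: the interface names eth0/eth1/eth2, the zone names neta/netb, the internal subnets 192.168.2.0/24 (office A) and 192.168.3.0/24 (office B), and the decision to keep office B away from the server at 192.168.1.3 (the post only says the server must be visible from A). The Shorewall box's eth0 sits in 192.168.1.0/24 on the ISP router's side and takes a DHCP lease there; eth1 and eth2 carry the two offices.

```text
# /etc/shorewall/zones  (example layout, assumed names)
#ZONE   TYPE
fw      firewall
net     ipv4
neta    ipv4
netb    ipv4

# /etc/shorewall/interfaces
# eth0 faces the ISP router (192.168.1.1) and gets its address by DHCP;
# eth1 = office A (192.168.2.1/24), eth2 = office B (192.168.3.1/24).
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
neta    eth1        detect
netb    eth2        detect

# /etc/shorewall/policy  (first match wins, so office-to-office DROP
# comes before the catch-all REJECT and both offices get internet access)
#SOURCE   DEST    POLICY   LOG LEVEL
fw        all     ACCEPT
neta      net     ACCEPT
netb      net     ACCEPT
neta      netb    DROP     info
netb      neta    DROP     info
net       all     DROP     info
all       all     REJECT   info

# /etc/shorewall/rules
# Assumption for this example: office B may use the internet but must not
# reach the server on the ISP-side segment.  Office A reaches it via the
# 'neta -> net ACCEPT' policy above; the server sees A's traffic as coming
# from the firewall's eth0 address because of the masquerading below.
#ACTION   SOURCE   DEST               PROTO
DROP      netb     net:192.168.1.3    all

# /etc/shorewall/masq
# Both office subnets leave through eth0 using its (DHCP-assigned) address,
# which is the only address the locked-down ISP router ever sees.
#INTERFACE   SOURCE
eth0         192.168.2.0/24,192.168.3.0/24
```

Two things a practitioner will want to remember with this layout: IP_FORWARDING must be On in shorewall.conf (or enabled in the kernel some other way), and the office PCs must now get their leases from a DHCP server on the Shorewall box's eth1/eth2 rather than from the ISP router, since the router's DHCP scope never reaches them. Because the server and office A are on different subnets, NetBIOS broadcast name resolution will not cross the firewall either; name the server by IP, or via DNS/WINS, rather than relying on browse-list broadcasts.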