
Re: Sample ruleset for dividing LANs



Steven Bowers <[email protected]> writes:
> I've been running a small LAN for some time with just two nics, one
> for the external DSL router and the other to my personal LAN. Recently
> I moved to a nicer apartment complex and would like to share my DSL to
> some of the residents. I've added a third nic and attached a Linksys
> WRT54G to it. Before I open it up to the complex I was trying to setup
> a ruleset that restricted traffic on that network from my own. Could
> someone give me a brief outline of how to keep the residents on the
> network I've setup for them?
>
> My LAN runs on 192.168.1.0/16 and I'm planning to put them on 192.168.21.0/16
This is probably a situation where block all, then specifying pass rules
specific to the interfaces makes for the most readable rule set.
Something along the lines of
# The /16 prefixes in the thread both describe 192.168.0.0/16 and would
# not separate the two networks; /24 is assumed here.
mylan = "192.168.1.0/24"
otherlan = "192.168.21.0/24"
# Replace with the real interface names (see ifconfig); macro values are quoted.
my_if = "defineme0"
other_if = "defineme1"
ext_if = "defineme2"
scrub in all
block all
## do your nat
nat on $ext_if from { $mylan, $otherlan } to any -> ($ext_if)
## other rdr as needed
# Macros are referenced with a leading $; keep state on the inbound rules
# so replies and the forwarded side are carried by the state table.
pass in on $my_if from $mylan to any keep state
pass out on $ext_if from $mylan to any keep state
pass in on $other_if from $otherlan to any keep state
pass out on $ext_if from $otherlan to any keep state
- with the addition of some restriction on which ports and a few other
embellishments - could be what you need.
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
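The sketch above, filled out with the port restrictions it leaves as an exercise, as an added example that is not part of the original mail or Peter's own configuration. The interface names, the resident port list and the assumption that this box answers DNS for the residents are all assumptions; the networks are written as /24 because the two /16 prefixes quoted in the thread both describe 192.168.0.0/16 and would not separate anything. It keeps the pre-OpenBSD-4.7 `nat on` syntax the thread uses.

```pf
# Added example, not from the original post. Interface names, the resident
# port list and "this box serves DNS to residents" are assumptions.
ext_if   = "fxp0"
my_if    = "fxp1"
other_if = "fxp2"
mylan    = "192.168.1.0/24"
otherlan = "192.168.21.0/24"

# What residents may reach on the Internet (assumed list; tighten to taste).
resident_tcp = "{ 22, 25, 80, 110, 143, 443, 993, 995 }"

set skip on lo0
scrub in all

# Default deny: every pass rule below is an explicit exception to this.
block all

# Drop packets that arrive on one internal interface carrying a source
# address belonging to the other interface's network.
antispoof quick for { $my_if, $other_if }

nat on $ext_if from { $mylan, $otherlan } to any -> ($ext_if)

# Residents: never my LAN and never this box, except DNS. The block is
# redundant with "block all" but "quick" keeps it true if someone later
# adds a broader pass rule for $other_if.
block in quick on $other_if from $otherlan to { $mylan, $my_if }
pass in on $other_if inet proto udp from $otherlan to $other_if port 53 keep state
pass in on $other_if inet proto tcp from $otherlan to any port $resident_tcp keep state
pass in on $other_if inet proto udp from $otherlan to any port 53 keep state

# My LAN: unrestricted, including into the resident network.
pass in on $my_if from $mylan to any keep state

# Egress and forwarding. The states created by the pass-in rules already
# carry this traffic; these rules cover the outbound side explicitly. With
# this nat syntax the outbound filter on $ext_if sees the translated source
# address, so it is not restricted to $mylan/$otherlan.
pass out on $ext_if keep state
pass out on $other_if from $mylan to $otherlan keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and verify the segregation from a resident host: a connection to an address in $mylan should get no reply at all, while a connection to one of the listed ports on the Internet should work.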