Can I deny internet from a doze box, but still get samba? - Networking


  1. Can I deny internet from a doze box, but still get samba?

    OK, here's the thing. I've got a "gateway" box, that has apache, for the
    website, Samba, for the LAN, and "dnsmasq", which it's. It plugs into the
    DSL, and there are 6 other boxen on the LAN. 3 of them are doze boxen, 2
    are "spare" Slack boxen, and one - my workstation - I dual-boot, Slack
    11.0 or W2K.

    Is it possible, when I boot my box to Doze, to deny internet access to it,
    but still let it get to the Samba server?

    In other words, I've got this:
                  ____________
    ---DSL---["The Server"]-------["My Workstation"]
             [            ]-------[box A]
             [            ]-------[box B]
             [____________] etc.

    And what I want to do is, when I boot "My Workstation" in Slack, I want
    internet and Samba (which I have) but when I boot it in Windows 2000, I
    want Samba file access (which I now have), but no internet (which I have
    but don't want).

    The server is running Slackware 11.0, with all of the defaults, and it's
    the first time I've seen "dnsmasq", which somebody told me "doesn't really
    mean masquerading" or something like that. I've looked at dnsmasq.conf,
    and am pretty much baffled as to how to do that, and, as I said, I don't
    even know if it's possible, let alone how to do so if it is.

    And, of course, I want the other boxen (3 x W2K + 1 x Slack 11.0 +
    1 x Slack 10.0) to still have both Samba and Internet access - the guys
    in the office run AV almost daily, and so on. I've also stuck a big
    "hosts" file on "The Server" - I'll have to check if that has
    "answerworks" - that's always been a pain in the ass.

    Thanks,
    Rich


  2. Re: Can I deny internet from a doze box, but still get samba?

    On Mon, 26 Feb 2007 19:14:18 +0000, Rich Grise wrote:
    > Is it possible, when I boot my box to Doze, to deny internet access to it,
    > but still let it get to the Samba server?


    If you're assigning IP addresses statically, you could give different
    addresses to the Windows and Linux installations, and then use a
    firewall rule on the gateway machine to deny Internet access to the
    Windows system.

    Mike
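
The gateway rule suggested in this reply, as an added example that is not part of the original post: a small shell script that prints iptables rules keeping Samba reachable on the gateway while rejecting anything the Windows address tries to route out the DSL side. The address 192.168.1.50 and the interface names eth1 (LAN) and eth0 (DSL) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: the Windows install has
# the static address 192.168.1.50, eth1 faces the LAN, eth0 faces the DSL line.

valid_ipv4() {
    # Accept only a dotted quad with octets 0-255.
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_iface() {
    # Interface names: letters, digits, '_', '.', '-' only.
    case "$1" in
        ""|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

emit_rules() {
    win_ip=$1 lan_if=$2 wan_if=$3
    valid_ipv4 "$win_ip" || { echo "bad address: $win_ip" >&2; return 1; }
    valid_iface "$lan_if" && valid_iface "$wan_if" ||
        { echo "bad interface name" >&2; return 1; }
    cat <<EOF
# Samba runs on the gateway itself, so that traffic arrives on INPUT.
iptables -I INPUT -i $lan_if -s $win_ip -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -I INPUT -i $lan_if -s $win_ip -p tcp -m multiport --dports 139,445 -j ACCEPT
# Packets routed from that host toward the DSL side cross FORWARD: log, then reject.
iptables -I FORWARD 1 -i $lan_if -o $wan_if -s $win_ip -j LOG --log-prefix "W2K-WAN-BLOCK: "
iptables -I FORWARD 2 -i $lan_if -o $wan_if -s $win_ip -j REJECT
EOF
}

# Print the rules for review; nothing is applied to the running firewall.
emit_rules 192.168.1.50 eth1 eth0
```

The rules match on source address only, so they hold only while the Windows install keeps that address; they guard against accidental exposure, not against someone with admin rights on the workstation. The LOG line gives the gateway a record of every outbound attempt from the blocked address.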

  3. Re: Can I deny internet from a doze box, but still get samba?

    On Mon, 26 Feb 2007 20:12:25 +0000, Mike Playle wrote:

    > On Mon, 26 Feb 2007 19:14:18 +0000, Rich Grise wrote:
    >> Is it possible, when I boot my box to Doze, to deny internet access to it,
    >> but still let it get to the Samba server?

    >
    > If you're assigning IP addresses statically, you could give different
    > addresses to the Windows and Linux installations, and then use a
    > firewall rule on the gateway machine to deny Internet access to the
    > Windows system.
    >


    Thanks for this, but now how do I learn how to "use a firewall rule"?

    I'm sure there's an RTFM out there somewhere, could you or anyone
    please point me to it?

    Thanks,
    Rich



  4. Re: Can I deny internet from a doze box, but still get samba?

    Rich Grise post:

    > Thanks for this, but now how do I learn how to "use a firewall rule"?


    It's been a while since I set up a server, but here's where I would
    look:

    http://www.slackbook.org/html/security.html
    especially section Host Access Control

    man iptables
    man hosts

    /usr/share/doc/Linux-HOWTOs/Firewall-HOWTO
    or other HOWTOs, but keep in mind that they may be a bit old.

    Roel

  5. Re: Can I deny internet from a doze box, but still get samba?

    Roel Kluin wrote:
    > Rich Grise post:
    >
    >
    >>Thanks for this, but now how do I learn how to "use a firewall rule"?

    >
    >
    > It's been a while since I set up a server, but here's where I would
    > look:
    >
    > http://www.slackbook.org/html/security.html
    > especially section Host Access Control
    >
    > man iptables
    > man hosts
    >
    > /usr/share/doc/Linux-HOWTOs/Firewall-HOWTO
    > or other HOWTOs, but keep in mind that they may be a bit old.
    >
    > Roel


    There's plenty of information on the Netfilter pages, including
    current HOWTOs.

    --

    Tauno Voipio
    tauno voipio (at) iki fi

  6. Re: Can I deny internet from a doze box, but still get samba?

    Rich Grise wrote:
    > Is it possible, when I boot my box to Doze, to deny internet access to it,
    > but still let it get to the Samba server?


    Download zone alarm (firewall) for the windows box. It defaults to no
    apps allowed to connect to the internet, they need to ask for
    permission. When you see the box come up warning that firefox or IE are
    trying to access the internet, say no, and check the "remember this
    decision" box.

    As for samba, look at the 'trusted zones' section in zone alarm, and put
    in the (local) address of your samba server. Allows connections into and
    out of the windows box.

    Should be pretty easy with zone alarm.

    HTH.

    --
    As we enjoy great advantages from inventions of others, we should be glad
    of an opportunity to serve others by any invention of ours;
    and this we should do freely and generously.
    --Benjamin Franklin
    (remove _eh to email)

  7. Re: Can I deny internet from a doze box, but still get samba?

    On Mon, 26 Feb 2007 19:14:18 +0000, Rich Grise wrote:

    > Is it possible, when I boot my box to Doze, to deny internet access to
    > it, but still let it get to the Samba server?
    >
    > In other words, I've got this:
    >           ____________
    > ---DSL---["The Server"]-------["My Workstation"]
    >          [            ]-------[box A]
    >          [            ]-------[box B]
    >          [____________] etc.


    Are the boxen configured with fixed IP addresses? If yes, simply remove
    the default gateway entry in Doze or point it to an unused IP address in
    your subnet.

    If no (the server runs dhcpd), things get a little more tricky - dhcpd
    doesn't know the OS of the calling box and Slack/W2k will both connect
    with the same MAC address by default. However, if supported by your NIC,
    you could set different MAC addresses in Slack or W2k and make a special
    entry for the W2k MAC address in your dhcpd.conf so that no gateway
    address is passed to W2k, or the gateway address passed is an unused IP
    address in your subnet.

    http://www.irongeek.com/i.php?page=security/changemac





  8. Re: Can I deny internet from a doze box, but still get samba?

    On Mon, 26 Feb 2007 19:14:18 +0000, Rich Grise wrote:

    > I dual-boot, Slack
    > 11.0 or W2K.
    >


    >
    > Thanks,
    > Rich
    >

    Not strictly on-topic...

    Advice: stop dual booting. Run W2k under VMWare hosted on Slackware. That
    way you can simplify your network layout, and also provide IPtables
    protection for the W2k box.

    --
    Douglas Mayne

  9. Re: Can I deny internet from a doze box, but still get samba?

    Rich Grise wrote:
    > OK, here's the thing. I've got a "gateway" box, that has apache, for the
    > website, Samba, for the LAN, and "dnsmasq", which it's. It plugs into the
    > DSL, and there are 6 other boxen on the LAN. 3 of them are doze boxen, 2
    > are "spare" Slack boxen, and one - my workstation - I dual-boot, Slack
    > 11.0 or W2K.
    >
    > Is it possible, when I boot my box to Doze, to deny internet access to it,
    > but still let it get to the Samba server?
    >


    The only way I can think of how this would work involves client config
    somehow... either by static IP or some tricks.

    What I would do would be to deny that IP access to the internet by
    default, and then have your slack box "authenticate" in some manner
    against your gateway which would allow external access.

    I'm thinking a cron job that runs every minute on your gateway to
    identify the internal box - if it's Slackware, allow, else deny.
    (probe for a service that would prove it's slack and not windows...)

    Ray

  10. Thanks! was Re: Can I deny internet from a doze box, but still get samba?

    On Mon, 26 Feb 2007 19:14:18 +0000, Rich Grise wrote:

    > OK, here's the thing. I've got a "gateway" box, that has apache, for the
    > website, Samba, for the LAN, and "dnsmasq", which it's. It plugs into the
    > DSL, and there are 6 other boxen on the LAN. 3 of them are doze boxen, 2
    > are "spare" Slack boxen, and one - my workstation - I dual-boot, Slack
    > 11.0 or W2K.
    >
    > Is it possible, when I boot my box to Doze, to deny internet access to it,
    > but still let it get to the Samba server?


    Thanks all! Too many answers, too little brains! :-) :-) :-)

    Thanks!
    Rich


  11. Re: Thanks! was Re: Can I deny internet from a doze box, but still get samba?


    "Rich Grise" wrote in message
    newsan.2007.03.02.23.21.42.15317@example.net...
    > On Mon, 26 Feb 2007 19:14:18 +0000, Rich Grise wrote:
    >
    >> OK, here's the thing. I've got a "gateway" box, that has apache, for the
    >> website, Samba, for the LAN, and "dnsmasq", which it's. It plugs into the
    >> DSL, and there are 6 other boxen on the LAN. 3 of them are doze boxen, 2
    >> are "spare" Slack boxen, and one - my workstation - I dual-boot, Slack
    >> 11.0 or W2K.
    >>
    >> Is it possible, when I boot my box to Doze, to deny internet access to
    >> it,
    >> but still let it get to the Samba server?

    >
    > Thanks all! Too many answers, too little brains! :-) :-) :-)
    >
    > Thanks!
    > Rich
    >

    AVG AV plus firewall supports W2k. You could install a free trial version
    and see if it did what you wanted. I suspect it would do exactly what you
    want if configured properly. Try this link :
    http://www.grisoft.cz/doc/products-a...ewall/us/crp/0


