
BLU Discuss list archive



Restrict OpenSuSE network traffic to a subnet



I'm going to break protocol and republish this theoretically
private email on the BLU discuss list, on the theory that Mr.
Westcott meant to reply to me there, and it is educational to 
others to see the same solution.

As a practical matter, I'm not a free consultant. When I offer
advice on mailing lists, it's a community service.


On Mon, Dec 18, 2006 at 02:55:47PM -0500, John Westcott IV wrote:
>    I want a SuSE machine to be restricted to a single IP subnet, say 
> 234.45.* for inbound and outbound, for all services.

OK.

>    At first I wanted to limit traffic to/from a single machine for the 
> testing but then I thought using a subnet would be nice so that I can 
> scp data over to another machine before the rebuild without changing the 
> settings again.

Sure.

> SuSEfirewall2-custom but that did not seem to work.
>    While I was looking at this, I also started wondering if there is an 
> easier way, like with the routing tables or something.
>    I do not control the network, so I can't do anything with that.
>    Does this help?
> 

Yes, it does.

The easiest way is to not inform your machine that there is
anything outside the local network: i.e. don't let it know that
there is a router available.

Assuming that your machine has an address in 234.45.* already,
this is as simple as:

# route del -net default gw

Which will effectively limit all traffic, in and out, to the
local network.

-dsr-

-- 
_.. ___ . ...   _ .... .   _. ... ._   ._. . ._ _..   _.__ ___ .._ ._.
__ ._ .. ._.. ..__..   _ .... .   .._. _... .. ..__..
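A check for the approach in the message above, as an added example that is not part of the original post: it parses a routing table in Linux /proc/net/route layout and lists every active route that hands traffic to a gateway or covers addresses outside the allowed subnet. The sample tables and the gateway 234.45.0.1 are constructed, 234.45.0.0/16 stands in for the post's 234.45.*, and the function name routes_escaping is hypothetical.

```python
import ipaddress
import struct

RTF_UP, RTF_GATEWAY = 0x0001, 0x0002  # flag bits from <linux/route.h>

# Constructed samples in /proc/net/route layout. Addresses are hex words as
# printed on a little-endian host (assumption), so 234.45.0.1 is "01002DEA".
HEADER = "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
ONLINK = "eth0\t00002DEA\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"
DEFAULT = "eth0\t00000000\t01002DEA\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
SAMPLE_BEFORE = HEADER + DEFAULT + ONLINK  # default route still present
SAMPLE_AFTER = HEADER + ONLINK             # default route deleted


def _addr(hexfield):
    """Decode one little-endian hex address field into an IPv4Address."""
    return ipaddress.IPv4Address(struct.pack("<I", int(hexfield, 16)))


def routes_escaping(table_text, allowed_cidr):
    """Return (iface, network, gateway, reason) for each active route that
    can carry traffic beyond allowed_cidr."""
    allowed = ipaddress.ip_network(allowed_cidr)
    findings = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        iface, dest, gw, flags, mask = f[0], f[1], f[2], int(f[3], 16), f[7]
        if not flags & RTF_UP:
            continue  # route is configured but not active
        prefix = bin(int(mask, 16)).count("1")
        net = ipaddress.ip_network(f"{_addr(dest)}/{prefix}", strict=False)
        if flags & RTF_GATEWAY:
            # Any gateway route means the host knows about a router.
            findings.append((iface, str(net), str(_addr(gw)), "via gateway"))
        elif not net.subnet_of(allowed):
            findings.append((iface, str(net), None, "on-link outside subnet"))
    return findings


if __name__ == "__main__":
    for name, table in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, routes_escaping(table, "234.45.0.0/16") or "no escaping routes")
```

On a live Linux host, pass the contents of /proc/net/route as the first argument instead of the samples.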
