Ask Your Question
0

How to allow connections only from selected machines in the home network

asked 2014-01-12 07:54:21 -0500

manna gravatar image

updated 2014-12-28 02:12:23 -0500

mether gravatar image

Hi all

I plan to share the home network (lan and wireless) with other people, however I do not want that this other people can access my machine, data, disk, etc. Ideally there would be a way to configure the firewall or something similar to only accept connections from a list of specified machines.

E.g. If my machines are called A, B, C, and the other machines in the same network are called D, E, then I would allow A to only accept incoming and out coming connections from B,C. B from A, C. C from A, B.

Basically it is like protecting a sub-network consisting of A, B, C from the other machines (D, E) which are part of the home network. I want to be very conservative, excluding all possible interactions between (A,B,C) and (D,E), as if D and E would not belong to the home network.

How could this be done?

Thanks mannaggia

edit retag flag offensive close merge delete

Comments

This is more an administrative question than a Fedora troubleshooting question. Are you running Fedora/Linux because whatever answers you get here will probably be specific to Fedora.

FranciscoD_ gravatar imageFranciscoD_ ( 2014-01-13 20:25:06 -0500 )edit

1 Answer

Sort by ยป oldest newest most voted
1

answered 2014-01-12 12:34:31 -0500

The degree of isolation you can achieve depends on how much effort you are willing to put into it. More complex measures will provide superior isolation, with physical isolation of the networks being the best.

The simplest might be to use the /etc/hosts.allow and /etc/hosts.deny files to list IP addresses, subnets, domain names, etc that can access services on your machine. The configuration can be very flexible, with the options described in man hosts_access. You can share these files as needed, or make them unique for each machine. For example:

/etc/hosts.deny:
          ALL: ALL
/etc/hosts.allow:
          ALL: LOCAL 192.168.1.5

This does assume you have control of the dhcp server giving out IP addresses - probably your home router. You could set static IPs on each machine locally, but this leaves the chance that D or E could get one of the other group's IP address if they aren't using it at the time. You can be more creative if you run your own dhcp server, assigning individual machines to different address pools or subnets based on their unique MAC address.

Because these machines are still on a shared physical network, someone could manually set a static IP on DE that is allowed by ABC and their attempts to connect would not be denied - unless they could not authenticate for the services they are trying to connect to.

The best security for your situation is probably done at the service level. If you don't want DE to ssh into ABC, don't give DE's users the passwords or keys to ABC. If you don't want them to access shared storage on ABC, do not share the SMB passwords. If you have a test http site that you only want ABC to see, put a password in front of it. These are examples; if you want to require better authentication for a specific service, you should read the documentation for that service and open a new question as required.

edit flag offensive delete link more

Question Tools

Stats

Asked: 2014-01-12 07:54:21 -0500

Seen: 259 times

Last updated: Jan 12 '14