[Scottish] Sharing a Linux Proxy Server across networks

Paul Millar scottish at mailman.lug.org.uk
Mon Feb 24 09:44:01 2003 

Hi Apostolus,

On Mon, 24 Feb 2003 apostolus@blueyonder.co.uk wrote:
> I have a simple query here that someone might be able to help me with.  
> I have a lInux Server (SuSE) with Squid running on 192.168.10.1..  I
> have windows clients that access the outside world thru' the proxy but
> would now like to split the clients into three separate networks..  I
> know I can just change the workgroup name but want to be able to hide
> all services on each of the three networks but still allow access to all
> thru'' the proxy server..  is this possible without compromising the
> integrity of the individual win networks..

In principle, yes.  You can alias a single physical interface (eth0, for 
example) to multiple IP addresses; but your last sentence is a bit 
worrying.  If your after some "integrity" (i.e. security) you might have 
to think this through a bit.

IP addresses are assign at "layer 3" of the OSI model.  At layer 2 (MAC),
IP addresses are more like suggestions.  For example, a malicious or badly
configured machine will potentially "see" the other machines and could
cause problems.

To reduce this effect, you can:
    use switches instead of hubs - this effectively makes the network 
                 topology point-to-point (rather than shared-bus). A badly 
                 configured machine would only see network-broadcast and 
                 multicast packets.  If those broadcast packets were RIPs, 
                 for example, this could still cause problems.
    use virtual LANs (aka VLANs) - this simulates the effect of having
                 separate wiring for each virtual lan, making the three 
                 LANs completely separate (provided your switch supports 
                 this).

The good news is Linux supports network aliases via 802.1Q VLAN tagging.  
If you can configure your switch to send the encoded packets to the Linux
box, then it can then straddle the three VLANs and act as a common service
to the three.
   
HTH

Paul.


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
Particle Physics (Theory & Experimental) Groups                Dr Paul Millar 
Department of Physics and Astronomy                     paulm@astro.gla.ac.uk
University of Glasgow                                 paulm@physics.gla.ac.uk
Glasgow, G12 8QQ, Scotland             http://www.astro.gla.ac.uk/users/paulm 
+44 (0)141 330 4717        A54C A9FC 6A77 1664 2E4E  90E3 FFD2 704B BF0F 03E9
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --