Blame: MetaNetConfiguration - Waikato Linux Users Group

Annotated edit history of MetaNetConfiguration version 15, including all changes. View license author blame.

Rev	Author	#	Line
4	CraigBox	1	`This page carries on from MetaNetInstallation, and indirectly from MetaNet. You might want to read those first.`
		2
		3	`!!zebra and bgpd`
		4
		5	`WanDaemon, at low level, provides you with 192.168 addresses. What you want is 10.x.x.x connectivity - so you need to run zebra.`
		6
		7	`Configuration information is in ZebraConfig. ''Note: this page may have a slight Debian tint!''`
		8
		9	`Read [MetaNetBGPNotes] for information describing BGP on the !MetaNet.`
		10
		11	`At this point you should be able to ping 10.66.10.1, Hydrogen's !MetaNet address.`
		12
		13	`!!Routing`
		14
		15	`Add to your boot scripts somewhere (/etc/network/interfaces is a good place for Debian. Can you tell we love Debian here?):`
		16
15	AlastairPorter	17	`<pre>`
4	CraigBox	18	`route add -net 10.0.0.0 netmask 255.0.0.0 reject`
		19	`route add -net 192.168.0.0 netmask 255.255.0.0 metric 1000 reject`
15	AlastairPorter	20	`</pre>`
4	CraigBox	21
		22	`This will give you "Destination host unreachable errors", without sending random packets out your default gateway.`
		23
		24	`!![DNS]`
		25
		26	`After you have zebra working correctly, and you can ping 10.66.10.1, then you may want to setup [DNS] (Debian: apt-get install bind). In your name server, you need to make sure you don't have any forwarders[1], and that you have blocks that look much like this:`
		27
15	AlastairPorter	28	`<pre>`
4	CraigBox	29	`zone "10.in-addr.arpa" {`
		30	`type stub;`
		31	`masters { 10.66.10.1; };`
		32	`file "/var/cache/bind/stubs/10.x";`
		33	`};`
		34
		35	`zone "tla" {`
		36	`type stub;`
		37	`masters { 10.66.10.1; };`
		38	`file "/var/cache/bind/stubs/tla";`
		39	`};`
15	AlastairPorter	40	`</pre>`
4	CraigBox	41
		42	`For future use, and resolving metanet routers, also add`
		43
15	AlastairPorter	44	`<pre>`
4	CraigBox	45	`zone "168.192.in-addr.arpa" {`
		46	`type stub;`
		47	`masters { 10.66.10.1; };`
		48	`file "/var/cache/bind/stubs/192.168.x";`
		49	`};`
		50
		51	`zone "metaix.tla" {`
		52	`type stub;`
		53	`masters { 10.66.10.1; };`
		54	`file "/var/cache/bind/stubs/metaix.tla";`
		55	`};`
15	AlastairPorter	56	`</pre>`
4	CraigBox	57
		58	`as well.`
		59
		60
		61	`__Note__: You may wish to change the paths based on your distribution. Debian Woody prefers "/var/cache/bind/stubs", but doesn't create it by default. __Make sure the directory you have named in the config file exists on the filesystem!__`
7	AlastairPorter	62
		63	`__Note 2: __ FedoraCore users see FedoraNotes too. You don't need an absolute path for the 'file' part, just the filename will be enough.`
4	CraigBox	64
		65	`You should then be able to restart named(8) (debian: /etc/init.d/bind restart, or reload if it's already running) and then ping "www.tla".`
		66
5	MattBrown	67	`You are now properly on the !MetaNet. You should now be able to visit http://www.tla/`
4	CraigBox	68
		69	`!Other clients on your network`
		70
6	JohnMcPherson	71	`Make sure any clients on your network that you want to resolve !MetaNet addresses have the address of your nameserver as the first nameserver in /etc/resolv.conf, or their native DNS configuration. You can put your [ISP]'s nameserver after it as a precaution, if you like.`
4	CraigBox	72
6	JohnMcPherson	73	`!!Firewalling`
8	MikeBeattie	74	`See FirewallNotes and PerrysFirewallingScript. Although you should be able to mostly trust other people on the metanet, you should at the very least do some basic firewalling.`
6	JohnMcPherson	75
		76	`For example, samba/nmbd does broadcasts that will go across the metanet. You can either block traffic to and from the metanet on ports 137, 138 and 139 (both [TCP] and [UDP]) or you can add the following in smb.conf's global section:`
15	AlastairPorter	77	`<pre>`
6	JohnMcPherson	78	`bind interfaces only = yes`
		79	`interfaces = 10.x.y.0/24`
15	AlastairPorter	80	`</pre>`
11	MikeBeattie	81
		82	`__Note:__ The following is geared towards a system where the MetaNet router doesn't supply services to the MetaNet, and isn't your desktop, for example. But it can still be used and applied, with (relatively heavy) modification.`
8	MikeBeattie	83
14	MikeBeattie	84	The only traffic __required__ on the 192.168.0.0/16 range for your MetaNet router is BGP. So you can safely firewall off everything except port 179 tcp/udp incoming. You will need to leave outgoing open, and ports >=1024 incoming with stateful acceptance (RELATED,ESTABLISHED) since your MetaNet router will use the IP on the wan0 interface for its communication onto the MetaNet. You'll also need to allow traffic to pass back and forth between 192.168.0.0/16 and 10.x.y.z/24, but that's in your FORWARD chain.
8	MikeBeattie	85
		86	`An example of this is:`
15	AlastairPorter	87	`<pre>`
8	MikeBeattie	88	`iptables -A INPUT -p udp --dport 179 -s 192.168.0.0/16 -i wan0 -d 192.168.x.y -j ACCEPT`
		89	`iptables -A INPUT -p tcp --dport 179 -s 192.168.0.0/16 -i wan0 -d 192.168.x.y -j ACCEPT`
13	MikeBeattie	90	`<Add extra allowances here, if your MetaNet router is serving services (like DNS, etc)...>`
14	MikeBeattie	91	`<you may also want to allow things in from your lan here (ssh!), since the following 4 rules will block them.>`
8	MikeBeattie	92	`iptables -A INPUT -p tcp --dport 1:1023 -j REJECT`
		93	`iptables -A INPUT -p udp --dport 1:1023 -j REJECT`
		94	`iptables -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT`
		95	`iptables -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT`
		96	`iptables -A INPUT -p imcp -j ACCEPT`
		97	`iptables -A OUTPUT -d 192.168.0.0/16 -o wan0 -s 192.168.x.y -j ACCEPT`
		98	`iptables -A OUTPUT -d 10.0.0.0/8 -o wan0 -s 192.168.x.y -j ACCEPT`
		99	`iptables -A OUTPUT -p imcp -j ACCEPT`
15	AlastairPorter	100	`</pre>`
8	MikeBeattie	101
13	MikeBeattie	102	`The following allows pretty much open slather access from anything on the MetaNet into your 10.x.y.z/24 segment. (change ethX to the NIC with your 10.x.y.z/24 on it):`
15	AlastairPorter	103	`<pre>`
13	MikeBeattie	104	`iptables -A FORWARD -d 192.168.0.0/16 -o wan0 -s 10.x.y.z/24 -i ethX -j ACCEPT`
		105	`iptables -A FORWARD -d 10.x.y.z/24 -o ethX -s 192.168.0.0/16 -i wan0 -j ACCEPT`
9	MikeBeattie	106	`iptables -A FORWARD -d 10.0.0.0/8 -o wan0 -s 10.x.y.z/24 -i ethX -j ACCEPT`
		107	`iptables -A FORWARD -d 10.x.y.z/24 -o ethX -s 10.0.0.0/8 -i wan0 -j ACCEPT`
8	MikeBeattie	108	`iptables -A FORWARD -p imcp -j ACCEPT`
15	AlastairPorter	109	`</pre>`
8	MikeBeattie	110
		111	`You'll need more than the above in your FORWARD chain if you also run something like NAT for your internet connection on your MetaNet router.`
		112
6	JohnMcPherson	113
		114	`!!Root CA`
4	CraigBox	115	`The !MetaNet has a CertificateAuthority that it uses for signing SSL websites and potentially other cool stuff. To add this "root CA" to your browser, visit http://www.meta.net.nz/install-cert.html`
		116
		117	`Now, go to MetaNetResources to see what you can do with your new internetwork.`
		118
		119	`-----`
		120
15	AlastairPorter	121	`#[\|ftnt_1]~[[1\|#ftnt_ref_1]~] The reason is that if you use a forwarder, then all queries for anything other than master/slave zones get forwarded to the other server and you won't be able to resolve metanet names and addresses.`

Last edited on Saturday, February 17, 2007 11:05:09 pm by AlastairPorter

Edit PageHistory Diff Info LikePages