Penguin
Diff: MetaNetConfiguration

Differences between version 11 and previous revision of MetaNetConfiguration.


Newer page: version 11, last edited on Thursday, November 18, 2004 2:11:19 pm by MikeBeattie
Older page: version 10, last edited on Thursday, November 18, 2004 1:46:05 pm by MikeBeattie
@@ -69,14 +69,17 @@
  
 For example, samba/nmbd does broadcasts that will go across the metanet. You can either block traffic to and from the metanet on ports 137, 138 and 139 (both [TCP] and [UDP]) or you can add the following in smb.conf's global section: 
  bind interfaces only = yes 
  interfaces = 10.x.y.0/24 
+  
+__Note:__ The following is geared towards a system where the MetaNet router doesn't supply services to the MetaNet, and isn't your desktop, for example. But it can still be used and applied, with (relatively heavy) modification.  
  
 The only traffic on the 192.168.0.0/16 range is BGP, and DNS to the tla root server, so you can safely firewall off everything except port 179 tcp/udp incoming. You'll need to allow 53 udp for forwarding to/from your nameserver if it's not on the router... You will need to leave outgoing open, and ports >=1024 incoming with stateful acceptance (RELATED,ESTABLISHED) since your MetaNet router will use the IP on the wan0 interface for its communication onto the MetaNet. 
  
 An example of this is: 
  iptables -A INPUT -p udp --dport 179 -s 192.168.0.0/16 -i wan0 -d 192.168.x.y -j ACCEPT 
  iptables -A INPUT -p tcp --dport 179 -s 192.168.0.0/16 -i wan0 -d 192.168.x.y -j ACCEPT 
+ <Add extra allowances here, if your MetaNet router is serving services...>  
  iptables -A INPUT -p tcp --dport 1:1023 -j REJECT 
  iptables -A INPUT -p udp --dport 1:1023 -j REJECT 
  iptables -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT 
  iptables -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
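Review bot: the two REJECT rules for ports 1:1023 carry no `-i wan0` or `-s 192.168.0.0/16` match, so unlike the BGP ACCEPT lines above them they apply to every interface, including the MetaNet-side 10.x.y.0/24 interface and loopback; either add `-i wan0` to them or insert explicit ACCEPT rules for the local interfaces ahead of them. Because iptables evaluates rules in order, the new `<Add extra allowances here ...>` placeholder is correctly positioned before the REJECT lines, and it would help to say so in the placeholder text, and to show the `udp --dport 53` allowance the paragraph above mentions as the worked case, since nothing in the example rules currently permits the DNS forwarding the prose says is needed when the nameserver is not on the router.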