Diff: MetaNetConfiguration

Differences between version 13 and previous revision of MetaNetConfiguration.


Newer page: version 13, last edited on Thursday, November 18, 2004 5:25:16 pm by MikeBeattie
Older page: version 12, last edited on Thursday, November 18, 2004 2:19:49 pm by MikeBeattie
@@ -72,14 +72,14 @@
  interfaces = 10.x.y.0/24 
  
 __Note:__ The following is geared towards a system where the MetaNet router doesn't supply services to the MetaNet, and isn't your desktop, for example. But it can still be used and applied, with (relatively heavy) modification. 
  
-The only traffic __required__ on the 192.168../16 range is BGP, and DNS to the tla root server, so you can safely firewall off everything except port 179 tcp/udp incoming. You'll need to allow 53 udp for forwarding to/from your nameserver if it's not on the router.. . You will need to leave outgoing open, and ports >=1024 incoming with stateful acceptance (RELATED,ESTABLISHED) since your MetaNet router will use the IP on the wan0 interface for its communication onto the MetaNet. 
+The only traffic __required__ on the 192.168../16 range for your MetaNet router, is BGP. So you can safely firewall off everything except port 179 tcp/udp incoming. You will need to leave outgoing open, and ports >=1024 incoming with stateful acceptance (RELATED,ESTABLISHED) since your MetaNet router will use the IP on the wan0 interface for its communication onto the MetaNet. You'll also need to allow traffic to pass back and forth between 192.168../16 and 10.x.y.z/24, but that's in your FORWARD chain
  
 An example of this is: 
  iptables -A INPUT -p udp --dport 179 -s 192.168.0.0/16 -i wan0 -d 192.168.x.y -j ACCEPT 
  iptables -A INPUT -p tcp --dport 179 -s 192.168.0.0/16 -i wan0 -d 192.168.x.y -j ACCEPT 
- <Add extra allowances here, if your MetaNet router is serving services...> 
+ <Add extra allowances here, if your MetaNet router is serving services (like DNS, etc) ...> 
  iptables -A INPUT -p tcp --dport 1:1023 -j REJECT 
  iptables -A INPUT -p udp --dport 1:1023 -j REJECT 
  iptables -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT 
  iptables -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT 
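Review bot: the two `--dport 1:1023 -j REJECT` rules in this hunk carry no `-i wan0` match, so unlike the port-179 ACCEPT rules above them they apply to every interface, including loopback and the NIC carrying 10.x.y.z/24; any local service (the DNS the new placeholder line mentions, for example) would be rejected from the LAN and from 127.0.0.1 unless an ACCEPT for it is inserted at the "Add extra allowances here" marker. Suggest either adding `-i wan0` to both REJECT lines or accepting `-i lo` and the LAN interface before them. Note also that the ESTABLISHED,RELATED rules for 1024:65535 leave NEW connections to those ports to the INPUT chain's default policy, which this hunk does not show; the text should state which policy it assumes.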
@@ -87,11 +87,11 @@
  iptables -A OUTPUT -d 192.168.0.0/16 -o wan0 -s 192.168.x.y -j ACCEPT 
  iptables -A OUTPUT -d 10.0.0.0/8 -o wan0 -s 192.168.x.y -j ACCEPT 
  iptables -A OUTPUT -p imcp -j ACCEPT 
  
-Further, you want these for forwarding your 10.x range over your MetaNet router (where ethX is the NIC with your 10.x.y.z/24 on it):  
- iptables -A FORWARD -p udp -d 192.168../16 -o wan0 --dport 53 -s 10.x.y.z/24 -i ethX -j ACCEPT ( For a DNS server that )  
- iptables -A FORWARD -p udp -d 10.x.y.z/24 -o ethX -s 192.168../16 -i wan0 --sport 53 -j ACCEPT ( isn't on the MetaNet router )  
+The following allows pretty much open slather access from anything on the MetaNet into your 10.x.y.z/24 segment. (change ethX to the NIC with your 10.x.y.z/24 on it):  
+ iptables -A FORWARD -d 192.168../16 -o wan0 -s 10.x.y.z/24 -i ethX -j ACCEPT  
+ iptables -A FORWARD -d 10.x.y.z/24 -o ethX -s 192.168../16 -i wan0 -j ACCEPT 
  iptables -A FORWARD -d 10.0.0.0/8 -o wan0 -s 10.x.y.z/24 -i ethX -j ACCEPT 
  iptables -A FORWARD -d 10.x.y.z/24 -o ethX -s 10.0.0.0/8 -i wan0 -j ACCEPT 
  iptables -A FORWARD -p imcp -j ACCEPT
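Review bot: `-p imcp` at the third line of the context and at the last line of the hunk is a typo for `icmp`; iptables will refuse the rule with an unknown-protocol error, so neither the OUTPUT nor the FORWARD ICMP rule will actually be loaded. Separately, the new rule `iptables -A FORWARD -d 10.x.y.z/24 -o ethX -s 192.168../16 -i wan0 -j ACCEPT` accepts any new connection from the whole MetaNet into the local segment, which the text acknowledges as "open slather"; if that is not intended, the same `-m state --state ESTABLISHED,RELATED` match already used in the INPUT chain would limit inbound forwarding to replies to connections the 10.x.y.z/24 hosts initiated.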