Penguin
Diff: MetaNetConfiguration

Differences between version 9 and previous revision of MetaNetConfiguration.


Newer page: version 9 Last edited on Thursday, November 18, 2004 1:44:25 pm by MikeBeattie
Older page: version 8 Last edited on Wednesday, November 17, 2004 10:19:11 pm by MikeBeattie
@@ -70,9 +70,9 @@
 For example, samba/nmbd does broadcasts that will go across the metanet. You can either block traffic to and from the metanet on ports 137, 138 and 139 (both [TCP] and [UDP]) or you can add the following in smb.conf's global section: 
  bind interfaces only = yes 
  interfaces = 10.x.y.0/24 
  
-All traffic on the 192.168../16 range is purely BGP, so you can safely firewall off everything except port 179 tcp and udp incoming. You will need to leave outgoing open, and ports >=1024 incoming with stateful acceptance (RELATED,ESTABLISHED) since your MetaNet router will use the IP on the wan0 interface for its communication onto the MetaNet. 
+The only traffic on the 192.168../16 range is BGP, and DNS to the tla root server , so you can safely firewall off everything except port 179 tcp/ udp incoming. You'll need to allow 53 udp for forwarding to your nameserver if it's not the router.. . You will need to leave outgoing open, and ports >=1024 incoming with stateful acceptance (RELATED,ESTABLISHED) since your MetaNet router will use the IP on the wan0 interface for its communication onto the MetaNet. 
  
 An example of this is: 
  iptables -A INPUT -p udp --dport 179 -s 192.168.0.0/16 -i wan0 -d 192.168.x.y -j ACCEPT 
  iptables -A INPUT -p tcp --dport 179 -s 192.168.0.0/16 -i wan0 -d 192.168.x.y -j ACCEPT 
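Review bot: The added sentence says to leave "port 179 tcp/ udp incoming" open, but BGP runs over TCP only, so the `--dport 179 -p udp` INPUT rule kept in context is dead weight and can be dropped; only the `-p tcp --dport 179` rule is needed. The new DNS clause also only mentions "53 udp"; if the tla root server is queried for anything large (or a resolver retries over TCP after a truncated reply), 53/tcp will be needed as well, so either state that or note the limitation. Finally, the added line has stray punctuation ("tla root server ,", "if it's not the router.. .") that should be cleaned up in the wiki text.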
@@ -84,11 +84,13 @@
  iptables -A OUTPUT -d 192.168.0.0/16 -o wan0 -s 192.168.x.y -j ACCEPT 
  iptables -A OUTPUT -d 10.0.0.0/8 -o wan0 -s 192.168.x.y -j ACCEPT 
  iptables -A OUTPUT -p imcp -j ACCEPT 
  
-Further, you want these for forwarding your 10.x range over your MetaNet router:  
- iptables -A FORWARD -d 10.../8 -s 10.x.y.z/24 -o wan0 -j ACCEPT  
- iptables -A FORWARD -d 10.x.y.z/24 -s 10.../8 -i wan0 -j ACCEPT 
+Further, you want these for forwarding your 10.x range over your MetaNet router (where ethX is the NIC with your 10.x.y.z/24 on it) :  
+ iptables -A FORWARD -p udp -d 192.168../16 -o wan0 --dport 53 -s 10.x.y.z/24 -i ethX -j ACCEPT ( For a DNS server that )  
+ iptables -A FORWARD -p udp -d 10.x.y.z/24 -o ethX -s 192.168../16 -i wan0 --sport 53 -j ACCEPT ( isn't on the MetaNet router )  
+ iptables -A FORWARD -d 10.../8 -o wan0 -s 10.x.y.z/24 -i ethX -j ACCEPT  
+ iptables -A FORWARD -d 10.x.y.z/24 -o ethX -s 10.../8 -i wan0 -j ACCEPT 
  iptables -A FORWARD -p imcp -j ACCEPT 
  
 You'll need more than the above in your FORWARD chain if you also run something like NAT for your internet connection on your MetaNet router.
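Review bot: The two new DNS FORWARD rules carry their explanation inline ("( For a DNS server that )", "( isn't on the MetaNet router )") on the same line as the command, so anyone pasting them gets an iptables parse error; move the comment to the prose above the rules. The address shorthand `10.../8` and `192.168../16` in all four forwarding rules is not accepted by iptables either and should be written out as `10.0.0.0/8` and `192.168.0.0/16`, as the INPUT/OUTPUT rules in the previous hunk already do. The return-path DNS rule (`--sport 53 ... -j ACCEPT`) admits any UDP packet from 192.168.0.0/16 that merely claims source port 53; a `-m state --state ESTABLISHED,RELATED` match, which the surrounding text already recommends for the INPUT chain, would limit it to replies to queries the LAN actually sent. Also, the unchanged `-p imcp` rule in this hunk (and the matching OUTPUT rule above) is a typo for `icmp` and will be rejected as an unknown protocol.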