
This page carries on from MetaNetInstallation, and indirectly from MetaNet. You might want to read those first.

zebra and bgpd

WanDaemon, at a low level, provides you with 192.168 addresses. What you want is 10.x.x.x connectivity, so you need to run zebra.

Configuration information is in ZebraConfig. Note: this page may have a slight Debian tint!

Read MetaNetBGPNotes for information describing BGP on the MetaNet.

At this point you should be able to ping 10.66.10.1, Hydrogen's MetaNet address.

Routing

Add to your boot scripts somewhere (/etc/network/interfaces is a good place for Debian. Can you tell we love Debian here?)

route add -net 10.0.0.0 netmask 255.0.0.0 reject
route add -net 192.168.0.0 netmask 255.255.0.0 metric 1000 reject

This will give you "Destination host unreachable" errors, without sending random packets out your default gateway.

DNS

After you have zebra working correctly and can ping 10.66.10.1, you may want to set up DNS (Debian: apt-get install bind). In your name server, make sure you don't have any forwarders [1], and that you have blocks that look much like this:

zone "10.in-addr.arpa" {
    type stub;
    masters { 10.66.10.1; };
    file "/var/cache/bind/stubs/10.x";
};

zone "tla" {
    type stub;
    masters { 10.66.10.1; };
    file "/var/cache/bind/stubs/tla";
};

For future use, and for resolving MetaNet routers, also add

zone "168.192.in-addr.arpa" {
    type stub;
    masters { 10.66.10.1; };
    file "/var/cache/bind/stubs/192.168.x";
};

zone "metaix.tla" {
    type stub;
    masters { 10.66.10.1; };
    file "/var/cache/bind/stubs/metaix.tla";
};

as well.

Note: You may wish to change the paths based on your distribution. Debian Woody prefers "/var/cache/bind/stubs", but doesn't create it by default. Make sure the directory you have named in the config file exists on the filesystem!

Note 2: FedoraCore users, see FedoraNotes too. You don't need an absolute path for the 'file' part; just the filename is enough.
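Before restarting named, the two things this section warns about (a stray forwarders clause, and a stub file directory that doesn't exist yet) can be checked mechanically. The script below is an added example, not from the original page: check_named_conf and write_sample_conf are our own names, the config it writes is constructed to match the blocks above, and the directory argument stands in for BIND's directory option against which relative file names are resolved.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a BIND named.conf
# before restarting named. It reports a 'forwarders' clause (stub zones would
# then be bypassed, see footnote 1) and every 'file "..."' whose directory is
# missing (the Debian Woody note). Function names and sample config are ours.

# check_named_conf CONF_FILE [BIND_DIRECTORY]
# Relative 'file' names are resolved against BIND_DIRECTORY, as BIND does with
# its 'directory' option. Prints one line per problem; returns the problem count.
check_named_conf() {
    conf="$1"
    root="${2:-/var/cache/bind}"
    problems=0

    if grep -Eq '^[[:space:]]*forwarders[[:space:]]*\{' "$conf"; then
        echo "PROBLEM: $conf has a forwarders clause; MetaNet stub zones will be bypassed"
        problems=$((problems + 1))
    fi

    # Assumes zone file paths contain no whitespace.
    for f in $(sed -n 's/.*file[[:space:]]*"\([^"]*\)".*/\1/p' "$conf"); do
        case "$f" in
            /*) path="$f" ;;
            *)  path="$root/$f" ;;
        esac
        dir=$(dirname "$path")
        if [ ! -d "$dir" ]; then
            echo "PROBLEM: directory $dir for zone file $path does not exist (mkdir -p it)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# write_sample_conf OUT_FILE ROOT WITH_FORWARDERS(yes|no)
# Writes a constructed named.conf fragment in the shape this page describes,
# with one absolute and one relative 'file' entry. 203.0.113.1 is a placeholder.
write_sample_conf() {
    out="$1"; root="$2"; fwd="$3"
    {
        echo "options {"
        echo "    directory \"$root\";"
        if [ "$fwd" = yes ]; then
            echo "    forwarders { 203.0.113.1; };"
        fi
        echo "};"
        echo "zone \"10.in-addr.arpa\" {"
        echo "    type stub;"
        echo "    masters { 10.66.10.1; };"
        echo "    file \"$root/stubs/10.x\";"
        echo "};"
        echo "zone \"tla\" {"
        echo "    type stub;"
        echo "    masters { 10.66.10.1; };"
        echo "    file \"stubs/tla\";"
        echo "};"
    } > "$out"
}
```

Run it against your real config with `check_named_conf /etc/bind/named.conf /var/cache/bind` (Debian) or with the Fedora directory option; a zero return means named can be restarted without the stub zones failing to load.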

You should then be able to restart named(8) (Debian: /etc/init.d/bind restart, or reload if it's already running) and then ping "www.tla".

You are now properly on the MetaNet. You should now be able to visit http://www.tla/

Other clients on your network

Make sure any clients on your network that you want to resolve MetaNet addresses have the address of your nameserver as the first nameserver in /etc/resolv.conf, or in their native DNS configuration. You can put your ISP's nameserver after it as a precaution, if you like.

Firewalling

See FirewallNotes and PerrysFirewallingScript. Although you should be able to mostly trust other people on the metanet, you should at the very least do some basic firewalling.

For example, samba/nmbd does broadcasts that will go across the metanet. You can either block traffic to and from the metanet on ports 137, 138 and 139 (both TCP and UDP), or you can add the following to smb.conf's global section:

bind interfaces only = yes
interfaces = 10.x.y.0/24

Note: The following is geared towards a system where the MetaNet router doesn't supply services to the MetaNet and isn't, for example, your desktop. It can still be used and applied elsewhere, with (relatively heavy) modification.

The only traffic on the 192.168.0.0/16 range is BGP, and DNS to the tla root server, so you can safely firewall off everything except port 179 tcp/udp incoming. You'll need to allow 53 udp for forwarding to/from your nameserver if it's not on the router. You will need to leave outgoing open, and ports >=1024 incoming with stateful acceptance (RELATED,ESTABLISHED), since your MetaNet router will use the IP on the wan0 interface for its communication onto the MetaNet.

An example of this is:

iptables -A INPUT -p udp --dport 179 -s 192.168.0.0/16 -i wan0 -d 192.168.x.y -j ACCEPT
iptables -A INPUT -p tcp --dport 179 -s 192.168.0.0/16 -i wan0 -d 192.168.x.y -j ACCEPT

<Add extra allowances here, if your MetaNet router is serving services...>

iptables -A INPUT -p tcp --dport 1:1023 -j REJECT
iptables -A INPUT -p udp --dport 1:1023 -j REJECT
iptables -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/16 -o wan0 -s 192.168.x.y -j ACCEPT
iptables -A OUTPUT -d 10.0.0.0/8 -o wan0 -s 192.168.x.y -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

Further, you want these for forwarding your 10.x range over your MetaNet router (where ethX is the NIC with your 10.x.y.z/24 on it):

iptables -A FORWARD -p udp -d 192.168.0.0/16 -o wan0 --dport 53 -s 10.x.y.z/24 -i ethX -j ACCEPT   # for a DNS server that
iptables -A FORWARD -p udp -d 10.x.y.z/24 -o ethX -s 192.168.0.0/16 -i wan0 --sport 53 -j ACCEPT   # isn't on the MetaNet router
iptables -A FORWARD -d 10.0.0.0/8 -o wan0 -s 10.x.y.z/24 -i ethX -j ACCEPT
iptables -A FORWARD -d 10.x.y.z/24 -o ethX -s 10.0.0.0/8 -i wan0 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

You'll need more than the above in your FORWARD chain if you also run something like NAT for your internet connection on your MetaNet router.
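Since the rules above are full of placeholders (wan0, ethX, 192.168.x.y, 10.x.y.z/24) and iptables aborts part-way through a script on the first bad option, leaving the chains half-loaded, it helps to generate the ruleset from variables and lint it before piping it to a root shell. The script below is an added example, not from the original page: metanet_rules and lint_rules are our own names, the default interface and address values are constructed samples, and the udp rule on port 179 is kept only because the page lists it (BGP itself runs over TCP).

```shell
#!/bin/sh
# Added example (not from the original page): emit the INPUT/OUTPUT/FORWARD
# rules this section describes with the placeholders filled from arguments,
# then lint the result. Names and default values are ours.
#
# Usage:  metanet_rules [WAN_IF WAN_IP LAN_IF LAN_NET] | lint_rules WAN_IF && \
#         metanet_rules WAN_IF WAN_IP LAN_IF LAN_NET | sudo sh
metanet_rules() {
    wan_if="${1:-wan0}"
    wan_ip="${2:-192.168.1.2}"      # constructed sample for 192.168.x.y
    lan_if="${3:-eth0}"             # the page's ethX
    lan_net="${4:-10.1.2.0/24}"     # constructed sample for 10.x.y.z/24
    metanet=192.168.0.0/16
    ten=10.0.0.0/8

    # BGP from MetaNet peers to the router's wan0 address. The page lists both
    # tcp and udp; BGP itself only uses tcp, so the udp rule is harmless surplus.
    for proto in tcp udp; do
        echo "iptables -A INPUT -p $proto --dport 179 -s $metanet -i $wan_if -d $wan_ip -j ACCEPT"
    done
    # Privileged ports closed; unprivileged ports only for stateful replies.
    # Order matters: the 179 ACCEPTs above must precede these REJECTs.
    for proto in tcp udp; do
        echo "iptables -A INPUT -p $proto --dport 1:1023 -j REJECT"
        echo "iptables -A INPUT -p $proto --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    echo "iptables -A OUTPUT -d $metanet -o $wan_if -s $wan_ip -j ACCEPT"
    echo "iptables -A OUTPUT -d $ten -o $wan_if -s $wan_ip -j ACCEPT"
    echo "iptables -A OUTPUT -p icmp -j ACCEPT"
    # Forwarding: DNS for a nameserver that is not on the router, then 10/8 traffic.
    echo "iptables -A FORWARD -p udp -d $metanet -o $wan_if --dport 53 -s $lan_net -i $lan_if -j ACCEPT"
    echo "iptables -A FORWARD -p udp -d $lan_net -o $lan_if -s $metanet -i $wan_if --sport 53 -j ACCEPT"
    echo "iptables -A FORWARD -d $ten -o $wan_if -s $lan_net -i $lan_if -j ACCEPT"
    echo "iptables -A FORWARD -d $lan_net -o $lan_if -s $ten -i $wan_if -j ACCEPT"
    echo "iptables -A FORWARD -p icmp -j ACCEPT"
}

# lint_rules WAN_IF  (rules on stdin)
# Flags a protocol name iptables does not know (a typo such as 'imcp' makes
# iptables exit with an error, so later rules never load) and any ACCEPT on
# the MetaNet-facing interface that carries no -s restriction.
# Prints one line per problem; returns the problem count.
lint_rules() {
    lint_if="${1:-wan0}"
    problems=0
    while read -r line; do
        proto=$(printf '%s\n' "$line" | sed -n 's/.* -p \([^ ]*\).*/\1/p')
        case "$proto" in
            ""|tcp|udp|icmp|all) ;;
            *) echo "PROBLEM: unknown protocol '$proto' in: $line"
               problems=$((problems + 1)) ;;
        esac
        case "$line" in
            *"-i $lint_if"*ACCEPT*)
                case "$line" in
                    *" -s "*) ;;
                    *) echo "PROBLEM: ACCEPT on $lint_if with no -s restriction: $line"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
    done
    return "$problems"
}
```

The generator only prints; nothing is applied until you pipe its output to a root shell, which is the point: review the expanded rules and run the lint first.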

Root CA

The MetaNet has a CertificateAuthority that it uses for signing SSL websites and potentially other cool stuff. To add this "root CA" to your browser, visit http://www.meta.net.nz/install-cert.html

Now, go to MetaNetResources to see what you can do with your new internetwork.
[1] The reason is that if you use a forwarder, then all queries for anything other than master/slave zones get forwarded to the other server, and you won't be able to resolve metanet names and addresses.