[MLB-WIRELESS] IP Tables.
sanbar
sandbar at ozemail.com.au
Wed Apr 6 01:11:18 EST 2005
Phil NodeHPL wrote:
> Hi Guys,
Hello Phil
> Ok, well progress back here at NodeHPL, and my surrounding area, leads
> me to the next question about working with MelbWireless.
>
> IP Tables.
Ooh. The black art of firewalling. Werd.
> Now I've had a /16 (I think) given to me, I know NodeIPK near me also
> has an IP allocation, but how do we set up our IPs locally, and then
> in turn, link to each other and the rest of the group, while
> maintaining our independent broadband services (like I have aDSL with
> Internode), and our own private network.
>
> Currently my knowledge extends to and is also limited to:
>
> All IPs in my personal network are 192.168.0.x with 192.168.0.1 as
> my aDSL Modem/Router (which does DHCP .30 to .250)
Please take a moment to go to the window and wave to Rick and all his
219 dynamically assigned IP mates[1] downloading all their dwarf pr0n
now they know they have open access :)
(big snip of internal network setup details)
> How can I setup my network, to give unlimited access to anyone within
> my private network to :
>
> each other,
> my aDSL,
> Melbourne Wireless.
>
> Without allowing :
>
> Melbourne wireless to use my aDSL
> Melbourne wireless to see my private network (beyond my SME server)
> my aDSL to see my private network (beyond my SME server)
> my aDSL to see Melbourne wireless
You probably need to set up a DMZ and treat your "Melbourne Wireless"
interface as though it's the big, bad internet. That means you need to
set up your iptables firewall to only let certain services come in from
the Melbourne Wireless side of the network, and certain services go out
to the Melbourne Wireless side of the network. A spare computer with a
couple of network interfaces running any flavour of un*x will do.
Firewalling ain't easy, as you really need to know what you are doing to
get a system secure. If you want to learn it, start with someone else's
(a really good starting point is a script at
http://orbital.wiretapped.net/~technion/iptables.txt), pull it apart,
break it, and put it back together.
Some people are paid a lot of money (unless they work for Dodo) to sort
out the problem you've just described, and I haven't even scratched the
surface of stuff such as network address translation, shutting down
unnecessary services, mac filtering and so on. This level of network
control is hard to do for a beginner, and even harder to get right.
What you should be saying is: "Hey guys, if I throw on a free barbecue
and cut you some beer, can you come around and play with my node setup
and help me fine-tune it, then let me know how to manage it?" That may
get you close to achieving everything you've asked in this email within
a short timeframe.
- Barry
--
[1] Sorry Rick. Couldn't help myself.
http://antifsck.dyndns.org
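As an added example (not code from Barry, Phil or the Melbourne Wireless project), here is one way to express the three-interface DMZ policy Barry describes in iptables: LAN gets out everywhere, the wireless side is treated like the public internet, and nothing crosses from ADSL or wireless into the private LAN except to the SME server. The interface names (eth0, eth1, ppp0), the 10.0.0.0/16 wireless range, the SME server address 192.168.0.2 and the exposed ports are all assumptions to be replaced with your own values. The rule set is generated as text so it can be read and checked before being loaded as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Names and addresses below are
# assumptions/placeholders; adjust them before use.
LAN_IF=eth0              # assumed: private LAN (192.168.0.x)
LAN_NET=192.168.0.0/24
ADSL_IF=ppp0             # assumed: PPPoE link to the ISP
WIFI_IF=eth1             # assumed: Melbourne Wireless interface
WIFI_NET=10.0.0.0/16     # placeholder for the /16 allocation mentioned above
SME_HOST=192.168.0.2     # placeholder for the SME server on the LAN
SME_PORTS="80 443"       # assumed services the SME server exposes

# Print the complete rule set, one iptables command per line.
# Default policy is DROP on FORWARD, so only the explicit ACCEPT lines let
# traffic cross between interfaces; that is what enforces the "without
# allowing" list from the question.
fw_rules() {
  cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $WIFI_IF -s $WIFI_NET -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WIFI_IF ! -s $WIFI_NET -j DROP
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WIFI_IF -o $ADSL_IF -j DROP
iptables -A FORWARD -i $ADSL_IF -o $WIFI_IF -j DROP
EOF
  # Only the SME server is reachable from the wireless and ADSL sides, and
  # only on the listed TCP ports. Inbound ADSL connections are DNATed to it.
  for p in $SME_PORTS; do
    echo "iptables -A FORWARD -i $WIFI_IF -o $LAN_IF -d $SME_HOST -p tcp --dport $p -j ACCEPT"
    echo "iptables -A FORWARD -i $ADSL_IF -o $LAN_IF -d $SME_HOST -p tcp --dport $p -j ACCEPT"
    echo "iptables -t nat -A PREROUTING -i $ADSL_IF -p tcp --dport $p -j DNAT --to-destination $SME_HOST"
  done
  # Everything else into the LAN is dropped; NAT is keyed to the LAN source
  # range so wireless traffic is never masqueraded out the ADSL link.
  cat <<EOF
iptables -A FORWARD -i $WIFI_IF -o $LAN_IF -j DROP
iptables -A FORWARD -i $ADSL_IF -o $LAN_IF -j DROP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $ADSL_IF -j MASQUERADE
EOF
}

# Load the rules (run as root). Without "apply" the script only prints them.
fw_apply() {
  fw_rules | sh -e
}

case "${1:-}" in
  apply) fw_apply ;;
  *)     fw_rules ;;
esac
```

Run it with no arguments to review the rules, or `sh fw.sh apply` as root to load them; pair it with `echo 1 > /proc/sys/net/ipv4/ip_forward` or nothing will be routed at all. The anti-spoof line drops anything arriving on the wireless interface that does not carry a source address from the allocated range, and the INPUT chain stays closed to the wireless side apart from ping, so any routing daemon you later run over the Melbourne Wireless link needs its own INPUT rules added.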