[MLB-WIRELESS] IP Tables.

sanbar sandbar at ozemail.com.au
Wed Apr 6 01:11:18 EST 2005


Phil NodeHPL wrote:

> Hi Guys,

Hello Phil

> Ok, well progress back here at NodeHPL, and my surrounding area, leads 
> me to the next question about working with MelbWireless.
>  
> IP Tables.

Ooh. The black art of firewalling. Werd.

> Now I've had a /16 (I think) given to me, I know NodeIPK near me also 
> has an IP allocation, but how do we set up our IPs locally, and then 
> in turn, link to each other and the rest of the group, while 
> maintaining our independent broadband services (like I have ADSL with 
> Internode), and our own private network.
>  
> Currently my knowledge extends to, and is also limited to:
>  
> All IPs in my personal network are 192.168.0.x with 192.168.0.1 as 
> my ADSL modem/router (which does DHCP .30 to .250)

Please take a moment to go to the window and wave to Rick and all his 
219 dynamically assigned IP mates[1] downloading all their dwarf pr0n 
now they know they have open access :)

(big snip of internal network setup details)

> How can I setup my network, to give unlimited access to anyone within 
> my private network to :
>  
> each other,
> my ADSL,
> Melbourne Wireless.
>  
> Without allowing :
>  
> Melbourne Wireless to use my ADSL
> Melbourne Wireless to see my private network (beyond my SME server)
> my ADSL to see my private network (beyond my SME server)
> my ADSL to see Melbourne Wireless

You probably need to set up a DMZ and treat your "Melbourne Wireless" 
interface as though it's the big, bad internet. That means you need to 
set up your iptables firewall to only let certain services come in from 
the Melbourne Wireless side of the network, and certain services go out 
to the Melbourne Wireless side of the network. A spare computer with a 
couple of network interfaces running any flavour of un*x will do.
Firewalling ain't easy, as you really need to know what you are doing to 
get a system secure. If you want to learn it, start with someone else's 
(a really good starting point is a script at 
http://orbital.wiretapped.net/~technion/iptables.txt), pull it apart, 
break it, and put it back together.
Some people are paid a lot of money (unless they work for Dodo) to sort 
out the problem you've just described, and I haven't even scratched the 
surface of stuff such as network address translation, shutting down 
unnecessary services, MAC filtering and so on. This level of network 
control is hard to do for a beginner, and even harder to get right.
What you should be saying is: "Hey guys, if I throw on a free barbecue 
and cut you some beer, can you come around and play with my node setup 
and help me fine-tune it, then let me know how to manage it?" That may 
get you close to achieving everything you've asked in this email within 
a short timeframe.
- Barry

-- 
[1] Sorry Rick. Couldn't help myself. 
http://antifsck.dyndns.org
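The split Barry describes (treat the wireless interface like the internet, expose only the SME server, let only named services cross each link) written out as an iptables script. This is an added example, not code from the thread or from the linked technion script; the interface names, the 10.0.0.0/16 placeholder for the wireless allocation, the SME server address and its published ports are all assumptions to adjust for a real node.

```shell
#!/bin/sh
# Assumed layout (hypothetical; adjust to your node):
LAN_IF=eth0; LAN_NET=192.168.0.0/24   # private network behind the firewall
ADSL_IF=ppp0                          # Internode ADSL link
WIFI_IF=wlan0; WIFI_NET=10.0.0.0/16   # placeholder for the MelbWireless /16
SME=192.168.0.2                       # SME server, the only LAN host exposed
SME_PORTS=80,443                      # services published on the SME server

# DRY_RUN=1 (default) prints the rules instead of loading them, so the
# ruleset can be reviewed offline; run with DRY_RUN=0 as root to apply it.
DRY_RUN=${DRY_RUN:-1}
ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

firewall_rules() {
  # Start clean and deny everything; only the flows wanted below are opened.
  ipt -F; ipt -t nat -F; ipt -X
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
  ipt -A INPUT -i lo -j ACCEPT
  # Replies to connections started from inside are allowed back.
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Only the private LAN may log in to the firewall box itself.
  ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
  # Private LAN -> ADSL and -> wireless, hidden behind NAT on each link.
  ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$ADSL_IF" -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WIFI_IF" -j ACCEPT
  ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$ADSL_IF" -j MASQUERADE
  ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WIFI_IF" -j MASQUERADE
  # Wireless may reach the SME server's published services and nothing else.
  ipt -A FORWARD -i "$WIFI_IF" -s "$WIFI_NET" -d "$SME" -p tcp \
      -m multiport --dports "$SME_PORTS" -m state --state NEW -j ACCEPT
  # The ADSL side gets the same SME services via a port forward.
  ipt -t nat -A PREROUTING -i "$ADSL_IF" -p tcp -m multiport \
      --dports "$SME_PORTS" -j DNAT --to-destination "$SME"
  ipt -A FORWARD -i "$ADSL_IF" -d "$SME" -p tcp \
      -m multiport --dports "$SME_PORTS" -m state --state NEW -j ACCEPT
  # Wireless must never ride the ADSL link: log attempts (rate limited) then drop.
  ipt -A FORWARD -i "$WIFI_IF" -o "$ADSL_IF" -m limit --limit 5/min \
      -j LOG --log-prefix "WIFI->ADSL blocked: "
  ipt -A FORWARD -i "$WIFI_IF" -o "$ADSL_IF" -j DROP
  # ADSL -> wireless and wireless -> rest of LAN hit the FORWARD DROP policy.
}

firewall_rules
```

Because the default policies are DROP, anything not listed (ADSL to wireless, wireless to the rest of the LAN) is refused; the explicit LOG line exists so wireless hosts trying to use the ADSL link show up in the kernel log.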
