Hi,
I have a small home LAN, where one machine (192.168.1.1) connects to the internet via dialup (no DSL here) and shares the connection with IP masquerading. To achieve this, I tried out various recipes found on the internet, and finally put this in /etc/rc.d/rc.local:
--8<------ rc.local ------------
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

# Setup IP Masquerading
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Secure it
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -P INPUT DROP
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
--8<---------------------------
I don't understand much about iptables. Documentation about it is on my TODO list (I'll keep it for after my death:oD).
Now I have a problem. I fiddled a bit with NFS, and I had a firewall-related problem with it. In short, when iptables (the firewall) runs, I can't do an NFS mount. But as soon as I stop it (service iptables stop), NFS mounts are possible.
Now what can I do to 1) go on sharing my ppp connection 2) be able to do NFS mounts while 3) still having a reasonable secure system?
Cheers,
Niki Kovacs
On Tue, 2006-05-16 at 14:34 +0200, Niki Kovacs wrote:
I think that you should look at David Ranch's scripts for iptables...
http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/firewall-examples.h...
Craig
Hi,
make sure you have a 1 in this file /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
Other than that, everything looks alright.
later Charles
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Oh sorry, I didn't fully read the post.
You will also need to add something like this:
iptables -I INPUT -i eth0 -j ACCEPT
which will allow anything to connect to the server from inside (if eth0 is your internal network card).
Put this just before your iptables -P INPUT DROP.
Sorry again.
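The pieces suggested in this thread (Niki's rc.local, Charles's ip_forward reminder and his accept rule for the internal interface) put together as one script. This is an added example, not code posted by anyone in the thread. It assumes, as the thread does, that ppp0 is the dialup link, eth0 the LAN card and 192.168.1.0/24 the LAN; the DRYRUN variable, the `apply` argument and the count_rules helper are this example's own additions so the generated ruleset can be inspected without root. Two things differ from the rules in the thread on purpose: the DROP policies are set before the accept rules are appended (so there is no moment during loading when INPUT is open with a default ACCEPT policy), and the LAN accept rule also requires a LAN source address rather than trusting everything that arrives on eth0.

```shell
#!/bin/sh
# Added example, not code from the thread: an rc.local-style ruleset for a
# dialup NAT gateway that also serves NFS to the LAN.
# Assumptions (mirroring the thread): ppp0 is the dialup link, eth0 the LAN
# interface, and the LAN is 192.168.1.0/24.
#
# Usage:  sh firewall.sh apply    apply the rules (run as root)
#         sh firewall.sh          only print the commands that would run

WAN=ppp0
LAN=eth0
LANNET=192.168.1.0/24
DRYRUN=${DRYRUN:-0}

# Execute an iptables command, or echo it when DRYRUN=1.
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Start from an empty ruleset in every table.
    run -F
    run -t nat -F
    run -t mangle -F
    run -X

    # Default-deny policies first, so there is no window while the rules
    # load in which the box is open; traffic the gateway itself sends out
    # is allowed.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # Loopback, then replies to connections the gateway itself opened.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP

    # Trust the LAN side, but only packets carrying a LAN source address.
    # This is what lets portmap, mountd and nfsd (which sit on ports the
    # clients look up at run time) be reached from 192.168.1.x; nothing
    # arriving on ppp0 reaches them because the INPUT policy is DROP.
    run -A INPUT -i "$LAN" -s "$LANNET" -j ACCEPT

    # Forwarding: LAN hosts out to the internet, and their replies back.
    run -A FORWARD -i "$LAN" -s "$LANNET" -o "$WAN" -j ACCEPT
    run -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the LAN behind whatever address the dialup link got this time.
    run -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# MASQUERADE does nothing unless the kernel forwards between interfaces.
enable_forwarding() {
    if [ "$DRYRUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Number of rules the script appends to a chain; lets the generated
# ruleset be checked without root (uses a subshell so DRYRUN stays local).
count_rules() {
    ( DRYRUN=1; firewall_rules ) | grep -c -- "-A $1 "
}

if [ "${1:-}" = apply ]; then
    enable_forwarding
    firewall_rules
else
    DRYRUN=1
    enable_forwarding
    firewall_rules
fi
```

Run it without arguments first and read the printed commands; only then run `sh firewall.sh apply` as root. The NFS daemons are still reachable by every host on the LAN; restricting them further (for instance with hosts.allow for portmap, or an `-s 192.168.1.5` match on the accept rule) is a separate step this script does not take.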
Quoting Charles Lacroix clacroix@cegep-ste-foy.qc.ca:
You will also need to add something like this
iptables -I INPUT -i eth0 -j ACCEPT
which will allow anything to connect to the server from inside ( if eth0 is your internal network card )
put this just before your iptables -P INPUT DROP
Thanks very much! That worked!
I'm one step further, in front of the next problem. On the server side, my /etc/exports looks like this:
--8<---------
/vrac 192.168.1.5(rw)
-------------
For the moment, I don't bother about security, I just set up a no-frills configuration and try to fine-tune and secure it later. So no hosts.allow or hosts.deny. Of course, the /vrac directory exists, and there's some stuff in it.
I start the server.
On the client (192.168.1.5) side, I have a /localvrac directory. Now I do this:
# mount 192.168.1.1:/vrac /localvrac
I cd into localvrac (as root), and I can see the contents of the remote directory. So far so good. But as soon as I try to either open one of the text files or do a 'touch something.txt', I get a Permission denied error.
What did I do wrong?
Niki
On Tue, May 16, 2006 at 03:29:25PM +0200, Niki Kovacs enlightened us:
You didn't read the exports(5) man page, especially the section on User ID Mapping.
Matt
On Tue, May 16, 2006 at 03:29:25PM +0200, Niki Kovacs wrote:
I'm one step further, in front of the next problem. On the server side, my /etc/exports looks like this:
--8<--------- /vrac 192.168.1.5(rw)
On the client (192.168.1.5) side, I have a /localvrac directory. Now I do this:
# mount 192.168.1.1:/vrac /localvrac
I cd into localvrac (as root), and I can see the contents of the remote directory. So far so good. But as soon as I try to either open one of the text files or do a 'touch something.txt', I get a Permission denied error.
What did I do wrong?
Aside from not reading the man page?
Try:
/vrac 192.168.1.5(rw,no_root_squash)
--
Rodrigo Barbosa rodrigob@suespammers.org
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
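What Matt's pointer to the User ID Mapping section and Rodrigo's `no_root_squash` suggestion are about: with the default `root_squash`, requests arriving from uid 0 on the client are mapped to the anonymous user (nfsnobody on CentOS), so root on 192.168.1.5 gets only the "other" permission bits on files in /vrac, which is why listing works and `touch` does not. `no_root_squash` removes that mapping, so whoever is root on a client listed in /etc/exports is root on the exported tree; it fixes the symptom at the cost of the protection root squashing exists to provide. The script below is an added example, not something posted in the thread: it scans an exports file for the option combinations a reviewer would flag (`no_root_squash`, wildcard client lists, `insecure`). The exports content it checks is a constructed sample, and EXPORTS_FILE is a temporary file this example creates, not the system's /etc/exports.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an exports(5) file for
# options that weaken the NFS server. The file content below is constructed
# for the demonstration; EXPORTS_FILE is a temporary file, not /etc/exports.

# Emit one line per finding: "<path> <client> <reason>".
audit_exports() {
    sed -e 's/#.*//' "$1" | awk '
    NF >= 1 {
        path = $1
        if (NF == 1) {
            # No client list at all: exportfs treats this as "every host".
            print path, "*", "no client list, exported to every host"
            next
        }
        for (i = 2; i <= NF; i++) {
            spec = $i; host = spec; opts = ""
            p = index(spec, "(")
            if (p > 0) {
                host = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1, length(spec) - p - 1)
            }
            if (host == "") { host = "*" }
            if (host == "*" || host ~ /^\*\./) {
                print path, host, "wildcard client list"
            }
            if (opts ~ /(^|,)no_root_squash(,|$)/) {
                print path, host, "no_root_squash: root on the client is root on this export"
            }
            if (opts ~ /(^|,)insecure(,|$)/) {
                print path, host, "insecure: requests accepted from unprivileged source ports"
            }
        }
    }'
}

# Number of findings for a file (0 when nothing was flagged).
finding_count() {
    audit_exports "$1" | grep -c .
}

# Constructed sample: the thread's export with the suggested no_root_squash,
# a clean export, a world-readable one, and one that keeps root_squash but
# pins the anonymous identity to a specific unprivileged uid/gid.
EXPORTS_FILE=$(mktemp)
cat > "$EXPORTS_FILE" <<'EOF'
# /etc/exports (constructed sample)
/vrac       192.168.1.5(rw,no_root_squash)
/home       192.168.1.0/24(rw,sync,root_squash)
/pub        *(ro,insecure)
/srv/data   192.168.1.5(rw,sync,root_squash,anonuid=1000,anongid=1000)
EOF

audit_exports "$EXPORTS_FILE"
```

The /srv/data line shows the alternative to `no_root_squash` for a home LAN: keep root squashing, and either do the work on the mount as an ordinary user whose uid exists with the same number on both machines and owns the exported directory, or map the squashed identity to that user with `anonuid`/`anongid`. Either way a compromised or simply careless root on the client cannot rewrite root-owned files on the server. Run `exportfs -ra` after editing the file.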