[plug] Configuring ipchains on potato

Craig Ringer craig at postnewspapers.com.au
Wed Jul 10 15:24:37 WST 2002


>>Anyway, long story short. I'd like to get up to speed on configuring a
>>firewall/gateway & DNS (I think I can handle most everything else but I
>>have 0 experience with ipchains or setting up a DNS [2] (I'll be
>>registering an org.au ). The plan is to run all the services locally on
>>the alpha and only use the permanent dialup for the static IP so I may
>>need some hints here and there along the way on other things too.
> 
> Get MonMotha (Google for it) for now, get technical later. About 12 simple 
> questions to answer, run it from startup, game over.

OK, a few ideas for the setup that you might want to consider - 
depending entirely on personal prefs of course.

_If_ you're thinking about moving to woody and a 2.4 kernel (yay 
iptables), I'd recommend installing the ipmasq package, at least if you 
don't have world-reachable IPs for your internal LAN.

That way you can just create an /etc/ipmasq/I90external.rul file to 
override the default rules (all ports open, internal LAN "protected" 
only by masq'd addrs) and create a half-decent firewall. Don't know if 
it's the best way but it fits in well with the rest of the system and it's 
worked well for me so far at home. At work I use fwbuilder (I'm lazy and 
can't be stuffed writing huge rulesets by hand) to make a script that 
correctly configures iptables.

As for DNS, after you pick bind8 or bind9 (I really can't recommend one 
over the other as I lack the experience, but I use bind8 myself 
currently) it's pretty easy to do the basics: create a master zone file 
for .localnet or .localdomain for your private network (I tend to use 
an invalid TLD like that because I use the 192.168.x.x range at home and 
10.x.x.x at work, and don't want namespace conflicts with the outside 
world). I don't know about others on the list but I won't use a 
real-world TLD for private IP addresses.

You'll need another master zone file if you need to serve DNS for a real 
domain too, rather than farming it out to someone else.

If you can't be stuffed learning to config bind manually, webmin to the 
rescue :-) there are some good bind modules out there. It's also a good 
idea IMHO to set up bind to do forwarding and set it as the DNS for all 
local machines on the LAN; that way you can transparently cache, hide 
DNS server changes from client machines, cleanly fail over to secondary 
DNS servers, etc. I use DHCP to inform client machines of their intended 
DNS settings etc.

I can provide a sample /etc/ipmasq/I90external.rul if you're interested, 
as well as sample zone files etc. I don't claim that they're ideal but 
they work well for me.

-- 
Craig Ringer
GPG Key Fingerprint: AF1C ABFE 7E64 E9C8 FC27  C16E D3CE CDC0 0E93 380D
	-- if it ain't broke, add features 'till it is. (or:)
	while (! broken) { feature ++ ; }
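As an added example that is not part of Craig's post (and not the ipmasq project's own rule file), here is the kind of override the message describes: a stand-alone sh script that replaces the "all ports open" default with a default-deny ruleset for a masquerading gateway. It only prints the iptables commands so the ruleset can be read or diffed before it is applied. The interface names (ppp0 for the dialup link, eth0 for the LAN), the 192.168.0.0/24 range and the choice to expose only port 53 (for serving the real domain from the gateway) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from ipmasq: emit an iptables
# ruleset for a masquerading gateway whose external interface is default-deny.
# Apply with:  gen_firewall_rules ppp0 eth0 | sh
# Interfaces, LAN range and permitted inbound ports are assumptions.

# Ports the gateway itself offers to the world (assumed: DNS for the hosted
# domain). Set either to the empty string to open nothing inbound.
INBOUND_TCP="${INBOUND_TCP:-53}"
INBOUND_UDP="${INBOUND_UDP:-53}"

gen_firewall_rules() {
    ext="$1"                        # world-facing interface
    int="$2"                        # LAN interface
    lan="${3:-192.168.0.0/24}"      # private range behind the gateway

    # Default-deny for inbound and forwarded traffic; outbound stays open.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F INPUT"
    echo "iptables -F FORWARD"

    # Loopback is trusted.
    echo "iptables -A INPUT -i lo -j ACCEPT"

    # Anti-spoofing, before any ACCEPT rule: packets arriving on the external
    # link must never claim a LAN source address.
    echo "iptables -A INPUT -i $ext -s $lan -j DROP"
    echo "iptables -A FORWARD -i $ext -s $lan -j DROP"

    # The LAN side is trusted for connections to the gateway itself.
    echo "iptables -A INPUT -i $int -s $lan -j ACCEPT"

    # Replies to connections the gateway or the LAN initiated.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # LAN hosts may go out; only replies come back in, via masquerading.
    echo "iptables -A FORWARD -i $int -o $ext -s $lan -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE"

    # Explicitly permitted inbound services on the external interface.
    for port in $INBOUND_TCP; do
        echo "iptables -A INPUT -i $ext -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    for port in $INBOUND_UDP; do
        echo "iptables -A INPUT -i $ext -p udp --dport $port -j ACCEPT"
    done

    # Log what the INPUT policy is about to drop, rate-limited so a port scan
    # cannot fill the disk with log lines.
    echo "iptables -A INPUT -i $ext -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
}

# When run directly with interface arguments, print the ruleset for review.
if [ $# -ge 2 ]; then
    gen_firewall_rules "$@"
fi
```

Rule order matters here: the anti-spoofing DROP sits above the state-tracking ACCEPT so that a forged LAN-sourced packet on the dialup link can never be matched as an "established" reply, and the LOG rule is last so it only sees traffic that the policy would drop anyway.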

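The other half of the post is the private .localnet zone. The forward zone and the matching in-addr.arpa reverse zone are usually maintained by hand and drift apart; as an added example (not Craig's sample zone files, and not a BIND feature), this sh script derives both from one host table so the A and PTR records always agree. The host names, the 192.168.0.0/24 range and the name server sitting on the gateway are constructed values.

```shell
#!/bin/sh
# Added example, not from the original post: generate the forward master
# zone for "localnet" and the reverse zone for 192.168.0.0/24 from one host
# table, so A and PTR records cannot disagree. All hosts and addresses are
# constructed for illustration.

# Constructed host table, one "name ip" pair per line. The name server is
# assumed to live on the gateway.
HOSTS='gateway 192.168.0.1
alpha 192.168.0.2
laptop 192.168.0.10'
NS_NAME="ns"
NS_IP="192.168.0.1"

# Common zone header: $ORIGIN, default TTL, SOA and NS. $1 = origin, $2 = serial.
zone_header() {
    printf '$ORIGIN %s.\n$TTL 86400\n' "$1"
    printf '@ IN SOA %s.localnet. hostmaster.localnet. ( %s 3600 900 604800 86400 )\n' \
        "$NS_NAME" "$2"
    printf '@ IN NS %s.localnet.\n' "$NS_NAME"
}

# 192.168.0.10 -> 10.0.168.192 (octets reversed, as in-addr.arpa wants them).
reverse_ip() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Forward zone: the NS target must be an A record (never a CNAME), then one
# A record per host. $1 = serial (e.g. YYYYMMDDnn).
forward_zone() {
    zone_header localnet "$1"
    printf '%-12s IN A     %s\n' "$NS_NAME" "$NS_IP"
    echo "$HOSTS" | while read -r name ip; do
        if [ -n "$name" ]; then
            printf '%-12s IN A     %s\n' "$name" "$ip"
        fi
    done
}

# Reverse zone for 0.168.192.in-addr.arpa: the record owner is the last
# octet, the target is the fully qualified forward name. $1 = serial.
reverse_zone() {
    zone_header 0.168.192.in-addr.arpa "$1"
    echo "$HOSTS" | while read -r name ip; do
        if [ -n "$name" ]; then
            printf '%-4s IN PTR   %s.localnet.\n' "${ip##*.}" "$name"
        fi
    done
}

# Run directly with a serial to write both files next to each other, e.g.
#   sh zones.sh 2002071001
# then reference them from named.conf as type master zones.
if [ -n "$1" ]; then
    forward_zone "$1" > db.localnet
    reverse_zone "$1" > db.192.168.0
fi
```

Bumping the serial on every change is what lets a secondary (the fail-over the post mentions) notice the zone has changed, which is why the serial is the one argument the script insists on rather than something it invents.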