[plug] Configuring ipchains on potato

bob bob at contact.omen.com.au
Wed Jul 10 18:18:09 WST 2002


On Wed, 2002-07-10 at 15:24, Craig Ringer wrote:
> >>Anyway, long story short. I'd like to get up to speed on configuring a
> >>firewall/gateway & DNS (I think I can handle most everything else but I
> >>have 0 experience with ipchains or setting up a DNS [2] (I'll be
> >>registering an org.au ). The plan is to run all the services locally on
> >>the alpha and only use the permanent dialup for the static IP so I may
> >>need some hints here and there along the way on other things too.
> > 
> > Get MonMotha (Google for it) for now, get technical later. About 12 simple 
> > questions to answer, run it from startup, game over.
> 
> OK, a few ideas for the setup that you might want to consider - 
> depending entirely on personal prefs of course.
> 
> _If_ you're thinking about moving to woody and a 2.4 kernel (yay 
> iptables), I'd recommend installing the ipmasq package, at least if you 
> don't have world-reachable IPs for your internal LAN.

Woody isn't in any of the local mirrors for alphas so I'm sticking with
what I can get easily.

ipmasq is installed :).
 
> That way you can just create an /etc/ipmasq/I90external.rul file to 
> override the default rules (all ports open, internal lan "protected" 
> only by masq'd addrs) and create a half-decent firewall. Don't know if 
> it's the best way but it fits in well with the rest of the system and it's 
> worked well for me so far at home. At work I use fwbuilder (I'm lazy and 
> can't be stuffed writing huge rulesets by hand) to make a script that 
> correctly configures iptables.

sounds good...

> As for dns, after you pick bind8 or bind9 (I really can't recommend one 
> over the other as I lack the experience but I use bind8 myself 
> currently) it's pretty easy to do the basics; create a master zone file 
> for .localnet or .localdomain for your private network (I tend to use 
> an invalid TLD like that because I use the 192.168.x.x range @home and 
> 10.x.x.x at work, and don't want namespace conflicts with the outside 
> world). I don't know about others on the list but I won't use a 
> real-world TLD for private IP addresses.

See other post. I may not end up running bind. However I'd still like to
see what I can learn.
 
> You'll need another master zone file if you need to serve DNS for a real 
> domain too, rather than farming it out to someone else.

That's the original plan. That may not happen now that I've found
http://soa.granitecanyon.com/

> If you can't be stuffed learning to config bind manually, webmin to the 
> rescue :-) there are some good bind modules out there. It's also a good 
> idea IMHO to set up bind to do forwarding and set it as the DNS for all 
> local machines on the lan; that way you can transparently cache, hide 
> dns server changes from client machines, cleanly fail-over to secondary 
> DNS servers, etc. I use DHCP to inform client machines of their intended 
> DNS settings etc.

Yep, ok. D/L'ing webmin now.
 
> I can provide a sample /etc/ipmasq/I90external.rul if you're interested, 
> as well as sample zone files etc. I don't claim that they're ideal but 
> they work well for me.

That'd be very useful. It's always easier to nut things out if you have
examples.

Thanks!
 
> -- 
> Craig Ringer

-- 
bob
Cave canem...te necet lingendo.
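As an added illustration of the split described in the thread (a master zone for an invalid private TLD, with everything else forwarded so clients never see upstream resolver changes), this is an editor-supplied BIND configuration sketch, not the sample files Craig offered; the host names, the 192.168.1.0/24 addresses and the 203.0.113.x forwarders are placeholder assumptions. The fragment is valid for both bind8 (8.2 or later) and bind9.

```conf
// /etc/bind/named.conf (fragment). Everything we are not authoritative for
// is forwarded to the ISP's resolvers; "localnet" is served locally.
options {
    directory "/var/cache/bind";
    forward only;
    forwarders { 203.0.113.53; 203.0.113.54; };   // placeholder ISP resolvers
    allow-query { 192.168.1.0/24; 127.0.0.1; };   // answer the LAN and localhost only
    allow-transfer { none; };                     // no zone transfers to anyone
};

zone "localnet" {
    type master;
    file "/etc/bind/db.localnet";
};

// /etc/bind/db.localnet: master zone for the private TLD. Only private
// 192.168.x.x addresses live here, so nothing leaks into the real namespace.
$TTL 86400
@       IN  SOA  gw.localnet. hostmaster.localnet. (
                 2002071001 ; serial (YYYYMMDDnn, bump on every change)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; negative-cache TTL
        IN  NS   gw.localnet.
gw      IN  A    192.168.1.1   ; the gateway/firewall box, also the LAN resolver
alpha   IN  A    192.168.1.2   ; example internal host
```

Point every LAN client (via DHCP or /etc/resolv.conf) at 192.168.1.1; swapping the ISP's forwarders later then means editing one line here rather than every machine.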