R
Rich Grise
Guest
I've got kind of an opportunity here - at my client's, there's a "server,"
which plugs into the DSL, dynamic IP which hasn't changed in what seems
like months, and 7 computers and a (an?) HP plotter on 10.0.0.0/8 .
5 of the boxen are W2K only, and the 2 which are mine are Slack 10.0/
W2K.
All I have as far as servers go is IP masquerading and samba, so it's not
much of a server, but that's what everybody's calling it. To the lusers,
it's just S:.
The closest thing I have to a firewall is, as I say, IP masquerading:
-----------------------------------------
root@ops:~# cat /usr/local/sbin/masq-on
modprobe ipt_MASQUERADE # If this fails, try continuing anyway
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -P INPUT DROP #only if the first two are succesful
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
root@ops:~#
-----------------------------------------
root@ops:~# route -ve
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
4.11.176.0 * 255.255.252.0 U 0 0 0
eth0
10.0.0.0 * 255.0.0.0 U 0 0 0
eth1
loopback * 255.0.0.0 U 0 0 0 lo
default wbar5-lax1-4-11 0.0.0.0 UG 0 0 0
eth0
root@ops:~#
------------------------------------------
root@ops:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with
icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ops:~#
--------------------------------------------
Maybe I should have asked some time ago - am I shooting myself in the foot
with this setup? (everything in the setting up has been copied and pasted -
I really don't understand the file formats and stuff yet - on iptables,
basically I can't figure out which is supposed to be INPUT and which is
supposed to be OUTPUT. I suppose it's in the FM and I just haven't stumbled
across it yet.)
The "check your ports" websites all seem to say "all ports are closed" or
"all ports are stealthed", so to put up a mailserver, which is about all
I'd need in addition to the samba; Apache seems to come up automagically;
is open the ports, but that would call for some protection, or am I guessing
in la-la-land?
Meanwhile, things are slow at the shop, and the guy's looking for make-
work for me, so what's a reasonable amount of money to ask for to set up
a "real" LAN? I know I could have it done in a day, but since the fringe
bennies are incomparable, I'm working for $15.00/hour, and I'd like to
milk a LAN setup more than $120.00.
What does one of those guys who works in a zoot suit and pomade charge for
something like that?
Thanks,
Rich
which plugs into the DSL, dynamic IP which hasn't changed in what seems
like months, and 7 computers and a (an?) HP plotter on 10.0.0.0/8 .
5 of the boxen are W2K only, and the 2 which are mine are Slack 10.0/
W2K.
All I have as far as servers go is IP masquerading and samba, so it's not
much of a server, but that's what everybody's calling it. To the lusers,
it's just S:.
The closest thing I have to a firewall is, as I say, IP masquerading:
-----------------------------------------
root@ops:~# cat /usr/local/sbin/masq-on
modprobe ipt_MASQUERADE # If this fails, try continuing anyway
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -P INPUT DROP #only if the first two are succesful
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
root@ops:~#
-----------------------------------------
root@ops:~# route -ve
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
4.11.176.0 * 255.255.252.0 U 0 0 0
eth0
10.0.0.0 * 255.0.0.0 U 0 0 0
eth1
loopback * 255.0.0.0 U 0 0 0 lo
default wbar5-lax1-4-11 0.0.0.0 UG 0 0 0
eth0
root@ops:~#
------------------------------------------
root@ops:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with
icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ops:~#
--------------------------------------------
Maybe I should have asked some time ago - am I shooting myself in the foot
with this setup? (everything in the setting up has been copied and pasted -
I really don't understand the file formats and stuff yet - on iptables,
basically I can't figure out which is supposed to be INPUT and which is
supposed to be OUTPUT. I suppose it's in the FM and I just haven't stumbled
across it yet.)
The "check your ports" websites all seem to say "all ports are closed" or
"all ports are stealthed", so to put up a mailserver, which is about all
I'd need in addition to the samba; Apache seems to come up automagically;
is open the ports, but that would call for some protection, or am I guessing
in la-la-land?
Meanwhile, things are slow at the shop, and the guy's looking for make-
work for me, so what's a reasonable amount of money to ask for to set up
a "real" LAN? I know I could have it done in a day, but since the fringe
bennies are incomparable, I'm working for $15.00/hour, and I'd like to
milk a LAN setup more than $120.00.
What does one of those guys who works in a zoot suit and pomade charge for
something like that?
Thanks,
Rich