[lug] IP subnetting, Firewalls, and RAID

Michael J. Pedersen marvin at netinfra.net
Sat Dec 11 10:40:16 MST 1999


On Fri, Dec 10, 1999 at 11:21:50PM -0700, Andrew Diederich wrote:
> IP subnetting:
> he wants to set up a class B on a 10.x.x.x network, obviously internal.
> He was thinking of using 10.1.x.x for servers, 10.2.x.x for developers, etc.
> I think that he'd need routers for that, but if he shifted right one
> in the dotted-quad he'd be OK?  So, 10.0.1.x for servers, 10.0.2.x for
> developers, with a 255.255.0.0 netmask?  

Well, you have a couple of options, and they're decided for you by the subnet
mask.  You can use the 10.x.x.x, but if you don't want to configure a router
somewhere along the way, you'll have to use a subnet mask of 255.0.0.0, which
will effectively make one large network.  Not the best solution.

On the other hand, using a subnet mask of 255.255.0.0, you just need to
configure a linux box somewhere to be a router, which is actually pretty easy.
Simply configure a linux box with three network cards, like so:

ifconfig eth0 internet-settings-including-netmask-address-etc
# first internal /16: 10.1.0.0 - 10.1.255.255
ifconfig eth1 10.1.0.1 netmask 255.255.0.0 broadcast 10.1.255.255
route add -net 10.1.0.0 netmask 255.255.0.0 dev eth1
# second internal /16: 10.2.0.0 - 10.2.255.255
ifconfig eth2 10.2.0.1 netmask 255.255.0.0 broadcast 10.2.255.255
# route add -net takes the network address (10.2.0.0), not the interface's host address
route add -net 10.2.0.0 netmask 255.255.0.0 dev eth2

Just remember that eth0 is your internet connection, so it will need to be the
one to be firewalled.  I'll tell you how to do that later :)

> RAID:

Sorry, never done RAID, so can't help out there (not yet, anyway).

> Firewall:
> I guess one solution might be to get a KRUD CD from Kevin.  I'm not proud,
> let me know if that's the right way to go.  *grin*  Anyway, I just read
> through the IP-Masquerading howto, the IP-chains howto, and the 
> firewall howto, and am still confused.  I guess I was hoping there was an
> easier way than building all of the rules myself with the ipchains stuff.
> I think the firewall howto was from '96 -- the author said he'd tested
> it with Red Hat 3.0.3.  

Well, the IP-Chains HOWTO is one of the more difficult reads, in my opinion.
It took me about a week to finally figure out everything that they were doing.
However, here's a scheme that should do what you want it to do.

ipchains -A output -p tcp -s 0.0.0.0/0.0.0.0 -d local.ip.address/netmask http \
	-j ACCEPT
ipchains -A output -s 0.0.0.0/0.0.0.0 -d internet.(ip|network)/internet.netmask \
	-j DENY

That should block absolutely everything except for http on the internet
connection.  It's not perfect, but it's pretty decent.

-- 
Michael J. Pedersen
WhoDP: whodp://earth.activerse.com/pedersen
Check out Ding! at http://www.activerse.com
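The subnetting question in the thread above comes down to mask arithmetic: two hosts can reach each other without a router exactly when their addresses AND the mask give the same network address. The following POSIX shell script is an added example, not part of the original post, that does that arithmetic for the two layouts Andrew proposed (10.1.x.x/10.2.x.x versus 10.0.1.x/10.0.2.x, both under 255.255.0.0) and also derives the network and broadcast addresses that `route add -net` and `ifconfig ... broadcast` expect. The host addresses used in the demonstration (10.1.0.5 and so on) are constructed for illustration.

```shell
#!/bin/sh
# Added example: subnet arithmetic for the 10.x.x.x layouts discussed above.
# Works in plain POSIX sh (dotted quads must not have leading zeros, which
# $(( )) would read as octal).

# ip2int 10.1.0.1 -> 167837697 (dotted quad to 32-bit integer)
ip2int() {
    _saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 167837697 -> 10.1.0.1 (32-bit integer back to dotted quad)
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network ADDR MASK -> network address; this is what 'route add -net' wants,
# so network 10.2.0.1 255.255.0.0 gives 10.2.0.0, not 10.2.0.1
network() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# broadcast ADDR MASK -> directed broadcast, for ifconfig's 'broadcast' argument
broadcast() {
    _mask=$(ip2int "$2")
    int2ip $(( ( $(ip2int "$1") & _mask ) | ( ~_mask & 4294967295 ) ))
}

# same_subnet A B MASK -> exit 0 when A and B share a network under MASK
# (no router needed), exit 1 when a router must sit between them
same_subnet() {
    [ "$(network "$1" "$3")" = "$(network "$2" "$3")" ]
}

# check_layouts: the two layouts from the thread, judged under 255.255.0.0.
# Host addresses here are constructed for the demonstration.
check_layouts() {
    for _pair in "10.1.0.5 10.2.0.5" "10.0.1.5 10.0.2.5"; do
        set -- $_pair
        if same_subnet "$1" "$2" 255.255.0.0; then
            echo "$1 and $2 under 255.255.0.0: same subnet $(network "$1" 255.255.0.0), no router needed"
        else
            echo "$1 and $2 under 255.255.0.0: different subnets, a router must sit between them"
        fi
    done
}

check_layouts
```

Run as-is to see both verdicts: 10.1.x.x and 10.2.x.x fall in different /16 networks and need the three-NIC router described above, while 10.0.1.x and 10.0.2.x are both inside 10.0.0.0/16 and talk directly. Feeding the router's interface addresses to `network` also shows why the `route add -net` line for eth2 must name 10.2.0.0 rather than 10.2.0.1.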
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/19991211/b8358dd1/attachment.pgp>