| Author |
Message |
shah
Joined: 26 Sep 2009
Posts: 14
|
| Posted: Mon Feb 15, 2010 11:17 pm Post subject: Private IP help |
|
|
So me and my friend both have linodes in the same datacenter. We are collaborating on a few things and want to take advantage of unmetered bandwidth on private IPs.
We both enable private IPs, set the correct IP and netmask (255.255.128.0) in /etc/network/interfaces (we both have ubuntu) and reboot.
We both can see the new interface in ifconfig but we can't ping each other.
Any ideas? |
|
| Back to top |
|
Vance
Joined: 18 Jan 2009
Posts: 309
|
| Posted: Tue Feb 16, 2010 1:02 am Post subject: |
|
|
| Perhaps firewall settings? |
|
| Back to top |
|
rsk
Joined: 24 Nov 2009
Posts: 283
|
| Posted: Tue Feb 16, 2010 10:32 am Post subject: |
|
|
| Aren't the "private networks" firewalled by Linode so only nodes belonging to same account can see each other? |
|
| Back to top |
|
Guspaz
Joined: 26 May 2009
Posts: 1030
Location: Montreal, QC
|
| Posted: Tue Feb 16, 2010 10:38 am Post subject: |
|
|
rsk wrote: Aren't the "private networks" firewalled by Linode so only nodes belonging to same account can see each other?
If I can remember the last time Caker explained it to me, no, they're not. The private network is a LAN, and behaves as such (anything can connect to anything, broadcasts work, etc.)
The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).
On Linode's end, they prevent you from going into promiscuous mode (no packet sniffing other peoples' traffic), and prevent you from spoofing IPs (keeping your firewall rules secure). |
|
| Back to top |
|
rsk
Joined: 24 Nov 2009
Posts: 283
|
| Posted: Tue Feb 16, 2010 2:09 pm Post subject: |
|
|
Awesome.
You know... that's one of the lovely things about Linode. They're behaving like people, not like accountants. I *expected* them to block traffic between nodes belonging to different accounts, because, after, all, they're different clients as far as the things are concerned. 99% of companies would say "Hey, we're losing money here! They should have to pipe it over the bandwidth-measured interfaces!". |
|
| Back to top |
|
Xan
Joined: 08 Feb 2004
Posts: 562
Location: Austin
|
| Posted: Tue Feb 16, 2010 9:53 pm Post subject: |
|
|
| That's an interesting take on it. I see the private IPs being much more useful if only Linodes on my account can talk to each other. Without that security benefit, I don't see the point really at all. |
|
| Back to top |
|
hoopycat
Joined: 30 Aug 2008
Posts: 1136
|
| Posted: Tue Feb 16, 2010 10:28 pm Post subject: |
|
|
| I figure you can always add your own iptables rules, but you can't turn off bandwidth metering. |
|
| Back to top |
|
Guspaz
Joined: 26 May 2009
Posts: 1030
Location: Montreal, QC
|
| Posted: Wed Feb 17, 2010 11:48 am Post subject: |
|
|
| Indeed, since they prevent spoofing, there would be no security benefit to the blocking than Xan describes. |
|
| Back to top |
|
shah
Joined: 26 Sep 2009
Posts: 14
|
| Posted: Thu Feb 18, 2010 1:52 pm Post subject: |
|
|
Thanks guys!
It turned out to be a small typo in /etc/network/interfaces and it works now.
I set up NFS and works like a charm!
Guspaz wrote: The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).
I did put up correct entries in /etc/hosts.allow and /etc/hosts.deny to prevent anyone else to access the NFS share.
But can someone link/guide me (or a good guide to iptables) to set it up so it only listens to the whitelisted IP?
Thanks so much! |
|
| Back to top |
|
shah
Joined: 26 Sep 2009
Posts: 14
|
| Posted: Sat Feb 20, 2010 12:21 pm Post subject: |
|
|
shah wrote:
Guspaz wrote: The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).
I did put up correct entries in /etc/hosts.allow and /etc/hosts.deny to prevent anyone else to access the NFS share.
But can someone link/guide me (or a link to a good guide to iptables) to set it up so it only listens to the whitelisted IP?
Thanks so much!
Bump. I would appreciate any comments. Thanks |
|
| Back to top |
|
Xan
Joined: 08 Feb 2004
Posts: 562
Location: Austin
|
| Posted: Sat Feb 20, 2010 12:45 pm Post subject: |
|
|
Something like:
Code: iptables -A INPUT -i eth1 -s !10.0.0.1 -j REJECT
(Replace eth1 and 10.0.0.1 appropriately.)
I'm not sure what distro you're on, but on Debian (and I suppose it would apply to Ubuntu), I then do:
Code: iptables-save > /etc/iptables.conf
And then put the following script in /etc/network/if-pre-up.d/iptables:
Code: #!/bin/sh
# Load iptables rules before interfaces are brought online
# This ensures that we are always protected by the firewall
#
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via the serial tty interface.
#
RESTORE=/sbin/iptables-restore
STAT=/usr/bin/stat
IPSTATE=/etc/iptables.conf
test -x $RESTORE || exit 0
test -x $STAT || exit 0
# Check permissions and ownership (rw------- for root)
if test `$STAT --format="%a" $IPSTATE` -ne "600"; then
echo "Permissions for $IPSTATE must be 600 (rw-------)"
exit 0
fi
# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be
# zeroed per our previous check; but we must make sure root owns it.
if test `$STAT --format="%u" $IPSTATE` -ne "0"; then
echo "The superuser must have ownership for $IPSTATE (uid 0)"
exit 0
fi
# Now we are ready to restore the tables
$RESTORE < $IPSTATE
|
|
| Back to top |
|
shah
Joined: 26 Sep 2009
Posts: 14
|
| Posted: Sat Feb 20, 2010 12:57 pm Post subject: |
|
|
| Thanks so much Xan! |
|
| Back to top |
|
| |
