Linode Forum :: Private IP help

Linode Forum https://forum.linode.com/

Private IP help https://forum.linode.com/viewtopic.php?f=19&t=5205	Page 1 of 1

Author:	shah [ Tue Feb 16, 2010 12:17 am ]
Post subject:	Private IP help
So me and my friend both have linodes in the same datacenter. We are collaborating on a few things and want to take advantage of unmetered bandwidth on private IPs. We both enable private IPs, set the correct IP and netmask (255.255.128.0) in /etc/network/interfaces (we both have ubuntu) and reboot. We both can see the new interface in ifconfig but we can't ping each other. Any ideas?

Author:	Vance [ Tue Feb 16, 2010 2:02 am ]
Post subject:
Perhaps firewall settings?

Author:	rsk [ Tue Feb 16, 2010 11:32 am ]
Post subject:
Aren't the "private networks" firewalled by Linode so only nodes belonging to same account can see each other?

Author:	Guspaz [ Tue Feb 16, 2010 11:38 am ]
Post subject:
rsk wrote: Aren't the "private networks" firewalled by Linode so only nodes belonging to same account can see each other? If I can remember the last time Caker explained it to me, no, they're not. The private network is a LAN, and behaves as such (anything can connect to anything, broadcasts work, etc.) The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise). On Linode's end, they prevent you from going into promiscuous mode (no packet sniffing other peoples' traffic), and prevent you from spoofing IPs (keeping your firewall rules secure).

Author:	rsk [ Tue Feb 16, 2010 3:09 pm ]
Post subject:
Awesome. You know... that's one of the lovely things about Linode. They're behaving like people, not like accountants. I expected them to block traffic between nodes belonging to different accounts, because, after, all, they're different clients as far as the things are concerned. 99% of companies would say "Hey, we're losing money here! They should have to pipe it over the bandwidth-measured interfaces!".

Author:	Xan [ Tue Feb 16, 2010 10:53 pm ]
Post subject:
That's an interesting take on it. I see the private IPs being much more useful if only Linodes on my account can talk to each other. Without that security benefit, I don't see the point really at all.

Author:	hoopycat [ Tue Feb 16, 2010 11:28 pm ]
Post subject:
I figure you can always add your own iptables rules, but you can't turn off bandwidth metering.

Author:	Guspaz [ Wed Feb 17, 2010 12:48 pm ]
Post subject:
Indeed, since they prevent spoofing, there would be no security benefit to the blocking than Xan describes.

Author:	shah [ Thu Feb 18, 2010 2:52 pm ]
Post subject:
Thanks guys! It turned out to be a small typo in /etc/network/interfaces and it works now. I set up NFS and works like a charm! Guspaz wrote: The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise). I did put up correct entries in /etc/hosts.allow and /etc/hosts.deny to prevent anyone else to access the NFS share. But can someone link/guide me (or a good guide to iptables) to set it up so it only listens to the whitelisted IP? Thanks so much!

Author:	shah [ Sat Feb 20, 2010 1:21 pm ]
Post subject:
shah wrote: Guspaz wrote: The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise). I did put up correct entries in /etc/hosts.allow and /etc/hosts.deny to prevent anyone else to access the NFS share. But can someone link/guide me (or a link to a good guide to iptables) to set it up so it only listens to the whitelisted IP? Thanks so much! Bump. I would appreciate any comments. Thanks

Author:

Xan [ Sat Feb 20, 2010 1:45 pm ]

Post subject:

Something like:

Code:

iptables -A INPUT -i eth1 -s !10.0.0.1 -j REJECT

(Replace eth1 and 10.0.0.1 appropriately.)

I'm not sure what distro you're on, but on Debian (and I suppose it would apply to Ubuntu), I then do:

Code:

iptables-save > /etc/iptables.conf

And then put the following script in /etc/network/if-pre-up.d/iptables:

Code:

#!/bin/sh

# Load iptables rules before interfaces are brought online
# This ensures that we are always protected by the firewall
#
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via the serial tty interface.
#

RESTORE=/sbin/iptables-restore
STAT=/usr/bin/stat
IPSTATE=/etc/iptables.conf

test -x $RESTORE || exit 0
test -x $STAT || exit 0

# Check permissions and ownership (rw------- for root)
if test `$STAT --format="%a" $IPSTATE` -ne "600"; then
  echo "Permissions for $IPSTATE must be 600 (rw-------)"
  exit 0
fi

# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be
# zeroed per our previous check; but we must make sure root owns it.
if test `$STAT --format="%u" $IPSTATE` -ne "0"; then
  echo "The superuser must have ownership for $IPSTATE (uid 0)"
  exit 0
fi

# Now we are ready to restore the tables
$RESTORE < $IPSTATE

Author:	shah [ Sat Feb 20, 2010 1:57 pm ]
Post subject:
Thanks so much Xan!

Page 1 of 1	All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/