Linode Forum
Post subject: Private IP help
Posted: Tue Feb 16, 2010 12:17 am
Senior Newbie

Joined: Sat Sep 26, 2009 4:19 am
Posts: 14
So me and my friend both have linodes in the same datacenter. We are collaborating on a few things and want to take advantage of unmetered bandwidth on private IPs.

We both enable private IPs, set the correct IP and netmask (255.255.128.0) in /etc/network/interfaces (we both have Ubuntu) and reboot.

We both can see the new interface in ifconfig but we can't ping each other.

Any ideas?


Posted: Tue Feb 16, 2010 2:02 am
Senior Member

Joined: Sun Jan 18, 2009 2:41 pm
Posts: 830
Perhaps firewall settings?


Posted: Tue Feb 16, 2010 11:32 am
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
Aren't the "private networks" firewalled by Linode so only nodes belonging to same account can see each other?


Posted: Tue Feb 16, 2010 11:38 am
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
rsk wrote:
Aren't the "private networks" firewalled by Linode so only nodes belonging to same account can see each other?


If I can remember the last time Caker explained it to me, no, they're not. The private network is a LAN, and behaves as such (anything can connect to anything, broadcasts work, etc.)

The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).

On Linode's end, they prevent you from going into promiscuous mode (no packet sniffing other people's traffic), and prevent you from spoofing IPs (keeping your firewall rules secure).


Posted: Tue Feb 16, 2010 3:09 pm
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
Awesome.

You know... that's one of the lovely things about Linode. They're behaving like people, not like accountants. I *expected* them to block traffic between nodes belonging to different accounts, because, after all, they're different clients as far as the things are concerned. 99% of companies would say "Hey, we're losing money here! They should have to pipe it over the bandwidth-measured interfaces!".


Posted: Tue Feb 16, 2010 10:53 pm
Senior Member

Joined: Sun Feb 08, 2004 7:18 pm
Posts: 562
Location: Austin
That's an interesting take on it. I see the private IPs being much more useful if only Linodes on my account can talk to each other. Without that security benefit, I don't see the point really at all.


Posted: Tue Feb 16, 2010 11:28 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
I figure you can always add your own iptables rules, but you can't turn off bandwidth metering.


Posted: Wed Feb 17, 2010 12:48 pm
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
Indeed, since they prevent spoofing, there would be no security benefit to the blocking that Xan describes.


Posted: Thu Feb 18, 2010 2:52 pm
Senior Newbie

Joined: Sat Sep 26, 2009 4:19 am
Posts: 14
Thanks guys!

It turned out to be a small typo in /etc/network/interfaces and it works now.

I set up NFS and it works like a charm!

Guspaz wrote:
The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).


I did put up correct entries in /etc/hosts.allow and /etc/hosts.deny to prevent anyone else from accessing the NFS share.
But can someone link/guide me (or a good guide to iptables) to set it up so it only listens to the whitelisted IP?

Thanks so much!


Posted: Sat Feb 20, 2010 1:21 pm
Senior Newbie

Joined: Sat Sep 26, 2009 4:19 am
Posts: 14
shah wrote:
Guspaz wrote:
The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).


I did put up correct entries in /etc/hosts.allow and /etc/hosts.deny to prevent anyone else from accessing the NFS share.
But can someone link/guide me (or a link to a good guide to iptables) to set it up so it only listens to the whitelisted IP?

Thanks so much!


Bump. I would appreciate any comments. Thanks


Posted: Sat Feb 20, 2010 1:45 pm
Senior Member

Joined: Sun Feb 08, 2004 7:18 pm
Posts: 562
Location: Austin
Something like:
Code:
iptables -A INPUT -i eth1 ! -s 10.0.0.1 -j REJECT

(Replace eth1 and 10.0.0.1 appropriately.)

I'm not sure what distro you're on, but on Debian (and I suppose it would apply to Ubuntu), I then do:
Code:
iptables-save > /etc/iptables.conf


And then put the following script in /etc/network/if-pre-up.d/iptables:
Code:
#!/bin/sh

# Load iptables rules before interfaces are brought online
# This ensures that we are always protected by the firewall
#
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via the serial tty interface.
#

RESTORE=/sbin/iptables-restore
STAT=/usr/bin/stat
IPSTATE=/etc/iptables.conf

test -x "$RESTORE" || exit 0
test -x "$STAT" || exit 0
# Nothing to load if the rules file has not been saved yet
test -f "$IPSTATE" || exit 0

# Check permissions and ownership (rw------- for root)
if test "$($STAT --format="%a" "$IPSTATE")" -ne "600"; then
  echo "Permissions for $IPSTATE must be 600 (rw-------)"
  exit 0
fi

# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be
# zeroed per our previous check; but we must make sure root owns it.
if test "$($STAT --format="%u" "$IPSTATE")" -ne "0"; then
  echo "The superuser must have ownership for $IPSTATE (uid 0)"
  exit 0
fi

# Now we are ready to restore the tables
$RESTORE < "$IPSTATE"
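
The one-line rule above admits a single source address; with several whitelisted peers, one negated match per peer would reject the other peers. The following is an added example, not part of the original post, that generates an iptables-restore ruleset for that case. The chain name PRIVATE-IN, the function names, the interface and the peer addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Interface and addresses are constructed.

# valid_ipv4 ADDR: succeed only for a plain dotted-quad address, so nothing
# else (options, spaces, hostnames) can end up inside a rule line.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# gen_private_rules IFACE PEER...: print an iptables-restore filter table that
# accepts the listed peers on IFACE and rejects every other source there.
gen_private_rules() {
  [ $# -ge 2 ] || { echo "usage: gen_private_rules IFACE PEER..." >&2; return 1; }
  iface=$1; shift
  case $iface in ''|*[!A-Za-z0-9.:_-]*) echo "bad interface: $iface" >&2; return 1 ;; esac
  for peer in "$@"; do
    valid_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 1; }
  done
  echo "*filter"
  echo ":INPUT ACCEPT [0:0]"
  echo ":FORWARD ACCEPT [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  echo ":PRIVATE-IN - [0:0]"
  # All traffic arriving on the private interface is judged in one chain.
  echo "-A INPUT -i $iface -j PRIVATE-IN"
  for peer in "$@"; do
    echo "-A PRIVATE-IN -s $peer/32 -j ACCEPT"
  done
  # Anything that matched no whitelisted peer is refused.
  echo "-A PRIVATE-IN -j REJECT"
  echo "COMMIT"
}

# write_rules FILE IFACE PEER...: write the ruleset with mode 600, which the
# if-pre-up.d script in the post above checks before loading the file.
write_rules() {
  out=$1; shift
  tmp="$out.tmp.$$"
  ( umask 077; gen_private_rules "$@" > "$tmp" ) || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$out"
}
```

Loading the generated file replaces the whole filter table, so any other rules you rely on have to be added to it; `iptables-restore --test < file` parses a file without committing it.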


Posted: Sat Feb 20, 2010 1:57 pm
Senior Newbie

Joined: Sat Sep 26, 2009 4:19 am
Posts: 14
Thanks so much Xan!

