iptables for "local" network

Post by * Tong » Sat, 07 Sep 2002 11:50:27

Hi,

My ultimate goal is to set up iptables on my Linux server so that it
only allows "local" access, where "local" can mean either a box in my
domain or in my country (.ca).

How can I do that? Thanks.

--
Tong (remove underscore(s) to reply)
  *niX Power Tools Project: http://xpt.sourceforge.net/
  - All free contribution & collection

Post by Clive Dov » Sat, 07 Sep 2002 20:39:51

> Hi,

> My ultimate goal is to set up iptables on my Linux server so that it
> only allows "local" access, where "local" can mean either a box in my
> domain or in my country (.ca).

> How can I do that? Thanks.

What are you trying to do, exactly?

Local is anything behind your router, but in an organization like a
university there can be a network consisting of a number of more local
networks for each department.
Then, the local network can connect to an internet service provider
which is its own local network which in turn connects to the backbone
(although some service providers connect to a larger provider (e.g.
Rogers once connected to e*)).

Or to turn it around, the internet is a wide area network (WAN)
consisting of a huge number of smaller WANs which connect to yet other
WANs and eventually to LANs and individual stations.

Also, when talking of the internet, forget about what country you are
in.  The internet is trans-national.  There is no network that serves
all of Canada and only Canada. The hierarchy is more likely north-south
from your province or even town than east-west and north of the border.

Your question only has meaning in context of what you are trying to do
and at what level.

If you are trying to set up a home network, the easiest way to do it is
to set up an ip masquerading router, either by buying one at a price of
about $100.00 Canadian or by setting up that old 486 box that you are
using as a footstool to act as a dedicated router.  The cable/dsl
router which you buy from Staples or your local computer store is the
easiest solution. It is about the size of a computer textbook, draws
very little power, has no hard drive, does not create heat and is most
likely already configured for your needs by default.  Configuration, if
needed, is a process of accessing the router using your browser and
answering a few questions.

These linux newsgroups are comprised of people who are very willing to
help if you have a real problem and state it in terms of what you are
trying to do, what you have tried and what is not working out.

But don't expect them to write a textbook of hypotheticals for you.

Post by * Tong » Sun, 08 Sep 2002 03:21:45

> > My ultimate goal is to set up iptables on my Linux server so that it
> > only allows "local" access, where "local" can mean either a box in my
> > domain or in my country (.ca).

> What are you trying to do, exactly?

> Local is anything behind your router, but in an organization like a
> university there can be a network consisting of a number of more local
> networks for each department.

Oh, sorry to have not made my point clear in the first place. Of all the
web pages I've been through, they all use IP addresses to construct
iptables rules. What I wanted to know is whether I can use hostnames
instead, and how.

Suppose my hostname is myhost.3rd.2nd.1st.ca, I want to know how I can
accept all connections from 3rd level domain, or 2nd, etc., even to .ca
level.

Thanks

--
Tong (remove underscore(s) to reply)
  *niX Power Tools Project: http://xpt.sourceforge.net/
  - All free contribution & collection

Post by Clive Dov » Sun, 08 Sep 2002 05:50:33

>> > My ultimate goal is to set up iptables on my Linux server so that it
>> > only allows "local" access, where "local" can mean either a box in
>> > my domain or in my country (.ca).

>> What are you trying to do, exactly?

>> Local is anything behind your router, but in an organization like a
>> university there can be a network consisting of a number of more
>> local networks for each department.

> Oh, sorry to have not made my point clear in the first place. Of all
> the web pages I've been through, they all use IP addresses to
> construct iptables rules. What I wanted to know is whether I can
> use hostnames instead, and how.

> Suppose my hostname is myhost.3rd.2nd.1st.ca, I want to know how I can
> accept all connections from 3rd level domain, or 2nd, etc., even to
> .ca level.

> Thanks

The short answer is no.

The internet and all wide area networks and local area networks that
are part of it and all wide area and local area private networks
communicate with each other using ip addresses.

Domain names are just a convenience for human beings who find it easier
to remember a name than a number.

When you want to do a google search and you enter google.com into your
browser, your system contacts a Domain Name Server and fetches the ip
address for google.com and then uses it to make its connection.

For example, when the government of Zimbabwe wants to have a public web
site so that it can spread its propaganda, it obtains a subscription
from a service provider, pays a double monthly rate to get a commercial
service which gives it a static ip address instead of a dynamic one
which could change without notice and an authorized use policy that
allows it to connect in an http server (which is not allowed on home
cable service) and it reserves a domain name from its local domain name
granting authority (as the authority is in Zimbabwe, the name will end
with .zw, whereas you would probably get a name ending in .ca).

Zim government has a web site called http://www.gta.gov.zw/ but this is
a mere convenience for users, not an address used by the network.
Try pinging www.gta.com and you will see that the site has an ip
address of 209.88.90.3 at this time.  Zim could, if it so chose, switch
service providers, in which case it would get a different ip address but
could keep the same domain name, provided that it registered the new ip
address against the name. In that event, its own service provider's DNS
server would list the name and the new ip address and start propagating
the information to other DNS servers who in turn propagate to yet more
until (over a period of days) all the public DNS servers in the world
have the new address.
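The resolve-first approach that follows from the reply above, as an added example that is not from the thread: a POSIX shell script that turns an allow-list of hostnames into address-based iptables rules, printed for review rather than applied. The host/address pairs, the port and the names are constructed sample values; getent is used only in the optional live helper.

```shell
#!/bin/sh
# Added example, not from the thread: iptables matches addresses, never names,
# so a hostname allow-list must be resolved first and the resulting rules
# regenerated whenever DNS changes. Nothing is applied; rules are printed
# for review.

# Constructed sample of "name address" pairs, standing in for resolver
# output (assumed names and documentation-range addresses, not real hosts).
SAMPLE_RESOLVED='myhost.3rd.2nd.1st.ca 192.0.2.10
other.3rd.2nd.1st.ca 192.0.2.11
other.3rd.2nd.1st.ca 192.0.2.12'

# Live variant: resolve each name given as an argument with getent and
# print "name address" lines in the same shape as the sample above.
resolve_names() {
  for name in "$@"; do
    getent hosts "$name" | awk -v n="$name" '{ print n, $1 }'
  done
}

# Emit one ACCEPT rule per resolved address for a TCP port, tagged with the
# name it came from via the comment match, then a final DROP for that port.
# $1: "name address" lines, $2: TCP port
rules_from_resolved() {
  printf '%s\n' "$1" | while read -r name addr; do
    [ -n "$addr" ] || continue
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -m comment --comment "%s" -j ACCEPT\n' \
      "$2" "$addr" "$name"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$2"
}

# Number of rules generated (one per address plus the trailing DROP).
rule_count() {
  rules_from_resolved "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: show the rules for the constructed sample on port 22.
rules_from_resolved "$SAMPLE_RESOLVED" 22
```

Because each rule pins the address that was current when the list was generated, a whole-domain or whole-country match is still out of reach; the script only automates the per-host resolution the reply describes.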

1. Local forwarding with "iptables" gives "invalid arguments"

Dear all,

while trying to set up a reverse proxy I ran into serious trouble with
iptables.

I'm trying to forward locally generated traffic to a remote machine.
But a command like

# iptables -A OUTPUT -t nat -p tcp -d 192.168.1.154 -j DNAT
--to-destination 192.168.1.250

fails with the laconic message "iptables: Invalid argument" which is
not helpful in any way.

I'm running SuSE Linux Enterprise Server (last try was with their kernel
2.6.5-7.191-default)
and, YES, I have already rebuilt the kernel after setting
CONFIG_IP_NF_NAT_LOCAL=y.

Actually I have built several kernels by now, the last one with all netfilter
stuff compiled in (not as modules).

However, the result stays the same whatever I try, that damn "Invalid
argument".

How can I find out what the reason for that is, and how can I debug this
kind of stuff in a way that enables me to find out what "argument" is
"invalid" here and for what reason?

Benno
