Private IP help

Perhaps firewall settings?

Aren't the "private networks" firewalled by Linode so only nodes belonging to same account can see each other?

@rsk:

Aren't the "private networks" firewalled by Linode so only nodes belonging to same account can see each other?

If I can remember the last time Caker explained it to me, no, they're not. The private network is a LAN, and behaves as such (anything can connect to anything, broadcasts work, etc.)

The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).

On Linode's end, they prevent you from going into promiscuous mode (no packet sniffing other peoples' traffic), and prevent you from spoofing IPs (keeping your firewall rules secure).

Awesome.

You know… that's one of the lovely things about Linode. They're behaving like people, not like accountants. I expected them to block traffic between nodes belonging to different accounts, because, after, all, they're different clients as far as the things are concerned. 99% of companies would say "Hey, we're losing money here! They should have to pipe it over the bandwidth-measured interfaces!".

That's an interesting take on it. I see the private IPs being much more useful if only Linodes on my account can talk to each other. Without that security benefit, I don't see the point really at all.

I figure you can always add your own iptables rules, but you can't turn off bandwidth metering.

Indeed, since they prevent spoofing, there would be no security benefit to the blocking than Xan describes.

Thanks guys!

It turned out to be a small typo in /etc/network/interfaces and it works now.

I set up NFS and works like a charm!

@Guspaz:

The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).

I did put up correct entries in /etc/hosts.allow and /etc/hosts.deny to prevent anyone else to access the NFS share.

But can someone link/guide me (or a good guide to iptables) to set it up so it only listens to the whitelisted IP?

Thanks so much!

@shah:

@Guspaz:

The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).

I did put up correct entries in /etc/hosts.allow and /etc/hosts.deny to prevent anyone else to access the NFS share.

But can someone link/guide me (or a link to a good guide to iptables) to set it up so it only listens to the whitelisted IP?

Thanks so much!

Bump. I would appreciate any comments. Thanks

Something like:

iptables -A INPUT -i eth1 -s !10.0.0.1 -j REJECT

(Replace eth1 and 10.0.0.1 appropriately.)

I'm not sure what distro you're on, but on Debian (and I suppose it would apply to Ubuntu), I then do:

iptables-save > /etc/iptables.conf

And then put the following script in /etc/network/if-pre-up.d/iptables:

#!/bin/sh

# Load iptables rules before interfaces are brought online
# This ensures that we are always protected by the firewall
#
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via the serial tty interface.
#

RESTORE=/sbin/iptables-restore
STAT=/usr/bin/stat
IPSTATE=/etc/iptables.conf

test -x $RESTORE || exit 0
test -x $STAT || exit 0

# Check permissions and ownership (rw------- for root)
if test `$STAT --format="%a" $IPSTATE` -ne "600"; then
  echo "Permissions for $IPSTATE must be 600 (rw-------)"
  exit 0
fi

# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be
# zeroed per our previous check; but we must make sure root owns it.
if test `$STAT --format="%u" $IPSTATE` -ne "0"; then
  echo "The superuser must have ownership for $IPSTATE (uid 0)"
  exit 0
fi

# Now we are ready to restore the tables
$RESTORE < $IPSTATE

Thanks so much Xan!