Private IP help
We both enable private IPs, set the correct IP and netmask (255.255.128.0) in /etc/network/interfaces (we both have ubuntu) and reboot.
We both can see the new interface in ifconfig but we can't ping each other.
Any ideas?
11 Replies
@rsk:
Aren't the "private networks" firewalled by Linode so only nodes belonging to same account can see each other?
If I can remember the last time Caker explained it to me, no, they're not. The private network is a LAN, and behaves as such (anything can connect to anything, broadcasts work, etc.)
The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).
On Linode's end, they prevent you from going into promiscuous mode (no packet sniffing other peoples' traffic), and prevent you from spoofing IPs (keeping your firewall rules secure).
You know… that's one of the lovely things about Linode. They're behaving like people, not like accountants. I expected them to block traffic between nodes belonging to different accounts, because, after, all, they're different clients as far as the things are concerned. 99% of companies would say "Hey, we're losing money here! They should have to pipe it over the bandwidth-measured interfaces!".
It turned out to be a small typo in /etc/network/interfaces and it works now.
I set up NFS and works like a charm!
@Guspaz:
The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).
I did put up correct entries in /etc/hosts.allow and /etc/hosts.deny to prevent anyone else to access the NFS share.
But can someone link/guide me (or a good guide to iptables) to set it up so it only listens to the whitelisted IP?
Thanks so much!
@shah:
@Guspaz:The private network on your linode should be secured to only listen to a given set of IPs (unless you need otherwise).
I did put up correct entries in /etc/hosts.allow and /etc/hosts.deny to prevent anyone else to access the NFS share.
But can someone link/guide me (or a link to a good guide to iptables) to set it up so it only listens to the whitelisted IP?
Thanks so much!
Bump. I would appreciate any comments. Thanks
iptables -A INPUT -i eth1 -s !10.0.0.1 -j REJECT
(Replace eth1 and 10.0.0.1 appropriately.)
I'm not sure what distro you're on, but on Debian (and I suppose it would apply to Ubuntu), I then do:
iptables-save > /etc/iptables.conf
And then put the following script in /etc/network/if-pre-up.d/iptables:
#!/bin/sh
# Load iptables rules before interfaces are brought online
# This ensures that we are always protected by the firewall
#
# Note: if bad rules are inadvertently (or purposely) saved it could block
# access to the server except via the serial tty interface.
#
RESTORE=/sbin/iptables-restore
STAT=/usr/bin/stat
IPSTATE=/etc/iptables.conf
test -x $RESTORE || exit 0
test -x $STAT || exit 0
# Check permissions and ownership (rw------- for root)
if test `$STAT --format="%a" $IPSTATE` -ne "600"; then
echo "Permissions for $IPSTATE must be 600 (rw-------)"
exit 0
fi
# Since only the owner can read/write to the file, we can trust that it is
# secure. We need not worry about group permissions since they should be
# zeroed per our previous check; but we must make sure root owns it.
if test `$STAT --format="%u" $IPSTATE` -ne "0"; then
echo "The superuser must have ownership for $IPSTATE (uid 0)"
exit 0
fi
# Now we are ready to restore the tables
$RESTORE < $IPSTATE