TWiki>
CF Web>Research>ResearchGroups>BioInformatics>M160>DNSMASQ>NatMasqFirewallExample (2015-02-18, RonaldoGarcia)
EditAttach
CF Web>Research>ResearchGroups>BioInformatics>M160>DNSMASQ>NatMasqFirewallExample (2015-02-18, RonaldoGarcia) EditAttach -- MikeGore - 14 Feb 2012
Files
- Location: asimov.uwaterloo.ca:/images/exports/scripts/remote
- Install: rsync -a cscf-adm@asimov.uwaterloo.ca:/images/exports/scripts /
Dependencies
- DNSMASQ - the dnsmasq package has to be installed and configured
Documentation
- See also CSApplicationServer for another detailed example
How to setup
- Details in the following sections
- Update setvars
- Optionally update firewall
- Install firewall.rc
Primary Configuration files
setvars
- common interface names and networks for the firewall scripts
- EXTIP is the IP for your External interface
- EXTIF is teh name of the external interface
- COMM is the name of your private network
- VLAN_COMM is the address scope of the private network
# Your external network address and interface # CHANGE ME EXTIP="129.97.nnn.nnn" EXTIF=eth0 # Private NAT/MASQ network # Compute Node COMM traffic COMM=eth1 VLAN_COMM="192.168.2.0/24"
- Notes: to add more private networks just you need create new entries and duplicate the COMM rules in the firewall script with a new keyword
- Example we can add NFS like this
# NFS network # Compute Node COMM traffic NFS=eth2 VLAN_NFS="10.0.1.0/24"
- Example we can add NFS like this
firewall
- This is the actual firewall script
features of the firewall script example
- Forwards using NAT/MASQ traffic between internal network COMM and the external interface
- Blocks sending SMTP port 25 from the COMM network to the outside world
- Blocks all outbound SMB destine to port 137:139 445 outside of UofW address space
- Commented out example that allows SAMBA access from the University networks
- Allows SSH from the University Networks
- Allows WEB and CUPS access from 129.97.15 University Network
- Allows access for backup.cs
firewall.rc
- firewall init.d service script
- Install:
- cp -p firewall.rc /etc/init.d/firewall
- update-rc.d firewall defaults
- Install:
Helper scripts
allow
- resets and disable the firewall NAT MASQ Forwarding functions
addhost IP
- add a host IP for SSH access - until reboot
delhost IP
- remove a host IP for SSH access - until reboot
checkhost
- check if a host has SSH access
openhost IP
- add a host IP for ALL access - until reboot
blockhost MAC
- block a host by MAC - untill reboot
Edit | Attach | Topic revision: r2 - 2015-02-18 - RonaldoGarcia
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.
- CF Web
- CF Web Home
- Changes
- Index
- Search
- Administration
- Communication
- Hardware
- HelpDeskGuide
- Infrastructure
- InternalProjects
- Linux
- MachineNotes
- Macintosh
- Management
- Networking
- Printing
- Research
- Security
- Software
- Solaris
- StaffStuff
- TaskGroups
- TermGoals
- Teaching
- UserSupport
- Vendors
- Windows
- XHier
- Other Webs
- My links
 |
|
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback