Iptables question about peer-to-peer rules

Kam Leo kam.leo at gmail.com
Mon Apr 4 19:23:46 UTC 2005


On Apr 4, 2005 12:09 PM, Mark Nixon <manixdk at tiscali.dk> wrote:
> On Mon, 2005-04-04 at 14:36 -0300, Pedro Macedo wrote:
> > > On Mon, 2005-04-04 at 19:23 +0200, Mark Nixon wrote:
> > > Darn, it's hard to formulate an appropriate subject sometimes.
> > >
> > > I have a little peer-to-peer network. I have an ADSL modem and a switch,
> > > to which I have 4 computers connected,
> > >
> > > As far as I have been able to suss out, my ADSL modem or my switch is
> > > assigning the 10.0.* addresses.
> > >
> > > I have only one printer, attached to my Linux computer. At the moment,
> > > this is the most logical for my configuration.
> > >
> > > I have one computer running Win Me, another running Win XP, a third
> > > running Linux Core 3, and occasionally my laptop running Win XP.
> > >
> > > If there's any other info required, let me know.
> > >
> > > Up to now, I've been able to use my Linux machine as a print server by
> > > sending the command (as root) iptables -F.
> > >
> > > I know this is stupid.
> > >
> > > Of course, I want the other computers on my LAN to be able to see, and
> > > use, my share files *every* time.
> > >
> > > Which, of course, means that iptables rules should be read in at boot
> > > time.
> > >
> > > From what I've been able to suss out from man iptables, Googling and
> > > reading "Red Hat Fedora Linux 3 Bible" I should do the following:
> > >
> > > stop iptables "/etc/init.d/iptables stop"
> > >
> > > from the command line "iptables -A INPUT -p ALL -i eth0 -s 10.0.0.0/6
> > > accept"
> > >
> > > then I should write "service iptables save"
> > >
> > > and then reboot?
> > >
> > > This seems a little weird, as 10.0.0.1 is my gateway to the internet.
> > >
> > > Shouldn't it be "10.0.0.2/6 accept"?
> > >
> > Nope.. It's 10.0.0.0/6 accept .... Look on Google for some information
> > about CIDR notation and netmasks...
> > In fact, I'd prefer to do something more controlled.. Something like
> > 10.0.0.0/24 accept.. This means that only machines with IPs in the range
> > 10.0.0.1 - 10.0.0.254 can access your machine...
> >
> >
> > > My Linux computer is *not* the Internet gateway, as European energy
> > > costs rule out (for us, anyway) having my Linux computer always running.
> > > Each computer on my LAN should be able to access the Internet
> > > independently.
> > >
> > Let me see if I understood correctly... Your modem is connected to a
> > cable/dsl router, right? (like this:
> > modem --> router = all the machines )
> >
> 
> OK, I'm mixing up my terminology, my switch is connected to an ADSL
> router.
> 
> > If it is, then you shouldn't need to have your computer always turned on
> > to access the internet.. You would have to turn it on just to print,
> > since the printer is connected to your computer...
> >
> > That iptables rule should do the trick of allowing anyone to print to
> > your printer , as long as cups (the print server) is properly configured
> > already..
> >
> 
> See, there you go. I didn't express myself clearly. My Linux machine is
> the only machine on my LAN connected to the printer. So if the other
> machines want to print, the Linux machine has to be on.
> 
> But all my machines can access the Internet, even if my Linux machine is
> turned off. They just can't print. Which is OK.
> 
> But I've solved the problem, I think.
> 
> I ran "iptables stop"
> 
> then ran "iptables -A INPUT -p -ALL -i eth0 -s 10.0.0.0/5"
> 
> then ran "service iptables start"
> 
> This seems to have worked, as I now can see my SAMBA share directories
> from my wife's (10.0.0.2) machine.
> 
> I don't think I need 10.0.0.0/24, as my switch can only take 4 machines,
> but maybe I'm wrong?
> 
> > --
> > Pedro Macedo
> >

It's not the number of machines that are attached to your switch that
matters.  It's the range of IP addresses. You would need to use fixed
IP addresses for all your machines or have your DHCP server restricted
to the range of addresses that it can assign.
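Added example, not from the thread and not something any of the posters ran: a small POSIX shell script that works out which addresses an iptables -s match actually covers for the prefixes discussed above, and prints a corrected LAN-only INPUT rule set. The prefix length is the number of leading bits that are compared; the remaining host bits are ignored, so 10.0.0.0/6 matches 8.0.0.0 through 11.255.255.255, 10.0.0.0/5 matches 8.0.0.0 through 15.255.255.255, 10.0.0.2/6 selects exactly the same range as 10.0.0.0/6, and only /24 limits the match to 10.0.0.x. Also worth knowing: an iptables rule with no -j target, like the commands quoted above, matches packets but does nothing to them except count them, so it neither accepts nor drops anything. eth0 and 10.0.0.0/24 are taken from the thread; the ESTABLISHED,RELATED rule is my own addition. Nothing in the script modifies the running firewall; the rules are printed, not executed.

```shell
#!/bin/sh
# Added example, not from the fedora-list thread. Pure POSIX sh arithmetic;
# nothing here touches the live firewall (the rules are printed, not run).

# ip_to_int 10.0.0.2 -> 167772162  (dotted quad to a 32-bit integer)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1                      # split on '.' into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 167772162 -> 10.0.0.2
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range 10.0.0.0/24 -> "10.0.0.0-10.0.0.255 (256 addresses)"
# The prefix length is how many leading bits an -s match compares; the
# remaining host bits are ignored, so 10.0.0.2/6 covers the same range
# as 10.0.0.0/6.
cidr_range() {
    addr=${1%/*}
    bits=${1#*/}
    addr_int=$(ip_to_int "$addr")
    hostmask=$(( (1 << (32 - bits)) - 1 ))       # the ignored low bits
    netmask=$(( 0xFFFFFFFF & ~hostmask ))        # the compared high bits
    first=$(( addr_int & netmask ))
    last=$(( first | hostmask ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last") ($(( hostmask + 1 )) addresses)"
}

# lan_rules 10.0.0.0/24 eth0 -> a minimal INPUT chain for a LAN-only
# Samba/CUPS host, one iptables command per line. Every rule carries a
# -j target; a rule without one matches but neither accepts nor drops.
# The default policy is set last so there is no window in which all
# traffic is dropped before the ACCEPT rules exist.
lan_rules() {
    lan=$1
    dev=$2
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $dev -s $lan -j ACCEPT"
    echo "iptables -P INPUT DROP"
}

# Stand-alone demo: the prefixes that came up in the thread, then the rules.
for p in 10.0.0.0/6 10.0.0.2/6 10.0.0.0/5 10.0.0.0/24; do
    printf '%-12s covers %s\n' "$p" "$(cidr_range "$p")"
done
lan_rules 10.0.0.0/24 eth0
```

If you do paste the printed rules into a root shell on Fedora Core 3, remember that "service iptables start" reloads /etc/sysconfig/iptables and discards whatever was entered interactively, so the rules only survive a restart or reboot once you run "service iptables save".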




More information about the fedora-list mailing list