Iptables question about peer-to-peer rules

Mark Nixon manixdk at tiscali.dk
Mon Apr 4 19:09:23 UTC 2005


On Mon, 2005-04-04 at 14:36 -0300, Pedro Macedo wrote:
> On Mon, 2005-04-04 at 19:23 +0200, Mark Nixon wrote:
> > Darn, it's hard to formulate an appropriate subject sometimes.
> > 
> > I have a little peer-to-peer network. I have an ADSL modem and a switch,
> > to which I have 4 computers connected.
> > 
> > As far as I have been able to suss out, my ADSL modem or my switch is
> > assigning the 10.0.* addresses.
> > 
> > I have only one printer, attached to my Linux computer. At the moment,
> > this is the most logical for my configuration.
> > 
> > I have one computer running Win Me, another running Win XP, a third
> > running Linux Core 3, and occasionally my laptop running Win XP.
> > 
> > If there's any other info required, let me know.
> > 
> > Up to now, I've been able to use my Linux machine as a print server by
> > sending the command (as root) iptables -F.
> > 
> > I know this is stupid.
> > 
> > Of course, I want the other computers on my LAN to be able to see, and
> > use, my share files *every* time.
> > 
> > Which, of course, means that iptables rules should be read in at boot
> > time.
> > 
> > From what I've been able to suss out from man iptables, Googling and
> > reading "Red Hat Fedora Linux 3 Bible" I should do the following:
> > 
> > stop iptables "/etc/init.d/iptables stop"
> > 
> > from the command line "iptables -A INPUT -p ALL -i eth0 -s 10.0.0.0/6
> > accept"
> > 
> > then I should write "service iptables save"
> > 
> > and then reboot?
> > 
> > This seems a little weird, as 10.0.0.1 is my gateway to the internet.
> > 
> > Shouldn't it be "10.0.0.2/6 accept"?
> > 
> Nope.. It's 10.0.0.0/6 accept .... Look on google for some information
> about CIDR notation and netmasks... 
> In fact, I'd prefer to do something more controlled.. Something like
> 10.0.0.0/24 accept.. This means that only machines with IPs in the range
> 10.0.0.1 - 10.0.0.254 can access your machine...
> 
> 
> > My Linux computer is *not* the Internet gateway, as European energy
> > costs rule out (for us, anyway) having my Linux computer always running.
> > Each computer on my LAN should be able to access the Internet
> > independently.
> > 
> Let me see if I understood correctly... Your modem is connected to a
> cable/dsl router, right? (like this: 
> modem --> router = all the machines )
> 

OK, I'm mixing up my terminology, my switch is connected to an ADSL
router.

> If it is, then you shouldn't need to have your computer always turned on
> to access the internet.. You would have to turn it on just to print ,
> since the printer is connected to your computer...
> 
> That iptables rule should do the trick of allowing anyone to print to
> your printer , as long as cups (the print server) is properly configured
> already..
> 

See, there you go. I didn't express myself clearly. My Linux machine is
the only machine on my LAN connected to the printer. So if the other
machines want to print, the Linux machine has to be on.

But all my machines can access the Internet, even if my Linux machine is
turned off. They just can't print. Which is OK.

But I've solved the problem, I think. 

I ran "iptables stop"

then ran "iptables -A INPUT -p -ALL -i eth0 -s 10.0.0.0/5"

then ran "service iptables start"

This seems to have worked, as I now can see my SAMBA share directories
from my wife's (10.0.0.2) machine. 

I don't think I need 10.0.0.0/24, as my switch can only take 4 machines,
but maybe I'm wrong?

> --
> Pedro Macedo
> 
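The rule discussed in the thread hinges on what a CIDR prefix actually covers, and the commands quoted above also leave out the `-j ACCEPT` target. The script below is an added example, not code from the thread or from the Fedora project: it uses Python's standard-library ipaddress module to work out the address range a `-s` source specification matches (iptables masks off the host bits, so 10.0.0.0/5 really means 8.0.0.0/5), to check which hosts a given prefix admits, to find the tightest prefix that still covers the LAN machines, and to build a complete INPUT rule. The interface name eth0 and the host addresses 10.0.0.1 to 10.0.0.4 are assumptions based on the thread.

```python
"""CIDR reasoning for the LAN accept rule discussed in the thread (added example).

Assumptions: the LAN interface is eth0 and the four machines behind the
switch use 10.0.0.1 to 10.0.0.4. Neither value comes from the thread as fact.
"""
import ipaddress


def source_range(cidr: str):
    """Return (first address, last address, address count) for a -s spec.

    strict=False mirrors iptables: host bits in the spec are masked off,
    so "10.0.0.0/5" is normalised to 8.0.0.0/5 rather than rejected.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def host_range(cidr: str):
    """Return the first and last usable host address without enumerating them.

    For a /24 this is .1 to .254, matching Pedro's description; for /31 and
    /32 there are no reserved network/broadcast addresses.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        return str(net.network_address), str(net.broadcast_address)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def matches(cidr: str, host: str) -> bool:
    """Would a packet from `host` be matched by a rule with -s `cidr`?"""
    return ipaddress.ip_address(host) in ipaddress.ip_network(cidr, strict=False)


def tightest_network(hosts) -> str:
    """Smallest prefix containing every listed host.

    Starts from a /32 on the first host and widens one bit at a time until
    all hosts fit; shows how little of a /24 a four-port switch needs.
    """
    addrs = [ipaddress.ip_address(h) for h in hosts]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return str(net)


def lan_accept_rule(cidr: str, iface: str = "eth0") -> str:
    """Build the full INPUT rule, including the -j ACCEPT target.

    The source is normalised the way iptables would store it, so the
    returned string shows what the kernel will actually match.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return f"iptables -A INPUT -p all -i {iface} -s {net.with_prefixlen} -j ACCEPT"


if __name__ == "__main__":
    # Constructed LAN for the demonstration (assumed, not from the thread).
    lan_hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    for spec in ("10.0.0.0/6", "10.0.0.0/5", "10.0.0.0/24"):
        first, last, count = source_range(spec)
        print(f"{spec:12} covers {first} - {last} ({count} addresses)")
    print("first/last usable host in 10.0.0.0/24:", host_range("10.0.0.0/24"))
    print("11.22.33.44 admitted by /5?", matches("10.0.0.0/5", "11.22.33.44"))
    print("11.22.33.44 admitted by /24?", matches("10.0.0.0/24", "11.22.33.44"))
    print("tightest prefix for the LAN:", tightest_network(lan_hosts))
    print(lan_accept_rule("10.0.0.0/24"))
    print(lan_accept_rule("10.0.0.0/5"))
```

Running it shows that /6 and /5 admit tens of millions of addresses outside the LAN (everything from 8.0.0.0 upward), while /24 admits only 10.0.0.1 to 10.0.0.254, and that a four-machine network fits inside a /29.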

More information about the fedora-list mailing list