comments #1
comments #1
Conversation
| -A INPUT -i eth0 -p icmp -j ACCEPT | ||
| -A INPUT -i wlan0 -p icmp -m icmp --icmp-type 8 -j ACCEPT | ||
| -A INPUT -i wlan0 -p icmp -m icmp --icmp-type 0 -j ACCEPT | ||
| -A FORWARD ! -i wlan0 -j ACCEPT |
There was a problem hiding this comment.
Accept any traffic that is forwarded between ethernet interfaces. In other words, anything that is not coming from wlan0.
| -A INPUT -i wlan0 -p icmp -m icmp --icmp-type 8 -j ACCEPT | ||
| -A INPUT -i wlan0 -p icmp -m icmp --icmp-type 0 -j ACCEPT | ||
| -A FORWARD ! -i wlan0 -j ACCEPT | ||
| -A FORWARD -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
There was a problem hiding this comment.
Accept traffic coming from outside as long as it is related to established sessions.
| @@ -0,0 +1,6 @@ | |||
| allow-hotplug eth1 | |||
There was a problem hiding this comment.
eth1 will be used as routing link with customers
| @@ -0,0 +1,3 @@ | |||
| allow-hotplug wlan0 | |||
There was a problem hiding this comment.
interface file for wlan0 for the wireless access point
| :INPUT ACCEPT [3:180] | ||
| :OUTPUT ACCEPT [4:308] | ||
| :POSTROUTING ACCEPT [1:96] | ||
| -A POSTROUTING -o wlan0 -j MASQUERADE |
There was a problem hiding this comment.
use wlan0 to provide access to public Internet to customers
| :INPUT ACCEPT [0:0] | ||
| :OUTPUT ACCEPT [0:0] | ||
| :POSTROUTING ACCEPT [0:0] | ||
| -A POSTROUTING -o eth0 -j MASQUERADE |
There was a problem hiding this comment.
Adds MASQUERADE rule so traffic exit on a public-facing interface (eth0)
| -A INPUT -i wlan0 -p icmp -m icmp --icmp-type 8 -j ACCEPT | ||
| -A INPUT -i wlan0 -p icmp -m icmp --icmp-type 0 -j ACCEPT | ||
| -A FORWARD -i wlan0 -o eth0 -j ACCEPT | ||
| -A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
There was a problem hiding this comment.
Allowing packets to be forwarded from wlan0 and outgoing if related or established for wireless access point.
| allow-hotplug eth1 | ||
|
|
||
| iface eth1 inet manual | ||
| iface eth1 inet6 auto |
There was a problem hiding this comment.
Use ipv6 instead of ipv4. Run ipv6 in auto configuration mode to configure address on ipv6 link.
| @@ -0,0 +1,3 @@ | |||
| auto dummy2 | |||
| iface dummy2 inet static | |||
| address 172.23.45.131/32 | |||
| allow-hotplug eth0 | ||
|
|
||
| iface eth0 inet static | ||
| address 172.23.45.1/24 |
| @@ -0,0 +1,3 @@ | |||
| auto dummy0 | |||
| iface dummy0 inet static | |||
| address 172.23.44.130/32 | |||
There was a problem hiding this comment.
Use dummy0 interface for authoritative server. 172.23.44.130 which is in IP range for external services, this IP address is the authoritative server.
| @@ -0,0 +1,3 @@ | |||
| auto dummy0 | |||
| iface dummy0 inet static | |||
| address 172.23.45.130/32 | |||
There was a problem hiding this comment.
interface for authoritative server
| neighbor eth1 capability extended-nexthop | ||
| ! | ||
| address-family ipv4 unicast | ||
| network 0.0.0.0/0 |
There was a problem hiding this comment.
advertise 0.0.0.0 so that customers have access to internet/network
| no ipv6 nd suppress-ra | ||
| ! | ||
| interface lo | ||
| ip address 172.23.44.129/32 |
There was a problem hiding this comment.
configure loopback interface and attach BGP router ID
| interface lo | ||
| ip address 172.23.44.129/32 | ||
| ! | ||
| router bgp 65100 |
There was a problem hiding this comment.
setup the BGP daemon to peer on the specified interface
| @@ -0,0 +1,16 @@ | |||
| ; | |||
There was a problem hiding this comment.
This file is the public DNS zone
| router bgp 65100 | ||
| bgp router-id 172.23.44.129 | ||
| coalesce-time 1000 | ||
| neighbor eth0 interface remote-as external |
There was a problem hiding this comment.
Set up router peers by using neighbor configuration. Remote as external since they are a part of a separate autonomous system.
| @@ -0,0 +1,16 @@ | |||
| ; | |||
There was a problem hiding this comment.
This file is the private DNS zone
| address-family ipv4 unicast | ||
| network 0.0.0.0/0 | ||
| network 10.10.10.0/24 | ||
| network 172.23.44.0/24 |
There was a problem hiding this comment.
Advertise this network (172.23.44.0/24)
| ! | ||
| address-family ipv4 unicast | ||
| network 0.0.0.0/0 | ||
| network 10.10.10.0/24 |
| 604800 ) ; Negative Cache TTL | ||
| ; | ||
| mimosa.pi. IN NS ns1.mimosa.pi. | ||
| ns1 IN A 172.23.44.130 |
There was a problem hiding this comment.
public DNS zone includes external IP addresses for authoritative server (172.23.44.130) and mail (172.23.44.131)
| 2419200 ; Expire | ||
| 604800 ) ; Negative Cache TTL | ||
| ; | ||
| sangria.pi. IN NS ns1.sangria.pi. |
There was a problem hiding this comment.
Public DNS zone contains the authoritative and mail addresses.
| mimosa IN A 172.23.44.1 | ||
|
|
||
| corp.mimosa.pi. IN MX 10 mail.corp.mimosa.pi. | ||
| mail IN A 172.23.44.66 |
There was a problem hiding this comment.
private DNS zone uses IP addresses in lower internal range (172.23.44.1 and 172.23.44.66) for the corporate server and mail.
| 2419200 ; Expire | ||
| 604800 ) ; Negative Cache TTL | ||
| ; | ||
| corp.sangria.pi. IN NS sangria.corp.sangria.pi. |
There was a problem hiding this comment.
Private DNS zone contains the authoritative and mail internal addresses.
| // organization | ||
| //include "/etc/bind/zones.rfc1918"; | ||
|
|
||
| view "internal" { |
There was a problem hiding this comment.
Create internal zone for customers inside our network and allow them to query corporate domains and services. Allow recursion.
| include "/etc/bind/named.conf.default-zones"; | ||
| }; | ||
|
|
||
| view "external" { |
There was a problem hiding this comment.
Create external view. Only allow external users to query mimosa.pi and NOT internal domains/services. Do not allow recursion.
| include "/etc/bind/named.conf.default-zones"; | ||
| }; | ||
|
|
||
| view "external" { |
There was a problem hiding this comment.
External view allows only the public to be able to query zone sangria.pi
| @@ -0,0 +1,32 @@ | |||
| view "internal" { | |||
There was a problem hiding this comment.
Internal view allows only the localhost and internal servers to query from corp.sangria.pi and sangria.pi and pi.
No description provided.