Eyal Lebedinsky wrote:
>
> The alcatel "speed touch" has a web server on 10.0.0.138. I can do:
> ifconfig eth0 10.0.0.1 netmask 255.255.255.0
> and then ping it (from the leaf machine). However I cannot do it
> from any other machine on my internal network.
>
> I assume the firewall rules stop the access (the 10.* range is not
> forwarded).
>
> I want to allow explicit access to 10.0.0.138 (and nothing else) and
> still deny any incoming connections.
I would like to hear any comments on the setup I chose, especially if
anyone thinks the added rules expose the firewall in any way.
After careful consideration and much trialing I found that the way to
go is to masquerade the connection to the modem. This is done in a very
simple way. For starters I configure the modem eth0 connection with an IP
(it normally has none), I picked 10.0.0.1 and a class C subnet is enough:

    ifconfig eth0 10.0.0.1 netmask 255.255.255.0

Note that you must pick a subnet that includes the ADSL modem server
which is on 10.0.0.138.
Next I add one rule to the firewall. My internal net is 192.168.0.0/24
and the modem server is always on 10.0.0.138. Note that I only masquerade
the one specific host and only port www (80). Note that I add the rule at
the start of the chain to avoid hitting the later DENY.

    # ipchains treats a bare address as /32, so the net needs its mask
    /sbin/ipchains -I forward 1 -j MASQ \
        -p tcp \
        -s 192.168.0.0/24 \
        -d 10.0.0.138 www \
        -i eth0
A similar rule with '-p icmp' and no port will enable ping to the modem
(but I do not need it).
The final question is where to put these commands in the LRP setup. To
configure eth0 edit network.conf to say something like:

    eth0_IPADDR=10.0.0.1
    eth0_MASKLEN=24
    eth0_BROADCAST=10.0.0.255

By default these lines are commented out.
An easy place for the forward rule is /etc/ipfilter.conf, at the very
end, as the last command in the startup function ipfilter_firewall_cfg:
    # Allow access to the ADSL modem server
    #
    ADSL_SERVER_IP="10.0.0.138"
    for NET in $INTERN_NET; do
        $IPCH -I forward 1 -j MASQ -p tcp \
            -s $NET -d $ADSL_SERVER_IP www -i eth0
    done

The address of the www server probably belongs in network.conf rather
than being set here.
--
Eyal Lebedinsky ([EMAIL PROTECTED]) <http://samba.anu.edu.au/eyal/>
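The setup above as a small self-contained script, added here as an example and not part of the original post or of LRP: it emits the same MASQ rule for each internal net, optionally the icmp variant for ping, and first checks the post's caveat that eth0's subnet must actually contain the modem server. The variable names (IPCH, ETH0_IPADDR, ETH0_MASKLEN, ADSL_SERVER_IP, INTERN_NET, ADSL_PING) are assumed for this example and need not match the real LRP config files.

```shell
#!/bin/sh
# Added example (not from the post or LRP). Variable names are assumed.
: "${IPCH:=/sbin/ipchains}"       # IPCH=echo prints the rules instead
: "${ETH0_IPADDR:=10.0.0.1}"
: "${ETH0_MASKLEN:=24}"
: "${ADSL_SERVER_IP:=10.0.0.138}"
: "${INTERN_NET:=192.168.0.0/24}" # space-separated list of internal nets
: "${ADSL_PING:=}"                # non-empty: also masquerade icmp (ping)

# Dotted quad -> 32-bit integer (10.0.0.138 -> 167772298)
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 MASKLEN: succeed if both addresses lie in one /MASKLEN
same_subnet() {
    m=$(( ((1 << $3) - 1) << (32 - $3) ))
    [ $(( $(ip4_to_int "$1") & m )) -eq $(( $(ip4_to_int "$2") & m )) ]
}

# Insert the MASQ rules at the head of the forward chain, as the post does,
# so they are matched before the later DENY. Refuses to run if the modem
# server is outside the subnet configured on eth0 (the post's caveat).
adsl_rules() {
    if ! same_subnet "$ETH0_IPADDR" "$ADSL_SERVER_IP" "$ETH0_MASKLEN"; then
        echo "error: $ADSL_SERVER_IP is outside $ETH0_IPADDR/$ETH0_MASKLEN" >&2
        return 1
    fi
    for NET in $INTERN_NET; do
        $IPCH -I forward 1 -j MASQ -p tcp -s "$NET" -d "$ADSL_SERVER_IP" www -i eth0
        if [ -n "$ADSL_PING" ]; then
            $IPCH -I forward 1 -j MASQ -p icmp -s "$NET" -d "$ADSL_SERVER_IP" -i eth0
        fi
    done
}
```

Run with `IPCH=echo sh script.sh` after appending a call to `adsl_rules` to see the rules it would insert without touching the firewall.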