I am using Eigerstein, straight from Charles' site, and I cannot set up a
www server using port forwarding. I have read numerous postings, FAQs, etc.
I am still lost. My computer is behind a Road Runner cable modem. I have no
other problems than port forwarding. I want to use my Red Hat server at
192.168.1.4. I will attach my network.conf file from my LRP.
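# Global switches read by the LRP init scripts that source this file.
VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=YES
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=NO
############################################################################
###
# Interfaces
############################################################################
###
# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie "ppp0 eth0"
# Only the internal interface is listed; eth0 (the external one) is
# presumably brought up by the DHCP client, see EXTERN_DHCP/IF_DHCP below.
IF_AUTO="eth1"
# List of all configured interfaces, manual start and boot start
IF_LIST="$IF_AUTO"
# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
# (NO is the safe setting for a firewall: redirects could re-route traffic.)
ALLIF_ACCEPT_REDIRECTS=NO
# Need these both for interfaces run by daemons - ie PPP, CIPE, some
# WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=NO
# Bridge Setup - Global stuff
#
# Enable bridging - YES/NO
BRG_SWITCH=NO
# Exempt ethernet protocol types - type "brcfg list" to find out allowed
# values
BRG_EXEMPT_PROTOS=""
# eth0: external interface. Address 0.0.0.0 because it is assigned by DHCP
# (EXTERN_DHCP=YES below).
eth0_IPADDR=0.0.0.0
eth0_MASKLEN=0
eth0_BROADCAST=0.0.0.0
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running
# these.
# NOTE(review): 0.0.0.0 is a non-empty value, so if if_up is ever run for
# eth0 it installs a default route "via 0.0.0.0"; presumably harmless here
# because eth0 is not in IF_AUTO and the DHCP client sets the route - confirm.
eth0_DEFAULT_GW=0.0.0.0
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=NO
# This setting affects the processing of ICMP redirects. Setting it to NO
# makes this more secure. Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
eth0_IP_SHARED_MEDIA=NO
# Bridge this interface - YES/NO
eth0_BRIDGE=NO
# Proxy-arp from this interface, no other config required to turn on proxy
# ARP!
# - YES/NO
eth0_PROXY_ARP=NO
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
eth0_FAIRQ=NO
# Ethernet Transmit Queue Length
# eth0_TXQLEN=100
# Complex QoS - Enable all of these + above to turn it on
#eth0_BNDWIDTH=10Mbit # Device bandwidth
#eth0_HNDL=2 # Queue Handle - must be unique
#eth0_IABURST=100 # Interactive Burst
#eth0_IARATE=1Mbit # Interactive Rate
#eth0_PXMTU=1514 # Physical MTU - includes Link Layer header
# eth1: internal interface, static address on the masqueraded LAN.
eth1_IPADDR=192.168.1.254
eth1_MASKLEN=24
eth1_BROADCAST=192.168.1.255
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=NO
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO
# Sangoma FR example
#fr498_IPADDR=10.0.10.1
#fr498_PTPADDR=10.0.10.2
#fr498_IP_SPOOF=YES
#fr498_IP_KRNL_LOGMARTIANS=YES
# Simple QoS support
#fr498_FAIRQ=YES
#fr498_TXQLEN=50
# Complex FR QoS - Enable ALL of these + above to turn it on
#fr498_FRBURST=960Kbit # FR Burst capacity (a rate)
#fr498_BULKRATE=320Kbit # Usually you set this to the CIR
#fr498_BULKBURST=50 # Number of packets that can burst in bulk class
#fr498_BNDWIDTH=1920Kbit # The bandwidth of the interface
#fr498_IABURST=512 # No of Interactive Burst packets
#fr498_IARATE=640Kbit # Burst capacity bandwidth between
# BURST and CIR
#fr498_HNDL=2 # The queue handle - must be unique Dialup PPP is 1000+
#fr498_PXMTU=1508 # The Physical MTU of the interface (data + MAC header)
# PPP interface stuff - these apply to all ASYNC ppp interfaces, options
# same as ethernet above.
ppp_BNDWIDTH=30Kbit
ppp_FAIRQ=YES
ppp_TXQLEN=30
ppp_IABURST=20
ppp_IARATE=10Kbit
ppp_PXMTU=1500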
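############################################################################
###
# IP Filter setup - can pull in settings from above
############################################################################
###
# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, mtp, www
# to internal machines below.
IPFILTER_SWITCH=firewall
# This set of variables is used with both sets of filters
SNMP_BLOCK=YES # Block all SNMP (YES/NO)
# List of IP Nos used for SNMP management
SNMP_MANAGER_IPS=""
# Fair Queuing support
# List of Mark values
MRK_CRIT=1 # Critical traffic, routing, DNS
MRK_IA=2 # Interactive traffic - telnet, ssh, IRC
# List of traffic types and maps to mark values
# Setting this variable turns on the
# fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route
${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain
${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
# This set of variables is used with the basic routing filter setup
# This set of variables is used with a basic IP masquerading firewall setup
#Notation - IP addresses/masklen
#
# NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/
# port forwarding when EXTERN_DYNADDR is on because some security
# leaks will result. You may also want to limit the external open
# ports to domain (UDP) for DNS. Anyhow, these features are not that
# usable unless you have a static external address
#
EXTERN_IF="eth0" # External Interface
#
# Start of changes by Charles Steinkuehler for DHCP
#
# Added for DHCP support
# Setting this to YES causes the script to read EXTERN_IP directly from
# the interface
EXTERN_DHCP=YES # - YES/NO
# The interface to configure via dhcp
IF_DHCP=$EXTERN_IF
# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address. Set this to NO for typical ethernet setups, even if
# you are using DHCP
# External Address dynamically assigned
EXTERN_DYNADDR=NO # - YES/NO
# -- OR --
EXTERN_IP=0.0.0.0 # External Interface IP number
# If external interface is DHCP, read the IP address
# This should probably be moved to the init.d network script, but it seemed
# I put it here for now, as it is more obvious what it is doing, in case it
# messes something else up.
case "$EXTERN_DHCP" in
YES|Yes|yes)
# This computes the IP address of $EXTERN_IF
# grep keeps only the IPv4 address line(s) of the "ip addr" output; the
# trailing blank in 'inet ' stops an "inet6" line from being selected and
# mis-parsed (the sed below would then yield "6"). The first sed keeps
# just the first line (in case there are several IP addresses for some
# reason), and the second sed extracts the address in dot quad notation.
EXTERN_IP=$(ip addr list label "$EXTERN_IF" | \
grep 'inet ' | \
sed '1!d' | \
sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/')
# Debugging - Remove if you like
# echo Extern IP: $EXTERN_IP
# If the external address is not configured, use a bogus address for the
# external interface to prevent a bunch of (harmless) errors that spit out
# when the IPCHAINS script is called.
# NOTE(review): EXTERN_IP is computed once, at the moment this file is
# sourced. If the DHCP lease is not in place yet, the bogus address below is
# what ${EXTERN_IP} expands to in INTERN_SERVERS further down, so the port
# forwards are built for 192.168.254.254 instead of the real external
# address; presumably the same happens when the lease changes later. Check
# the installed forwarding rules after the lease is obtained - verify.
if [ -z "$EXTERN_IP" ]; then
EXTERN_IP=192.168.254.254
fi
;;
esac
# UDP Services open to outside world
# - srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
# NOTE(review): 0/0_www here opens UDP/80 from any source; an HTTP server
# only needs the TCP entry in EXTERN_TCP_PORTS.
EXTERN_UDP_PORTS="0/0_domain 0/0_ntp 0/0_bootpc 0/0_www"
#
# End of changes made by Charles Steinkuehler for dhcp support
#
# TCP services open to outside world
# - srcip/mask_dstport
# 0/0 means any source, so ssh and smtp are reachable from the whole
# Internet with this setting.
EXTERN_TCP_PORTS="0/0_ssh 0/0_smtp 0/0_www"
# Internal interface
INTERN_IF="eth1" # Internal Interface
INTERN_NET=192.168.1.0/24 # Internal network (to be masqueraded)
INTERN_IP=192.168.1.254 # IP number of Internal Interface
# (to allow forwarding to external IP)
MASQ_SWITCH=YES # Masquerade internal network to outside
# world - YES/NO
# These services are not masqueraded from inside to outside.
# Notation: proto_destnet_port
# Allows the firewall to be trusted for ssh access to routers...
# Override for below
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"
# services not to be masqueraded
#NOMASQ_DEST="tcp_0/0_ssh"
# Uncomment following for internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# <protocol>_<extern-ip>_<extern-port>_<intern-ip>_<intern-port>
# These forwards only take effect with the ip_masq_portfw module loaded
# (see the note at the top of this section). The www forward is also set
# via INTERN_WWW_SERVER below, so port 80 is configured twice; the ftp
# entry points at 192.168.1.1, which must exist for that forward to work.
INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp
tcp_${EXTERN_IP}_www_192.168.1.4_www"
# These lines use the primary external IP address...if you need to
# port-forward an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1 # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.1.4 #Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1 # Internal SSH server to make available
#EXTERN_SSH_PORT=24 # External port to use for internal SSH access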
############################################################################
###
# Interface activation/deactivation functions
# Here so that special interface commands can be called and daemons started
#
# Arps can be set up here, network/host routes and so forth.
#
# This appears to be a little messy but is needed to achieve maximum
# functionality and flexibility.
#
############################################################################
###
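#######################################
# Bring up one interface and apply its per-interface settings.
# Arguments: $1 - interface name (eth*, ppp0, fr*, ...)
# Globals:   <if>_IPADDR, <if>_MASKLEN, <if>_BROADCAST, <if>_PTPADDR,
#            <if>_DEFAULT_GW, <if>_IP_EXTRA_ADDRS, <if>_TXQLEN, <if>_IP_SPOOF,
#            <if>_IP_KRNL_LOGMARTIANS, <if>_IP_SHARED_MEDIA, <if>_BRIDGE,
#            <if>_PROXY_ARP, DEF_IP_SPOOF, DEF_IP_KRNL_LOGMARTIANS,
#            ALLIF_ACCEPT_REDIRECTS (all read)
# Calls:     brg_global, brg_iface, if_setproc (defined elsewhere),
#            ip_QoS, ip_frQoS, and the ip/pppd/wanconfig tools
# Returns:   always 0
#######################################
if_up () {
local ADDR
# Cleared on every call. Previously this was not scoped, so the
# "broadcast ..." string of the last interface that had a BROADCAST setting
# stayed set and was reused by later interfaces that have none.
# (Assumes nothing outside if_up reads IFCFG_BROADCAST - confirm.)
local IFCFG_BROADCAST=""
# sort out a few things to make life easier - here so that you
# can see what is done and so that you can add anything if needed.
# $1 is spliced into shell code by eval, so only call this with the
# interface names configured in IF_AUTO/IF_LIST in this file.
eval local IPADDR=\${"$1"_IPADDR:-""}
eval local MASKLEN=\${"$1"_MASKLEN:-""}
eval local BROADCAST=\${"$1"_BROADCAST:-""}
eval local PTPADDR=\${"$1"_PTPADDR:-""}
eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
eval local TXQLEN=\${"$1"_TXQLEN:-""}
eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
eval local BRIDGE=\${"$1"_BRIDGE:-""}
eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
if [ -n "$BROADCAST" ] ; then
IFCFG_BROADCAST="broadcast $BROADCAST"
fi
# Do the global bridge stuff
brg_global
# Set default interface flags here - used for PPP and WAN interfaces
if_setproc default rp_filter $DEF_IP_SPOOF
if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS
# Set up each interface
case $1 in
ppp0)
pppd call provider
;;
fr*)
wanconfig card wanpipe1 dev $1 start
ip addr add $IPADDR peer $PTPADDR dev $1
ip link set $1 up
# Fair queuing - this can be selected for any interface
ip_frQoS $1
;;
*) # default interface startup
brg_iface $1 up $BRIDGE
[ -n "$IPADDR" ] \
&& ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1
for ADDR in $IP_EXTRA_ADDRS; do
ip addr add $ADDR dev $1
done
ip link set $1 up
# Fair queuing - this can be selected for any interface
ip_QoS $1
;;
esac
# Do universal interface config items here
# Default route support - any non-empty value (including 0.0.0.0) is used
[ -n "$DEFAULT_GW" ] \
&& ip route replace default nexthop via $DEFAULT_GW dev $1
# Set the TX Queue Length
[ -n "$TXQLEN" ] \
&& ip link set $1 txqlen $TXQLEN
# Spoof protection (reverse path filter)
if_setproc $1 rp_filter $IP_SPOOF
# Kernel logging of martians on this interface
if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
# Shared Media stuff
if_setproc $1 shared_media $IP_SHARED_MEDIA
# Proxy ARP support
if_setproc $1 proxy_arp $PROXY_ARP
return 0
}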
#######################################
# Take one interface down and remove its queueing setup.
# Arguments: $1 - interface name (ppp*, fr*, anything else = default)
# Calls:     brg_global, brg_iface, qt, ip_QoSclear (defined elsewhere),
#            ip, wanconfig, kill
# Returns:   always 0 (the final "true")
#######################################
if_down () {
# Do the global bridge stuff
brg_global
case $1 in
ppp*)
# Signal the pppd named by the interface's pid file, if there is one
# (qt presumably runs the command quietly - it is defined elsewhere)
[ -f /var/run/$1.pid ] && qt kill `cat /var/run/$1.pid`
sleep 5 # Wait for pppd to die
;;
fr*)
# Frame relay: link down, drop addresses, then stop the WAN card
qt ip link set $1 down
qt ip addr flush dev $1
qt wanconfig card wanpipe1 dev $1 stop
;;
*) # default action
brg_iface $1 down
ip link set $1 down # This also kills any routes
qt ip addr flush dev $1
;;
esac
# Clean up any QoS/fair queuing stuff
ip_QoSclear $1
true
} #END if_down
############################################################################
###
# Hostname Requires: CONFIG_HOSTNAME=YES
############################################################################
###
# Name of this router (applied by the init scripts when CONFIG_HOSTNAME=YES).
HOSTNAME="myrouter"
############################################################################
###
# Hosts file (Static domainname entries) Requires: CONFIG_HOSTSFILE=YES
############################################################################
###
# IP FQDN hostname alias1 alias2..
# NOTE(review): this uses the address of eth0, which is 0.0.0.0 in this file
# because eth0 gets its address via DHCP; eth1_IPADDR is the router's fixed
# internal address - confirm which one is intended for the hosts entry.
HOSTS0="${eth0_IPADDR} ${HOSTNAME}.private.network ${HOSTNAME} mr rtr"
#HOSTS1="192.168.1.22 host2.private.network host2 h2"
############################################################################
###
# Domain Search Order and Name Servers Requires: CONFIG_DNS=YES
############################################################################
###
# Not applied while CONFIG_DNS=NO (set at the top of this file).
DOMAINS="private.network"
DNS0="192.168.1.254"
#DNS1=0.0.0.0
############################################################################
###
# QoS/Fariqueing functions
############################################################################
###
#######################################
# Remove the root qdisc (whatever ip_QoS/ip_frQoS installed) from an interface.
# Arguments: $1 - interface name
# Calls:     qt (defined elsewhere), tc
# Returns:   always 0; does nothing when /sbin/tc is not executable
#######################################
ip_QoSclear () {
if [ -x /sbin/tc ]; then
qt tc qdisc del dev $1 root
fi
return 0
}
#######################################
# Set up fair queueing / CBQ on a frame relay interface.
# Arguments: $1 - interface name
# Globals:   <if>_FAIRQ, <if>_BULKRATE, <if>_BULKBURST, <if>_FRBURST,
#            <if>_HNDL, <if>_BNDWIDTH, <if>_IARATE, <if>_IABURST, <if>_PXMTU,
#            MRK_CRIT, MRK_IA (all read)
# Returns:   1 if /sbin/tc is not executable or FAIRQ is not YES/Yes/yes;
#            0 after installing a plain sfq qdisc (when any CBQ parameter is
#            missing) or the full CBQ class tree.
#######################################
ip_frQoS () {
# Set some variables. $1 is spliced into shell code by eval, so only call
# this with interface names configured in this file.
eval local FAIRQ=\${"$1"_FAIRQ:-""}
eval local BULKRATE=\${"$1"_BULKRATE:-""}
eval local BULKBURST=\${"$1"_BULKBURST:-""}
eval local FRBURST=\${"$1"_FRBURST:-""}
eval local HNDL=\${"$1"_HNDL:-""}
eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
eval local IARATE=\${"$1"_IARATE:-""}
eval local IABURST=\${"$1"_IABURST:-""}
eval local PXMTU=\${"$1"_PXMTU:-""}
if [ ! -x /sbin/tc ]; then
return 1
fi
if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
then
return 1
fi
# Without the complete CBQ parameter set fall back to simple SFQ
if [ -z "$BULKRATE" -o -z "$FRBURST" -o -z "$HNDL" -o -z "$PXMTU" \
-o -z "$BNDWIDTH" -o -z "$IARATE" -o -z "$IABURST" \
-o -z "$BULKBURST" ]; then
tc qdisc replace dev $1 root sfq
return 0
fi
# Attach CBQ to device
tc qdisc add dev $1 root handle $HNDL: cbq \
bandwidth $BNDWIDTH avpkt 1000
# Set up classes
# Bulk class - default for unmarked traffic (defmap ff7f)
tc class add dev $1 parent $HNDL:0 classid :1 \
est 1sec 8sec cbq bandwidth $BNDWIDTH \
rate $BULKRATE allot $PXMTU bounded weight 1 prio 6 \
avpkt 1000 maxburst $BULKBURST \
split $HNDL:0 defmap ff7f
tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
# Interactive Class
tc class add dev $1 parent $HNDL:0 classid :2 \
est 2sec 16sec cbq bandwidth $BNDWIDTH \
rate $IARATE allot $PXMTU bounded weight 1 prio 6 \
avpkt 1000 maxburst $IABURST \
split $HNDL:0 defmap 80
tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
# Priority class
tc class add dev $1 parent $HNDL:0 classid :3 \
est 1sec 8sec cbq bandwidth $BNDWIDTH \
rate $FRBURST allot $PXMTU bounded weight 1 prio 1 \
avpkt 1000 maxburst 21
tc qdisc add dev $1 parent $HNDL:3 pfifo
# Add filters - packets carrying firewall mark MRK_CRIT go to the priority
# class, MRK_IA to the interactive class (marks are set by CLS_FAIRQ above)
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 50 handle $MRK_CRIT fw classid $HNDL:3
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 60 handle $MRK_IA fw classid $HNDL:2
return 0
}
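#######################################
# Set up fair queueing / CBQ on an ethernet or PPP interface.
# Arguments: $1 - interface name
#            $2 - FAIRQ fallback, used only if <if>_FAIRQ is unset/empty
#            $3 - BNDWIDTH fallback, $4 - PXMTU fallback,
#            $5 - IARATE fallback, $6 - IABURST fallback (same rule)
# Globals:   <if>_HNDL, <if>_FAIRQ, <if>_BNDWIDTH, <if>_PXMTU, <if>_IARATE,
#            <if>_IABURST, MRK_CRIT, MRK_IA (all read)
# Returns:   1 if /sbin/tc is not executable or FAIRQ is not YES/Yes/yes;
#            0 after installing a plain sfq qdisc (when any CBQ parameter is
#            missing) or the full CBQ class tree.
#######################################
ip_QoS () {
# Per-interface settings, with the positional arguments as fallbacks.
# $1 is spliced into shell code by eval, so only call this with interface
# names configured in this file.
eval local HNDL=\${"$1"_HNDL:-""}
eval local FAIRQ=\${"$1"_FAIRQ:-""}
if [ -z "$FAIRQ" -a -n "$2" ]; then
FAIRQ=$2
fi
eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
if [ -z "$BNDWIDTH" -a -n "$3" ]; then
BNDWIDTH=$3
fi
eval local PXMTU=\${"$1"_PXMTU:-""}
if [ -z "$PXMTU" -a -n "$4" ]; then
PXMTU=$4
fi
eval local IARATE=\${"$1"_IARATE:-""}
if [ -z "$IARATE" -a -n "$5" ]; then
IARATE=$5
fi
eval local IABURST=\${"$1"_IABURST:-""}
if [ -z "$IABURST" -a -n "$6" ]; then
IABURST=$6
fi
if [ ! -x /sbin/tc ]; then
return 1
fi
if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
then
return 1
fi
# Without the complete CBQ parameter set fall back to simple SFQ
if [ -z "$BNDWIDTH" -o -z "$IABURST" -o -z "$IARATE" -o -z "$HNDL" \
-o -z "$PXMTU" ]; then
tc qdisc replace dev $1 root sfq
return 0
fi
# Attach CBQ to device
tc qdisc add dev $1 root handle $HNDL: cbq \
bandwidth $BNDWIDTH \
avpkt 1000
# Set up classes
# Bulk class - default for unmarked traffic (defmap ff7f)
tc class add dev $1 parent $HNDL:0 classid :1 est 1sec 8sec \
cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
allot $PXMTU avpkt 1000 bounded weight 1 prio 6 \
split $HNDL:0 defmap ff7f
tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
# Interactive class
tc class add dev $1 parent $HNDL:0 classid :2 est 2sec 16sec \
cbq bandwidth $BNDWIDTH rate $IARATE maxburst $IABURST \
allot $PXMTU avpkt 1000 bounded isolated weight 1 \
prio 2 split $HNDL:0 defmap 80
tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
# Priority class
tc class add dev $1 parent $HNDL:0 classid :3 est 1sec 8sec \
cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
allot $PXMTU avpkt 1000 bounded weight 1 prio 1
tc qdisc add dev $1 parent $HNDL:3 pfifo
# Add filters - packets carrying firewall mark MRK_CRIT go to the priority
# class, MRK_IA to the interactive class (marks are set by CLS_FAIRQ above)
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 50 handle $MRK_CRIT fw classid $HNDL:3
# No line continuation after this command: a stray "\" here used to make
# "return 0" part of the tc command line, so tc was given two bogus
# arguments and the function returned tc's status instead of 0.
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 60 handle $MRK_IA fw classid $HNDL:2
return 0
}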
############################################################################
###
# End
############################################################################
###