--- Lourdes Jones <[EMAIL PROTECTED]> wrote:
> Hi Jim,
Hi Lourds. I hope all's well with you.
>
> > I am using diald .99.4, Redhat 6.1 (2.2.12-20).
> > I've been trying to connect to the Internet from a
> > client machine (W98) on my little network. I
> already
> > have diald working somewhat from my Linux server.
> I
> > have added the ip address of the Linux server to
> the
> > gateway list in the TCP/IP properties tab in the
> > Windows networking thingie.
>
> 1. [windows] did you set the DNS address in the
> Windows Networking
> Properties dialog?
I enabled DNS, set the host to "mudbug" which is the
name of the Linux server, set the domain jebg.com
which is the name for my home network domain. Included
mudbug's ip as well as the ips of my ISP's DNS in the
DNS Server search order. Included jebg.com and
concentric.net in the domain suffix search order. Use
the ip for mudbug as the only installed gateway.
Somewhere else I told w98 to look to the net for the
Internet rather than a modem (can't remember where).
> 2. [linux] did you enable forwarding in the linux
> kernel?
I did "echo 1 >| /proc/sys/net/ipv4/ip_forward" I
think that's what you're asking.
> 3. [linux] did you enable forwarding to the diald
> device using ipchains?
> 4. [linux] did you remember to masquerade private
> addresses leaving the pppd
> device?
I'm not really sure what you mean by the previous two
questions. I'll include my diald.conf:
-----
mode ppp
device /dev/modem
pppd-options noauth
#pppd-options asyncmap 0
speed 57600
crtscts
defaultroute
lock
modem
dynamic
demasq
debug 0x001c
local 10.0.0.2
remote 10.0.0.3
connect "/usr/sbin/chat -f /etc/sysconfig/network-scripts/chat-ppp0"
fifo /etc/diald/diald.ctl
addroute /etc/diald_up
ip-up /etc/ip_up
ip-down /etc/diald_up
----
my chat script
----
ABORT 'BUSY'
"" AT
OK ATDT<ISP phone number>
CONNECT \c
TIMEOUT 120
user:--user: <userid> ssword: <password>
----
my diald_up script
----
#!/bin/bash
#ipchains --flush
echo 1 >| /proc/sys/net/ipv4/ip_forward
echo 1 >| /proc/sys/net/ipv4/ip_dynaddr
----
my ip_up script
----
#!/usr/bin/perl
# Arguments handed to the ip-up script by diald, as named below.
($if,$arg_mask,$local,$remote) = @ARGV;
# Derive the classful network, broadcast and netmask from an address.
sub inspect_ip {
    my($ip) = @_;
    my($octet1,$octet2,$octet3,$octet4,$net,$bcast,$mask);
    ($octet1,$octet2,$octet3,$octet4) = split(/\./,$ip);
    if (192 <= $octet1) { # class C
        $net = "$octet1.$octet2.$octet3.0";
        $bcast = "$octet1.$octet2.$octet3.255";
        $mask = "255.255.255.0";
    } elsif (128 <= $octet1) { # class B
        $net = "$octet1.$octet2.0.0";
        $bcast = "$octet1.$octet2.255.255";
        $mask = "255.255.0.0";
    } else { # class A
        $net = "$octet1.0.0.0";
        $bcast = "$octet1.255.255.255";
        $mask = "255.0.0.0";
    }
    return ($net,$bcast,$mask);
}
($net,$bcast,$mask) = &inspect_ip($local);
# Hand the link parameters to the firewall script as positional args.
system "/etc/firewall", $if, $local, $net, $bcast, $mask, $remote;
and I'm sorry to do this to you, but because I got
this off the net, I'm including all of my firewall
script
----
#! /bin/bash
### $Id$
### IPChains firewall rules for a masqueraded network.
###
### These rules assume that the firewall box is connected to the
### Internet (whether this connection is on a DMZ network or just
### plugged into a router is irrelevant). The DMZ and all the
### hosts on the Internet are considered insecure. People on the
### internal networks can use any TCP protocol going out because we
### check the SYN (initiate connection) flag to prevent outsiders from
### coming in with TCP. UDP doesn't have a SYN connection (it is
### connectionless) so this won't work. Therefore, UDP packets are
### restricted going from the internal net out, unlike TCP packets.
### TCP services can run:
### 1. In the DMZ. In this case, the firewall just treats the DMZ
###    server machine as another hostile host.
### 2. On the firewall. This isn't recommended as anybody who
###    compromises your firewall can possibly get to your internal
###    network. It is probably OK for home users though where the home
###    user may not have a hub where he can connect another
###    machine or he doesn't wish to allocate another machine. This
###    strategy will probably be popular with cable modem users (where
###    your firewall machine ethernet card plugs into your cable modem box).
### 3. Internally on your masqueraded machines. In this case you will
###    have to use port forwarding to "reverse masquerade" since
###    Internet hosts can't see your internal machines (you don't own
###    the IP numbers stupid or you wouldn't be masquerading!).
###
### The variables you can set are
### UDPFWONLY  UDP ports to allow to the firewall machine only. For
###            UDP services running on the firewall.
### UDPPASSOUT UDP ports to pass outward through the firewall. There is
###            no UDPPASSIN because outside machines can't address our
###            internal machines. We are masquerading!
### TCPFWONLY  TCP ports to the firewall only. For TCP services
###            running on the firewall. All TCP connections are allowed
###            outward and none are allowed inward (since we are
###            masquerading inward won't work anyways).
###
### I don't like the ipchains-save and ipchains-restore scripts
### because all comments are lost.
### Currently, it is assumed you have patched your kernel with
### Michael Hasenstein's ftp-data patch. If you haven't, active
### ftp connections will not work. Get the patch from
### http://www.suse.de/~mha/index-next.html.
###
### Scott Simpson, [EMAIL PROTECTED]
# 6970-7170 are RealPlayer ports. We let them through the input rules
# so the ip_masq_raudio module can handle them. ntp uses the reserved port
# for both source and destination, we need to let the inward ntp port
# through.
UDPFWONLY="6970:7170 ntp"
# identd (auth) and 504 & 7070
TCPFWONLY="auth realplayer1 realplayer2"
# These are return ports (i.e., "outgoing" UDP).
UDPPASSOUT="domain ntp"
## DMZ (interface, address, network, broadcast and mask are passed
## in by the ip_up script)
DMZINF=$1
DMZIP=$2
DMZNET=$3
DMZBCAST=$4
DMZMASK=$5
## IN = internal network
ININF=eth0
I=ipchains
LOG=--log
## Delete all chain rules.
$I --flush
## Turn forwarding on. It won't work unless we do this.
echo 1 > /proc/sys/net/ipv4/ip_forward
## Turn off spoofing.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
fi
## Enable SYN cookies to prevent resource attacks.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
## Load ftp masquerade module so ftp works.
insmod ip_masq_ftp
## Load RealAudio helper.
insmod ip_masq_raudio
### All forward rules from this point onward.
## Create user defined chains for both forwarding directions
## and restricted icmp.
$I -N int2dmz
$I -N dmz2int
$I -N icmp-acc
## Create the ftp-data chain so ftp works with the kernel
## patch. If the patch isn't installed, this will cause no harm.
$I -N ftp-data
## Set up jumps from built-in chains to user defined chains.
## Other forwarding is denied.
$I -A forward -i $DMZINF -j int2dmz
$I -A forward -i $ININF -j dmz2int
$I -A forward -j DENY $LOG
#
# these were added by me on 3-24-00 to try to get diald to work from a
# network box
#
# (note: ipchains stops at the first matching rule, and the unconditional
# DENY appended above matches everything, so these two rules are never
# reached in this position)
$I -A forward -i sl0
$I -A forward -s 192.168.0.0/24 -j MASQ
## Set up icmp-acc chain which limits ICMP messages from
## the DMZ.
$I -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
$I -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
$I -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
$I -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
$I -A icmp-acc -p icmp --icmp-type ping -j ACCEPT
$I -A icmp-acc -p icmp --icmp-type pong -j ACCEPT
$I -A icmp-acc -p icmp -j DENY $LOG
## Internal->DMZ forwarding. Everything allowed.
$I -A int2dmz -j MASQ
## DMZ->Internal.
# Now block any reserved number UDP ports.
$I -A dmz2int -p udp -d $DMZIP/32 1:1023 -j REJECT $LOG
# Also block udp services >= 1024 used by the RPC services. Naturally,
# we need to run this script *after* all the services come up and are
# registered with the portmapper but we live with this.
for p in `rpcinfo -p | grep udp | awk '{print $4}'`; do
    if [ 1024 -le $p ]; then
        $I -A dmz2int -p udp -d $DMZIP/32 $p -j REJECT $LOG
    fi
done
## UDP return packets are OK.
for p in $UDPPASSOUT ""; do
    if [ -n "$p" ]; then
        $I -A dmz2int -p udp -j ACCEPT --sport $p \
            -d $DMZIP/32 1024:65535
        if [ $p = ntp ]; then
            # NTP uses the reserved port for both source and destination.
            # Therefore, we enable it through in the incoming direction.
            # Notice how the -I (insert at beginning) is used instead
            # of -A (append) so the rule precedes the "block all incoming
            # reserved ports" rule above.
            $I -I dmz2int -p udp -s 0.0.0.0/0 $p -d $DMZIP/32 $p \
                -j ACCEPT
        fi
    fi
done
# Restrict ICMP from outside.
$I -A dmz2int -p icmp -j icmp-acc
# Allow all TCP response packets.
$I -A dmz2int -p tcp ! --syn -j ACCEPT
$I -A dmz2int -j DENY $LOG
### All input rules from this point onward. We don't set
### output rules.
## Create user-defined input chain for DMZ interface
## and jump to it.
$I -N dmz-if
$I -A input -i $DMZINF -j dmz-if
## DMZ interface input.
# Only allow special ICMP.
$I -A dmz-if -p icmp -j icmp-acc
# Accept broadcast packets on net.
$I -A dmz-if -s $DMZNET/$DMZMASK -d $DMZBCAST/32 -p udp -j ACCEPT
$I -A dmz-if -s $DMZNET/$DMZMASK -d 255.255.255.255/32 -p udp -j ACCEPT
# Since we are masquerading, packets must be destined for
# this machine.
# Incoming opened UDP ports are OK.
for p in $UDPFWONLY ""; do
    if [ -n "$p" ]; then
        $I -A dmz-if -p udp -d $DMZIP/32 $p -j ACCEPT
    fi
done
# Incoming TCP ports are OK.
for p in $TCPFWONLY ""; do
    if [ -n "$p" ]; then
        $I -A dmz-if -p tcp -d $DMZIP/32 $p -j ACCEPT
    fi
done
# Netbios packets can be received when doing name resolution.
# Don't log them.
$I -A dmz-if -p udp -d $DMZIP/32 netbios-ns -j REJECT
# Now block any reserved number UDP ports.
$I -A dmz-if -p udp -d $DMZIP/32 1:1023 -j REJECT $LOG
# Also block udp services >= 1024 used by the RPC services. Naturally,
# we need to run this script *after* all the services come up and are
# registered with the portmapper but we live with this.
for p in `rpcinfo -p | grep udp | awk '{print $4}'`; do
    if [ 1024 -le $p ]; then
        $I -A dmz-if -p udp -d $DMZIP/32 $p -j REJECT $LOG
    fi
done
# Return UDP packets on opened ports are OK. If the destination port is a
# privileged port (which is illegal), it will be blocked above, but we
# check for it here anyways.
for p in $UDPPASSOUT ""; do
    if [ -n "$p" ]; then
        $I -A dmz-if -p udp --sport $p -d $DMZIP/32 1024:65535 -j ACCEPT
    fi
done
# Let ftp-data through. The *source port* is ftp-data so we
# can't add it to TCPFWONLY. This port is not forwarded through though
# because the kernel patch and ip_masq_ftp module takes care of
# the forwarding.
$I -A dmz-if -p tcp --sport ftp-data --syn -d $DMZIP/32 1024:65535 -j ACCEPT
# Non-SYN connection TCP packets destined for the firewall are allowed.
$I -A dmz-if -p tcp ! --syn -d $DMZIP/32 -j ACCEPT
# New connections on illegal ports get an ICMP reject error.
$I -A dmz-if -p tcp --syn -d $DMZIP/32 -j REJECT $LOG
$I -A dmz-if -j DENY $LOG
----
>
> > When I try to access a
> > website from that machine, it dials the modem, but
> > sometimes it hangs up because the connect script
> > failed or it gives me errors (the page is never
> > displayed on the browser):
>
> How about a log listing without information like
> timing being removed.
>
> I have no idea what program is putting out the
> messages much less what to
> suggest to correct them (or more likely add more of
> them since this snippet
> tells me nothing).
hmmmm.... I tried to bring up the list of newsgroups
again this time after setting the log level in dctrl
to "debug" or (0x0700017f). I got some interesting
messages about the return value from forking pppd (I
think - my Linux box crashed before I could save it:-(
) but no other messages. It received a lot of packets
and then stopped receiving them after a while. Maybe
you could point me at a way to get better information.
>
> > I have also had trouble bringing up news-groups.
>
> Is this on the linux machine or still on the Windows
> box?
Sorry, I wasn't clear. I'm having trouble bringing up
news groups on my Linux box.
>
> > When
> > I try to subscribe to one, netscape trys to bring
> up a
> > list. There is furious activity (as shown by
> dctrl)
> > and then it trails off. If I don't stop it, I
> can't do
> > anything else with netscape. At this point, I'm
> > guessing these problems might be related.
> > Is there anything else you need to help me with
> this?
>
> Configuration information, diald.conf, ipchains
> rules being run etc.
see above.
>
> > Any help would be greatly appreciated
> > Thanks,
>
> --
> #!/bin/sh
> # [EMAIL PROTECTED] 2000-03-17
> # only use this to debug connections
> # then replace with a firewall script
> # that actually protects your network
> # rather than letting everything through.
>
> PATH=/bin:/sbin/:/usr/sbin:/usr/bin
>
> # enable the kernel changing the ipaddress on
> # dynamic connections
> echo 2 > /proc/sys/net/ipv4/ip_dynaddr
>
> # enable the kernel to forward ip packets
> # This should already be set by init scripts
> # at boot when using RedHat as long as you set
> # 'FORWARD_IPV4="yes"' in /etc/sysconfig/network
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # change these defines to match your setup
> # (shell variable names may not contain '-')
> LOCALNET=192.168.0.1/24
> EXTERN=ppp0
> INTERN=eth0
> DIALD_DEV=tap0
> DIALD_IP=10.0.0.1
>
> # First you set policies,
> # this is what happens if a rule to match
> # the packet is not found
> ipchains -P input ACCEPT
> ipchains -P output ACCEPT
> ipchains -P forward DENY
>
> # Then you clear out any existing rules
> # this way you actually know what's happening
> ipchains -F
>
> # forward to the diald device
> ipchains -A forward -i $DIALD_DEV -s $LOCALNET -j ACCEPT
>
> # masq local traffic going out the external device
> ipchains -A forward -i $EXTERN -s $LOCALNET -j MASQ
>
> # this is required for traffic on the diald machine
> # that brought up the link
> ipchains -A forward -i $EXTERN -s $DIALD_IP -j MASQ
> --
>
> Hope this helps,
>
> Lourdes
Thanks for including this script. It's too late for me
to try it now, I'll try it tomorrow.
Also let me apologize for this long post. I'm just
not smart enough to know what I can leave out and what
I can't :-/.
As always, your help is very appreciated.
Jim
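To make the first-match behaviour of the ipchains rules in this thread visible without a 2.2 kernel, here is an added Python model, not code from the post or from the firewall script's author. It replays the dmz2int and icmp-acc chains of the /etc/firewall script (with UDPPASSOUT="domain ntp") over constructed packets, so that the effect of rule order can be checked: the trailing DENY, the `-p tcp ! --syn` response rule, and why the NTP rule is inserted with -I rather than appended. Assumptions: a constructed firewall address 192.0.2.10, service numbers domain=53 and ntp=123 as /etc/services would resolve them, and the rpcinfo loop left out because there is no portmapper to query offline.

```python
"""First-match chain model of the dmz2int / icmp-acc ipchains rules (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

FW_IP = "192.0.2.10"                      # constructed DMZ address, stands in for $DMZIP
SERVICES = {"domain": 53, "ntp": 123}    # port names as /etc/services resolves them
TERMINAL = {"ACCEPT", "REJECT", "DENY"}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dst: str                   # destination address
    sport: int = 0
    dport: int = 0
    syn: bool = False          # TCP: SYN set and ACK clear, i.e. a new connection
    icmp_type: str = ""        # ICMP: ipchains type name ("ping", "pong", ...)


@dataclass
class Rule:
    target: Optional[str]                    # ACCEPT / REJECT / DENY / user chain / None
    proto: Optional[str] = None              # -p
    dst: Optional[str] = None                # -d host/32
    sport: Optional[Tuple[int, int]] = None  # --sport low:high (inclusive)
    dport: Optional[Tuple[int, int]] = None  # destination port range low:high
    syn: Optional[bool] = None               # True for --syn, False for ! --syn
    icmp_type: Optional[str] = None          # --icmp-type

    def matches(self, p: Packet) -> bool:
        """Every selector that is set must match; unset selectors match anything."""
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.sport is not None and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


class Chains:
    """User-defined chains evaluated the way ipchains does: -N, -A, -I and a walk."""

    def __init__(self):
        self.chains = {}

    def new(self, name):                    # ipchains -N
        self.chains[name] = []

    def append(self, chain, rule):          # ipchains -A
        self.chains[chain].append(rule)

    def insert(self, chain, rule):          # ipchains -I (becomes rule 1)
        self.chains[chain].insert(0, rule)

    def walk(self, chain, p):
        """Return the first terminal verdict, or None if the chain falls off its end."""
        for rule in self.chains[chain]:
            if not rule.matches(p):
                continue
            if rule.target is None:         # a rule without -j only counts the packet
                continue
            if rule.target in TERMINAL:
                return rule.target
            verdict = self.walk(rule.target, p)   # jump into a user chain
            if verdict is not None:
                return verdict
        return None


def port(name):
    n = SERVICES[name]
    return (n, n)


def build_dmz2int(fw_ip=FW_IP, insert_ntp=True):
    """Rebuild icmp-acc and dmz2int from the script; insert_ntp=False appends the
    NTP rule instead of inserting it, to show what the -I in the script buys."""
    c = Chains()
    c.new("icmp-acc")
    c.new("dmz2int")
    for t in ("destination-unreachable", "source-quench", "time-exceeded",
              "parameter-problem", "ping", "pong"):
        c.append("icmp-acc", Rule("ACCEPT", proto="icmp", icmp_type=t))
    c.append("icmp-acc", Rule("DENY", proto="icmp"))
    # Block any reserved-number UDP port (rpcinfo loop omitted: no portmapper offline).
    c.append("dmz2int", Rule("REJECT", proto="udp", dst=fw_ip, dport=(1, 1023)))
    for name in ("domain", "ntp"):             # UDPPASSOUT="domain ntp"
        c.append("dmz2int", Rule("ACCEPT", proto="udp", sport=port(name),
                                 dst=fw_ip, dport=(1024, 65535)))
        if name == "ntp":                      # reserved port on both ends
            rule = Rule("ACCEPT", proto="udp", sport=port(name), dst=fw_ip, dport=port(name))
            (c.insert if insert_ntp else c.append)("dmz2int", rule)
    c.append("dmz2int", Rule("icmp-acc", proto="icmp"))
    c.append("dmz2int", Rule("ACCEPT", proto="tcp", syn=False))   # -p tcp ! --syn
    c.append("dmz2int", Rule("DENY"))                             # catch-all
    return c


def verdict(p, insert_ntp=True):
    return build_dmz2int(FW_IP, insert_ntp).walk("dmz2int", p)


if __name__ == "__main__":
    samples = [
        ("new TCP connection from outside", Packet("tcp", FW_IP, 40000, 80, syn=True)),
        ("TCP reply to our own connection", Packet("tcp", FW_IP, 80, 40000)),
        ("DNS reply to a high port", Packet("udp", FW_IP, 53, 33000)),
        ("UDP to the portmapper port", Packet("udp", FW_IP, 33000, 111)),
        ("NTP reply, port 123 -> 123", Packet("udp", FW_IP, 123, 123)),
        ("ICMP ping", Packet("icmp", FW_IP, icmp_type="ping")),
        ("ICMP redirect", Packet("icmp", FW_IP, icmp_type="redirect")),
    ]
    for label, pkt in samples:
        print(f"{label:35s} -> {verdict(pkt)}")
    print("NTP with the rule appended instead of inserted ->",
          verdict(Packet("udp", FW_IP, 123, 123), insert_ntp=False))
```

Run it as a script to print the verdict for each constructed packet; the last line shows the NTP reply being caught by the reserved-port REJECT when the rule is appended rather than inserted, which is the ordering the script's comment explains.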
-
To unsubscribe from this list: send the line "unsubscribe linux-diald" in
the body of a message to [EMAIL PROTECTED]