Linux-Networking Digest #583, Volume #10         Sun, 21 Mar 99 20:13:40 EST

Contents:
  NFS starts diald? (James Ranson)
  Re: ip-masq / port-forwarding question ? (Greg Weeks)
  Re: RH5.1,PPP server to win95 with shadow (Rick Lim)
  Re: Cable Modems & Linux (Randy Kayfish)
  Re: network ("Ryan Lynch")
  Re: NTP ...? (Peter Greenwood)
  Re: NTP ...? (Desmond Coughlan)
  Re: RH5.1,PPP server to win95 with shadow (Rick Lim)
  Re: VPN with NT and Linux ("John Hardin")
  Re: hooking linux box up to company LAN: opinions??? ("John Hardin")
  Re: netstat hangs for gateway (Jim Roberts)
  Cable Modem and Networking. (Randy Kayfish)
  Problems with Nessus scanner ([EMAIL PROTECTED])
  Re: ip-masq / port-forwarding question ? (Erik Myllymaki)
  Need help setting up a Linux router (root)

----------------------------------------------------------------------------

From: James Ranson <[EMAIL PROTECTED]>
Subject: NFS starts diald?
Date: 21 Mar 1999 23:01:29 GMT

My diald link keeps coming up when any Linux machine on my
network starts up.  I think it has something to do with NFS
because the link also comes up whenever I restart the NFS
daemons.  Any ideas?

------------------------------

Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Greg Weeks)
Subject: Re: ip-masq / port-forwarding question ?
Date: Sun, 21 Mar 1999 17:20:41 -0600

In article <[EMAIL PROTECTED]>,
        [EMAIL PROTECTED] (Erik Myllymaki) writes:

> I am using ip-masq to 
> allow the internal machines to use the internet through 
> the one assigned IP number dynamically set (DHCP) by my
> cable provider. My idea is to forward all http requests 
> aimed at 24.25.26.27:80 to my real web server at 192.168.0.3:80.
> (reason? -the router is an old 386, the webserver is a better
> machine more capable of handling the load). I have seen two packages 
> that say they can do this - redir and rinetd.
> 
> Does anyone have any experience with either of these packages that they
> would like to share? I am using RedHat 5.1.

================================================================
Question:

I want to run a web server inside my Linux IP Masquerade firewall that
can be accessed from the internet. How do I do this?

Standard Answer:

A pin hole allows incoming connections to go through a firewall to an
internal machine for a specific service. There are two ways that I know
of to open a pin hole in an IP Masq Linux firewall without proxying.
Both are mentioned at the IP Masq resource page at
http://ipmasq.cjb.net/ or http://www.tor.shaw.wave.ca/~ambrose/ They are
redir and ipportfw. I tried redir first, and while it works and has the
advantage that you can test it from inside the firewall, it has the
disadvantage that the logs on the web server show all connections as
coming from the firewall. ipportfw is a kernel patch and a utility to
change the kernel tables. Its advantages are that it's faster and the logs
show the correct source. Its biggest disadvantage is that it's only
testable from outside the firewall. ipportfw information is at
http://www.ox.compsoc.org.uk/~steve/portforwarding.html and redir is at
http://www.geocities.com/SiliconValley/Heights/2288/redir_0.7.orig.tar.gz
Any pin hole poses a security risk as it bypasses your firewall. Use
them with care.
=========================================

I've never tried rinetd. I believe it's a little better than redir, which
I've tried.

Greg Weeks
-- 
http://durendal.tzo.com/greg/



------------------------------

From: Rick Lim <[EMAIL PROTECTED]>
Subject: Re: RH5.1,PPP server to win95 with shadow
Date: 21 Mar 1999 23:25:52 GMT

Charles Weber <[EMAIL PROTECTED]> wrote:
: Rick Lim wrote:

:> I am trying to setup a RH5.1 box to be a ppp server
:> to win95 boxes.
:> The server has RH5.1, PPP2.2.0, shadow passwords and mgetty.
:> mgetty works ok for normal logins, ppp works ok for a user to dial
:>  in and manually start, using pppd as a shell.
:>
:> but when I try to get mgetty to do autoppp then the win95
:> box gets a refused login.
:>
:> heres what the messages file says
:>
:> Mar 17 06:36:12 linux1 PAM_pwdb[337]: (login) session closed for user root
:> Mar 17 06:36:56 linux1 PAM_pwdb[372]: bad username [/AutoPPP/]
:> Mar 17 06:36:56 linux1 login[372]: FAILED LOGIN 1 FROM (null) FOR
:> /AutoPPP/, User not known to the underlying authentication module
:> Mar 17 06:36:56 linux1 PAM_pwdb[372]: bad username [u5u^Mu^Y9};~]
:> Mar 17 06:36:56 linux1 login[372]: FAILED LOGIN 2 FROM (null) FOR
:> u5u^Mu^Y9};~,
:> User not known to the underlying authentication module
:> Mar 17 06:36:59 linux1 PAM_pwdb[372]: bad username [~^?}#@]
:> Mar 17 06:36:59 linux1 login[372]: FAILED LOGIN 3 FROM (null) FOR ~^?}#@,
:> User not known to the underlying authentication module
:> Mar 17 06:36:59 linux1 PAM_pwdb[372]: bad username [!}!}"} }]
:> Mar 17 06:36:59 linux1 login[372]: FAILED LOGIN SESSION FROM (null) FOR
:> !}!}"} }, User not known to the underlying authentication module
:>
:> I have compiled mgetty with -DAUTO_PPP and
:> set the login.config to /AutoPPP/- - /usr/sbin/pppd
:>
:> What have I missed ???
:>
:> --
:> The wealth of reality, cannot be seen from your locality.

: Is your ppp compiled to support shadow passwords?  We use rh5.2 but disabled
: shadow passwords as we wanted to use pam.smb.  We are doing dialup for an nt
: domain and it does work like a charm.  The 95 boxes even run a login script.
: I believe in our fumbling around that the 5.2 ppp supported shadow passwords,
: but couldnt swear to it.
: Chuck Weber

I am not so sure that ppp is compiled with shadow passwords.
I have found the 2.2.0f source and tried to compile it
with make HAS_SHADOW=1, but I get some confusing errors,
and not being an expert I just gave up.
I'll give it another try, thanks for the info!!!
-- 
The wealth of reality, cannot be seen from your locality.

------------------------------

From: Randy Kayfish <[EMAIL PROTECTED]>
Subject: Re: Cable Modems & Linux
Date: Sun, 21 Mar 1999 23:35:50 GMT

Is it possible to have a Cable modem and a home lan work off the same nic?  No
matter what I try it doesn't work.  I don't want access between machines
through the internet; I just want my lan and my internet to work from the same
nic.  I would like to get Samba going.  I have my Cable modem plugged into a
hub and both machines plugged in there as well.  I thought if I had another
gateway (or something; I'm not a networking guru) I could use 1 nic for 2
different things.  Is this at all possible or will I need 1 nic for the
Internet and 1 for my Lan?  Does the Cable modem own the nic?  How do you run
more than 1 network off of 1 nic?  Any help appreciated as I am just trying to
get things going and am looking for any info/how to's I can find.  Thanks.

Randy



Michael Copelin wrote:

> Sure this will work.
>
> 1) You'll need two network cards so you'll need to get them working first.
> 2) Setup eth0 using your cable modem setup. (May need dhcpcd if your ISP
> uses dhcp)
> 3) Setup a subnet on eth1 as your internal network (192.168.1.1 mask
> 255.255.255.0 network     192.168.1.0)
> 4) Use ipfwadm if < 2.2.0 kernel else use ipchains to set up masquerading.
>
> Look out for:
>
> When installing two network cards you may need to pass the kernel some info
> via lilo to get them detected.
> i.e. append = "ether=0,0,eth0 ether=0,0,eth1"
>
> If you compiled your network cards as modules you won't have to do this.
> Simply choose your network cards in the kernel config section of the control
> panel.
>
> Then of course there is the problem w/ conflicts...
>
> My ISP , Comcast @HOME , uses DHCP. However, my IP address is static. My
> machine is dual boot 95/Redhat 5.2. Once my config worked in 95, I simply
> set the static info for eth0 under Linux. Voila, I'm on the net 24/7 static
> IP masquerading as many machines as I want. Cool!
>
> Hmm... what else....
>
> Oh, beware of the hackers. You'll have them hitting your telnet port
> within a day of putting the machine online. Look closely at your
> /etc/inetd.conf and get rid of everything you don't need. Setup
> /etc/hosts.allow /etc/hosts.deny properly! Deny ALL: ALL until you know what
> you are doing. Upgrade to 5.2  and get all the updates else you'll have
> holes for the hackers.
>
> Phrostbit wrote in message <[EMAIL PROTECTED]>...
> >
> >
> >I am considering using my Redhat 5.1 box as a Proxy server and
> >Firewall on my home LAN for my cable modem ... has anyone attempted
> >this??? What are some things I should be aware of or watch out for???
> >
> >THanks,
> >
> >Phrosty
> >


------------------------------

From: "Ryan Lynch" <[EMAIL PROTECTED]>
Subject: Re: network
Date: Sun, 21 Mar 1999 15:36:53 -0700

I found it fairly easy to configure my ISA PnP NIC with isapnptools.  You
should be able to find it at:
www.linuxberg.com.

-Ryan

>I'm wondering if anyone could give the absolutely easiest way to
>configure/install an ISA PnP network card!
>
>Regards, Olle
>




------------------------------

From: [EMAIL PROTECTED] (Peter Greenwood)
Subject: Re: NTP ...?
Date: 21 Mar 1999 22:51:23 GMT

In article <[EMAIL PROTECTED]>,
        Desmond Coughlan <[EMAIL PROTECTED]> writes:
>I have a feeling I'm going to have to install Kernel 2.2 as few
>programmes install now ... does anyone know where I can get a copy of
>an NTP daemon *known* to work with Slackware 3.5 (kernel 2.0.34)?

No, but have you tried getting the source for xntpd and compiling it?
That usually gives fewer such compatibility problems than binary
packages.
-- 
        Peter Greenwood         [EMAIL PROTECTED]
Email advertisements received at this site are subject to a handling charge
of TWENTY-FIVE POUNDS STERLING.  By sending such material you agree to be
bound by this condition.


------------------------------

From: Desmond Coughlan <[EMAIL PROTECTED]>
Subject: Re: NTP ...?
Date: 22 Mar 1999 00:17:58 +0100

[EMAIL PROTECTED] (Peter Greenwood) writes:

> >I have a feeling I'm going to have to install Kernel 2.2 as few
> >programmes install now ... does anyone know where I can get a copy of
> >an NTP daemon *known* to work with Slackware 3.5 (kernel 2.0.34)?

> No, but have you tried getting the source for xntpd and compiling it?
> That usually gives fewer such compatibility problems than binary
> packages.

Well I would if a) I knew how to programme, and b) I knew where to
find it ...  :-)
-- 
Desmond Coughlan                |Restez zen ... Linux peut le faire
[EMAIL PROTECTED]
[www site under construction]
                                

------------------------------

From: Rick Lim <[EMAIL PROTECTED]>
Subject: Re: RH5.1,PPP server to win95 with shadow
Date: 21 Mar 1999 23:32:16 GMT

Rick Lim <[EMAIL PROTECTED]> wrote:
: Charles Weber <[EMAIL PROTECTED]> wrote:
: : Rick Lim wrote:

: :> I am trying to setup a RH5.1 box to be a ppp server
: :> to win95 boxes.
: :> The server has RH5.1, PPP2.2.0, shadow passwords and mgetty.
: :> mgetty works ok for normal logins, ppp works ok for a user to dial
: :>  in and manually start, using pppd as a shell.
: :>
: :> but when I try to get mgetty to do autoppp then the win95
: :> box gets a refused login.
: :>
: :> heres what the messages file says
: :>
: :> Mar 17 06:36:12 linux1 PAM_pwdb[337]: (login) session closed for user root
: :> Mar 17 06:36:56 linux1 PAM_pwdb[372]: bad username [/AutoPPP/]
: :> Mar 17 06:36:56 linux1 login[372]: FAILED LOGIN 1 FROM (null) FOR
: :> /AutoPPP/, User not known to the underlying authentication module
: :> Mar 17 06:36:56 linux1 PAM_pwdb[372]: bad username [u5u^Mu^Y9};~]
: :> Mar 17 06:36:56 linux1 login[372]: FAILED LOGIN 2 FROM (null) FOR
: :> u5u^Mu^Y9};~,
: :> User not known to the underlying authentication module
: :> Mar 17 06:36:59 linux1 PAM_pwdb[372]: bad username [~^?}#@]
: :> Mar 17 06:36:59 linux1 login[372]: FAILED LOGIN 3 FROM (null) FOR ~^?}#@,
: :> User not known to the underlying authentication module
: :> Mar 17 06:36:59 linux1 PAM_pwdb[372]: bad username [!}!}"} }]
: :> Mar 17 06:36:59 linux1 login[372]: FAILED LOGIN SESSION FROM (null) FOR
: :> !}!}"} }, User not known to the underlying authentication module
: :>
: :> I have compiled mgetty with -DAUTO_PPP and
: :> set the login.config to /AutoPPP/- - /usr/sbin/pppd
: :>
: :> What have I missed ???
: :>
: :> --
: :> The wealth of reality, cannot be seen from your locality.

: : Is your ppp compiled to support shadow passwords?  We use rh5.2 but disabled
: : shadow passwords as we wanted to use pam.smb.  We are doing dialup for an nt
: : domain and it does work like a charm.  The 95 boxes even run a login script.
: : I believe in our fumbling around that the 5.2 ppp supported shadow passwords,
: : but couldnt swear to it.
: : Chuck Weber

: I am not so sure that ppp is compiled with shadow passwords.
: I have found the 2.2.0f source and tried to compile it
: with make HAS_SHADOW=1, but I get some confusing errors,
: and not being an expert I just gave up.
: I'll give it another try, thanks for the info!!!
: -- 
: The wealth of reality, cannot be seen from your locality.

forgot to add ...

how do you compile the stock RH5.1 ppp install with
make HAS_SHADOW=1?

instead of getting a chunk of source code from a site
and then trying to compile it, and get some strange
errors



-- 
The wealth of reality, cannot be seen from your locality.

------------------------------

From: "John Hardin" <[EMAIL PROTECTED]>
Subject: Re: VPN with NT and Linux
Date: Sun, 21 Mar 1999 15:15:07 -0800


Bill Keeler wrote in message <[EMAIL PROTECTED]>...
>I need to set up a secure network (VPN) using RedHat Linux 5.2 and NT
>4.0.  Is that possible?  Where can I find out how?


Take a look at the VPN Masq home page, at

  ftp://ftp.rubyriver.com/pub/jhardin/ip_masq_vpn.html

--
 John Hardin KA7OHZ                               [EMAIL PROTECTED]
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
=======================================================================
  In the Lion
  the Mighty Lion
  the Zebra sleeps tonight...
  Dee de-ee-ee-ee-ee de de de we um umma way!




------------------------------

From: "John Hardin" <[EMAIL PROTECTED]>
Subject: Re: hooking linux box up to company LAN: opinions???
Date: Sun, 21 Mar 1999 15:08:58 -0800

peter hatch wrote in message <[EMAIL PROTECTED]>...
>I'm looking for some opinions about this.  Here's the situation:
>
>What I have:
>I work remotely (me: Illinois, company: California) and I need to be
>able to access nfs mounts that are served on a private network (10.x.x.x
>addresses).  Currently, I have an NT box set up to connect to a PPTP
>server that is set up at the company.  I hate it.  First, it's really
>slow.  Second, it seems to make NT crash about once a day.  Third, I do
>all of my work on linux machines, so communicating with the remote
>filesystems is a drag since I have to do the file transfers manually on
>the NT box.
>
>What I want:
>I want to be able to just connect and mount those nfs shares.  Also,
>there are servers on the private network that I need to be able to
>access.  Ideally, I could use some mechanism that would give my linux
>boxes 2 network devices (eth0 and something else) so that I could
>participate in the company's private network.  I've looked at
>pptp-linux, but I can't figure it out (neither can our sysadmin).
>
>any suggestions?  It seems to me that something like this should be
>rather simple to set up.  If changes are required to the company's
>firewall, that's ok (as long as security is maintained).


Simple; do what I do - use the NT PPTP client for routing. Then you can
live on your Linux box, and all you need to do on the NT box is bring the
PPTP link up and down. That will probably increase its reliability as well,
since you won't be *doing* much of anything on the NT box...

You'll need to add routes on your company network pointing to your home net
over the PPTP link, and routes on your home network for the corporate
network pointing over the PPTP link, but that's it.

It works pretty well, bearing in mind the throughput problems with PPTP. It
usually recovers quite well (transparently, within a minute or so) when my
ISP zaps my dialup connection. I've been doing this for a year and a half
now with no major problems.

Visit the VPN Masquerade page for more information. It's at:

  ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html

Read through the HOWTO. Unfortunately I don't have the network-to-network
routing portion finished yet, which is what you'd need to do.

You might also want to take a look at FreeS/WAN, the free Linux IPSec
implementation. There's a link to it on the VPN Masq page.

--
 John Hardin KA7OHZ                               [EMAIL PROTECTED]
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
=======================================================================
  In the Lion
  the Mighty Lion
  the Zebra sleeps tonight...
  Dee de-ee-ee-ee-ee de de de we um umma way!




------------------------------

From: [EMAIL PROTECTED] (Jim Roberts)
Subject: Re: netstat hangs for gateway
Crossposted-To: comp.os.linux
Date: Sun, 21 Mar 1999 23:44:29 GMT

In article <[EMAIL PROTECTED]>,
        Ken <[EMAIL PROTECTED]> writes:
> Hello,
> 
> I'm using Redhat 5.1 with kernel 2.0.35...
> 
> I can't seem to get my gateway route to work. I'm using the scripts
> that come along with Redhat (/etc/sysconfig/network-scripts/*), and
> all seems well when I boot up. I have added comments to the scripts
> and I see the route command executed:
> 
>       route add default gw xxx.xxx.xxx.xxx eth0
> 
> I also can check /proc/net/route and see that there are four entries:
> 
>       eth0 - the external network
>       eth1 - my internal network
>       lo   - loopback
>       eth0 - gateway (destination = 0.0.0.0, gw = xxx.xxx.xxx.xxx)
>                      (flags = 3)
> 
> However, when I try "netstat -r" or "route" to look at the route table
> I get the first three entries, and then nothing... I have to CNTRL-C
> to get my prompt back.
> 
> I can ping internally (on eth1), I see ARP messages going out when
> I ping the xxx.xxx.xxx.0 network (as I would expect since it's not
> connected to the external network), but nothing when I try to ping
> through to addresses beyond the gateway (anything but the two
> nets defined for the interfaces)... no ARP requests, nothing.
> 
> Any thoughts ?
> 
> Ken

Ken,

Your problem is DNS. Netstat tries to look up the names for the IP
numbers given, and what you are seeing is a hang until DNS times out.

Try netstat -nr to not use lookup.

Fix your DNS problem and netstat will work without the -n switch.
-- 
Jim Roberts         Never enough time!
[EMAIL PROTECTED]
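Ken mentions reading /proc/net/route directly. That file is the kernel's raw table with no name resolution, so it never blocks on a dead resolver the way netstat -r does. The following is an added example, not code from either post: it parses a constructed /proc/net/route mirroring Ken's four entries (placeholder addresses, since the post only shows xxx.xxx.xxx.xxx) and decodes the flags=3 entry as UP+GATEWAY.

```python
import socket
import struct

# Route flag bits as printed in /proc/net/route (kernel route.h values).
RTF_UP = 0x0001       # route is usable
RTF_GATEWAY = 0x0002  # destination is reached via a gateway
RTF_HOST = 0x0004     # host route (netmask 255.255.255.255)

# Constructed sample in /proc/net/route format: eth0 external net, eth1
# internal net, loopback, and the default route via eth0 with flags=3.
# The external addresses are placeholders (203.0.113.0/24).
SAMPLE_PROC_NET_ROUTE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
eth0\t007100CB\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
eth1\t0002A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
lo\t0000007F\t00000000\t0001\t0\t0\t0\t000000FF\t0\t0\t0
eth0\t00000000\t017100CB\t0003\t0\t0\t0\t00000000\t0\t0\t0
"""


def hex_to_ip(word):
    """Decode one /proc/net/route address field.

    The kernel prints each IPv4 address as a 32-bit integer in host byte
    order, so on little-endian machines the octets appear reversed.
    """
    return socket.inet_ntoa(struct.pack("<L", int(word, 16)))


def flag_string(flags):
    """Render the numeric flags the way route(8) does (U, G, H)."""
    letters = ((RTF_UP, "U"), (RTF_GATEWAY, "G"), (RTF_HOST, "H"))
    return "".join(ch for bit, ch in letters if flags & bit)


def parse_proc_net_route(text):
    """Parse /proc/net/route text into a list of route dicts.

    No name resolution happens here, so unlike netstat -r this cannot
    block on a broken resolver.
    """
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        iface, dest, gw, flags, _ref, _use, _metric, mask = fields[:8]
        routes.append({
            "iface": iface,
            "destination": hex_to_ip(dest),
            "gateway": hex_to_ip(gw),
            "mask": hex_to_ip(mask),
            "flags": flag_string(int(flags, 16)),
        })
    return routes


def default_routes(routes):
    """Return the entries that match everything (destination 0.0.0.0/0)."""
    return [r for r in routes
            if r["destination"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


if __name__ == "__main__":
    for r in parse_proc_net_route(SAMPLE_PROC_NET_ROUTE):
        print(f"{r['destination']:<16}{r['gateway']:<16}{r['mask']:<16}"
              f"{r['flags']:<6}{r['iface']}")
```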

------------------------------

From: Randy Kayfish <[EMAIL PROTECTED]>
Subject: Cable Modem and Networking.
Date: Sun, 21 Mar 1999 23:36:09 GMT

Is it possible to have a Cable modem and a home lan work off the same
nic?  No matter what I try it doesn't work.  I don't
want access between machines through the internet; I just want my lan and
my internet to work from the same nic.  I would
like to get Samba going.  I have my Cable modem plugged into a hub and
both machines plugged in there as well.  I thought if
I had another gateway (or something; I'm not a networking guru) I could
use 1 nic for 2 different things.  Is this at all possible
or will I need 1 nic for the Internet and 1 for my Lan?  Does the Cable
modem own the nic?  How do you run more than 1
network off of 1 nic?  Any help appreciated as I am just trying to get
things going and am looking for any info/how to's I can
find.  Thanks.

Randy




------------------------------

From: [EMAIL PROTECTED]
Subject: Problems with Nessus scanner
Date: Mon, 22 Mar 1999 00:00:41 GMT

Anyone able to help with this?

I'm running redhat 5.2, and have just installed the rpm compile of nessus. On
the first install, I was unable to get the client to logon to the server
(both were running on the same machine). So I deinstalled, and reinstalled.
Now I'm getting a Spoof Alert: The public key has changed. And I am still
unable to log onto the server. I'm logged on as root, I'm attempting to logon
to the server as root. I've placed the root password into nessusd.users......

What am I missing??????????? Anyone have any ideas????????????? Thanks!!!


------------------------------

From: [EMAIL PROTECTED] (Erik Myllymaki)
Subject: Re: ip-masq / port-forwarding question ?
Date: Mon, 22 Mar 1999 00:35:11 GMT

In article <zLdJ2.17218$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:


>
>Rinetd will work. I have been told that redir will work. You can also use
>portfw in the kernel (you may have to recompile kernel, perhaps get newer
>one etc to get this, plus dig up the admin tools for it).
>
>Don't forget to add rule to allow port 80 in on your firewall.
>
Thanks for the info.

I tried ipportfwd, but the patch did not change my kernel config script to
allow the CONFIG_IP_MASQUERADE_IPPORTFWD option as it *should* have.  So,
instead of wrestling with that, I tried the rinetd option.  It was a
simple RPM install, but it isn't very happy. My rinetd.conf file looks
like this:

   24.25.26.27 80 192.168.0.3 80
   logfile /var/log/rinetd.log

When invoked, "/usr/sbin/rinetd" it quits with:

   rinetd: couldn't bind to address 24.25.26.27 port 80.

Any more help would be appreciated, thanks.

-- 
erik myllymaki
[EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED] (root)
Subject: Need help setting up a Linux router
Date: 22 Mar 1999 00:40:03 GMT
Reply-To: [EMAIL PROTECTED]

I am trying to build up a Linux router for my basement LAN (will be three
client PCs: two Linux and one Win95) using a PPro 233 with 72MB RAM, with 
multiple 100baseT nics connected with Cat5 crossover cables. I have
Mandrake 5.3 installed on it with kernel 2.0.36. Basically my problem is
that I can't seem to get the routing on it to work the way I need.

Routing table from the "router", mir:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
syrinx          *               255.255.255.255 UH    0      0        1 eth2
daisy           *               255.255.255.255 UH    0      0        1 eth3
192.168.3.0     *               255.255.255.0   U     0      0       19 eth3
192.168.3.0     *               255.255.255.0   U     0      0        0 eth2
192.168.3.0     *               255.255.255.0   U     0      0        0 eth1
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        4 lo
default         192.168.3.0     0.0.0.0         UG    0      0       32 eth3

Eth1 is not used yet; that will be the DHCP connection to my ADSL modem once
I get everything set up correctly. Eth0 is a 10baseT nic that will connect
to the other Linux PC; the others are all 100MB rtl8139 PCI nics. From mir,
I can ping syrinx (Linux) and daisy (Win95). I can ping mir from each of
those two machines. But from syrinx I cannot ping daisy, and vice versa. How
do I make a route to connect the two? Is this where I need masquerading, or
is that only needed for the Internet connection?

Thanks for any help; let me know if I need to provide more information.
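As an added example (not part of the post), here is a parser for the route output above together with two checks a practitioner would run on such a table: the same network route installed on several interfaces, and a gateway that is a network number rather than a host address.

```python
import ipaddress
from collections import defaultdict

# The routing table exactly as mir printed it in the post.
MIR_ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
syrinx          *               255.255.255.255 UH    0      0        1 eth2
daisy           *               255.255.255.255 UH    0      0        1 eth3
192.168.3.0     *               255.255.255.0   U     0      0       19 eth3
192.168.3.0     *               255.255.255.0   U     0      0        0 eth2
192.168.3.0     *               255.255.255.0   U     0      0        0 eth1
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        4 lo
default         192.168.3.0     0.0.0.0         UG    0      0       32 eth3
"""


def parse_route_table(text):
    """Parse route(8) / netstat -r output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the title line (4 words) and the column header.
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = fields
        routes.append({"destination": dest, "gateway": gw, "genmask": mask,
                       "flags": flags, "iface": iface})
    return routes


def duplicate_network_routes(routes):
    """Return {(network, genmask): [ifaces]} for every network route that
    is installed on more than one interface. Only one of those entries
    can ever be chosen for a packet, so the rest are dead weight."""
    by_net = defaultdict(list)
    for r in routes:
        if "H" in r["flags"] or r["destination"] == "default":
            continue
        by_net[(r["destination"], r["genmask"])].append(r["iface"])
    return {net: ifs for net, ifs in by_net.items() if len(ifs) > 1}


def gateways_that_are_network_addresses(routes):
    """Return gateways equal to the network number of a connected subnet
    rather than a host on it; the kernel will ARP for that address and
    usually nothing answers."""
    networks = [
        ipaddress.ip_network(f"{r['destination']}/{r['genmask']}",
                             strict=False)
        for r in routes
        if "G" not in r["flags"] and "H" not in r["flags"]
        and r["destination"] != "default"
    ]
    bad = []
    for r in routes:
        if "G" not in r["flags"]:
            continue
        gw = ipaddress.ip_address(r["gateway"])
        if any(gw == n.network_address for n in networks):
            bad.append(r["gateway"])
    return bad


if __name__ == "__main__":
    table = parse_route_table(MIR_ROUTE_TABLE)
    print("duplicated network routes:", duplicate_network_routes(table))
    print("network-number gateways:", gateways_that_are_network_addresses(table))
```

Both findings point at the same root: with every interface of mir in 192.168.3.0/24, syrinx and daisy each treat the other as directly reachable and ARP for it on their own crossover segment instead of sending the packet to mir, so one subnet per interface is what this table needs.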


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.networking) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Networking Digest
******************************
