Re: [expert] Masq f/w and DHCPd on dynamic Internet address
JASON SNYDER wrote:
> A year and some change ago I scrounged together a computer, put mdk on it, and set it up as a masquerade firewall and DHCPd server for my cable modem at home. I have a script that is run at boot (and is set up to be rerun at any time) to set up all of my ipchain rules and load kernel modules (like for ftp and such) and of course DHCPd has its config file. (The ipchains script has global [script] variables to store IP addresses for interfaces, store which interface is which and stuff like that.)

This should be useful information: I have a cable modem which I installed to use dhcp. After troubles at the vendor, they suggested a fixed address, which I have been using ever since. Fossils of the dhcp installation still exist (in case I have to return to it).

dhcp of course collects all the information needed from the dhcp server, but it places it all in environment variables which are of course lost when dhcp terminates. However dhcp repeatedly calls dhclient-script, so I placed a call to my two firewall scripts into dhclient-script at the right point (where x$reason = xBOUND). The caller's environment variables are available to the callee.

The first script flushes all the ipchains rules, sets the default policies, and sets up masquerading on the FORWARD chain. It contains CABLE="eth1" and uses $CABLE appropriately.

The second script (containing LOOPBACK_INTERFACE="lo" and CABLE="eth1") adds all the other rules, making use of the following dhcp environment variables:

  $new_ip_address
  $new_network_number
  $nameserver1
  $nameserver2

This two-script structure is useful so that with my present fixed IPs I can, for diagnostic purposes, take the firewall down at any time without losing the masquerading by manually running the first script, and put it back up again by manually running the second.

--
Regards, Ron. [AU]

Keep in touch with http://mandrakeforum.com: Subscribe the "[EMAIL PROTECTED]" mailing list.
Re: [expert] Masq f/w and DHCPd on dynamic Internet address
Thus spoke JASON SNYDER on Thu, Oct 19, 2000 at 12:29:46PM -0700:
> This seems like a kludgy way to do things. Is there a more elegant way to keep ipchains and dhcpd information up to date? I would especially

Hmm, you might have a look at one of the dhclient packages that are available for the Linux Router Project (www.linuxrouter.org). This might get you started in some direction. These .lrp files are in reality nothing but tar.gz files, so there's no problem using them on a "real" Linux like Mandrake.

Alexander Skwar
--
Homepage: http://www.digitalprojects.com | http://www.dp.ath.cx
Secure mail? Mail [EMAIL PROTECTED] for GnuPG keys
ICQ:7328191
Re: [expert] Masq f/w and DHCPd on dynamic Internet address
Download and examine the pmfirewall scripts from http://www.pointman.org. They do exactly what you need and you might be able to simply incorporate those scripts into your current firewall scripts... or, vice versa.

--Greg

----- Original Message -----
From: "JASON SNYDER" [EMAIL PROTECTED]

> A year and some change ago I scrounged together a computer, put mdk on it, and set it up as a masquerade firewall and DHCPd server for my cable modem at home. I have a script that is run at boot (and is set up to be rerun at any time) to set up all of my ipchain rules and load kernel modules (like for ftp and such) and of course DHCPd has its config file. (The ipchains script has global [script] variables to store IP addresses for interfaces, store which interface is which and stuff like that.)
>
> A couple of my friends saw what I did and realized that they needed something like that, so I set up computers for them. The problem is that my address never changes, so everything is always happy for me, but their addresses are dynamic and keep on changing. The current mdk 7.1 seems to be able to keep rolling along when the IP address and default gateway change, but problems arise when the cable modem providers change the DNS servers and also in the rare instance that a machine gets rebooted. (Linux has been a solid performer, but there are other factors that come into play. One household got switched to a different network and was issued a new cable modem along with that, and things chugged along ok until a month or so down the road when the computer was rebooted.)
>
> A possible solution that I thought of, but haven't tried yet, would be to do the following: Write a script to update the ipchains and dhcpd config file when addresses change, then have the script reload dhcpd and rerun the ipchains config file. Set up an hourly cron job to run this update script.
>
> 1. First have the script archive any pre-existing Sed scripts to update dhcpd and ipchains. Also have it look for a saved copy of resolv.conf and archive the saved resolv.conf file if present.
> 2. Have the update script run ifconfig and an Awk script to pull the Internet IP address out of the ifconfig output and generate a Sed script to update the ipchains and dhcpd config files. Also make a new saved copy of resolv.conf.
> 3. Run diff on the new and archived resolv.conf files. If the new one is different, then run an Awk script to append Sed commands to the Sed script to update the dhcpd config file. (Do nothing if there is no archived file.)
> 4. Then, if there are archived Sed scripts, run diff to check for differences between the new and archived scripts. If there is a difference, run the new Sed script and rerun the ipchains config or reload dhcpd. (Do nothing if there is no archived file.)
>
> This seems like a kludgy way to do things. Is there a more elegant way to keep ipchains and dhcpd information up to date? I would especially like to do something that would be triggered to update everything necessary the moment that dhcpcd got new IP information from the ISP.
RE: [expert] Masq f/w and DHCPd on dynamic Internet address
Seems overly complex to me. You should run dhclient to get an IP address from your ISP for one NIC card. Set the other NIC card for your private LAN IP address (say 192.168.0.1). Run dhcpd to serve out private IP addresses for the other computers. Run a DNS server on your box so you don't need the ISP's name servers.

One ipchains rule is all you need to set up IP masquerading, and it doesn't require the IP address of the dhclient NIC. Just use 0.0.0.0/0.0.0.0 for the internet and 192.168.0.0/24 for the private LAN. Or am I missing something here?

Bill

PS You can prohibit dhclient from changing your resolv.conf by using:

  supersede domain-name "my.domain";
  supersede domain-name-servers 192.168.0.1;

in the /etc/dhclient.conf file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of JASON SNYDER
Sent: Thursday, October 19, 2000 3:30 PM
To: [EMAIL PROTECTED]
Subject: [expert] Masq f/w and DHCPd on dynamic Internet address

> A year and some change ago I scrounged together a computer, put mdk on it, and set it up as a masquerade firewall and DHCPd server for my cable modem at home. I have a script that is run at boot (and is set up to be rerun at any time) to set up all of my ipchain rules and load kernel modules (like for ftp and such) and of course DHCPd has its config file. (The ipchains script has global [script] variables to store IP addresses for interfaces, store which interface is which and stuff like that.)
>
> A couple of my friends saw what I did and realized that they needed something like that, so I set up computers for them. The problem is that my address never changes, so everything is always happy for me, but their addresses are dynamic and keep on changing. The current mdk 7.1 seems to be able to keep rolling along when the IP address and default gateway change, but problems arise when the cable modem providers change the DNS servers and also in the rare instance that a machine gets rebooted. (Linux has been a solid performer, but there are other factors that come into play. One household got switched to a different network and was issued a new cable modem along with that, and things chugged along ok until a month or so down the road when the computer was rebooted.)
>
> A possible solution that I thought of, but haven't tried yet, would be to do the following: Write a script to update the ipchains and dhcpd config file when addresses change, then have the script reload dhcpd and rerun the ipchains config file. Set up an hourly cron job to run this update script.
>
> 1. First have the script archive any pre-existing Sed scripts to update dhcpd and ipchains. Also have it look for a saved copy of resolv.conf and archive the saved resolv.conf file if present.
> 2. Have the update script run ifconfig and an Awk script to pull the Internet IP address out of the ifconfig output and generate a Sed script to update the ipchains and dhcpd config files. Also make a new saved copy of resolv.conf.
> 3. Run diff on the new and archived resolv.conf files. If the new one is different, then run an Awk script to append Sed commands to the Sed script to update the dhcpd config file. (Do nothing if there is no archived file.)
> 4. Then, if there are archived Sed scripts, run diff to check for differences between the new and archived scripts. If there is a difference, run the new Sed script and rerun the ipchains config or reload dhcpd. (Do nothing if there is no archived file.)
>
> This seems like a kludgy way to do things. Is there a more elegant way to keep ipchains and dhcpd information up to date? I would especially like to do something that would be triggered to update everything necessary the moment that dhcpcd got new IP information from the ISP.
Re: [expert] Masq f/w and DHCPd on dynamic Internet address
One thing that has been worrying me for a while is the number of people who use home-brew ipchains scripts and who may not *really* understand how it works! I hope you have tested it for holes etc! Go the pmfirewall or other well-known script way, be sure of what you are doing when you modify, and test afterwards!

BillK

Greg Stewart wrote:
> Download and examine the pmfirewall scripts from http://www.pointman.org. They do exactly what you need and you might be able to simply incorporate those scripts into your current firewall scripts... or, vice versa.
>
> --Greg
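The pieces the thread circles around (Ron's hook at reason BOUND, Jason's wish for something triggered the moment the lease changes, Bill's single masquerade rule, BillK's reminder to test what you wrote) fit into one dhclient exit hook. What follows is an added example, not code from any of the posters or from pmfirewall; it assumes an ISC dhclient-script that sources /etc/dhclient-exit-hooks with $reason, $new_ip_address, $old_ip_address and $new_domain_name_servers in its environment, eth1 as the cable-modem interface and 192.168.0.0/24 as the private LAN. The functions print the ipchains commands rather than running them, so the generated ruleset can be read and checked before it is ever applied; the sample addresses at the bottom are constructed for the dry run.

```shell
#!/bin/sh
# Added example (not from this thread): rebuild the ipchains masquerade
# ruleset from the lease variables dhclient exports, keyed on the $reason
# that dhclient-script sets, instead of an hourly cron job that scrapes
# ifconfig output. Assumptions: ISC dhclient-script sources
# /etc/dhclient-exit-hooks with $reason, $new_ip_address, $old_ip_address
# and $new_domain_name_servers set; eth1 faces the cable modem and
# 192.168.0.0/24 is the private LAN. Rules are printed, not executed.

CABLE="${CABLE:-eth1}"                   # interface towards the cable modem
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # private LAN prefix behind the box

# Lease-independent base (Ron's "first script"): flush everything, default
# deny on input and forward, keep loopback, masquerade the LAN out of the
# cable interface. Nothing here needs the public address, so it is safe to
# apply even when there is no lease at all.
base_rules() {
    cable="$1"
    printf 'ipchains -F\n'
    printf 'ipchains -P input DENY\n'
    printf 'ipchains -P forward DENY\n'
    printf 'ipchains -P output ACCEPT\n'
    printf 'ipchains -A input -i lo -j ACCEPT\n'
    printf 'ipchains -A forward -s %s -i %s -j MASQ\n' "$LAN_NET" "$cable"
}

# Lease-dependent rules (Ron's "second script"): drop and log packets that
# arrive on the cable side claiming a LAN source address, and admit DNS
# replies only from the nameservers the lease named, addressed to the
# leased IP. Arguments: cable interface, leased IP, space-separated servers.
lease_rules() {
    cable="$1"; ip="$2"; ns_list="$3"
    printf 'ipchains -A input -i %s -s %s -j DENY -l\n' "$cable" "$LAN_NET"
    for ns in $ns_list; do
        printf 'ipchains -A input -i %s -p udp -s %s 53 -d %s -j ACCEPT\n' \
            "$cable" "$ns" "$ip"
    done
}

full_rules() {
    base_rules "$CABLE"
    lease_rules "$CABLE" "$new_ip_address" "$new_domain_name_servers"
}

# Map dhclient's $reason to an action. A new lease rebuilds both layers; a
# renewal that keeps the same address is left alone so the box does not go
# through a flush-and-rebuild gap for nothing; losing the lease falls back
# to the base so rules for the old address do not linger; anything else
# (PREINIT, MEDIUM, ...) is ignored.
handle_reason() {
    case "$1" in
        BOUND|REBOOT)
            full_rules
            ;;
        RENEW|REBIND)
            if [ "${old_ip_address:-}" != "$new_ip_address" ]; then
                full_rules
            fi
            ;;
        EXPIRE|FAIL|RELEASE|STOP)
            base_rules "$CABLE"
            ;;
        *)
            ;;
    esac
}

# When sourced by dhclient-script, $reason is set: apply the generated rules.
# Run by hand with $reason unset, the file only defines the functions.
if [ -n "${reason:-}" ]; then
    handle_reason "$reason" | sh
fi

# Constructed dry run: print the ruleset a fresh lease would produce.
new_ip_address="203.0.113.7"
new_domain_name_servers="198.51.100.1 198.51.100.2"
handle_reason BOUND
```

Reviewing the printed output against the lease (does every ACCEPT name the address and servers the lease actually handed out, is the LAN prefix denied on the cable side, is MASQ the only rule touching forward) is the cheap test BillK asks for, and it is the same check whether the rules come from this hook, from pmfirewall, or from a hand-written script.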