List: linux-diald
Subject: Re: it works !!! but there's a Big Bad Bug in diald.
From: Petre Rodan <rodan () subdimension ! com>
Date: 2000-08-09 13:20:01
Jeffrey Hawkins wrote:
>
> Petre,
>
> Sorry, I haven't been paying much attention to the DIALD List Lately....
You've missed all the fun ;-)
> I have had DIALD99.4 Working on both RH6.1 and RH6.2, but I have
> dropped it since getting my Cable Modem. But, let's get to your problems....
>
> I see you are using the RH6.1 Distro, and thus firstly you need to
> install some of the RH6.1 Bug Fixes. In particular the INITSCRIPTS
> and PPPD Updates. There are a number of Network Related
> Fixes (in particular a DEFAULT ROUTE Problem in PPPD) that
> have been included.
I am not using the ppp from RH61, I use ppp-2.3.11-1 which I think is
the most up-to-date.
> With RH6.1, and above you will have to add the "noauth"
> option to your /etc/ppp/options file. This is required due
> to changes with PPPD in that the default configuration is
> "auth". This setting has to do with the requirement of
> External Systems having to authorize themselves with your
> System.
I've put 'noauth' in the diald config file
pppd-options noauth user rodan@fx.ro
> Additionally, if your ISP uses CHAP or PAP for
> authentication, you will have to modify your
> /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
> files. Here is the entry format:
>
> #client server secret IP address
> username * password *
This was done.
> Also, if you are using PAP or CHAP you will need
> a "pppd-options" directive in your diald config
> file.
>
> pppd-options name username
It was so ...
> With respect to IP Configuration Settings, you will need
> to enable IP Forwarding and IP Dynamic Address Hacking
> in the Kernel. This is done by setting two Run-Time Flags in
> the Kernel, "ip_forward" and "ip_dynaddr". The first flag
> enables IP Forwarding, while the second enables correct
> Dynamic IP Address Replacement on the first PACKET
> sent (the first Packet has the IP Address of "local" before
> you receive the Dynamic IP from your ISP). You set the
> flags by:
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
I run this all the time from my firewall script which starts after ip-up
I also have this ...
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> You can have these settings activated at BOOT Time via adding
> these two lines to the "/etc/rc.d/rc.local" Boot Script.
>
> Also, you will need to setup some IPCHAINS rules for Forwarding
> and Masquerading your Internal Network, as well as, you will
> need to load the various Masquerading Modules (FTP, etc...).
I attach my firewall and you can have a look.
ip-up is triggering 'firewall external' and ip-down 'firewall internal'
I don't know why I need masquerade for my LAN though, it works just
fine the way it is.
The other windoze boxes connect to 192.168.0.4 (me) to port 3128
(squid)(ftp) or 8000 (junkbuster)(http). I don't need masquerade.
> You will need to setup DNS Name Resolution to point to DNS
> Name Servers on the Internet. You will have to modify the
> /etc/resolv.conf file. You can do this manually, or via using
> LINUXCONF.
my resolv.conf:
search localdomain
nameserver 127.0.0.1
nameserver 193.231.208.1
search localdomain
nameserver 127.0.0.1
nameserver 193.231.208.1
search localdomain
nameserver 127.0.0.1
nameserver 193.231.208.1
repeated to get a delay ...
I also use 5 * 'dnsserver -s 193.231.208.1' from squid.
> With RH6.x, the default System install does not always create the
> "/dev/modem" symbolic link, which points to your selected
> COM Port. You can set the symbolic link via LINUXCONF, or
> via use the "ln -s /dev/ttySx /dev/modem" command string (replace
> "x" with the appropriate COM port #, i.e. 0 = COM1).
trust me, no modem problems here ...
> I see you are trying to utilize some special PPP and DIALD Scripts
> for Activating and Controlling the Link. I would recommend you start
> out simple, and merely use the Chat Script generated by LINUXCONF,
> when configuring a PPP Device, for DIALD Connection.
don't like it simple ;-)
if you ask me, it's a BUG. 60% not in diald.
diald gets the command to make the defaultroute, but something happens
...
>
> I have to head to work, but I can help you later this evening...
>
> Jeff
that would be great.
Thanks,
Peter
["firewall" (text/plain)]
#!/bin/sh
# Script to control the firewall and packet filtering.
# Source function library.
. /etc/rc.d/init.d/functions
PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
extint="ppp0"
dialdint="tap0"
dialdip="192.168.1.5/24"
lanint="eth0"
lanip="192.168.0.0/24"
case "$1" in
start|restart|external)
#/sbin/modprobe -k ip_masq_ftp
#/sbin/modprobe -k ip_masq_raudio
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
#for static ip address uncomment the following:
# dynamic address: take the "inet addr:x.x.x.x" field from ifconfig on the external interface
extip="`/sbin/ifconfig $extint | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
#extip="123.23.23.23"
echo $extip
export extip
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
route add -n default gw $extip
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
ipchains -M -S 7200 10 60
#############################################################################
# Incoming, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F input
#ipchains -P input REJECT
ipchains -P input DENY
# local interface, local machines, going anywhere is valid
#
ipchains -A input -i $lanint -s $lanip -d 0.0.0.0/0 -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
#
ipchains -A input -i $extint -s $lanip -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -i $extint -s $dialdip -d 0.0.0.0/0 -l -j REJECT
#DNS query
# note: this and the following "-s 0.0.0.0/0 port" rules match on the remote
# SOURCE port only, so any host sending from that port reaches any local port
ipchains -A input -i $extint -p UDP -s 0.0.0.0/0 53:53 -j ACCEPT
#ipchains -A input -i $extint -p UDP -d $extip 53:53 -j ACCEPT
#HTTP ch
ipchains -A input -i $extint -p TCP -s 0.0.0.0/0 80:80 -j ACCEPT
ipchains -A input -i $extint -p TCP -d $extip 80:80 -j ACCEPT
#HTTP -secure- ch
ipchains -A input -i $extint -p TCP -s 0.0.0.0/0 443:443 -j ACCEPT
ipchains -A input -i $extint -p TCP -d $extip 443:443 -j ACCEPT
#FTP ch
ipchains -A input -i $extint -p TCP -s 0.0.0.0/0 20:21 -j ACCEPT
ipchains -A input -i $extint -p TCP -d $extip 20:21 -j ACCEPT
#mail ch
ipchains -A input -i $extint -p TCP -s 0.0.0.0/0 110:110 -j ACCEPT
ipchains -A input -i $extint -p TCP -d $extip 110:110 -j ACCEPT
#identd
#ipchains -A input -i $extint -p TCP -d $extip 113:113 -s 193.231.208.23 -j ACCEPT
ipchains -A input -i $extint -p TCP -d $extip 113:113 -s 0.0.0.0/0 -j ACCEPT
#ipchains -A input -i $extint -p TCP -d $extip 113:113 -j -l REJECT
#SMTP ch
ipchains -A input -i $extint -p TCP -s 0.0.0.0/0 25:25 -j ACCEPT
ipchains -A input -i $extint -p TCP -d $extip 25:25 -j ACCEPT
#other 0:1023 ports closed
ipchains -A input -i $extint -p TCP -s 0.0.0.0/0 0:1023 -l -j DENY
ipchains -A input -i $extint -p UDP -s 0.0.0.0/0 0:1023 -l -j DENY
ipchains -A input -i $extint -p TCP -d 0.0.0.0/0 0:1023 -l -j DENY
ipchains -A input -i $extint -p UDP -d 0.0.0.0/0 0:1023 -l -j DENY
# remote interface, any source, going to permanent PPP address is valid
#
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
# loopback interface is valid.
#
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
#############################################################################
# Outgoing, flush and set default policy of reject. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F output
ipchains -P output REJECT
# local interface, any source going to local net is valid
#
ipchains -A output -i $lanint -s 0.0.0.0/0 -d $lanip -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
#
ipchains -A output -i $extint -s 0.0.0.0/0 -d $lanip -l -j REJECT
ipchains -A output -i $extint -s 0.0.0.0/0 -d $dialdip -l -j REJECT
# outgoing from local net on remote interface, stuffed masquerading, deny
#
ipchains -A output -i $extint -s $lanip -d 0.0.0.0/0 -l -j REJECT
# anything else outgoing on remote interface is valid
#
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
# loopback interface is valid.
#
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#DNS query
ipchains -A output -i $extint -p UDP -s $extip 53:53 -j ACCEPT
ipchains -A output -i $extint -p UDP -d 0.0.0.0/0 53:53 -j ACCEPT
ipchains -A output -i $lanint -p UDP -s $lanip 53:53 -j ACCEPT
ipchains -A output -i $lanint -p UDP -d 0.0.0.0/0 53:53 -j ACCEPT
#HTTP ch
ipchains -A output -i $extint -p TCP -s $extip 80:80 -j ACCEPT
ipchains -A output -i $extint -p TCP -d 0.0.0.0/0 80:80 -j ACCEPT
#FTP ch
ipchains -A output -i $extint -p TCP -s $extip 20:21 -j ACCEPT
ipchains -A output -i $extint -p TCP -d 0.0.0.0/0 20:21 -j ACCEPT
#mail ch
ipchains -A output -i $extint -p TCP -s $extip 110:110 -j ACCEPT
ipchains -A output -i $extint -p TCP -d 0.0.0.0/0 110:110 -j ACCEPT
#identd
ipchains -A output -i $extint -p TCP -d 0.0.0.0/0 113:113 -l -j REJECT
#SMTP ch
ipchains -A output -i $extint -p TCP -s $extip 25:25 -j ACCEPT
ipchains -A output -i $extint -p TCP -d 0.0.0.0/0 25:25 -j ACCEPT
#other 0:1023 ports closed
ipchains -A output -i $extint -p TCP -s 0.0.0.0/0 0:1023 -l -j REJECT
ipchains -A output -i $extint -p UDP -s 0.0.0.0/0 0:1023 -l -j REJECT
ipchains -A output -i $extint -p TCP -d 0.0.0.0/0 0:1023 -l -j REJECT
ipchains -A output -i $extint -p UDP -d 0.0.0.0/0 0:1023 -l -j REJECT
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
#############################################################################
# Forwarding, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
ipchains -F forward
ipchains -P forward DENY
# Masquerade from local net on local interface to anywhere.
#
#ipchains -A forward -i $extint -s $lanip -d 0.0.0.0/0 -j MASQ
#ipchains -A forward -i $dialdint -s $lanip -d 0.0.0.0/0 -j MASQ
#
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
# for no diald uncomment this
#ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY
# for diald interface
ipchains -A forward -j MASQ -s $lanip
ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0
#ipchains -A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -l -j MASQ -m 10000
#ipchains -A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -l -j ACCEPT -f
#ipchains -A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j fwd
#ipchains -A fwd -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ -m 10001
exit 0
;;
internal)
echo -n "Starting internal firewall:"
echo 0 > /proc/sys/net/ipv4/ip_forward
ipchains -X
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
#ipchains -A input -s 0.0.0.0/0.0.0.0 -d 192.168.0.4/255.255.255.255 -j ACCEPT
#ipchains -A output -s 192.168.0.4/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j ACCEPT
#local interface ok
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#LAN ok
ipchains -A input -i $lanint -s $lanip -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -i $lanint -s 0.0.0.0/0 -d $lanip -j ACCEPT
#diald ok
ipchains -A input -i $dialdint -s 0.0.0.0/0 -d $dialdip -j ACCEPT
ipchains -A output -i $dialdint -s $dialdip -d 0.0.0.0/0 -j ACCEPT
#anything else reject without log
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT
route add default gw 192.168.1.10
echo "."
exit 0
;;
status)
echo "Firewall settings:"
/sbin/ipchains-save
exit 0
;;
stop|off)
echo "Shutting down firewall:"
ipchains -X
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
exit 0
;;
*)
echo "Usage: firewall {start|restart|external|internal|stop|status}"
exit 1
;;
esac
exit 0
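The attached script accepts inbound traffic on the external interface for several services by matching the remote source port alone (`-s 0.0.0.0/0 53:53 -j ACCEPT` and similar), which a stateless packet filter like ipchains cannot tell apart from a remote host that deliberately sends from that port. The following audit function is an added example, not part of the posted message or of diald; it reads ipchains-style rule lines and prints the ACCEPT rules on a given interface that are keyed on source port with no destination restriction. The rule list, the interface name and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original message): find ACCEPT rules on the
# external interface that match on the remote source port only.

# constructed sample ruleset, modelled on the posted firewall script
SAMPLE_RULES='ipchains -A input -i ppp0 -p UDP -s 0.0.0.0/0 53:53 -j ACCEPT
ipchains -A input -i ppp0 -p TCP -d 1.2.3.4 80:80 -j ACCEPT
ipchains -A input -i ppp0 -p TCP -s 0.0.0.0/0 443:443 -j ACCEPT
ipchains -A input -i ppp0 -p TCP -s 0.0.0.0/0 0:1023 -l -j DENY
ipchains -A input -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0 -j ACCEPT
#ipchains -A input -i ppp0 -p TCP -s 0.0.0.0/0 25:25 -j ACCEPT'

# assumed name of the external (dial-up) interface
extint="ppp0"

# Read rule lines on stdin; print those that (a) apply to interface $1,
# (b) jump to ACCEPT, (c) give a source of 0.0.0.0/0 followed by a port
# range, and (d) carry no -d restriction.  Comment lines are skipped.
find_source_port_accepts() {
    iface="$1"
    grep -v '^[[:space:]]*#' |
    awk -v iface="$iface" '
        {
            has_iface = 0; accepts = 0; src_any_port = 0; has_dst = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-i" && $(i+1) == iface) has_iface = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accepts = 1
                if ($i == "-d") has_dst = 1
                if ($i == "-s" && $(i+1) == "0.0.0.0/0" && $(i+2) ~ /^[0-9]+:[0-9]+$/) src_any_port = 1
            }
            if (has_iface && accepts && src_any_port && !has_dst) print
        }'
}

# Number of offending rules in the sample ruleset (returned on stdout).
count_source_port_accepts() {
    printf '%s\n' "$SAMPLE_RULES" | find_source_port_accepts "$extint" | wc -l | tr -d ' '
}

# stand-alone usage: list the offending rules
printf '%s\n' "$SAMPLE_RULES" | find_source_port_accepts "$extint"
```

On the sample above the two UDP 53 and TCP 443 rules are reported, while the rule with an explicit `-d` address and the 0:1023 DENY are not. To run it against a live ruleset, pipe the output of the posted script's `status` target (`/sbin/ipchains-save`) into `find_source_port_accepts ppp0` and, for each hit, decide whether the rule can be restricted to a known peer, as the commented-out identd rule in the script does with a single source address.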