[plug] Questions about a dialup server

Ian Kent ian.kent at pobox.com
Tue Feb 9 16:24:30 WST 1999


At 11:34 AM 08-02-99 +0800, Michael Hunt wrote something like:

snip ...

>
>Which version of diald did you use? I downloaded one (gcc or libc, I can't
>remember) and it came up with all sorts of compile errors.
>

My setup is for my RH systems. It has worked for me on 5.1 and 5.2.

rpm -qa|grep diald gives:

diald-0.16-3
diald-config-unmetered-0.2-2
diald-config-1.2.1-1

All three can be found at http://rufus.w3.org/linux/RPM/
You need to install diald-0.16 first then diald-config-unmetered-0.2 and
finally diald-config-1.2.1. This gives you all the config for a ppp0 setup.
You need to read the docs to fine tune it and work out how to add
additional ppp configs.

>
>On another note, how does one set up IP masquerading? I followed the
>instructions in the mini-HOWTO, compiled my kernel, added the appropriate
>lines to the rc files and it doesn't work. I also noticed that IP forwarding
>comes up as being off on bootup. Is this supposed to be right? (It doesn't
>make sense to me.) If not, how am I supposed to turn it on/get IP masquerading
>working? Anyone's experience with setting this up on a RedHat 5.2 box from
>scratch would be helpful (step by step would be great).
>

Attached are three files:

/etc/rc.d/init.d/ipfw (linked to from the appropriate Sys V startup directories)
/etc/ppp/ip-up.local
/etc/ppp/ip-down.local

Again, this is a RH setup, but it should provide an example of filtering (if you
want to do that). I am not suggesting that it is a good setup or that it is
bulletproof by any means. It was written with the aim of stopping most
incoming services and is used in combination with TCP wrappers.

>Thanks in advance.
>Michael Hunt
-------------- next part --------------
#!/bin/bash
#
# Name: /etc/ppp/ip-down.local
#
# Source function library.
. /etc/rc.d/init.d/functions

case "$4" in
    137.172.222.8)
        /sbin/ipfwadm -I -d accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -O -d accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -F -d accept -W $1 -S any/0 -D any/0
        ;;
        
    192.168.1.101)
        /sbin/ipfwadm -I -d accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -O -d accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -F -d accept -W $1 -S any/0 -D any/0
        ;;
        
    192.168.1.*)
        ;;

    *)
        DNS1=203.91.64.130/32
        DNS2=203.91.64.135/32
        DNS3=203.24.100.25/32

        NPRIVPORTS=1024:65535

        /usr/sbin/ndc restart &

        # Forwarding filters

        # Masquerade from local net on local interface to anywhere.
        /sbin/ipfwadm -F -d accept -m -W $1 -S 192.168.1.0/24 -D any/0

        # allow ping on remote interface
        /sbin/ipfwadm -F -d accept -W $1 -P icmp -S any/0 -D any/0

        # DNS filter rules to communication only between us and them

        # UDP send and receive queries, primary and secondary DNS
        /sbin/ipfwadm -I -d accept -P udp -W $1 \
                      -S $DNS1 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P udp -W $1 \
                      -S $4/32 domain $NPRIVPORTS -D $DNS1 domain

        /sbin/ipfwadm -I -d accept -P udp -W $1 \
                      -S $DNS2 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P udp -W $1 \
                      -S $4/32 domain $NPRIVPORTS -D $DNS2 domain

        /sbin/ipfwadm -I -d accept -P udp -W $1 \
                      -S $DNS3 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P udp -W $1 \
                      -S $4/32 domain $NPRIVPORTS -D $DNS3 domain

        # TCP send and receive queries, primary and secondary DNS
        /sbin/ipfwadm -I -d accept -P tcp -W $1 \
                      -S $DNS1 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P tcp -W $1 \
                      -S $4/32 $NPRIVPORTS -D $DNS1 domain

        /sbin/ipfwadm -I -d accept -P tcp -W $1 \
                      -S $DNS2 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P tcp -W $1 \
                      -S $4/32 $NPRIVPORTS -D $DNS2 domain

        /sbin/ipfwadm -I -d accept -P tcp -W $1 \
                      -S $DNS3 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P tcp -W $1 \
                      -S $4/32 $NPRIVPORTS -D $DNS3 domain

        # Allow ICMP to and from DNS servers
        /sbin/ipfwadm -I -d accept -P icmp -W $1 -S $DNS1 -D $4/32
        /sbin/ipfwadm -O -d accept -P icmp -W $1 -S $4/32 -D $DNS1
        
        /sbin/ipfwadm -I -d accept -P icmp -W $1 -S $DNS2 -D $4/32
        /sbin/ipfwadm -O -d accept -P icmp -W $1 -S $4/32 -D $DNS2
        
        /sbin/ipfwadm -I -d accept -P icmp -W $1 -S $DNS3 -D $4/32
        /sbin/ipfwadm -O -d accept -P icmp -W $1 -S $4/32 -D $DNS3
 
        # Input filters

        # remote interface, claiming to be local machines, IP spoofing
        /sbin/ipfwadm -I -d deny -W $1 -S 192.168.1.0/24 -D any/0 -o

        # allow ping on remote interface
        /sbin/ipfwadm -I -d accept -W $1 -P icmp -S any/0 0 -D any/0

        /sbin/ipfwadm -I -d accept -P tcp -k -W $1 \
                      -S any/0 telnet ftp $NPRIVPORTS www pop nntp smtp \
                      -D $4/32 $NPRIVPORTS 

        /sbin/ipfwadm -I -d accept -P tcp -W $1 \
                      -S any/0 ftp-data $NPRIVPORTS -D $4/32 $NPRIVPORTS auth

        # Catch all
        /sbin/ipfwadm -I -d deny -W $1 -S any/0 -D $4/32 -o

        # Output filters

        # outgoing to local net on remote interface, stuffed routing, deny
        /sbin/ipfwadm -O -d deny -W $1 -S any/0 -D 192.168.1.0/24 -o

        # outgoing from local net on remote interface, bad masquerading, deny
        /sbin/ipfwadm -O -d deny -W $1 -S 192.168.1.0/24 -D any/0 -o

        # allow ping on remote interface
        /sbin/ipfwadm -O -d accept -W $1 -P icmp -S any/0 8 -D any/0

        /sbin/ipfwadm -O -d accept -P tcp -W $1 \
                      -S $4/32 $NPRIVPORTS \
                      -D any/0 telnet ftp $NPRIVPORTS www pop nntp smtp

        /sbin/ipfwadm -O -d accept -P tcp -k -W $1 \
                      -S $4/32 $NPRIVPORTS auth -D any/0 ftp-data $NPRIVPORTS

        # Catch all
        /sbin/ipfwadm -O -d deny -W $1 -S $4/32 -D any/0 -o

        wait
        ;;

esac

-------------- next part --------------
#! /bin/sh
#
# Name: /etc/rc.d/init.d/ipfw
#
# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
	echo -n "Setting up initial packet filters: "

        SLIP_IF=192.168.0.0/24
        LOCALNET=192.168.1.0/24

        # Load the required masquerade modules
        /sbin/modprobe ip_masq_ftp

        # Flush filter lists and set up the default policy

        /sbin/ipfwadm -I -f; /sbin/ipfwadm -I -p reject
        /sbin/ipfwadm -O -f; /sbin/ipfwadm -O -p deny
        /sbin/ipfwadm -F -f; /sbin/ipfwadm -F -p deny

        # Set interface sl0 to allow diald autodial

        # allow DNS queries to bring up diald
        /sbin/ipfwadm -O -a accept \
                      -W sl0 -P udp -S $SLIP_IF -D any/0

        # allow ping  to bring up diald
        /sbin/ipfwadm -F -a accept -W sl0 -P icmp -S any/0 8 -D any/0
        /sbin/ipfwadm -O -a accept -W sl0 -P icmp -S any/0 8 -D any/0

        # Incoming and outgoing DHCP broadcasts only on local interface
        /sbin/ipfwadm -I -a accept \
                      -W eth0 -P udp -S any/0 bootpc -D any/0 bootps
        /sbin/ipfwadm -O -a accept \
                      -W eth0 -P udp -S any/0 bootps -D any/0 bootpc

        # Input filters for loopback and local interface(s)

        # Redirect local http requests to local apache and rest to Squid
        /sbin/ipfwadm -I -a accept -W eth0 -P tcp -D $LOCALNET 80 -r 88 
        /sbin/ipfwadm -I -a accept -W eth0 -P tcp -D any/0 80 -r 8080

        # local interface, local machines, going anywhere is valid
        /sbin/ipfwadm -I -a accept -W eth0 -S $LOCALNET -D any/0

        # loopback interface is valid.
        /sbin/ipfwadm -I -a accept -V 127.0.0.1 -S any/0 -D any/0

        # Output filters for loopback and local interface(s)

        # local interface, any source going to local net is valid
        /sbin/ipfwadm -O -a accept -W eth0 -S any/0 -D $LOCALNET

        # loopback interface is valid.
        /sbin/ipfwadm -O -a accept -V 127.0.0.1 -S any/0 -D any/0

        # Forwarding filters

        # local interface, local machines, going anywhere is valid
        /sbin/ipfwadm -F -a accept -W eth0 -S $LOCALNET -D any/0

        # loopback interface is valid.
        /sbin/ipfwadm -F -a accept -V 127.0.0.1 -S any/0 -D any/0

	echo done.
	;;
  stop)
	echo -n "Flushing packet filter rules: "

        /sbin/ipfwadm -I -f
        /sbin/ipfwadm -O -f
        /sbin/ipfwadm -F -f

	echo done.
	;;
  restart)
        $0 start
        ;;
  *)
	echo "Usage: ipfw {start|stop|restart}"
	exit 1
	;;
esac

exit 0

-------------- next part --------------
#!/bin/bash
#
# Name: /etc/ppp/ip-up.local
#
# Source function library.
. /etc/rc.d/init.d/functions

case "$4" in
    137.172.222.8)
        /sbin/ipfwadm -I -a accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -O -a accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -F -a accept -W $1 -S any/0 -D any/0
        ;; 

    192.168.1.101)
        /sbin/ipfwadm -I -a accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -O -a accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -F -a accept -W $1 -S any/0 -D any/0
        ;; 

    192.168.1.*)
        ;;

    *)
        DNS1=203.91.64.130/32
        DNS2=203.91.64.135/32
        DNS3=203.24.100.25/32

        NPRIVPORTS=1024:65535

        # Forwarding filters

        # Masquerade from local net on local interface to anywhere.
        /sbin/ipfwadm -F -a accept -m -W $1 -S 192.168.1.0/24 -D any/0

        # allow ping on remote interface
        /sbin/ipfwadm -F -a accept -W $1 -P icmp -S any/0 -D any/0

        # DNS filter rules to communication only between us and them

        # UDP send and receive queries, DNS servers
        /sbin/ipfwadm -I -a accept -P udp -W $1 \
                      -S $DNS1 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P udp -W $1 \
                      -S $4/32 domain $NPRIVPORTS -D $DNS1 domain

        /sbin/ipfwadm -I -a accept -P udp -W $1 \
                      -S $DNS2 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P udp -W $1 \
                      -S $4/32 domain $NPRIVPORTS -D $DNS2 domain

        /sbin/ipfwadm -I -a accept -P udp -W $1 \
                      -S $DNS3 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P udp -W $1 \
                      -S $4/32 domain $NPRIVPORTS -D $DNS3 domain

        # TCP send and receive queries, DNS servers
        /sbin/ipfwadm -I -a accept -P tcp -W $1 \
                      -S $DNS1 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P tcp -W $1 \
                      -S $4/32 $NPRIVPORTS -D $DNS1 domain

        /sbin/ipfwadm -I -a accept -P tcp -W $1 \
                      -S $DNS2 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P tcp -W $1 \
                      -S $4/32 $NPRIVPORTS -D $DNS2 domain

        /sbin/ipfwadm -I -a accept -P tcp -W $1 \
                      -S $DNS3 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P tcp -W $1 \
                      -S $4/32 $NPRIVPORTS -D $DNS3 domain

        # Allow ICMP to and from DNS servers
        /sbin/ipfwadm -I -a accept -P icmp -W $1 -S $DNS1 -D $4/32
        /sbin/ipfwadm -O -a accept -P icmp -W $1 -S $4/32 -D $DNS1

        /sbin/ipfwadm -I -a accept -P icmp -W $1 -S $DNS2 -D $4/32
        /sbin/ipfwadm -O -a accept -P icmp -W $1 -S $4/32 -D $DNS2

        /sbin/ipfwadm -I -a accept -P icmp -W $1 -S $DNS3 -D $4/32
        /sbin/ipfwadm -O -a accept -P icmp -W $1 -S $4/32 -D $DNS3

        # Input filters

        # remote interface, claiming to be local machines, IP spoofing
        /sbin/ipfwadm -I -a deny -W $1 -S 192.168.1.0/24 -D any/0 -o

        # allow ping on remote interface
        /sbin/ipfwadm -I -a accept -W $1 -P icmp -S any/0 0 -D any/0

        /sbin/ipfwadm -I -a accept -P tcp -k -W $1 \
                      -S any/0 telnet ftp $NPRIVPORTS www pop nntp smtp \
                      -D $4/32 $NPRIVPORTS 

        /sbin/ipfwadm -I -a accept -P tcp -W $1 \
                      -S any/0 ftp-data $NPRIVPORTS -D $4/32 $NPRIVPORTS auth

        # Catch all
        /sbin/ipfwadm -I -a deny -W $1 -S 0.0.0.0/0 -D $4/32 -o

        # Output filters

        # outgoing to local net on remote interface, stuffed routing, deny
        /sbin/ipfwadm -O -a deny -W $1 -S any/0 -D 192.168.1.0/24 -o

        # outgoing from local net on remote interface, bad masquerading, deny
        /sbin/ipfwadm -O -a deny -W $1 -S 192.168.1.0/24 -D any/0 -o

        # allow ping on remote interface
        /sbin/ipfwadm -O -a accept -W $1 -P icmp -S any/0 8 -D any/0

        /sbin/ipfwadm -O -a accept -P tcp -W $1 \
                      -S $4/32 $NPRIVPORTS  \
                      -D any/0 telnet ftp $NPRIVPORTS www pop nntp smtp

        /sbin/ipfwadm -O -a accept -P tcp -k -W $1 \
                      -S $4/32 $NPRIVPORTS auth -D any/0 ftp-data $NPRIVPORTS

        # Catch all 
        /sbin/ipfwadm -O -a deny -W $1 -S $4/32 -D 0.0.0.0/0 -o

        ;;

esac

-------------- next part --------------
--
Ian Kent
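Added example (editor's, not part of Ian's post or his scripts): the three attachments only work as a pair of matching rule sets, since ip-down.local must delete exactly the rules ip-up.local added (ipfwadm -d matches on every parameter), and every rule should use the $1 interface that pppd passes in rather than a literal such as ppp0. The helpers below derive the -d form from the -a form with sed, count rules that hard-code an interface, and check the kernel forwarding flag that masquerading depends on (the "forwarding is off" symptom in the question). They assume rule lines follow the /sbin/ipfwadm -<chain> -a ... layout of the attachments; the sample rules are constructed, and the proc path is taken as an argument only so the check can be tried on an ordinary file.

```shell
#!/bin/sh
# Added example (editor's, not from the original post): keep ip-up.local and
# ip-down.local in step and check the forwarding flag masquerading needs.
# Rule text is read on stdin so the helpers can be tried on constructed
# samples without touching /etc/ppp or running ipfwadm.

# gen_ipdown: rewrite ipfwadm "add" rules (-a or -i after the chain selector
# -I, -O or -F) as the matching "delete" rules (-d).  Everything else on the
# line is left verbatim: ipfwadm -d only removes a rule whose every parameter
# matches the one that was added, so the two files must agree exactly.
# Flush (-f) and policy (-p) lines are not add rules and pass through.
gen_ipdown() {
    sed -e 's/\(ipfwadm  *-[IOF]\)  *-[ai] /\1 -d /'
}

# count_fixed_ifaces: number of rule lines whose -W names a literal interface
# (ppp0, eth0, ...) instead of "$1".  pppd passes the interface it actually
# brought up as $1, so a literal silently misses ppp1 and later links.
count_fixed_ifaces() {
    # grep -c exits 1 when the count is 0; the count is still printed
    grep -c -- '-W  *[a-z][a-z0-9]*' || true
}

# ip_forward_enabled FILE: true when the kernel's forwarding flag reads 1.
# Masqueraded packets are forwarded packets, so with this at 0 the -F rules
# never see them.  The path is a parameter only so the check can be exercised
# on an ordinary file; on the router it is /proc/sys/net/ipv4/ip_forward.
ip_forward_enabled() {
    [ -r "$1" ] && [ "$(head -n 1 "$1" | tr -d ' \t')" = "1" ]
}

# Constructed sample in the layout of the attachments (single quotes keep the
# $1 literal, as it is in the scripts).  The third rule carries the kind of
# hard-coded interface name the check is meant to flag.
SAMPLE_IPUP='/sbin/ipfwadm -F -a accept -m -W $1 -S 192.168.1.0/24 -D any/0
/sbin/ipfwadm -I -a deny -W $1 -S 192.168.1.0/24 -D any/0 -o
/sbin/ipfwadm -O -a accept -W ppp0 -P icmp -S any/0 8 -D any/0'

echo "ip-down rules derived from the sample ip-up rules:"
printf '%s\n' "$SAMPLE_IPUP" | gen_ipdown
echo "rules with a hard-coded interface: $(printf '%s\n' "$SAMPLE_IPUP" | count_fixed_ifaces)"
if ip_forward_enabled /proc/sys/net/ipv4/ip_forward; then
    echo "ip_forward is on"
else
    echo "ip_forward is off or unreadable here; masquerading needs it on"
fi
```

To use it on a real pair of scripts, pipe ip-up.local through gen_ipdown and diff the result against ip-down.local: any line that differs (an extra command such as an ndc restart is fine, a rule whose parameters differ is not) is a rule that will be left behind when the link drops.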