[plug] Questions about a dialup server
Ian Kent
ian.kent at pobox.com
Tue Feb 9 16:24:30 WST 1999
At 11:34 AM 08-02-99 +0800, Michael Hunt wrote something like:
snip ...
>
>Which version of diald did you use? I downloaded one (gcc or libc, I can't
>remember) and it came up with all sorts of compile errors.
>
My setup is for my RH systems. It has worked for me on 5.1 and 5.2.
rpm -qa|grep diald gives:
diald-0.16-3
diald-config-unmetered-0.2-2
diald-config-1.2.1-1
All three can be found at http://rufus.w3.org/linux/RPM/
You need to install diald-0.16 first, then diald-config-unmetered-0.2 and
finally diald-config-1.2.1. This gives you all the config for a ppp0 setup.
You need to read the docs to fine-tune it and work out how to add
additional ppp configs.
>
>On another note, how does one set up IP masquerading? I followed the
>instructions in the mini HOWTO, compiled my kernel, added the appropriate
>lines to the rc files and it doesn't work. I also noticed the IP forwarding
>comes up as being off on bootup. Is this supposed to be right (doesn't make
>sense to me)? If not, how am I supposed to turn it on/get IP masquerading
>working? Anyone's experience with setting this up on a RedHat 5.2 box from
>scratch would be helpful (step by step would be great).
>
Attached are three files:
/etc/rc.d/init.d/ipfw (linked to from the appropriate Sys V startup directories)
/etc/ppp/ip-up.local
/etc/ppp/ip-down.local
Again, this is an RH setup, but it should provide an example of filtering (if
you want to do that). I am not suggesting that it is a good setup or that it
is bulletproof by any means. It was written with the aim of stopping most
incoming services and is used in combination with TCP wrappers.
>Thanks in advance.
>Michael Hunt
-------------- next part --------------
#!/bin/bash
#
# Name: /etc/ppp/ip-down.local
#
# Run by pppd when the link goes down, with the arguments
#   $1 = interface (e.g. ppp0)   $4 = local IP address of the link
# Every rule that ip-up.local appended (-a) is deleted (-d) here.
#
# Source function library.
. /etc/rc.d/init.d/functions

case "$4" in
    137.172.222.8)
        /sbin/ipfwadm -I -d accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -O -d accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -F -d accept -W $1 -S any/0 -D any/0
        ;;
    192.168.1.101)
        /sbin/ipfwadm -I -d accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -O -d accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -F -d accept -W $1 -S any/0 -D any/0
        ;;
    192.168.1.*)
        ;;
    *)
        DNS1=203.91.64.130/32
        DNS2=203.91.64.135/32
        DNS3=203.24.100.25/32
        NPRIVPORTS=1024:65535
        /usr/sbin/ndc restart &
        # Forwarding filters
        # Masquerade from local net on local interface to anywhere.
        /sbin/ipfwadm -F -d accept -m -W $1 -S 192.168.1.0/24 -D any/0
        # allow ping on remote interface
        /sbin/ipfwadm -F -d accept -W $1 -P icmp -S any/0 -D any/0
        # DNS filter rules: communication only between us and them
        # UDP send and receive queries, primary and secondary DNS
        /sbin/ipfwadm -I -d accept -P udp -W $1 \
            -S $DNS1 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P udp -W $1 \
            -S $4/32 domain $NPRIVPORTS -D $DNS1 domain
        /sbin/ipfwadm -I -d accept -P udp -W $1 \
            -S $DNS2 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P udp -W $1 \
            -S $4/32 domain $NPRIVPORTS -D $DNS2 domain
        /sbin/ipfwadm -I -d accept -P udp -W $1 \
            -S $DNS3 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P udp -W $1 \
            -S $4/32 domain $NPRIVPORTS -D $DNS3 domain
        # TCP send and receive queries, primary and secondary DNS
        /sbin/ipfwadm -I -d accept -P tcp -W $1 \
            -S $DNS1 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P tcp -W $1 \
            -S $4/32 $NPRIVPORTS -D $DNS1 domain
        /sbin/ipfwadm -I -d accept -P tcp -W $1 \
            -S $DNS2 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P tcp -W $1 \
            -S $4/32 $NPRIVPORTS -D $DNS2 domain
        /sbin/ipfwadm -I -d accept -P tcp -W $1 \
            -S $DNS3 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -d accept -P tcp -W $1 \
            -S $4/32 $NPRIVPORTS -D $DNS3 domain
        # Allow ICMP to and from DNS servers
        /sbin/ipfwadm -I -d accept -P icmp -W $1 -S $DNS1 -D $4/32
        /sbin/ipfwadm -O -d accept -P icmp -W $1 -S $4/32 -D $DNS1
        /sbin/ipfwadm -I -d accept -P icmp -W $1 -S $DNS2 -D $4/32
        /sbin/ipfwadm -O -d accept -P icmp -W $1 -S $4/32 -D $DNS2
        /sbin/ipfwadm -I -d accept -P icmp -W $1 -S $DNS3 -D $4/32
        /sbin/ipfwadm -O -d accept -P icmp -W $1 -S $4/32 -D $DNS3
        # Input filters
        # remote interface, claiming to be local machines, IP spoofing
        /sbin/ipfwadm -I -d deny -W $1 -S 192.168.1.0/24 -D any/0 -o
        # allow ping on remote interface (ICMP type 0, echo reply, only)
        /sbin/ipfwadm -I -d accept -W $1 -P icmp -S any/0 0 -D any/0
        # replies to our outgoing connections (-k: ACK bit set)
        /sbin/ipfwadm -I -d accept -P tcp -k -W $1 \
            -S any/0 telnet ftp $NPRIVPORTS www pop nntp smtp \
            -D $4/32 $NPRIVPORTS
        # active-mode ftp data and ident callbacks (new connections, no -k)
        /sbin/ipfwadm -I -d accept -P tcp -W $1 \
            -S any/0 ftp-data $NPRIVPORTS -D $4/32 $NPRIVPORTS auth
        # Catch all
        /sbin/ipfwadm -I -d deny -W $1 -S any/0 -D $4/32 -o
        # Output filters
        # outgoing to local net on remote interface, stuffed routing, deny
        /sbin/ipfwadm -O -d deny -W $1 -S any/0 -D 192.168.1.0/24 -o
        # outgoing from local net on remote interface, bad masquerading, deny
        /sbin/ipfwadm -O -d deny -W $1 -S 192.168.1.0/24 -D any/0 -o
        # allow ping on remote interface (ICMP type 8, echo request)
        /sbin/ipfwadm -O -d accept -W $1 -P icmp -S any/0 8 -D any/0
        /sbin/ipfwadm -O -d accept -P tcp -W $1 \
            -S $4/32 $NPRIVPORTS \
            -D any/0 telnet ftp $NPRIVPORTS www pop nntp smtp
        /sbin/ipfwadm -O -d accept -P tcp -k -W $1 \
            -S $4/32 $NPRIVPORTS auth -D any/0 ftp-data $NPRIVPORTS
        # Catch all
        /sbin/ipfwadm -O -d deny -W $1 -S $4/32 -D any/0 -o
        # wait for the backgrounded ndc restart before pppd carries on
        wait
        ;;
esac
-------------- next part --------------
#! /bin/sh
#
# Name: /etc/rc.d/init.d/ipfw
#
# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
    start)
        echo -n "Setting up initial packet filters: "
        SLIP_IF=192.168.0.0/24
        LOCALNET=192.168.1.0/24
        # Load the required masquerade modules
        /sbin/modprobe ip_masq_ftp
        # Flush filter lists and set up the default policy
        /sbin/ipfwadm -I -f; /sbin/ipfwadm -I -p reject
        /sbin/ipfwadm -O -f; /sbin/ipfwadm -O -p deny
        /sbin/ipfwadm -F -f; /sbin/ipfwadm -F -p deny
        # Set interface sl0 to allow diald autodial
        # allow DNS queries to bring up diald
        /sbin/ipfwadm -O -a accept \
            -W sl0 -P udp -S $SLIP_IF -D any/0
        # allow ping to bring up diald
        /sbin/ipfwadm -F -a accept -W sl0 -P icmp -S any/0 8 -D any/0
        /sbin/ipfwadm -O -a accept -W sl0 -P icmp -S any/0 8 -D any/0
        # Incoming and outgoing DHCP broadcasts only on local interface
        /sbin/ipfwadm -I -a accept \
            -W eth0 -P udp -S any/0 bootpc -D any/0 bootps
        /sbin/ipfwadm -O -a accept \
            -W eth0 -P udp -S any/0 bootps -D any/0 bootpc
        # Input filters for loopback and local interface(s)
        # Redirect local http requests to local apache and the rest to Squid
        /sbin/ipfwadm -I -a accept -W eth0 -P tcp -D $LOCALNET 80 -r 88
        /sbin/ipfwadm -I -a accept -W eth0 -P tcp -D any/0 80 -r 8080
        # local interface, local machines, going anywhere is valid
        /sbin/ipfwadm -I -a accept -W eth0 -S $LOCALNET -D any/0
        # loopback interface is valid.
        /sbin/ipfwadm -I -a accept -V 127.0.0.1 -S any/0 -D any/0
        # Output filters for loopback and local interface(s)
        # local interface, any source going to local net is valid
        /sbin/ipfwadm -O -a accept -W eth0 -S any/0 -D $LOCALNET
        # loopback interface is valid.
        /sbin/ipfwadm -O -a accept -V 127.0.0.1 -S any/0 -D any/0
        # Forwarding filters
        # local interface, local machines, going anywhere is valid
        /sbin/ipfwadm -F -a accept -W eth0 -S $LOCALNET -D any/0
        # loopback interface is valid.
        /sbin/ipfwadm -F -a accept -V 127.0.0.1 -S any/0 -D any/0
        echo done.
        ;;
    stop)
        echo -n "Flushing packet filter rules: "
        /sbin/ipfwadm -I -f
        /sbin/ipfwadm -O -f
        /sbin/ipfwadm -F -f
        echo done.
        ;;
    restart)
        $0 start
        ;;
    *)
        echo "Usage: ipfw {start|stop|restart}"
        exit 1
        ;;
esac
exit 0
-------------- next part --------------
#!/bin/bash
#
# Name: /etc/ppp/ip-up.local
#
# Run by pppd when the link comes up, with the arguments
#   $1 = interface (e.g. ppp0)   $4 = local IP address of the link
# The rules appended (-a) here are deleted again by ip-down.local.
#
# Source function library.
. /etc/rc.d/init.d/functions

case "$4" in
    137.172.222.8)
        /sbin/ipfwadm -I -a accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -O -a accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -F -a accept -W $1 -S any/0 -D any/0
        ;;
    192.168.1.101)
        /sbin/ipfwadm -I -a accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -O -a accept -W $1 -S any/0 -D any/0
        /sbin/ipfwadm -F -a accept -W $1 -S any/0 -D any/0
        ;;
    192.168.1.*)
        ;;
    *)
        DNS1=203.91.64.130/32
        DNS2=203.91.64.135/32
        DNS3=203.24.100.25/32
        NPRIVPORTS=1024:65535
        # Forwarding filters
        # Masquerade from local net on local interface to anywhere.
        /sbin/ipfwadm -F -a accept -m -W $1 -S 192.168.1.0/24 -D any/0
        # allow ping on remote interface
        /sbin/ipfwadm -F -a accept -W $1 -P icmp -S any/0 -D any/0
        # DNS filter rules: communication only between us and them
        # UDP send and receive queries, DNS servers
        /sbin/ipfwadm -I -a accept -P udp -W $1 \
            -S $DNS1 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P udp -W $1 \
            -S $4/32 domain $NPRIVPORTS -D $DNS1 domain
        /sbin/ipfwadm -I -a accept -P udp -W $1 \
            -S $DNS2 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P udp -W $1 \
            -S $4/32 domain $NPRIVPORTS -D $DNS2 domain
        /sbin/ipfwadm -I -a accept -P udp -W $1 \
            -S $DNS3 domain -D $4/32 domain $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P udp -W $1 \
            -S $4/32 domain $NPRIVPORTS -D $DNS3 domain
        # TCP send and receive queries, DNS servers
        /sbin/ipfwadm -I -a accept -P tcp -W $1 \
            -S $DNS1 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P tcp -W $1 \
            -S $4/32 $NPRIVPORTS -D $DNS1 domain
        /sbin/ipfwadm -I -a accept -P tcp -W $1 \
            -S $DNS2 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P tcp -W $1 \
            -S $4/32 $NPRIVPORTS -D $DNS2 domain
        /sbin/ipfwadm -I -a accept -P tcp -W $1 \
            -S $DNS3 domain -D $4/32 $NPRIVPORTS
        /sbin/ipfwadm -O -a accept -P tcp -W $1 \
            -S $4/32 $NPRIVPORTS -D $DNS3 domain
        # Allow ICMP to and from DNS servers
        /sbin/ipfwadm -I -a accept -P icmp -W $1 -S $DNS1 -D $4/32
        /sbin/ipfwadm -O -a accept -P icmp -W $1 -S $4/32 -D $DNS1
        /sbin/ipfwadm -I -a accept -P icmp -W $1 -S $DNS2 -D $4/32
        /sbin/ipfwadm -O -a accept -P icmp -W $1 -S $4/32 -D $DNS2
        /sbin/ipfwadm -I -a accept -P icmp -W $1 -S $DNS3 -D $4/32
        /sbin/ipfwadm -O -a accept -P icmp -W $1 -S $4/32 -D $DNS3
        # Input filters
        # remote interface, claiming to be local machines, IP spoofing
        /sbin/ipfwadm -I -a deny -W $1 -S 192.168.1.0/24 -D any/0 -o
        # allow ping on remote interface (ICMP type 0, echo reply, only)
        /sbin/ipfwadm -I -a accept -W $1 -P icmp -S any/0 0 -D any/0
        # replies to our outgoing connections (-k: ACK bit set)
        /sbin/ipfwadm -I -a accept -P tcp -k -W $1 \
            -S any/0 telnet ftp $NPRIVPORTS www pop nntp smtp \
            -D $4/32 $NPRIVPORTS
        # active-mode ftp data and ident callbacks (new connections, no -k)
        /sbin/ipfwadm -I -a accept -P tcp -W $1 \
            -S any/0 ftp-data $NPRIVPORTS -D $4/32 $NPRIVPORTS auth
        # Catch all
        /sbin/ipfwadm -I -a deny -W $1 -S 0.0.0.0/0 -D $4/32 -o
        # Output filters
        # outgoing to local net on remote interface, stuffed routing, deny
        /sbin/ipfwadm -O -a deny -W $1 -S any/0 -D 192.168.1.0/24 -o
        # outgoing from local net on remote interface, bad masquerading, deny
        /sbin/ipfwadm -O -a deny -W $1 -S 192.168.1.0/24 -D any/0 -o
        # allow ping on remote interface (ICMP type 8, echo request)
        /sbin/ipfwadm -O -a accept -W $1 -P icmp -S any/0 8 -D any/0
        /sbin/ipfwadm -O -a accept -P tcp -W $1 \
            -S $4/32 $NPRIVPORTS \
            -D any/0 telnet ftp $NPRIVPORTS www pop nntp smtp
        /sbin/ipfwadm -O -a accept -P tcp -k -W $1 \
            -S $4/32 $NPRIVPORTS auth -D any/0 ftp-data $NPRIVPORTS
        # Catch all
        /sbin/ipfwadm -O -a deny -W $1 -S $4/32 -D 0.0.0.0/0 -o
        ;;
esac
-------------- next part --------------
--
Ian Kent
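As an added illustration (not part of Ian's post or of the scripts above), the Python below models the -I (input) chain that ip-up.local appends on the dial-up interface, in the order the rules are appended, and reports what the rule set does with a few constructed packets. It assumes first-match semantics as a simplification of how the 2.0-kernel ipfw code walks a chain, that the link interface is ppp0, and a made-up link address 10.0.0.2 standing in for pppd's $4; the DNS server addresses are the ones in the scripts, and 198.51.100.7 is a documentation address standing in for an arbitrary remote host. The point it makes is what -k buys you without connection tracking: a reply to an outgoing connection (ACK bit set) is accepted, a fresh inbound SYN to telnet is not, and a packet with a 192.168.1.x source arriving on the link is dropped by the anti-spoofing rule before anything else is considered. It also shows the one broad opening in the set: the ftp-data/auth rule, which has no -k, accepts a new connection from any unprivileged source port to any unprivileged local port, not just to ident.

```python
"""Model of the ipfwadm -I chain that ip-up.local appends on the dial-up link.

Added example, not code from the original post.  Simplifications/assumptions:
  - rules are checked in the order they were appended and the first match
    decides; if nothing matches, the chain policy set by the ipfw init
    script (-I -p reject) applies;
  - the link interface is ppp0 and its address ($4 to pppd) is 10.0.0.2,
    a constructed value; the DNS addresses are the ones from the scripts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PPP_IF = "ppp0"
LOCAL_IP = "10.0.0.2"                      # constructed stand-in for $4
LOCALNET = "192.168.1.0/24"
DNS = ["203.91.64.130", "203.91.64.135", "203.24.100.25"]
NPRIV = range(1024, 65536)                 # $NPRIVPORTS
ANY = "0.0.0.0/0"


@dataclass
class Packet:
    iface: str
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # for ICMP this carries the message type
    dport: int = 0
    ack: bool = False   # TCP ACK flag (set on every packet after the SYN)


@dataclass
class Rule:
    policy: str                 # accept / deny / reject
    iface: str = ""             # -W (empty = any interface)
    proto: str = "all"          # -P
    src: str = ANY              # -S address
    dst: str = ANY              # -D address
    sports: tuple = ()          # -S ports (ICMP: types); empty = any
    dports: tuple = ()          # -D ports; empty = any
    ack_only: bool = False      # -k

    def matches(self, p):
        if self.iface and p.iface != self.iface:
            return False
        if self.proto != "all" and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if not port_ok(p.sport, self.sports) or not port_ok(p.dport, self.dports):
            return False
        return p.ack or not self.ack_only


def port_ok(port, spec):
    """True when the port (or ICMP type) is covered by the rule's list."""
    return not spec or any(port == s if isinstance(s, int) else port in s
                           for s in spec)


def ppp_input_chain():
    """The -I rules of ip-up.local's default branch, in appended order."""
    chain = [Rule("accept", PPP_IF, "udp", d, LOCAL_IP, (53,), (53, NPRIV))
             for d in DNS]
    chain += [Rule("accept", PPP_IF, "tcp", d, LOCAL_IP, (53,), (NPRIV,))
              for d in DNS]
    chain += [Rule("accept", PPP_IF, "icmp", d, LOCAL_IP) for d in DNS]
    chain.append(Rule("deny", PPP_IF, "all", LOCALNET))        # anti-spoofing
    chain.append(Rule("accept", PPP_IF, "icmp", sports=(0,)))  # echo reply only
    chain.append(Rule("accept", PPP_IF, "tcp",                 # replies (-k)
                      sports=(23, 21, NPRIV, 80, 110, 119, 25),
                      dports=(NPRIV,), ack_only=True))
    chain.append(Rule("accept", PPP_IF, "tcp",                 # ftp-data / auth
                      sports=(20, NPRIV), dports=(NPRIV, 113)))
    chain.append(Rule("deny", PPP_IF, "all", dst=LOCAL_IP))    # catch-all
    return chain


def evaluate(chain, packet, default="reject"):
    """Return (verdict, index of the deciding rule, or None for chain policy)."""
    for i, rule in enumerate(chain):
        if rule.matches(packet):
            return rule.policy, i
    return default, None


def classify(packet):
    return evaluate(ppp_input_chain(), packet)[0]


# Constructed sample traffic arriving on the link.
REMOTE = "198.51.100.7"
SAMPLES = {
    "dns_reply":     Packet(PPP_IF, "udp", DNS[0], LOCAL_IP, 53, 35000),
    "web_reply":     Packet(PPP_IF, "tcp", REMOTE, LOCAL_IP, 80, 40000, ack=True),
    "telnet_syn":    Packet(PPP_IF, "tcp", REMOTE, LOCAL_IP, 4321, 23),
    "ident_syn":     Packet(PPP_IF, "tcp", REMOTE, LOCAL_IP, 4321, 113),
    "high_port_syn": Packet(PPP_IF, "tcp", REMOTE, LOCAL_IP, 4321, 6000),
    "spoofed_lan":   Packet(PPP_IF, "udp", "192.168.1.50", LOCAL_IP, 53, 53),
    "ping_request":  Packet(PPP_IF, "icmp", REMOTE, LOCAL_IP, 8),
    "ping_reply":    Packet(PPP_IF, "icmp", REMOTE, LOCAL_IP, 0),
}

if __name__ == "__main__":
    chain = ppp_input_chain()
    for name, pkt in SAMPLES.items():
        verdict, idx = evaluate(chain, pkt)
        where = "chain policy" if idx is None else f"rule {idx}"
        print(f"{name:14s} {verdict:7s} ({where})")
```

Run it directly and it prints the verdict for each sample together with the index of the rule that decided, which maps straight onto the -I lines of ip-up.local. The high_port_syn case is the one worth tightening if this rule set is reused: splitting the ftp-data/auth line into one rule for source port 20 and one for destination port 113 keeps active FTP and ident working without leaving every unprivileged local port reachable.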