[wplug] DSL Routing Issue
Wise, Jeremey
WISEJ at PIOS.com
Wed May 7 15:07:50 EDT 2003
I have setup a site with Linux and DSL. Alltel supplied a Efficient 5200
bridge so I had to load PPPoE client. It actually installed and worked like
a charm. I can get on the internet from the system and have done all my
updates for the host. I tried to get the DSL shared out for all the Windows
98 clients
The PPPoE client I used was http://www.roaringpenguin.com/pppoe/
<http://www.roaringpenguin.com/pppoe/>
(The http://www.roaringpenguin.com/pppoe/how-to-connect.txt
<http://www.roaringpenguin.com/pppoe/how-to-connect.txt> document is really
well documented)
The issue I have is that the Masquerading documents reflect IPChains which
is no longer supported on the kernel I have. I tried to translate this to
IPTables, and thought I did successfully but it still does not work.
Here are the rules they say to use for IPChains:
[root at Helper ppp]# cat firewall-masq
#!/bin/sh
#
# firewall-masq This script sets up firewall rules for a machine
# acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# Interface to Internet
EXTIF=ppp+
ANY=0.0.0.0/0
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY
ipchains -F forward
ipchains -F input
ipchains -F output
# Deny TCP and UDP packets to privileged ports
ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY
# Deny TCP connection attempts
ipchains -A input -l -i $EXTIF -p tcp -y -j DENY
# Deny ICMP echo-requests
ipchains -A input -l -i $EXTIF -s $ANY echo-request -p icmp -j DENY
# Do masquerading
ipchains -A forward -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
[root at Helper ppp]#
Here is what I type to get basic routing up (don't care about firewall at
the moment).
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Anyone have it working?!?
Thanks in advance
*****************
Some additional information
[root at Helper root]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:F8:04:A4:2A
inet addr:10.0.0.200 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:108751 errors:1 dropped:0 overruns:0 frame:0
TX packets:119628 errors:3 dropped:0 overruns:0 carrier:6
collisions:6658 txqueuelen:100
RX bytes:25378181 (24.2 Mb) TX bytes:92931213 (88.6 Mb)
Interrupt:11 Base address:0xac00
eth1 Link encap:Ethernet HWaddr 00:A0:C9:6F:A7:BF
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17195 errors:0 dropped:0 overruns:0 frame:0
TX packets:22435 errors:0 dropped:0 overruns:5548 carrier:0
collisions:0 txqueuelen:100
RX bytes:1440364 (1.3 Mb) TX bytes:1004526 (980.9 Kb)
Interrupt:10 Base address:0x6000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:34 errors:0 dropped:0 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2320 (2.2 Kb) TX bytes:2320 (2.2 Kb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:162.40.172.62 P-t-P:151.213.10.83 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:2385 (2.3 Kb) TX bytes:2746 (2.6 Kb)
[root at Helper root]#
******************************************************
PPPoE Config file:
[root at Helper ppp]# cat pppoe.conf
#***********************************************************************
#
# pppoe.conf
#
# Configuration file for rp-pppoe. Edit as appropriate and install in
# /etc/ppp/pppoe.conf
#
# NOTE: This file is used by the adsl-start, adsl-stop, adsl-connect and
# adsl-status shell scripts. It is *not* used in any way by the
# "pppoe" executable.
#
# Copyright (C) 2000 Roaring Penguin Software Inc.
#
# This file may be distributed under the terms of the GNU General
# Public License.
#
# LIC: GPL
# $Id: pppoe.conf,v 1.10 2002/04/09 17:28:38 dfs Exp $
#***********************************************************************
# When you configure a variable, DO NOT leave spaces around the "=" sign.
# Ethernet card connected to ADSL modem
ETH='eth1'
# ADSL user name. You may have to supply "@provider.com" Sympatico
# users in Canada do need to include "@sympatico.ca"
# Sympatico uses PAP authentication. Make sure /etc/ppp/pap-secrets
# contains the right username/password combination.
# For Magma, use xxyyzz at magma.ca
USER='landmark01'
# Bring link up on demand? Default is to leave link up all the time.
# If you want the link to come up on demand, set DEMAND to a number
indicating
# the idle time after which the link is brought down.
DEMAND=no
#DEMAND=300
# DNS type: SERVER=obtain from server; SPECIFY=use DNS1 and DNS2;
# NOCHANGE=do not adjust.
DNSTYPE=NOCHANGE
# Obtain DNS server addresses from the peer (recent versions of pppd only)
# In old config files, this used to be called USEPEERDNS. Changed to
# PEERDNS for better Red Hat compatibility
PEERDNS=no
DNS1=
DNS2=
# Make the PPPoE connection your default route. Set to
# DEFAULTROUTE=no if you don't want this.
DEFAULTROUTE=yes
### ONLY TOUCH THE FOLLOWING SETTINGS IF YOU'RE AN EXPERT
# How long adsl-start waits for a new PPP interface to appear before
# concluding something went wrong. If you use 0, then adsl-start
# exits immediately with a successful status and does not wait for the
# link to come up. Time is in seconds.
#
# WARNING WARNING WARNING:
#
# If you are using rp-pppoe on a physically-inaccessible host, set
# CONNECT_TIMEOUT to 0. This makes SURE that the machine keeps trying
# to connect forever after adsl-start is called. Otherwise, it will
# give out after CONNECT_TIMEOUT seconds and will not attempt to
# connect again, making it impossible to reach.
CONNECT_TIMEOUT=30
# How often in seconds adsl-start polls to check if link is up
CONNECT_POLL=2
# Specific desired AC Name
ACNAME=
# Specific desired service name
SERVICENAME=
# Character to echo at each poll. Use PING="" if you don't want
# anything echoed
PING="."
# File where the adsl-connect script writes its process-ID.
# Three files are actually used:
# $PIDFILE contains PID of adsl-connect script
# $PIDFILE.pppoe contains PID of pppoe process
# $PIDFILE.pppd contains PID of pppd process
CF_BASE=`basename $CONFIG`
PIDFILE="/var/run/$CF_BASE-adsl.pid"
# Do you want to use synchronous PPP? "yes" or "no". "yes" is much
# easier on CPU usage, but may not work for you. It is safer to use
# "no", but you may want to experiment with "yes". "yes" is generally
# safe on Linux machines with the n_hdlc line discipline; unsafe on others.
SYNCHRONOUS=no
# Do you want to clamp the MSS? Here's how to decide:
# - If you have only a SINGLE computer connected to the ADSL modem, choose
# "no".
# - If you have a computer acting as a gateway for a LAN, choose "1412".
# The setting of 1412 is safe for either setup, but uses slightly more
# CPU power.
CLAMPMSS=1412
#CLAMPMSS=no
# LCP echo interval and failure count.
LCP_INTERVAL=20
LCP_FAILURE=3
# PPPOE_TIMEOUT should be about 4*LCP_INTERVAL
PPPOE_TIMEOUT=80
# Firewalling: One of NONE, STANDALONE or MASQUERADE
FIREWALL=NONE
# Linux kernel-mode plugin for pppd. If you want to try the kernel-mode
# plugin, use LINUX_PLUGIN=/etc/ppp/plugins/rp-pppoe.so
LINUX_PLUGIN=
# Any extra arguments to pass to pppoe. Normally, use a blank string
# like this:
PPPOE_EXTRA=""
# Rumour has it that "Citizen's Communications" with a 3Com
# HomeConnect ADSL Modem DualLink requires these extra options:
# PPPOE_EXTRA="-f 3c12:3c13 -S ISP"
# Any extra arguments to pass to pppd. Normally, use a blank string
# like this:
PPPD_EXTRA=""
########## DON'T CHANGE BELOW UNLESS YOU KNOW WHAT YOU ARE DOING
# If you wish to COMPLETELY overrride the pppd invocation:
# Example:
# OVERRIDE_PPPD_COMMAND="pppd call dsl"
# If you want adsl-connect to exit when connection drops:
# RETRY_ON_FAILURE=no
[root at Helper ppp]#
Current Firewall Script:
[root at Helper network-scripts]# cat iptablescript.scp
#!/bin/bash
# Jeremey Wise 4-25-2003 version 1.0
# eth0=internal(10.0.0.200), eth1=external(pppoe Dynamic IP)
# Check Module Status and Enable Active FTP Connection Tracking
/sbin/modprobe -k ip_tables
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
# Delete user made chains. Flush and zero chains
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
# Make default Accept
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
# Delete "NAT" and "Mangel" chains
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
# Create a new log & drop (LDROP) convenience chain
/sbin/iptables -N LDROP
/sbin/iptables -A LDROP -m limit --limit 15/minute -j LOG --log-prefix
Firewall
/sbin/iptables -A LDROP -j LOG
/sbin/iptables -A LDROP -j DROP
# Create a new Chain (EVIL) to test for evil intentions
/sbin/iptables -N EVIL
# Block nonroutable IP subnets
/sbin/iptables -A EVIL -s 127.0.0.0/24 -j LDROP
/sbin/iptables -A EVIL -s 128.66.0.0/16 -j LDROP
/sbin/iptables -A EVIL -s 172.16.0.0/12 -j LDROP
/sbin/iptables -A EVIL -s 192.168.0.0/16 -j LDROP
/sbin/iptables -A EVIL -s 197.0.0.0/16 -j LDROP
/sbin/iptables -A EVIL -s 201.0.0.0/8 -j LDROP
/sbin/iptables -A EVIL -i ! eth1 -s 10.0.0.0/8 -j LDROP
# Block NMAP port scan flooding
/sbin/iptables -A INPUT -p TCP --tcp-flags ALL SYN,URG,PSH -j LDROP
/sbin/iptables -A INPUT -p TCP --tcp-flags ALL ALL -j LDROP
/sbin/iptables -A INPUT -p TCP --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LDROP
/sbin/iptables -A INPUT -p TCP --tcp-flags ALL NONE -j LDROP
/sbin/iptables -A INPUT -p TCP --tcp-flags SYN,RST SYN,RST -j LDROP
/sbin/iptables -A INPUT -p TCP --tcp-flags SYN,FIN SYN,FIN -j LDROP
# Block Back Orifice
/sbin/iptables -A EVIL -p tcp -s 0/0 --dport 31337 -j LDROP
/sbin/iptables -A EVIL -p udp -s 0/0 --dport 31337 -j LDROP
# Block NetBus
/sbin/iptables -A EVIL -p tcp -s 0/0 --dport 12345:12346 -j LDROP
/sbin/iptables -A EVIL -p udp -s 0/0 --dport 12345:12346 -j LDROP
# Block Trin00
/sbin/iptables -A EVIL -p tcp -s 0/0 --dport 1524 -j LDROP
/sbin/iptables -A EVIL -p udp -s 0/0 --dport 1524 -j LDROP
/sbin/iptables -A EVIL -p tcp -s 0/0 --dport 27665 -j LDROP
/sbin/iptables -A EVIL -p udp -s 0/0 --dport 27665 -j LDROP
/sbin/iptables -A EVIL -p udp -s 0/0 --dport 27444 -j LDROP
/sbin/iptables -A EVIL -p udp -s 0/0 --dport 31335 -j LDROP
# Block Multicast
/sbin/iptables -A EVIL -s 224.0.0.0/8 -j LDROP
/sbin/iptables -A EVIL -d 244.0.0.0/8 -j LDROP
# Block SAMBA
/sbin/iptables -A EVIL -i ! eth1 -p tcp --dport 137:139 -j LDROP
/sbin/iptables -A EVIL -i ! eth1 -p udp --dport 137:139 -j LDROP
/sbin/iptables -A EVIL -i ! eth1 -p tcp --dport 455 -j LDROP
/sbin/iptables -A EVIL -i ! eth1 -p udp --dport 455 -j LDROP
# Block NFS
/sbin/iptables -A EVIL -p tcp --dport 2049 -j LDROP
/sbin/iptables -A EVIL -p udp --dport 2049 -j LDROP
# Block Xwindows
/sbin/iptables -A EVIL -p tcp --dport 6000:6010 -j LDROP
/sbin/iptables -A EVIL -p udp --dport 6000:6010 -j LDROP
# Create a new Chain (GOOD) to test for good intentions
/sbin/iptables -N GOOD
# Allow some ICMP
/sbin/iptables -A GOOD -p icmp --icmp-type echo-request -m limit --limit 1/s
-j ACCEPT
/sbin/iptables -A GOOD -p icmp --icmp-type echo-reply -m limit --limit 1/s
-j ACCEPT
# /sbin/iptables -A GOOD -p icmp --icmp-type source-quench -m list --limit
2/s -j ACCEPT
# Check State
/sbin/iptables -A GOOD -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from Internal LAN only
/sbin/iptables -A GOOD -p tcp --dport 22 -j ACCEPT
# SMB from Internal LAN only
/sbin/iptables -A GOOD -i eth1 -p tcp --dport 137:139 -j ACCEPT
/sbin/iptables -A GOOD -i eth1 -p udp --dport 137:139 -j ACCEPT
# Setting default INPUT rule to DROP
/sbin/iptables -P INPUT DROP
# Allow all traffic on the local interface
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
# Test against evil intentions
/sbin/iptables -A INPUT -j EVIL
# Test for good intentions
/sbin/iptables -A INPUT -j GOOD
# Otherwise log packet and drop
/sbin/iptables -A INPUT -j LDROP
# Setting default FORWARD rule to DROP
/sbin/iptables -P FORWARD DROP
# Test against evil intentions
/sbin/iptables -A FORWARD -j EVIL
# Let non-evil packets out
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT
# Test for good intentions
/sbin/iptables -A FORWARD -j GOOD
# Otherwise log packet and drop
/sbin/iptables -A FORWARD -j LDROP
# Setting default OUTPUT rule to ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
# Allow all traffic to the loopback (lo) interface
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Test against EVIL intentions
/sbin/iptables -A OUTPUT -j EVIL
# Global Redirects & Packet Shaping
# VNC Client Access
# /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 900 -j DNAT
--to 10.0.0.200
# Masquerade outgoing traffic Static IP
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Kernel & System Level Modifications
# Turn on source address verification in kernel
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/lo/rp_filter
# Turn on syn cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
# ICMP dead error messages protection
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo 1 >
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi
# ICMP broadcast protection
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
# Turn on dynamic TCP/IP address hacking
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
then
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
[root at Helper network-scripts]#
Thanks.
Jeremey Wise (440)-519-6006
(CNE,MCSE,CSE)
Pioneer-Standard Electronics, Inc
wisej at pios.com
More information about the wplug
mailing list