[wplug] DSL Routing Issue
John Strange
john at strangeness.org
Wed May 7 15:29:02 EDT 2003
Why does eth1 have no IP address?
- john
On Wed, 2003-05-07 at 15:07, Wise, Jeremey wrote:
> I have set up a site with Linux and DSL. Alltel supplied an Efficient 5200
> bridge so I had to load a PPPoE client. It actually installed and worked like
> a charm. I can get on the internet from the system and have done all my
> updates for the host. I tried to get the DSL shared out for all the Windows
> 98 clients.
>
>
> The PPPoE client I used was http://www.roaringpenguin.com/pppoe/
> (The http://www.roaringpenguin.com/pppoe/how-to-connect.txt document is really
> well documented)
>
>
> The issue I have is that the Masquerading documents reflect IPChains which
> is no longer supported on the kernel I have. I tried to translate this to
> IPTables, and thought I did successfully but it still does not work.
>
> Here are the rules they say to use for IPChains:
> [root@Helper ppp]# cat firewall-masq
> #!/bin/sh
> #
> # firewall-masq This script sets up firewall rules for a machine
> # acting as a masquerading gateway
> #
> # Copyright (C) 2000 Roaring Penguin Software Inc. This software may
> # be distributed under the terms of the GNU General Public License, version
> # 2 or any later version.
>
> # Interface to Internet
> EXTIF=ppp+
>
> ANY=0.0.0.0/0
>
> ipchains -P input ACCEPT
> ipchains -P output ACCEPT
> ipchains -P forward DENY
>
> ipchains -F forward
> ipchains -F input
> ipchains -F output
>
> # Deny TCP and UDP packets to privileged ports
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY
>
> # Deny TCP connection attempts
> ipchains -A input -l -i $EXTIF -p tcp -y -j DENY
>
> # Deny ICMP echo-requests
> ipchains -A input -l -i $EXTIF -s $ANY echo-request -p icmp -j DENY
>
> # Do masquerading
> ipchains -A forward -j MASQ
> echo 1 > /proc/sys/net/ipv4/ip_forward
> [root@Helper ppp]#
>
> Here is what I type to get basic routing up (don't care about firewall at
> the moment).
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> Anyone have it working?!?
>
> Thanks in advance
>
>
>
>
> *****************
> Some additional information
> [root@Helper root]# ifconfig
> eth0 Link encap:Ethernet HWaddr 00:00:F8:04:A4:2A
> inet addr:10.0.0.200 Bcast:10.0.0.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:108751 errors:1 dropped:0 overruns:0 frame:0
> TX packets:119628 errors:3 dropped:0 overruns:0 carrier:6
> collisions:6658 txqueuelen:100
> RX bytes:25378181 (24.2 Mb) TX bytes:92931213 (88.6 Mb)
> Interrupt:11 Base address:0xac00
>
> eth1 Link encap:Ethernet HWaddr 00:A0:C9:6F:A7:BF
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:17195 errors:0 dropped:0 overruns:0 frame:0
> TX packets:22435 errors:0 dropped:0 overruns:5548 carrier:0
> collisions:0 txqueuelen:100
> RX bytes:1440364 (1.3 Mb) TX bytes:1004526 (980.9 Kb)
> Interrupt:10 Base address:0x6000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:34 errors:0 dropped:0 overruns:0 frame:0
> TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:2320 (2.2 Kb) TX bytes:2320 (2.2 Kb)
>
> ppp0 Link encap:Point-to-Point Protocol
> inet addr:162.40.172.62 P-t-P:151.213.10.83 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
> RX packets:40 errors:0 dropped:0 overruns:0 frame:0
> TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
> RX bytes:2385 (2.3 Kb) TX bytes:2746 (2.6 Kb)
>
>
>
> [root@Helper root]#
> ******************************************************
> PPPoE Config file:
> [root@Helper ppp]# cat pppoe.conf
> #***********************************************************************
> #
> # pppoe.conf
> #
> # Configuration file for rp-pppoe. Edit as appropriate and install in
> # /etc/ppp/pppoe.conf
> #
> # NOTE: This file is used by the adsl-start, adsl-stop, adsl-connect and
> # adsl-status shell scripts. It is *not* used in any way by the
> # "pppoe" executable.
> #
> # Copyright (C) 2000 Roaring Penguin Software Inc.
> #
> # This file may be distributed under the terms of the GNU General
> # Public License.
> #
> # LIC: GPL
> # $Id: pppoe.conf,v 1.10 2002/04/09 17:28:38 dfs Exp $
> #***********************************************************************
>
> # When you configure a variable, DO NOT leave spaces around the "=" sign.
>
> # Ethernet card connected to ADSL modem
> ETH='eth1'
>
> # ADSL user name. You may have to supply "@provider.com" Sympatico
> # users in Canada do need to include "@sympatico.ca"
> # Sympatico uses PAP authentication. Make sure /etc/ppp/pap-secrets
> # contains the right username/password combination.
> # For Magma, use xxyyzz at magma.ca
> USER='landmark01'
>
> # Bring link up on demand? Default is to leave link up all the time.
> # If you want the link to come up on demand, set DEMAND to a number indicating
> # the idle time after which the link is brought down.
> DEMAND=no
> #DEMAND=300
>
> # DNS type: SERVER=obtain from server; SPECIFY=use DNS1 and DNS2;
> # NOCHANGE=do not adjust.
> DNSTYPE=NOCHANGE
>
> # Obtain DNS server addresses from the peer (recent versions of pppd only)
> # In old config files, this used to be called USEPEERDNS. Changed to
> # PEERDNS for better Red Hat compatibility
> PEERDNS=no
>
> DNS1=
> DNS2=
> # Make the PPPoE connection your default route. Set to
> # DEFAULTROUTE=no if you don't want this.
> DEFAULTROUTE=yes
>
> ### ONLY TOUCH THE FOLLOWING SETTINGS IF YOU'RE AN EXPERT
>
> # How long adsl-start waits for a new PPP interface to appear before
> # concluding something went wrong. If you use 0, then adsl-start
> # exits immediately with a successful status and does not wait for the
> # link to come up. Time is in seconds.
> #
> # WARNING WARNING WARNING:
> #
> # If you are using rp-pppoe on a physically-inaccessible host, set
> # CONNECT_TIMEOUT to 0. This makes SURE that the machine keeps trying
> # to connect forever after adsl-start is called. Otherwise, it will
> # give out after CONNECT_TIMEOUT seconds and will not attempt to
> # connect again, making it impossible to reach.
> CONNECT_TIMEOUT=30
>
> # How often in seconds adsl-start polls to check if link is up
> CONNECT_POLL=2
>
> # Specific desired AC Name
> ACNAME=
>
> # Specific desired service name
> SERVICENAME=
>
> # Character to echo at each poll. Use PING="" if you don't want
> # anything echoed
> PING="."
>
> # File where the adsl-connect script writes its process-ID.
> # Three files are actually used:
> # $PIDFILE contains PID of adsl-connect script
> # $PIDFILE.pppoe contains PID of pppoe process
> # $PIDFILE.pppd contains PID of pppd process
> CF_BASE=`basename $CONFIG`
> PIDFILE="/var/run/$CF_BASE-adsl.pid"
>
> # Do you want to use synchronous PPP? "yes" or "no". "yes" is much
> # easier on CPU usage, but may not work for you. It is safer to use
> # "no", but you may want to experiment with "yes". "yes" is generally
> # safe on Linux machines with the n_hdlc line discipline; unsafe on others.
> SYNCHRONOUS=no
>
> # Do you want to clamp the MSS? Here's how to decide:
> # - If you have only a SINGLE computer connected to the ADSL modem, choose
> # "no".
> # - If you have a computer acting as a gateway for a LAN, choose "1412".
> # The setting of 1412 is safe for either setup, but uses slightly more
> # CPU power.
> CLAMPMSS=1412
> #CLAMPMSS=no
>
> # LCP echo interval and failure count.
> LCP_INTERVAL=20
> LCP_FAILURE=3
>
> # PPPOE_TIMEOUT should be about 4*LCP_INTERVAL
> PPPOE_TIMEOUT=80
>
> # Firewalling: One of NONE, STANDALONE or MASQUERADE
> FIREWALL=NONE
>
> # Linux kernel-mode plugin for pppd. If you want to try the kernel-mode
> # plugin, use LINUX_PLUGIN=/etc/ppp/plugins/rp-pppoe.so
> LINUX_PLUGIN=
>
> # Any extra arguments to pass to pppoe. Normally, use a blank string
> # like this:
> PPPOE_EXTRA=""
>
> # Rumour has it that "Citizen's Communications" with a 3Com
> # HomeConnect ADSL Modem DualLink requires these extra options:
> # PPPOE_EXTRA="-f 3c12:3c13 -S ISP"
>
> # Any extra arguments to pass to pppd. Normally, use a blank string
> # like this:
> PPPD_EXTRA=""
>
>
> ########## DON'T CHANGE BELOW UNLESS YOU KNOW WHAT YOU ARE DOING
> # If you wish to COMPLETELY override the pppd invocation:
> # Example:
> # OVERRIDE_PPPD_COMMAND="pppd call dsl"
>
> # If you want adsl-connect to exit when connection drops:
> # RETRY_ON_FAILURE=no
> [root@Helper ppp]#
>
>
>
> Current Firewall Script:
> [root@Helper network-scripts]# cat iptablescript.scp
> #!/bin/bash
> # Jeremey Wise 4-25-2003 version 1.0
> # eth0=internal(10.0.0.200), eth1=external(pppoe Dynamic IP)
>
> # Check Module Status and Enable Active FTP Connection Tracking
> /sbin/modprobe -k ip_tables
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_conntrack_irc
> /sbin/modprobe ip_nat_ftp
>
> # Delete user made chains. Flush and zero chains
> /sbin/iptables -F
> /sbin/iptables -X
> /sbin/iptables -Z
>
> # Make default Accept
> /sbin/iptables -P INPUT ACCEPT
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -P FORWARD ACCEPT
>
> # Flush the "nat" and "mangle" tables
> /sbin/iptables -t nat -F
> /sbin/iptables -t mangle -F
>
> # Create a new log & drop (LDROP) convenience chain
> /sbin/iptables -N LDROP
> /sbin/iptables -A LDROP -m limit --limit 15/minute -j LOG --log-prefix Firewall
> /sbin/iptables -A LDROP -j LOG
> /sbin/iptables -A LDROP -j DROP
>
> # Create a new Chain (EVIL) to test for evil intentions
> /sbin/iptables -N EVIL
> # Block nonroutable IP subnets
> /sbin/iptables -A EVIL -s 127.0.0.0/24 -j LDROP
> /sbin/iptables -A EVIL -s 128.66.0.0/16 -j LDROP
> /sbin/iptables -A EVIL -s 172.16.0.0/12 -j LDROP
> /sbin/iptables -A EVIL -s 192.168.0.0/16 -j LDROP
> /sbin/iptables -A EVIL -s 197.0.0.0/16 -j LDROP
> /sbin/iptables -A EVIL -s 201.0.0.0/8 -j LDROP
> /sbin/iptables -A EVIL -i ! eth1 -s 10.0.0.0/8 -j LDROP
> # Block NMAP port scan flooding
> /sbin/iptables -A INPUT -p TCP --tcp-flags ALL SYN,URG,PSH -j LDROP
> /sbin/iptables -A INPUT -p TCP --tcp-flags ALL ALL -j LDROP
> /sbin/iptables -A INPUT -p TCP --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LDROP
> /sbin/iptables -A INPUT -p TCP --tcp-flags ALL NONE -j LDROP
> /sbin/iptables -A INPUT -p TCP --tcp-flags SYN,RST SYN,RST -j LDROP
> /sbin/iptables -A INPUT -p TCP --tcp-flags SYN,FIN SYN,FIN -j LDROP
> # Block Back Orifice
> /sbin/iptables -A EVIL -p tcp -s 0/0 --dport 31337 -j LDROP
> /sbin/iptables -A EVIL -p udp -s 0/0 --dport 31337 -j LDROP
> # Block NetBus
> /sbin/iptables -A EVIL -p tcp -s 0/0 --dport 12345:12346 -j LDROP
> /sbin/iptables -A EVIL -p udp -s 0/0 --dport 12345:12346 -j LDROP
> # Block Trin00
> /sbin/iptables -A EVIL -p tcp -s 0/0 --dport 1524 -j LDROP
> /sbin/iptables -A EVIL -p udp -s 0/0 --dport 1524 -j LDROP
> /sbin/iptables -A EVIL -p tcp -s 0/0 --dport 27665 -j LDROP
> /sbin/iptables -A EVIL -p udp -s 0/0 --dport 27665 -j LDROP
> /sbin/iptables -A EVIL -p udp -s 0/0 --dport 27444 -j LDROP
> /sbin/iptables -A EVIL -p udp -s 0/0 --dport 31335 -j LDROP
> # Block Multicast
> /sbin/iptables -A EVIL -s 224.0.0.0/8 -j LDROP
> /sbin/iptables -A EVIL -d 244.0.0.0/8 -j LDROP
> # Block SAMBA
> /sbin/iptables -A EVIL -i ! eth1 -p tcp --dport 137:139 -j LDROP
> /sbin/iptables -A EVIL -i ! eth1 -p udp --dport 137:139 -j LDROP
> /sbin/iptables -A EVIL -i ! eth1 -p tcp --dport 455 -j LDROP
> /sbin/iptables -A EVIL -i ! eth1 -p udp --dport 455 -j LDROP
> # Block NFS
> /sbin/iptables -A EVIL -p tcp --dport 2049 -j LDROP
> /sbin/iptables -A EVIL -p udp --dport 2049 -j LDROP
> # Block Xwindows
> /sbin/iptables -A EVIL -p tcp --dport 6000:6010 -j LDROP
> /sbin/iptables -A EVIL -p udp --dport 6000:6010 -j LDROP
>
> # Create a new Chain (GOOD) to test for good intentions
> /sbin/iptables -N GOOD
> # Allow some ICMP
> /sbin/iptables -A GOOD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
> /sbin/iptables -A GOOD -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
> # /sbin/iptables -A GOOD -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT
> # Check State
> /sbin/iptables -A GOOD -m state --state ESTABLISHED,RELATED -j ACCEPT
> # SSH from Internal LAN only
> /sbin/iptables -A GOOD -p tcp --dport 22 -j ACCEPT
> # SMB from Internal LAN only
> /sbin/iptables -A GOOD -i eth1 -p tcp --dport 137:139 -j ACCEPT
> /sbin/iptables -A GOOD -i eth1 -p udp --dport 137:139 -j ACCEPT
>
> # Setting default INPUT rule to DROP
> /sbin/iptables -P INPUT DROP
> # Allow all traffic on the local interface
> /sbin/iptables -A INPUT -i eth1 -j ACCEPT
> # Test against evil intentions
> /sbin/iptables -A INPUT -j EVIL
> # Test for good intentions
> /sbin/iptables -A INPUT -j GOOD
> # Otherwise log packet and drop
> /sbin/iptables -A INPUT -j LDROP
>
> # Setting default FORWARD rule to DROP
> /sbin/iptables -P FORWARD DROP
> # Test against evil intentions
> /sbin/iptables -A FORWARD -j EVIL
> # Let non-evil packets out
> /sbin/iptables -A FORWARD -i eth1 -j ACCEPT
> # Test for good intentions
> /sbin/iptables -A FORWARD -j GOOD
> # Otherwise log packet and drop
> /sbin/iptables -A FORWARD -j LDROP
>
> # Setting default OUTPUT rule to ACCEPT
> /sbin/iptables -P OUTPUT ACCEPT
> # Allow all traffic to the loopback (lo) interface
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
> # Test against EVIL intentions
> /sbin/iptables -A OUTPUT -j EVIL
>
> # Global Redirects & Packet Shaping
> # VNC Client Access
> # /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 900 -j DNAT --to 10.0.0.200
> # Masquerade outgoing traffic Static IP
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> # Kernel & System Level Modifications
> # Turn on source address verification in kernel
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
> echo 2 > /proc/sys/net/ipv4/conf/eth1/rp_filter
> echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> echo 2 > /proc/sys/net/ipv4/conf/lo/rp_filter
>
> # Turn on syn cookies protection in kernel
> if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
> then
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> fi
> # ICMP dead error messages protection
> if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
> then
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> fi
> # ICMP broadcast protection
> if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
> then
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> fi
> # Turn on dynamic TCP/IP address hacking
> if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
> then
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> fi
> # Turn on IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> [root@Helper network-scripts]#
>
>
> Thanks.
>
> Jeremey Wise (440)-519-6006
> (CNE,MCSE,CSE)
> Pioneer-Standard Electronics, Inc
> wisej at pios.com
>
>
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
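Putting the two hints in this thread together (the ipchains script's EXTIF=ppp+ and the reply's point that eth1 carries no IP address), here is an iptables rendering of firewall-masq for a PPPoE gateway. This is an added example, not code from the post or from Roaring Penguin; the "masq-deny: " log prefix and the show/apply switch are my own additions.

```shell
#!/bin/sh
# Added example (not from the post or rp-pppoe): the ipchains firewall-masq
# rules rendered in iptables for a PPPoE gateway.  The public address lives
# on ppp0, so NAT and the inbound filters key on ppp+, not on eth1, which
# only carries PPPoE frames and has no IP address of its own.
EXTIF=ppp+
IPT=${IPT:-/sbin/iptables}

# Emit the rule set as shell commands; nothing is executed here.
masq_rules() {
    cat <<EOF
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t nat -F POSTROUTING
# ipchains "-l ... -j DENY" becomes a LOG rule followed by a DROP rule
$IPT -A INPUT -i $EXTIF -p udp --dport 0:1023 -j LOG --log-prefix "masq-deny: "
$IPT -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
$IPT -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j LOG --log-prefix "masq-deny: "
$IPT -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP
# ipchains "-y" (SYN without ACK) is "--syn" in iptables
$IPT -A INPUT -i $EXTIF -p tcp --syn -j DROP
$IPT -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j DROP
# ipchains MASQ both forwarded and translated; iptables splits that in two:
# filter/FORWARD decides what passes, nat/POSTROUTING rewrites the source
$IPT -A FORWARD -o $EXTIF -j ACCEPT
$IPT -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
EOF
}

# "show" prints the rules for review; "apply" loads them (needs root).
case "${1:-}" in
    show)  masq_rules ;;
    apply) masq_rules | sh -e && echo 1 > /proc/sys/net/ipv4/ip_forward ;;
esac
```

Run it with `show` first and check that every NAT and inbound rule names ppp+; a MASQUERADE rule on eth1 never matches because the translated packets leave through ppp0.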