"McEntire, Chad" wrote:

> I'm trying to configure diald to initialize its ppp connection when I
> initiate IP requests from another machine (A Win NT box) on my network.
> I've got the diald server running masquerading and once I've established my
> ppp connection, I can ping any internet site or ip from the NT box.
> However, I can only make the diald server establish a connection if the IP
> request originates from itself.  If the request originates from another
> machine, diald does not attempt to dial.  The default gateway on my NT box
> is the eth0 IP address on my diald box and the default gateway on the diald
> box is sl0.
>
> Any ideas would be greatly appreciated.
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-diald" in
> the body of a message to [EMAIL PROTECTED]

If you're using kernel 2.2 and diald-0.99.x, you must have masquerading off and
forwarding on while the link is down. Check 'route -n' to make sure you've got
the default routes you think you do. Here're scripts that work for me.

/etc/diald/diald.conf:

# diald configuration
#
include /etc/diald/my.filter
#

# debug 31 # uncomment this line for detailed packet rule messages
# use "/usr/sbin/diald debug 31 -daemon" on command line for foreground
#
mode ppp    # use pppd not slip
connect /etc/ppp/ppp-on-dialer  # chat script
device /dev/ttyS1   # serial device
speed 115200    # port speed
modem     # what's attached to ttyS1
lock     # lock port while in use
dynamic     # ISP assigns ppp addresses
local 192.168.0.101       # used as address of virtual ppp
remote 192.168.0.102   # dynamic causes this to be ignored
netmask 255.255.255.0   # IP addresses' netmask
ip-up /etc/ppp/pppfw_up  # adjust firewall for ppp0 link and add default route thru ppp0
ip-down /etc/ppp/pppfw_down  # remove firewall's ppp0-in rules
crtscts     # use hardware flow control
pppd-options asyncmap 0xa0000
pppd-options passive
pppd-options noipdefault
redial-timeout 10   # wait 10 secs to redial
redial-backoff-start 2   # double wait to redial after 2nd
dial-fail-limit 5   # give up after 5 tries
fifo /etc/diald/diald.ctl  # file for dcntl and diald-top

firewall rules set at boot time:

#!/bin/sh

# this script is called by /etc/rc.d/init.d/network

# the ppp IP addresses (commented out; not used by the rules below)
# ppp_isp_ip=$(/sbin/ifconfig ppp0 | grep inet | awk '{ print $3 }' | sed -e s/P-t-P://)"/32"

# my LAN's address
my_lan="192.168.0.0/24"

# turn on antispoofing for all interfaces
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# flush, then set all policies
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

# create user chains
ipchains -N icmp-err
ipchains -N ppp-out
ipchains -N ppp-in

# set icmp-err chain
ipchains -A icmp-err -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-err -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-err -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-err -p icmp --icmp-type parameter-problem -j ACCEPT

# set ppp-out chain
ipchains -A ppp-out -j DENY -l
ipchains -A ppp-out -p tcp --dport http -t 0x01 0x10
ipchains -A ppp-out -p tcp --dport telnet -t 0x01 0x10
ipchains -A ppp-out -p tcp --dport ftp-data -t 0x01 0x02
ipchains -A ppp-out -p tcp --dport nntp -t 0x01 0x02
ipchains -A ppp-out -p tcp --dport pop -t 0x01 0x02

# set ppp-in chain
ipchains -A ppp-in -s $my_lan -j DENY -l
ipchains -A ppp-in -p tcp --dport 6000:6010 -j DENY
ipchains -A ppp-in -p udp --dport 61000:65096 -j ACCEPT
ipchains -A ppp-in -p tcp --dport 1024:65096 -j ACCEPT
ipchains -A ppp-in -p udp --dport 1024:65096 -j ACCEPT
ipchains -A ppp-in -p udp -s 207.66.20.12 53 -j ACCEPT   # replies from the ISP resolvers (source port 53)
ipchains -A ppp-in -p udp -s 207.66.20.13 53 -j ACCEPT
ipchains -A ppp-in -p tcp -s 207.66.20.12 53 -j ACCEPT
ipchains -A ppp-in -p tcp -s 207.66.20.13 53 -j ACCEPT
ipchains -A ppp-in -p icmp --icmp-type pong -j ACCEPT   # ping replies only
ipchains -A ppp-in -p icmp -j icmp-err   # other ICMP: accept the error types in icmp-err, else fall through
# deny packets claiming a multicast source address
# (assumed intent: the original "224.0.0.10:65596" is not a valid ipchains address/port spec)
ipchains -A ppp-in -s 224.0.0.0/4 -j DENY
ipchains -A ppp-in -j DENY -l   # everything else on ppp0: deny and log

# set input chain
ipchains -A input -i ppp0 -j DENY

# set output chain
ipchains -A output -i ppp0 -j DENY

firewall rules set when IP link comes up on ppp0 (/etc/ppp/pppfw_up), ie, ip-up
script:

#!/bin/sh

# this script is called by diald as the ip-up script (see diald.conf); diald passes
# $1 interface, $2 netmask, $3 local IP, $4 remote IP, $5 metric

# the ppp0 local address as seen by ifconfig (same value as $3; kept for reference)
ppp_dyn_ip=$(/sbin/ifconfig ppp0 | grep inet | awk '{ print $2 }' | sed -e s/addr://)"/32"

# load per protocol masquerading module for ftp
/sbin/insmod ip_masq_ftp

# set forwarding rules
/sbin/ipchains -A forward -i ppp0 -j MASQ
/sbin/ipchains -A forward -j DENY -l

# replace first rule in ppp-out chain: anything leaving ppp0 must carry our own
# address ($3), which stops spoofed or unmasqueraded LAN packets reaching the ISP
/sbin/ipchains -R ppp-out 1 -s ! $3 -j DENY

# reset input rules
/sbin/ipchains -F input
/sbin/ipchains -A input -i ppp0 -j ppp-in

# reset output rules
/sbin/ipchains -F output
/sbin/ipchains -A output -i ppp0 -j ppp-out

# add newly brought up route
/sbin/route add default gw $4 ppp0

firewall rules set when IP link goes down on ppp0 (/etc/ppp/pppfw_down), ie,
ip-down script:

#!/bin/sh
# this script is called by diald as the ip-down script (see diald.conf)

# default route to tap0
/sbin/route add default gw 192.168.0.102 tap0

# unload ftp masquerading module
/sbin/rmmod ip_masq_ftp

# reset forward chain to plain ACCEPT policy
/sbin/ipchains -F forward

# reset input chain
/sbin/ipchains -F input
/sbin/ipchains -A input -i ppp0 -j DENY

# reset output chain
/sbin/ipchains -F output
/sbin/ipchains -A output -i ppp0 -j DENY

