Linux-Networking Digest #622, Volume #10         Wed, 24 Mar 99 22:14:06 EST

Contents:
  Re: ipchains, ipforwarding, kernel 2.2.3ac1 and ftp (Aaron Mulder)
  remote dump problems ([EMAIL PROTECTED])
  Re: Almost there with PPP, except. . . ("Ronald BAL")
  Re: Pacbell ADSL and Linux (Daniel Linux user)
  Re: Knowledge Base (Daniel Linux user)
  Re: ACE SecurID and PPP/chat (Clifford Kite)
  Re: ICQ Client and socks... ("Curt")
  IP Masquerading (Jason)
  Re: 4mb Ram 386 router ([EMAIL PROTECTED])
  How do I know? (Mark Andal)
  Re: Linuxconf and passwd rules (Bill Unruh)
  Re: help w/ppp dial out (Bill Unruh)
  Re: Plain vanilla routing (Job Eisses)
  Re: ipchains, masq, question (Job Eisses)

----------------------------------------------------------------------------

From: Aaron Mulder <[EMAIL PROTECTED]>
Subject: Re: ipchains, ipforwarding, kernel 2.2.3ac1 and ftp
Date: Wed, 24 Mar 1999 22:02:16 GMT

  I am having the same problem (FTP errors like 425 Can't open data
connection and 426 data connection: broken pipe) with the same Linux
configuration (Red Hat 5.2, Kernel 2.2.3).  I have loaded the ip_masq_ftp
module (it shows up when I run lsmod), so I don't understand the problem.  My
ipchains initialization is only slightly more complicated (eth0 is for the
internet and uses DHCP, eth1 is the local network 10.x.x.x):

ipchains -A input -j ACCEPT -i eth0 -s 0/0 68 -d 0/0 67 -p udp
ipchains -P forward -l DENY
ipchains -A forward -s 10.0.0.0/8 -i eth0 -j MASQ

  Any thoughts would be appreciated...

Aaron

In article <7cpoe1$eui$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> I am running a somewhat complicated (for me) network in my basement. Four
> PCs, some connected via 100MB Ethernet, some by 10base2. I have ip
> masquerading working fine on the other machines (2 more Linux and 1 Win95),
> in that web browsing, telnet and mail work fine. However, trying to ftp from
> any PC other than mine (which has the internet connection) fails on any
> command besides "pwd" and logging in to the ftp server (i.e. "ls", "mput",
> etc).
>
> I am running RH5.2 with all upgrades needed for the 2.2.3ac1 kernel.
>
> I have 2 100MB PCI and 1 10MB ISA network cards in my PC. To enable ip
> forwarding, I have only this line in my rc.local:
>
> ipchains -A forward -i eth1 -j MASQ
>
> Eth1 being the card that is connected to the internet.
>
> My routing table:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> syrinx          *               255.255.255.255 UH    0      0        0 eth0
> daisy           *               255.255.255.255 UH    0      0        0 eth0
> del             *               255.255.255.255 UH    0      0        0 eth2
> 208.202.106.128 *               255.255.255.192 U     0      0        0 eth1
> 192.168.3.0     *               255.255.255.0   U     0      0        0 eth2
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
> default         barbrady129.den 0.0.0.0         UG    0      0        0 eth1
>
> /etc/hosts:
> 127.0.0.0       localhost       localhost.localdomain
> 127.0.0.1       localhost       localhost.localdomain
> 192.168.1.1     syrinx  syrinx
> 192.168.1.3     daisy   daisy
> 192.168.2.1     adsl
> 192.168.3.3     del     del
> 192.168.3.1     syria
> 192.168.3.5     mir     mir
>
> ifconfig:
> eth0      Link encap:Ethernet  HWaddr 00:10:5A:A9:CD:C8
>           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1711 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1430 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           Interrupt:11 Base address:0xe800
>
> eth1      Link encap:Ethernet  HWaddr 00:A0:CC:20:7A:76
>           inet addr:208.202.106.144  Bcast:208.202.106.191  Mask:255.255.255.192
>           UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:63604 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:45375 errors:5 dropped:0 overruns:0 carrier:5
>           collisions:0 txqueuelen:100
>           Interrupt:12 Base address:0xec00
>
> eth2      Link encap:Ethernet  HWaddr 10:00:5A:3D:96:E5
>           inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:122714 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:317208 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           Interrupt:7 Base address:0x300
>

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: [EMAIL PROTECTED]
Subject: remote dump problems
Date: Wed, 24 Mar 1999 20:37:34 GMT

Hi!  I have been trying to do remote tape backup of our systems using dump.
When I execute the following command I get the following errors. What is
misconfigured? Thank You.

/sbin/dump 0dsfu 42500 39368 tape.edgeglobal.com:/dev/nst0 /dev/hda2

[...snip]
DUMP: mapping (Pass II) [directories]
DUMP: estimated 1386729 tape blocks on 0.13 tape(s)
DUMP: Protocol to remote tape server botched (code "rmt: Command not found.")
rdump: Lost connection to remote host.
DUMP: Bad return code from dump: 1

Could you please send your responses to my email account.


------------------------------

From: "Ronald BAL" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.misc,comp.os.linux.setup,linux.redhat.misc
Subject: Re: Almost there with PPP, except. . .
Date: Thu, 25 Mar 1999 22:40:44 +0100


Bill Unruh wrote in message <7d17u7$4ef$[EMAIL PROTECTED]>...
>In <HpAI2.17$[EMAIL PROTECTED]> "Brian E. Parker" <[EMAIL PROTECTED]>
writes:
>
>
>
>chmod +s /usr/sbin/pppd
>as root.
>
In that case you run pppd with the SUID bit set. A hacker can cause a buffer
overflow and get root access.
Please read the message in comp.security.announce and the mentioned CERT
reports.

Greetings,

Ronald



------------------------------

From: Daniel Linux user <[EMAIL PROTECTED]>
Subject: Re: Pacbell ADSL and Linux
Date: Wed, 24 Mar 1999 13:19:38 -0800

jaydub wrote:
> 
> hello all,
> 
> I am getting ADSL setup at home this week.  I am running
> Debian Slink/Potato and I was wondering if there
> is anything I need to be prepared for in setting up
> the DSL service.  Any advice is appreciated.
> 
> Jeff
> [EMAIL PROTECTED]

  The installation from PacBell provides a Kensington card which is
supported in Linux (with a tulip driver I think?) but I bought a Netgear
card ahead of time so I could compile the kernel to support the card
before the guy showed up at my door.  When he was installing the POTS
splitter outside, I took the IP and Gateway numbers and plugged them
in.  Simple as that.  After he was done wiring, we plugged the modem in
and nothing!  He used his laptop (running Win95) to try to ping the
gateway, nothing!  He called some phone number, waited for about an hour
and was told to turn off the modem and turn it back on.  Of course it
worked.  Everything works fine with the occasional dropped connection,
which is usually solved by turning the modem off/on.  The frequency of
this occurring is lengthening.  I figure I'll give them one month before
I call and start complaining.  They have two more weeks.

You may want to check out the ADSL mini Howto 
http://www.digitalvoodoo.org/LDP/HOWTO/mini/ADSL.html

Daniel

------------------------------

From: Daniel Linux user <[EMAIL PROTECTED]>
Subject: Re: Knowledge Base
Date: Wed, 24 Mar 1999 13:46:22 -0800

[EMAIL PROTECTED] wrote:
> 
> Does anyone know of a good site for a LINUX beginner.

Start here by choosing a mirror closest to you: 
http://metalab.unc.edu/LDP/mirrors.html

Also:

Josh's guide  http://www.linux-howto.com/LinuxGuide/index.html

Linux Support Services  http://support.marko.net/

------------------------------

From: [EMAIL PROTECTED] (Clifford Kite)
Subject: Re: ACE SecurID and PPP/chat
Date: 24 Mar 1999 16:21:59 -0600

Francis R Bridge ([EMAIL PROTECTED]) wrote:
: My company uses the ACE SecurID card to authenticate users.  This SecurID
: card is a small credit-card size electronic device which displays a six
: digit number synchronized to the server which must be typed in after
: connecting to the terminal server.  The number updates about once a minute.

: I've been using a DIP script for years to make a SLIP connection, but now
: I'm forced to use PPP/chat and would like to write a script to
: interactively query for the random numbers at the appropriate time during
: the login process.


Here is an old post with a patch for chat and the chat man page that allows
manual entry of a PIN and password.  It is not mine and I haven't had
occasion to use it so I can't vouch for it, but the code seems reasonable.
The idea could be warped into other types of manual entry that might
be necessary.

---

Date: Sat, 28 Nov 1998 01:57:05 +0000
From: Steve Falco
Subject: chat modification for SecurID support

I have to use a SecurID "one time password" authenticator to connect to
my employer's network.  Since the password changes every minute, I can't
put the password in a script or file.  So, I have made a small change to
the chat program to allow the password to be typed in when requested. 
The syntax is simply \P, which causes a password prompt to be issued to
the controlling terminal.  I use this with the "updetach" option to pppd
to retain the terminal connection until chat completes.  My employer's
system also requires a PIN; this is simply added to the \P.  For
example, the expect/send string:

Password: 12345678\P

will send 12345678 concatenated with whatever password is typed in.  I
have attached the patches to chat.c and chat.8.  I'd like to request
that this change be made to the official source, as I imagine there are
other folks using SecurID authenticators who would benefit.

        Thanks,
        Steve Falco

The chat patch --------------------------------------------------------------

*** chat.c.old  Thu Jun  4 20:47:28 1998
--- chat.c      Thu Jun  4 20:51:08 1998
***************
*** 650,655 ****
--- 650,658 ----
  register char *s;
  int sending;  /* set to 1 when sending (putting) this string. */
  {
+     char *getpass();
+     FILE *tp;
+     char *ep;
      char temp[STR_LEN], cur_chr;
      register char *s1, *phchar;
      int add_return = sending;
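Review bot: `char *getpass();` is an old-style declaration with no prototype; include <unistd.h>, where getpass is declared, instead of re-declaring it locally, so the compiler can check the call made in the next hunk. The other two additions, `FILE *tp;` and `char *ep;`, are used only by the new `case 'P'` and could be scoped to that block.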
***************
*** 695,700 ****
--- 698,724 ----
                add_return = 0;
            else
                *s1++ = cur_chr;
+           break;
+ 
+       case 'P':
+           /* getpass writes its prompt to stderr, which pppd connects to a
+            * log file.  We want it where the user can see it, so we write
+            * the prompt ourselves.  We could re-implement getpass() or put
+            * a hack into pppd, but this is slightly cleaner.
+            */
+           if((tp = fopen("/dev/tty", "w")) == NULL) {
+                   syslog(LOG_INFO, "Cannot open /dev/tty");
+                   break;
+           }
+           fprintf(tp, "Password: ");
+           fclose(tp);
+           for(
+               ep = getpass("");
+               (*ep != 0) && (*ep != '\n');
+               /**/
+           ) {
+               *s1++ = *ep++;
+           }
            break;
  
        case '\\':
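Review bot: the copy loop `*s1++ = *ep++;` has no bound. `s1` writes into `temp[STR_LEN]` (declared in the hunk above), so a typed password longer than the space left in `temp` overruns a stack buffer; check `s1 - temp < STR_LEN - 1` before every store. `getpass()` also returns NULL on error, and `*ep` is dereferenced without a check. Two smaller points: the `fopen("/dev/tty", "w")` failure path only logs and `break`s, so the string is then sent with nothing in place of `\P`, which should probably abort the script instead; and the man page hunk says `\P` is `(not valid in expect.)`, yet nothing here tests `sending` before prompting.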

The chat man pages patch ----------------------------------------------------

*** chat.8.old  Thu Jun  4 20:47:35 1998
--- chat.8      Thu Jun  4 20:53:13 1998
***************
*** 406,411 ****
--- 406,418 ----
  Pause for a fraction of a second. The delay is 1/10th of a second.
  .I (not valid in expect.)
  .TP
+ .B \\\\P
+ Prompt for a password from the controlling terminal.  The password will be
+ interpolated in place of \\P.  You will probably want to set the updetach
+ option to pppd(8) to keep the controlling terminal until after the chat script
+ finishes.  The -detach option to pppd(8) can be used instead, if you like.
+ .I (not valid in expect.)
+ .TP
  .B \\\\q
  Suppress writing the string to the SYSLOG file. The string ?????? is
  written to the log in its place.
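Review bot: the new paragraph should say what becomes of the typed password in the log. The `\q` entry directly below states that send strings are written to the SYSLOG file unless suppressed, so a script using `Password: 12345678\P` without `\q` can end up with the PIN and the one-time code recorded in syslog; add a sentence recommending `\q` together with `\P`.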

============================================================================

--
Clifford Kite <[EMAIL PROTECTED]>                       Not a guru. (tm)
/* 97.3% of all statistics are made up. */
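Added example, not code from the patch or from pppd: a bounded reimplementation of the `\P` expansion described above, with the typed password passed in as a parameter (instead of read from /dev/tty) so it runs offline; `expand_send_string` and its handling of `\\` are assumptions of this example, not chat's real escape logic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patch's code): expand a chat send string in which
 * "\P" stands for a password typed at run time, as Steve Falco's syntax
 * describes ("Password: 12345678\P" sends the PIN followed by the token
 * code).  Unlike the patch, the typed text is passed in as a parameter
 * (so this runs offline) and every store is bounded by outlen, so a long
 * password cannot overrun the buffer.  "\\" yields a literal backslash;
 * any other escape is copied through unchanged (an assumption here; the
 * real chat knows many more escapes).  Returns the number of characters
 * written, or -1 if typed is NULL (what getpass returns on error) or the
 * result would not fit.
 */
int expand_send_string(const char *spec, const char *typed,
                       char *out, size_t outlen)
{
    size_t n = 0;

    if (outlen == 0 || typed == NULL)
        return -1;
    for (const char *p = spec; *p != '\0'; p++) {
        if (*p == '\\' && p[1] == 'P') {
            /* interpolate the typed password, stopping at NUL or newline */
            for (const char *t = typed; *t != '\0' && *t != '\n'; t++) {
                if (n + 1 >= outlen)
                    return -1;          /* no room: refuse, do not truncate */
                out[n++] = *t;
            }
            p++;                        /* skip the 'P' */
            continue;
        }
        if (*p == '\\' && p[1] == '\\')
            p++;                        /* "\\" -> one literal backslash */
        if (n + 1 >= outlen)
            return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[64];
    /* constructed sample: PIN in the script, token code "typed" by the user */
    int len = expand_send_string("12345678\\P", "4711\n", buf, sizeof buf);
    if (len < 0) {
        fprintf(stderr, "send string does not fit\n");
        return 1;
    }
    /* a real chat would send buf to the modem and, without \q, log it too */
    printf("would send: %s (%d chars)\n", buf, len);
    return 0;
}
```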

------------------------------

From: "Curt" <[EMAIL PROTECTED]>
Subject: Re: ICQ Client and socks...
Date: Wed, 24 Mar 1999 20:13:06 -0500

ICQ will work through a socks proxy server if you use a socks wrapper like
sockscap32 or another one from Hummingbird.  Take a look at www.socks.nec.com .

[EMAIL PROTECTED] wrote in message
<7dbp8m$vhc$[EMAIL PROTECTED]>...
>In article <lOkF2.27579$[EMAIL PROTECTED]>,
>  "Paul Criswell" <[EMAIL PROTECTED]> wrote:
>> I was curious if anyone knows of an ICQ client that directly supports
>> socks (other than the java one).  For some reason I can't get the java
>> client to log on properly (although it connects via socks to the server
>> fine).  I have seen a few clients that support socks by using
>> ./configure --enable-socks5, but I have never been able to get that
>> function to work properly.  If anyone knows of another client that
>> supports socks, knows of a how-to site to use the --enable-socks5
>> correctly, or actually knows how to "socksify" a normally non-socks
>> compliant client, please let me know.  Thanks.
>
>Hi Chris,
>
>Unfortunately, I'm having the same trouble.  I get an error during the
>make that it can't find the socks.h file.  I've searched for that file, and
>it doesn't exist on my system.  I think we are both missing a library
>somewhere, but I'm too much of a newbie to figure it out.  If I find a
>solution, I'll forward it on to you.  I would appreciate it if you would
>forward any solutions you find as well.
>
>Thanks,
>
>Matthew
>



------------------------------

From: Jason <[EMAIL PROTECTED]>
Subject: IP Masquerading
Date: Wed, 24 Mar 1999 17:46:43 -0500

I've got a problem setting up an IP masq system.  Here's the situation.
I think I've followed this as documented in the IP Masquerading Mini
Howto at
sunsite.unc.edu/pub/Linux/distributions/slackware/3.6/docs/howto/mini.

My 2 '95 machines are both set up to use the LAN for internet access and
have a gateway set for 192.168.1.1 and dns settings to look for my ISP's
dns server.  My machine (the one I'm using right now) is connected to
the internet and is bound for the local network on eth0 to 192.168.1.1
and internet access on ppp0 with a dynamic IP.  My /etc/rc.d/rc.inet1
sets up a route for the network (192.168.1.0) using the netmask
255.255.255.0.  I have ipfwadm set up to accept masq of 192.168.1.0/24
and target it to 0.0.0.0/0 with the command "ipfwadm -F -a m -S
192.168.1.0/24 -D 0.0.0.0/0".

On the 95 machines, pinging my PC works fine but access to anything else
via IP or domain name does not work.  The only thing that DOES work is
using the IP address of 192.168.1.1 to request a service (i.e.
http://192.168.1.1).

Anyone that can help please post and/or email me.

Thanks

Jason Lyons
[EMAIL PROTECTED]



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: 4mb Ram 386 router
Date: Thu, 25 Mar 1999 00:51:18 GMT

On Sun, 21 Mar 1999 15:41:32 GMT, [EMAIL PROTECTED] (mike dombrowski)
wrote:

>I'm currently using a 386sx with 4mb ram to route between my two
>networks. The software is dos based and requires that you register it
>or it only will run for an hour. So I was wondering if Linux could do
>the job. I headed over to the linux router project and it says that a
>486 with 12mb ram is needed. Now the 386 has a hard disk so couldn't
>an 8mb swap partition do the trick? It doesn't need to be high
>performance, just around 200kbs so mp3 transfers won't take so long.
>If so how should I go about setting it up? Or is my best bet to stick
>with DOS?
>
>thanks
>Mike Dombrowski
>
I think an older version of Slackware should do the trick,
just install the base system and the network disk sets. (this should
only take about 30 meg HD space. you may also want the development to
build a new kernel if necessary) kernel version 2.0.36 (even 1.2.x
would work for this and takes less ram but lacks hardware support) and
set up routing tables. an 8 meg swap partition should do.

once up, kill all the daemons.  you don't need inet services, you don't
need mail, you won't need cron, etc. after proper set up, the computer
will only use the HD to boot because the only service it's doing is
routing, that would be done all in ram never needing the HD. the swap
partition would be used to kick the gettys (logins) out of ram and
after about 10 minutes or so, never touch the HD unless requested.

tng

------------------------------

From: Mark Andal <[EMAIL PROTECTED]>
Crossposted-To: linux.redhat.ppp
Subject: How do I know?
Date: 14 Mar 1999 05:17:11 GMT

Okay,

When I log on to my ISP (worldnet)
How do I know exactly what speed I am connecting at?
If I use KPPP it says 115200?

Also I'm using a Zoom 2948 (External modems work best)
Does anyone have a great AT setup line i should use?

Thanks,
Mark Andal

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: linux.redhat.misc
Subject: Re: Linuxconf and passwd rules
Date: 24 Mar 1999 22:54:33 GMT

In <[EMAIL PROTECTED]> Rick Miller <[EMAIL PROTECTED]> writes:

>    Well, yes, it accepts it, for root.  My users are not able to change the
>password unless they select something which Linux will accept which is usually
>something way off the wall.  I don't want it to do this.  It seems as though
>it is checking the password against a dictionary before assigning it.  I do
>not want it to do this.

a) I would think carefully before you allow your users to use insecure
passwords. If your computer is never attached to the net, you are
probably OK (but designing bad habits). If you are connected to the net,
then what you are doing is very dangerous, unless you do not care if
your machine is hacked. If those users are outsiders to whom you owe a
level of care, then you could find yourself liable for losses they
suffer due to your lack of due diligence.

b) pam is configured in /etc/pam.d/passwd
It will say that it requires pam_cracklib.so
remove that line.
(Again, think before you do this).


------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: help w/ppp dial out
Date: 24 Mar 1999 22:58:56 GMT

In <7db9k5$[EMAIL PROTECTED]> "kari" <[EMAIL PROTECTED]> writes:

>IT WOULD BE GREAT IF YOU COULD GIVE SOME DETAIL AS THE
>"HOW TO" OF WHAT YOU SPEAK ABOUT.

It would be great if you gave details of your problem. You are the one
who wants help. People may try to help you out of the goodness of their
heart, but why should they if you then shout at them.

Are you running diald? Are you running named? Are you running gated?
Are you running sendmail -bd? ....
How can anyone give you help if all you say is "It does not work", and
then shout at people who despite that try to help you?


>>(snip)
>>> During boot, my modem dials out.  Which I guess is ok, but last night it
...
>>  This sounds like diald to me.  I don't use it, but I believe that's
>>what it does, and it sounds like you've got a broken config that's
>>causing it to auto-dial at boot...

------------------------------

Date: Wed, 24 Mar 1999 23:53:26 +0100
From: Job Eisses <[EMAIL PROTECTED]>
Subject: Re: Plain vanilla routing

Armin Duske wrote:
> I can't make that box route. I have two NICs and I can reach
...
> Any ideas?

Tried "echo 1 > /proc/sys/net/ipv4/ip_forward" ?          -job

------------------------------

Date: Wed, 24 Mar 1999 23:58:52 +0100
From: Job Eisses <[EMAIL PROTECTED]>
Subject: Re: ipchains, masq, question

Scott MacDonald wrote:
> 
> Hi,
> 
> If an ip address is being masqueraded behind a linux firewall, can the real
> ip address still be seen by other types of hacking software like port
> scanning software?

No, unless it is also port-forwarded.

> Or will that ip only be seen from that subnetwork if it
> is active on the internet or passing packets through the firewall?
 
It can be sniffed on the outside in its translated form.
                                                         -job

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.networking) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Networking Digest
******************************
