Linux-Networking Digest #852, Volume #10 Wed, 14 Apr 99 07:13:43 EDT
Contents:
ipchains script ("Ramon Leon")
Re: ip port forwarding with ipchains ("Ramon Leon")
Help!! High packet collisions!! (Raphael)
setting clock remotely ("craigw")
Re: Playing BATTLE.NET and Age of Empires behind IP Masquerade ("Robert Hurst")
Re: SAMBA, GUI for dummies like me. (Richard Torkar)
Re: RedHat 5.2 and Samba on a Server, And a Win/95 Box...Help ("Ron van Middendorp")
Re: Mail server for Linux (Erlend Midttun)
Re: setting proper netmask for aliased ip's ("TaZzY-X")
Re: .shosts: Your host key cannot be verified: unknown or invalid host key? (Georg Schwarz)
Re: 3 com 3c905b TX network card problems... (Jason Costomiris)
Re: Where do I go? ("Ng, Choon Hooi")
Re: Masquerade on Red Hat 5.2... ("Curt")
----------------------------------------------------------------------------
From: "Ramon Leon" <[EMAIL PROTECTED]>
Subject: ipchains script
Date: Tue, 13 Apr 1999 19:04:02 -0700
Here's what I've got so far after two weeks of trying to make a secure
script. Can anyone please help me get this working?
___________________________________
#!/bin/sh
# variables
SERVER="10.0.0.3"
LOCALIP="208.xxx.xx.xx"
# NB: the original /32 on the .0 address matches only that single address, so
# every rule using $LOCALNET missed the firewall's own IP; a /24 is assumed
# here, adjust it to your real prefix
LOCALNET="208.xxx.xx.0/24"
INTERNALIP="10.0.0.1"
INTERNALNET="10.0.0.0/8"
REMOTENET="0/0"
LOOPBACKIF="lo"
EXTERNAL_INTERFACE="eth0"

## the forward chain does nothing unless the kernel forwards at all
echo 1 > /proc/sys/net/ipv4/ip_forward

## Flush everything, start from scratch
ipchains -F

# Default Policy
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY

## Allow all connections within the network
ipchains -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT
ipchains -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT

## Allow loopback interface
ipchains -A input -i $LOOPBACKIF -s 0/0 -d 0/0 -j ACCEPT
ipchains -A output -i $LOOPBACKIF -s 0/0 -d 0/0 -j ACCEPT

## Masquerading
ipchains -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
## don't masquerade traffic that already carries a public source address
ipchains -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT
## masquerade all internal IPs going outside
ipchains -A forward -s $INTERNALNET -d $REMOTENET -j MASQ

## Allow all connections from the network to the outside
ipchains -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
ipchains -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT

# Set telnet, www and FTP for minimum delay (TOS bit 0x10)
ipchains -A output -p tcp -d 0/0 www -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 telnet -t 0x01 0x10
ipchains -A output -p tcp -d 0/0 ftp -t 0x01 0x10
# Set ftp-data for maximum throughput (TOS bit 0x08)
ipchains -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08

## Specific port blocks on the external interface
## (ipchains takes the first matching rule, so these must stay in front of
## the high-port ACCEPT further down)
## MS-SQL
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -l -j DENY
#
## NFS
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -l -j DENY
#
## PostgreSQL
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -l -j DENY
#
## X11 displays :0 to :2 (plus a port either side)
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -l -j DENY
#
## Back Orifice
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 31337 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 31337 -l -j DENY
#
## NetBus
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -l -j DENY
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -l -j DENY

## High unpriv ports
# this opens all unprivileged ports (1024 and up; the original started at
# 1023, which is still a privileged port), hence the port blocks above
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 1024:65535 -j ACCEPT
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 1024:65535 -j ACCEPT

## Basic Services allowed on external interface
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
ipchains -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
ipchains -A input -p tcp -s $REMOTENET -d $LOCALNET 308 -j ACCEPT

# Forward Services to Internal Server
echo "Forwarding Needed Services"
# clear old entries first so re-running the script does not stack duplicates
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $LOCALIP 21 -R $SERVER 21
ipmasqadm portfw -a -P tcp -L $LOCALIP 23 -R $SERVER 23
ipmasqadm portfw -a -P tcp -L $LOCALIP 25 -R $SERVER 25
ipmasqadm portfw -a -P udp -L $LOCALIP 53 -R $SERVER 53
ipmasqadm portfw -a -P tcp -L $LOCALIP 53 -R $SERVER 53
ipmasqadm portfw -a -P tcp -L $LOCALIP 80 -R $SERVER 80
ipmasqadm portfw -a -P tcp -L $LOCALIP 110 -R $SERVER 110
ipmasqadm portfw -a -P tcp -L $LOCALIP 308 -R $SERVER 308

## ICMP
#
# Deny
# Use this to deny ICMP attacks from specific addresses
# (the original referenced an undefined $EXTERNALIF here)
#ipchains -A input -b -i $EXTERNAL_INTERFACE -p icmp -s <address> -d 0/0 -l -j DENY
#
# Allow incoming ICMP
ipchains -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
# Allow outgoing ICMP
ipchains -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
ipchains -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
# Bi-Directional Ping: echo-reply (0), dest-unreachable (3), source-quench (4),
# time-exceeded (11), parameter-problem (12). The broad ICMP accept above
# already covers these; they only matter once that rule is tightened.
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 0 -d $LOCALIP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 3 -d $LOCALIP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 4 -d $LOCALIP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 11 -d $LOCALIP -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -s $REMOTENET 12 -d $LOCALIP -j ACCEPT
echo "Firewall Enabled"
__________________________________________
just put this here to stop some spam from automated scanners
no spam please
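The thing that decides whether the script above actually protects anything is rule order: ipchains takes the first matching rule in a chain, so the per-port DENY entries only bite because they are listed before the broad high-port ACCEPT. The following is an added example, not part of Ramon's post, that simulates that first-match walk over a rule table constructed from the post's port list (the high-port range is written as 1024:65535, the real unprivileged range; the post writes 1023:65535, which also catches the privileged port 1023). The `classify` function and the `ACCEPT_FIRST` table are assumptions of this example, not ipchains features; nothing here touches the kernel.

```shell
#!/bin/sh
# Added example (not from the original post): first-match simulator for the
# external-interface input rules.  Rule table constructed from the post's
# port list, one rule per line: proto dport_lo dport_hi target.  Order is
# the order the rules would have in the chain.
RULES='
tcp 1433 1433 DENY
udp 1433 1433 DENY
tcp 2049 2049 DENY
udp 2049 2049 DENY
tcp 5432 5432 DENY
udp 5432 5432 DENY
tcp 5999 6003 DENY
udp 5999 6003 DENY
tcp 31337 31337 DENY
udp 31337 31337 DENY
tcp 12345 12346 DENY
udp 12345 12346 DENY
tcp 1024 65535 ACCEPT
udp 1024 65535 ACCEPT
tcp 20 21 ACCEPT
tcp 23 23 ACCEPT
tcp 25 25 ACCEPT
tcp 53 53 ACCEPT
udp 53 53 ACCEPT
tcp 80 80 ACCEPT
tcp 110 110 ACCEPT
tcp 308 308 ACCEPT
'
POLICY=DENY          # chain policy: applies when no rule matches

# The same rules with the high-port ACCEPT moved to the front (constructed
# to show the failure mode): every DENY for a port >= 1024 is now shadowed.
ACCEPT_FIRST="tcp 1024 65535 ACCEPT
udp 1024 65535 ACCEPT
$RULES"

# classify PROTO PORT [RULES]: print the target of the first matching rule,
# or the chain policy when nothing matches.  Mirrors ipchains' first-match
# semantics for destination port ranges; the table defaults to $RULES.
classify() {
    proto=$1; port=$2; rules=${3:-$RULES}
    result=$(printf '%s\n' "$rules" | while read -r rp lo hi target; do
        [ -z "$rp" ] && continue                     # skip blank lines
        if [ "$rp" = "$proto" ] && [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            echo "$target"
            break                                    # first match wins
        fi
    done)
    echo "${result:-$POLICY}"
}

# Demo: the same packets against the posted order and the shadowed order.
for pkt in "tcp 1433" "tcp 31337" "tcp 8080" "udp 53" "tcp 22"; do
    proto=${pkt%% *}; port=${pkt#* }
    echo "$proto/$port: posted-order=$(classify "$proto" "$port")" \
         "accept-first=$(classify "$proto" "$port" "$ACCEPT_FIRST")"
done
```

Run it as is: with the posted order, 1433 and 31337 come back DENY and 8080 ACCEPT, while with the high-port ACCEPT moved up the blocked ports silently become ACCEPT, which is the mistake to look for when a port-block rule "does not work". A port below 1024 with no explicit rule (22 here) falls through to the chain policy either way.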
------------------------------
From: "Ramon Leon" <[EMAIL PROTECTED]>
Subject: Re: ip port forwarding with ipchains
Date: Tue, 13 Apr 1999 15:22:46 -0700
try this
ipmasqadm portfw -a -P tcp -L x.x.x.x 21 -R 192.168.1.2 21
where x.x.x.x is your external IP. ipportfw and ipfwadm don't work with
ipchains as far as I know.
> That's the command line I'm trying for the ftp port:
>
> ipchains -A forward -p tcp -j REDIRECT 21 -s 192.168.1.1 21 -d 192.168.1.2 21
>
> What's wrong with it? or... where's an updated port-forwarding howto?
>
------------------------------
From: Raphael <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.hardware
Subject: Help!! High packet collisions!!
Date: Wed, 14 Apr 1999 00:49:58 -0700
Reply-To: [EMAIL PROTECTED]
I am getting extremely high packet collisions on my 10bT network!! With
Samba, it is so slow you won't believe it, while using FTP, it's better
(at least I get a transfer rate of up to 250+bps/sec). BTW this goes
both ways.
What I did to troubleshoot (but didn't work):
Changing NICs
Changing Cat5 cables
Switching OS on boxes
I have 2 10BT networked boxes, one with win98 and the other with Linux.
The Win box uses a DEC21041 NIC while the Linux box has 2 RealTek 8029
PCI (NE2000 compat.) NICs, one for internal network and the other
connected to cable modem. The hub is a 3ComTPO. I am suspecting that the
collisions are due to the low quality of the NE2K NICs, but I don't
understand why there is such a big difference between Samba and FTP
performance. I have a laptop running Win/Linux as well, and that is fine
with both protocols when talking to the Win98/DEC21041 machine, while
it's acting weird with the Linux gateway/server as well.
Can someone please give me some suggestions??
Thanks in advance!!
Raphael
P.S. pls cc: a copy to my email when you reply, thanks.
------------------------------
From: "craigw" <[EMAIL PROTECTED]>
Subject: setting clock remotely
Date: Wed, 14 Apr 1999 11:29:10 +0900
How do I set just the hour of the clock on Red Hat 5.6?
I tried the command
date '%H' -s 'HH' but it reset the minute when I set the hour.
------------------------------
From: "Robert Hurst" <[EMAIL PROTECTED]>
Subject: Re: Playing BATTLE.NET and Age of Empires behind IP Masquerade
Date: Tue, 13 Apr 1999 22:53:30 GMT
Thanks for your help, loser.
Eugene wrote in message
>do *NOT* post to newsgroups in HTML format since many news readers cannot
>read it.
>*NEVER* put stupid pictures in the background of your messages.
------------------------------
From: Richard Torkar <[EMAIL PROTECTED]>
Subject: Re: SAMBA, GUI for dummies like me.
Date: Wed, 14 Apr 1999 11:44:38 +0200
Windows98NOT! wrote:
>
> http://us1.samba.org/samba/GUI/
> That is the link for the GUIs for SAMBA. I have been cruising the samba
> web page. Very useful information.
> Hope those confused by SAMBA find this helpful.
On that site they don't have the best GUI for SAMBA though.
LinNeighborhood.
The rpm's for RedHat 5.x are at:
http://milkyway.thn.htu.se/~ds98rito/
The homepage for LinNeighborhood is at:
http://www.bnro.de/~schmidjo/
Richard Torkar
--
I _like_ using goto's every once in a while:
it can often mess up the gcc optimizer just enough
to get better code out of it.
(Linus Torvalds)
------------------------------
From: "Ron van Middendorp" <[EMAIL PROTECTED]>
Subject: Re: RedHat 5.2 and Samba on a Server, And a Win/95 Box...Help
Date: Wed, 14 Apr 1999 11:12:12 +0200
Reply-To: "Ron van Middendorp" <[EMAIL PROTECTED]>
> how do I edit the SMB.conf file in REdHat 5.2?
Eeeeh, vi?
------------------------------
From: Erlend Midttun <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.misc
Subject: Re: Mail server for Linux
Date: 14 Apr 1999 10:13:30 +0200
* [EMAIL PROTECTED]
| What program do I use and can someone point me to a FAQ or something so I can
| learn how to do this?
There is a Mail howto. My nearest mirror is
<URL:http://www.linux.no/biblioteket/HOWTO/Mail-HOWTO.html>
but there is probably a nearer site to you.
It does not cover my preferred mail system, Exim, but you can get the idea
of how a mail system works from that HOWTO. As for Exim, you can find
more information on
<URL:http://www.exim.org/>
and if you wish, RPM's off
<URL:http://developer.redhat.com/rhcn/browse/conventional/packageinfo.php3?package=exim>
| - Steve
Erlend..
--
Erlend Midttun [EMAIL PROTECTED]
Network administrator at Funcom Oslo AS. Speaking by myself, for myself.
IRC: Golle http://www.tihlde.hist.no/~erlendbm/
Have you ever wondered why there is no "uptime" command in NT?
------------------------------
From: "TaZzY-X" <[EMAIL PROTECTED]>
Crossposted-To: alt.comp.linux.isp,alt.linux,linux.admin.isp,linux.redhat.misc,local.linux-isp
Subject: Re: setting proper netmask for aliased ip's
Date: Tue, 13 Apr 1999 16:37:39 -1000
Scott,
My suggestion would be to save the trouble of having to map out different
IP's for different domains on your web server by having only one IP address
listen for the different domains and have the header information point to
the right directory. This is located in the virtualhost section of
httpd.conf.
# Apache 1.3 (as shipped with Red Hat 5.2) needs a NameVirtualHost line for
# the address before it will tell name-based <VirtualHost> blocks apart by
# the Host header (assumed here; uncomment if your blocks are not selected):
# NameVirtualHost users.inix.com
<VirtualHost users.inix.com>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /your_virtual_domain_directory
    # the name it will answer to
    ServerName www.yourvirtualdomain.com
    # better to keep the logs separate from other virtual domains
    ErrorLog logs/yourvirtualdomain/error_log
    TransferLog logs/yourvirtualdomain/access_log
</VirtualHost>
once this modification is made, kill and re-start your http daemon and don't
forget to make the change in your DNS (or who ever your DNS is being hosted
with) to the IP address of the machine.
Using this configuration also helps use of IP addresses that are slowly
getting scarce.
Ferdinand Navarro
System Operations - INiX
C. Scott Megna wrote in message <[EMAIL PROTECTED]>...
>I am new to linux and am running a webserver with redhat 5.2 as the OS. I
>have found out how to add ip aliases but i have not found out how to set the
>proper netmask for them. also, some of the ip's are on a different network,
>do i need to add some host based route or something or will it just
>automatically route them properly?
>
>csm
>
>--
>Thank you,
>
>AAA Universal Networks, Inc
>Serving the world from Southwest Florida!
>
>---------- www.gulfcoast.net ------------
>---------- [EMAIL PROTECTED] ------------
>
>941-948-2700 (Bonita/Naples)
>941-573-2700 (Cape Coral/ Ft. Myers)
>FAX 941-948-2701
>
>
------------------------------
From: [EMAIL PROTECTED] (Georg Schwarz)
Crossposted-To: comp.security.ssh
Subject: Re: .shosts: Your host key cannot be verified: unknown or invalid host key?
Date: 14 Apr 1999 09:12:29 GMT
[EMAIL PROTECTED] (Neil Rickert) writes:
>It is looking for information which could be in either the system
>'ssh_known_hosts' file, or in your $HOME/.ssh/known_hosts file. Each
>system should have known_hosts information about the other. When you
>login to system B from system A, that puts the information about B
>into the 'known_hosts' file on A. Then login the other way, to put
>the information needed into the 'known_hosts' file on B. Thereafter
>you should be set for using '.shosts' validation.
Thanks. The problem turned out to be that ssh_known_hosts only contained entries
with the hostname, not the FQDN of the originating host. After creating an
appropriate entry (by logging in the other way using the *FQDN* as the
destination; actually what sshd suggested [if you understand what it wants
to tell you :-)]) it now works as desired.
--
Georg Schwarz ([EMAIL PROTECTED], [EMAIL PROTECTED], PGP 2.6ui)
Institut für Theoretische Physik +49 30 314-24254 FAX -21130 IRC kuroi
Technische Universität Berlin http://home.pages.de/~schwarz/
------------------------------
From: [EMAIL PROTECTED] (Jason Costomiris)
Subject: Re: 3 com 3c905b TX network card problems...
Date: 14 Apr 1999 01:25:07 GMT
On Wed, 14 Apr 1999 16:26:00 +0800, kctiw <[EMAIL PROTECTED]> wrote:
: i am a newcomer to linux, i have installed redhat 5.2 with kernel ver.
: 2.0.36-0.7. Now i have a problem with the 3c905b nic. I read thru quite a
: number of the Qs posted in the newsgroup, but none of the suggestions or help are
: understandable to me.
:
: So, to simplify the question, can this version of linux really support the
: 3c905b nic?? Or should i upgrade to the latest version of the kernel??
Works fine. No voodoo or magic required.
If you're getting the "mac address is ff:ff:ff:ff:ff:ff" problem, check
to make sure your bios has Plug and Play OS set to "no". Also might
be helpful to remove the card, startup the machine so that it completes
the initial hardware stuff, no need to actually boot an OS, and then
stick the card back in. What's that do? It causes the PCI bios to
reconfigure itself, then when you put the card back, it reconfigs again,
and all should be well.
--
Jason Costomiris <><
Technologist, cryptogeek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
------------------------------
From: "Ng, Choon Hooi" <[EMAIL PROTECTED]>
Subject: Re: Where do I go?
Date: Wed, 14 Apr 1999 17:49:50 +0800
Well, what you can do, assuming that XWindow is installed on the better
machine, is to telnet from the 'tiny HD' machine to the better machine and
run XWin from there. Something like below:
On your 'tiny HD' machine, at the prompt, do the following:
xhost <the other machine hostname>
rlogin <the other machine hostname>
export DISPLAY=<your tiny hd machine hostname>:0.0
startx&
I think this should do it. Basically, what you are trying to do here is to run
the XWin on your better machine, but display it on the tiny HD machine. By
doing this, you don't really install an XWin server on the tiny hd machine at
all.
Hope this helps.
Matthew King wrote:
> please cc to [EMAIL PROTECTED]
>
> I have RH4.2 and two computers. One has a tiny HD and a different
> graphics card to the other (server) and I probably won't be able to
> install X on the smaller one.
>
> Could you please tell me where to go in the mountains of READMEs and
> HOWTOs to find out about installing linux on a tiny HD with the X server
> elsewhere on the network.
>
> Many Thanks,
> Matthew King,
> [EMAIL PROTECTED]
------------------------------
From: "Curt" <[EMAIL PROTECTED]>
Crossposted-To: linux.net.masquerade,comp.os.linux.help
Subject: Re: Masquerade on Red Hat 5.2...
Date: Wed, 14 Apr 1999 06:04:13 -0500
Here is a copy of a working setup for masquerading on RH5.2
in /etc/rc.d/rc.local:
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_cuseeme
# default: forward nothing; then masquerade only what comes from the inside net
ipfwadm -F -p deny
ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
in /etc/sysconfig/network:
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=mynet.myhost
DOMAINNAME=mynet
GATEWAY=0.0.0.0
GATEWAYDEV=
My guess is that if you followed the guides, you may only be missing the
'FORWARD_IPV4=yes' line.
Jarmo wrote in message <[EMAIL PROTECTED]>...
>Hello!
>
>I have two windows computers, and i would like to connect them to internet
>through a "server" with a modem.
>
>I found a book that seemed to explain it all and no linux or unix experience
>required!, so i bought it; Linux Network Toolkit by Paul G. Sery.
>Included with this book was a cd that contained Linux 5.0, diald and other
>utilities and some firewall scripts.
>Nothing in this book seems to work! i have followed the instructions
>carefully...
>
>I have printed out and read through every ppp, firewall, masquerade and
>networking howto included with linux.
>Nothing works... (they do not seem to be redhat specific, different
>commands, screens and so)
>
>I have searched on the web and found pages about how to setup "small office
>networks", "home networks"...
>Nothing works...
>
>I got Red Hat 5.2 with a magazine, so i have installed it with printer
>support, smb and network management workstation options.
>I can share files and printer with samba, so the basic network is
>functional.
>
>I configured modem port and ppp from the control-panel in X.
>I have also installed diald 0.16.5a and diald-config 0.16.5a.
>In diald's connect file i have only changed to phone.filter, modem init and
>phone nr, and in diald.conf i modified the line with pppd-options to have my
>"pap name"
>
>If i try to get out on the net from a windows machine, nothing happens...
>If i from the command prompt type, for example, telnet host01.algonet.se
>the modem dials up and nothing more happens.
>Now i press ctrl-c to get back the command prompt.
>If i type ifconfig, i can see that ppp0 has my server IP and have been
>assigned a "p-t-p" IP from the ISP.
>
>This has been my starting point for various ipfwadm configurations.
>Have i missed something obvious?
>
>Is there other simpler options than masquerade?
>Routing? Proxy? Other?
>
>Hope someone can help, or point me in the right direction...
>
>
>/Jarmo
>
>[EMAIL PROTECTED]
>
>
>
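Curt's guess that the missing piece is `FORWARD_IPV4=yes` is easy to confirm before touching any ipfwadm rules. The block below is an added example (not Curt's code) of a small pre-flight check: it reads a sysconfig-style file for that key and the kernel's live `ip_forward` flag, and names whichever one is not set. On a real box the paths would be `/etc/sysconfig/network` and `/proc/sys/net/ipv4/ip_forward` (that mapping is assumed from Red Hat's init scripts); the paths are parameters so the demo can run against constructed files, and the function names `kv` and `masq_prereqs` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# two forwarding prerequisites of a masquerading gateway.

# kv FILE KEY: print the value of KEY=value from a sysconfig-style file.
# Last assignment wins; surrounding double quotes are stripped.
kv() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# masq_prereqs SYSCONFIG IP_FORWARD_FILE: print "ok" when both the boot-time
# setting and the live kernel flag allow forwarding, otherwise one line per
# missing item.  Exit status is 0 only when everything is in place.
masq_prereqs() {
    sysconfig=$1; fwd=$2; status=0
    if [ "$(kv "$sysconfig" FORWARD_IPV4)" != yes ]; then
        echo "missing: FORWARD_IPV4=yes in $sysconfig (forwarding is off after reboot)"
        status=1
    fi
    if [ "$(cat "$fwd" 2>/dev/null)" != 1 ]; then
        echo "missing: $fwd is not 1 (kernel is not forwarding right now)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

# Demo on constructed input: a sysconfig file without FORWARD_IPV4 and a
# kernel flag still at 0, the situation the post suspects.
demo() {
    dir=$(mktemp -d)
    printf 'NETWORKING=yes\nHOSTNAME=mynet.myhost\nDOMAINNAME=mynet\n' > "$dir/network"
    echo 0 > "$dir/ip_forward"
    masq_prereqs "$dir/network" "$dir/ip_forward" || true
    rm -rf "$dir"
}
demo
```

Against the real files (`masq_prereqs /etc/sysconfig/network /proc/sys/net/ipv4/ip_forward`) a clean "ok" means the problem is in the ipfwadm rules or the ppp link instead, which narrows the search considerably.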
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************