Linux-Networking Digest #72, Volume #11 Fri, 7 May 99 16:13:52 EDT
Contents:
Re: IPX routing over ppp (Thomas Stoddard)
my "host name" repeats ([EMAIL PROTECTED])
Re: Multiple IP Addresses (Giovanni)
Re: Multiple Mailboxes for Linux (Andrzej Filip)
Re: Ipchains and lots of interfaces (Paul Black)
Re: pppd: 244000 not supported (Clifford Kite)
Re: Linux Uptimes (Steve Lamb)
ISAPNP card questions ("Wm. Josiah Erikson")
Re: Best Free X Windows Server for Win95/98 Box on Samba/Linux Network? ("Curt")
Re: Q: how to communicate with my modem? (Michael Holzer)
Re: Routing and router redundancy ([EMAIL PROTECTED])
Re: Routing NTweb traffic to Apache on Linux w/private IP (Michael Balderas)
ipchains broken in Debian Potato? (Tomas Halvarsson)
Re: ipchains broken in Debian Potato? (Tomas Halvarsson)
----------------------------------------------------------------------------
From: Thomas Stoddard <[EMAIL PROTECTED]>
Subject: Re: IPX routing over ppp
Date: Fri, 07 May 1999 13:16:44 -0400
I beg to differ. IPX is routable. We do it over frame-relay to our other
locations and I route it locally with a Linux box between two full-time
ethernet segments. But I have had no success getting it to work over
"pop-up" connections. I would like to get it working over dialup ppp
connections but no luck.
Bill wrote:
>
> Michael,
>
> IPX protocol isn't routable, that is why you're not getting anywhere.
> What version of Novell do you have? The best thing to do is see if you can
> set the Novell to run TCP/IP; don't know if it can be done on Novell, haven't
> worked with it since 96. Hope this helps.
>
> Bill MacWilliams
--
Backup? What backup?
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: comp.mail.sendmail
Subject: my "host name" repeats
Date: Fri, 07 May 1999 17:48:05 GMT
I have a weird problem. I am sending some local test messages over to my
machine. However, when I check the maillog file, I see the error:
May 7 11:42:41 ModelLinux qmail: 926102561.733810 delivery 78: failure:
Sorry,_I_couldn't_find_any_host_named_ModelLinux.ModelLinux._(#5.1.2)/
Apparently, it is trying to send an email over to [EMAIL PROTECTED]
when it should in fact send it to root@modellinux. I checked the
/var/qmail/control files and all of them just say "modellinux" and NONE of them
say "modellinux.modellinux". Why is the machine trying to send to this faulty
domain?
------------------------------
From: Giovanni <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.setup,linux.redhat.misc,redhat.general
Subject: Re: Multiple IP Addresses
Date: Fri, 07 May 1999 18:47:59 +0200
Duncan Simpson wrote:
> In <Su5Y2.800$[EMAIL PROTECTED]> "Curt" <[EMAIL PROTECTED]> writes:
>
> >See http://metalab.unc.edu/LDP/HOWTO/mini/IP-Alias.html
>
> >Brian Carter <[EMAIL PROTECTED]> wrote in message
> >news:u$$qZG0l#GA.60@cpmsnbbsa02...
> >> I am trying to configure my Linux (Redhat 5.2) to run with multiple
> >domains,
> >> each having different IP addresses .. I know this can be done as my
> >> ex-provider had this set up for me (I then forgot what he did).
> >>
> >> I have two domains, and one NIC (eth0)
> >>
> >> Can somebody point me in the right direction .. assuming the following :
> >>
> >> domain 1 - cma1.com (195.60.36.1)
> >> domain 2 - cma2.com (195.60.37.1)
> >>
>
> If all Brian wants is to run two networks over the same piece of wire
> all he needs is a route command that tells the kernel both networks
> can be reached via the same interface with no gateway.
> route add -net <network> <interface>
> does this. (Been there and done that for a machine that needed the extra
> route to see its default gateway).
>
> Duncan (-:
>
> --
> Duncan (-:
> "software industry, the: unique industry where selling substandard goods is
> legal and you can charge extra for fixing the problems."
------------------------------
From: Andrzej Filip <[EMAIL PROTECTED]>
Subject: Re: Multiple Mailboxes for Linux
Date: Fri, 07 May 1999 15:57:50 +0200
Martin Cameron wrote:
> Can anyone point me to a program that will allow multiple mailboxes on a
> mail client for linux, in the vein of Outlook Express. As a recent
> migrant to linux - full time on my desktop and laptop - using KDE and
> Star Division 5.0 Office Suite, I am committed to making this OS work in
> an ordinary working environment. However, the inability of Netscape to
> provide for multiple mailboxes is proving to be seriously inconvenient.
You may use fetchmail to retrieve messages from multiple mailboxes to
THE mailbox.
--
Andrzej (Andrew) A. Filip -- IT Consultant
http://www,bigfoot.com/~anfi
Private: [EMAIL PROTECTED] Business: [EMAIL PROTECTED]
I NO LONGER USE [EMAIL PROTECTED]
Posting history (all addresses):
http://www.dejanews.com/profile.xp?author=Andrzej%20Filip&ST=PS
------------------------------
From: Paul Black <[EMAIL PROTECTED]>
Subject: Re: Ipchains and lots of interfaces
Date: Fri, 07 May 1999 13:17:59 +0100
Reply-To: Paul Black <[EMAIL PROTECTED]>
Paul Rusty Russell <[EMAIL PROTECTED]> wrote:
>
> "Jan Johansson" <[EMAIL PROTECTED]> writes:
>
> > A friend runs a machine with 5 ethernet devices (long story as to why)
> >
> > four of them have 192.168.[1-4].254 as their IP ( eth1 = .1.254 eth2 =
> > ..2.254 etc etc) and eth0 is connected via cable to the internet.
> >
> > Now.. if we just use "-A forward -s 192.168.1.0/0 -d 0/0 -b -j MASQ" (repeat
> > for all four internal nets) we get all traffic masqueraded which isn't
> > desirable, since we want the machine to work as a "transparent" router for
> > the four 192.168 nets.. I know I can fix this by writing 12 (or will it be
> > 16?) rules, but is there a magic way to do something like this?
>
> Use `-i eth0'.
Would that apply to the input, output or either interfaces used?
Paul
------------------------------
From: kite@NoSpam.%inetport.com (Clifford Kite)
Crossposted-To: comp.os.linux.setup
Subject: Re: pppd: 244000 not supported
Date: 3 May 1999 08:55:11 -0500
Clifton T. Sharp Jr. ([EMAIL PROTECTED]) wrote:
: Clifford Kite wrote:
: > Now I'm curious. Can you speculate on what will happen if you have a
: > file with more than 4:1 compression that comes through a ppp circuit
: > with hardware compression on both sides? Say a file that consists many
: > bytes, each one identical to every other one in the file? An extreme
: > case granted, but you get the idea. Offhand it seems like it might
: > cause serious trouble.
: >
: > Hardware exchanging bytes at a 53 kilobaud rate might easily exceed the
: > 115200 top speed of the common PC 16550A UART and would likely cause
: > PPP fcs errors with files that have long sequences of duplicate bytes.
: > I'd believe - until shown otherwise - that this also might account for
: > some of the problems with files hanging during download that are seen
: > posted here and on comp.protocol.ppp . The 4x rule seems to imply that
: > you need at least a 230400 kbaud UART for 53 kbaud connections and that
: > even a 38.6 kbaud modem might at times get some benefit from such a UART.
: >
: > Comments welcome.
: The modem-to-modem protocols include handshaking procedures. If you were
: to run your 56K modem at a DTE speed of 19200, you should be quite safe
: because once your modem's input buffer gets to its high-water mark, the
: modem tells the other modem to suspend until further notice. (Kind of a
: waste of bandwidth at 19200, though.) Similarly, if you run DTE of 115200,
: connect at 53333 and manage 4x compression (213333 BPS), the modem will
: sense reaching its high-water mark and throttle the other modem.
I have a picture like this in mind:

      53kbaud rate      Some higher rate              pppd speed
      compressed        uncompressed          115200    115200
      data              data                  limit
ISP ----------->modem------------------>UART-------->pppd
I cheerfully admit that this could be wrong. But assuming that it's
correct, and that the modem does not exercise flow control _after_
decompression, then any rate greater than 115200 for the decompressed
data into the UART would seem likely to cause a problem. If the UART
itself exercises flow control then things would be OK, but I didn't think
they were that sophisticated.
: In handling real-world data, the modems reach 4:1 compression so seldom
: that you'd never notice the throttling if indeed it is needed.
: A nit about a comment you made earlier in the thread: the 16550A itself
: is capable of more than 115200 BPS. However, it needs a different crystal
: than is used in the typical PC serial-port hardware to do it. The port is
: limited, but not inherently by the chip itself.
Well, if we're picking nits, then note the qualifier "common PC." :)
--
Clifford Kite <kite@inet%port.com> Not a guru. (tm)
/* The wealth of a nation is created by the productive labor of its
* citizens. */
------------------------------
From: [EMAIL PROTECTED] (Steve Lamb)
Subject: Re: Linux Uptimes
Date: 7 May 1999 18:12:08 GMT
Reply-To: [EMAIL PROTECTED]
On 28 Apr 1999 17:12:55 +0200, Desmond Coughlan
<[EMAIL PROTECTED]> wrote:
>Likewise. We had a power cut not that long ago, which means that I only
>have :
>lievre:~$ uptime
> 5:11pm up 10 days, 2:23, 4 users, load average: 0.01, 0.02, 0.00
>Before that, I was at thirty days, but in general, Linux runs smooth
>as silk ... :-)
This is why I started running uptimed on my machine.
{morpheus@rpglink:/home/morpheus}uprecords
     #               Uptime | System                                 Boot up
============================+=================================================
     1    48 days, 00:41:30 | Linux 2.2.1            Wed Feb 10 01:03:44 1999
     2    13 days, 20:08:14 | Linux 2.2.1            Fri Apr  9 17:15:30 1999
     3    10 days, 14:06:54 | Linux 2.2.1            Tue Mar 30 03:07:14 1999
     4     6 days, 09:19:53 | Linux 2.2.6            Sun Apr 25 00:17:33 1999
->   5     4 days, 04:50:32 | Linux 2.2.6            Mon May  3 06:19:35 1999
     6     1 day , 12:43:44 | Linux 2.2.6            Sat May  1 09:48:06 1999
     7     0 days, 11:51:38 | Linux 2.2.1            Sat Apr 24 00:54:21 1999
     8     0 days, 01:24:10 | Linux 2.2.1            Sat Apr 24 22:13:39 1999
     9     0 days, 00:40:48 | Linux 2.2.1            Sat Apr 24 20:50:50 1999
    10     0 days, 00:13:25 | Linux 2.2.1            Sat Apr 24 21:41:48 1999
============================+=================================================
1up in     2 days, 04:29:21 | Sun May  9 15:39:27 1999
no1 in    43 days, 19:50:58 | Sun Jun 20 07:01:04 1999
I recently moved ~450 miles and set up the machine for IP masquerading through
two ethernet cards instead of over ppp0, which explains all the reboots.
But, as you can see, I have my 48 day uptime recorded. :)
--
Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
ICQ: 5107343 | main connection to the switchboard of souls.
===============================+=============================================
------------------------------
From: "Wm. Josiah Erikson" <[EMAIL PROTECTED]>
Subject: ISAPNP card questions
Date: Fri, 07 May 1999 10:06:34 -0400
Date: Thu, 06 May 1999 21:29:13 -0400
From: "Wm. Josiah Erikson" <[EMAIL PROTECTED]>
Newsgroups: comp.os.linux.setup
Subject: ISAPNP card questions
I'm running RH 6.0/kernel 2.2.7 on a 486/33 with 20MB of RAM.
The Intel EtherExpress 16 card referred to below is a 10BT ISA PnP
Ethernet card.
I have an Intel EtherExpress 16 card (as well as a WD8003, eth0, which
works fine and I have no problems with). It used to work just fine with
the generic kernel that got installed on my machine when I installed RH
6.0 (and RH 5.2, for that matter). Whenever I recompile my kernel, it
stops working, even though I built EtherExpress 16 support into the
kernel. I think before it was compiled as a module... is this necessary
to make it work? The card is an ISA PnP card... does this mean that I
have to use isapnp to make it work right? The format of isapnp.conf
looks really cryptic to me and I can't quite make it out. I know that
the card is currently set to IRQ 5 and IO 0x310. This is fine, doesn't
conflict with anything, and I'd rather just leave it there and tell my
machine that's where it is. Is there any way to do this? Right now it
just says, "Delaying eth1 initialization" upon startup.
I think maybe I'll just stop trying to use an ISA PnP card with
Linux : ) Nah, I can figure it out... but if somebody could gimme some
pointers that would be great. Please cc:[EMAIL PROTECTED] since I
don't always read every message that comes through this newsgroup.
Thanks much!
-Josiah
http://bork.hampshire.edu (the Linux box I'm referring to here)
------------------------------
Reply-To: "Curt" <[EMAIL PROTECTED]>
From: "Curt" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.x,alt.os.linux,comp.os.linux.misc,comp.os.linux.setup
Subject: Re: Best Free X Windows Server for Win95/98 Box on Samba/Linux Network?
Date: Fri, 7 May 1999 09:25:19 -0500
I just downloaded VNC. It worked the first time for the server running on
95 and the viewer running on RH5.2. However, I seem to always get a blank
greenish window going the other way, 95 viewer, RH5.2 server. Same with
viewer on RH5.2 and server on RH5.2. I'm sure I'm missing something dumb.
Ursa_M <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> > Timothy Litwiller wrote:
> >
> > > yes, please send an URL
> > >
> > > Eugene VonNiederhausern wrote:
> > >
> > > > Cyrus Mehta wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I am creating a dual Windows/Linux environment using Samba for
> > > > > file serving on a standard Ethernet network. I was wondering what
> > > > > kind of X server software for the Windows side I could use to run
> > > > > some X windows apps off of the Linux Box.
> > > > >
> > > > > Reliability is the most important factor, windows will crash often
> > > > > enough without the help of the X server.
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > CKM
> > > >
> > > > Yesterday, I found the best X server/viewer for windows (and linux)
> > > > that I have seen yet and it is free (GNU Public License). It is
> > > > called VNC from Olivetti and Oracle research laboratory. You can
> > > > connect from linux->windows, windows->linux, linux->linux,
> > > > windows->windows. It is a lot better than any of the other products
> > > > I have seen of this kind. I don't have the URL (it is at work); you
> > > > can email me or post a reply and I will get it and reply.
> >
> > The URL is http://www.uk.research.att.com/vnc/ . Let me know what you
> > think...
>
> Ursa_M --> I am also using the VNC server and find it to be very reliable
> and generally excellent. The install was easy. I tend to launch and kill
> the server from a hyperterminal window via telnet and then sign onto the
> VNC X windows. VNC is persistent. Unless you kill the session, the next
> time you login you will be EXACTLY where you were when you closed the
> window. Server sessions can be conveniently killed from a command line,
> telnet or direct, to keep that from being a problem. On the other hand, if
> you had multiple devices going and wanted to keep an X windows session up
> while you moved from device to device then this is a "feature" you would
> like. Personally, I haven't had a use for that yet so just kill the
> session before I shut down my Win98 machine. VNC has never caused a
> hiccup on either the Win98 or Linux side and is a very thin client on the
> Win98 side.
>
> Take care,
>
> Ursa_M
>
------------------------------
From: Michael Holzer <[EMAIL PROTECTED]>
Subject: Re: Q: how to communicate with my modem?
Date: 7 May 1999 14:32:33 GMT
If your modem is connected to COM 1, then the correct device should be
/dev/cua0. From the shell prompt, type:
cu -l cua0
You should get a message saying CONNECTED and then you should be able to
type AT commands. To break the connection, you must type a tilde and then
a dot. After you hit the ~ key, your machine name should appear, then type
a .
> Joern Stein wrote:
> >
> > Hi there,
> >
> > I'm trying to talk to my modem from the command line (bash), i.e.
> > sending AT-commands and sending the output from the modem to the screen.
> > Is there a way of doing this without using a terminal program (like
> > minicom)? Some weird combination of cat and pipes maybe?
> >
> > Any help sent as email to
> > [EMAIL PROTECTED]
> > is greatly appreciated
> >
> > Have a nice day,
> > Joern
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Routing and router redundancy
Date: 07 May 1999 16:31:14 +0200
Reply-To: [EMAIL PROTECTED]
In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Mark) wrote:
> I thought the internet originally came from a distributed military network
> which would re-route information if one node was down (i.e. hit by a bomb) and
> so remove any weak links in the information chain.
Of course it does so: build two routers between your nets; if one fails, the
packets use the other router:

net1 -+-- router1 -+-- net2
      |            |
      +-- router2 -+

run 'routed' on both routers and all computers in net1 and net2 -- and if
one router fails, the packets take the other. Don't use static routing and
try to use the same ip-# for two different computers -- that's not the way
'god intended'.
dpi
------------------------------
From: mike*no*spam*@yourhelpdesk.com (Michael Balderas)
Subject: Re: Routing NTweb traffic to Apache on Linux w/private IP
Date: Fri, 07 May 1999 14:36:27 GMT
You could also do this with Sygate, just modifying the apprules file
to point all inbound traffic destined to port 80 at the internal IP
of the linux box.
Mike
On Fri, 7 May 1999 04:18:04 -0500, "d. martin" <[EMAIL PROTECTED]>
wrote:
>Options:
>Put Proxy server on the NT Box. It will do the address translation and can
>forward web requests to appropriate server. A proxy client does not have to
>exist on the Apache box. NT proxy does this and it's probably offered on
>other shareware or cheap proxies (if they exist?)
>
>Install Apache on the NT Box and use ReverseProxy, ProxyPass options to
>route traffic. This will also mask the internal address and it costs
>nothing.
>
>Dave Brown wrote in message ...
>>I am trying to route all requests from my NT box to my Linux Apache web server.
>>
>>Here's the scenario:
>>
>>My NT box is dialed into my ISP so I have a temporary IP address that I
>>can use for web serving from my NT box. This is just for testing a
>>development web site so I don't care that it's not a static IP address. I
>>have all of my web based html, servlets, etc.. on my Linux box running
>>Apache. I would like to route the calls coming to my NT box to the apache
>>server.
>>
>>I tried going into IIS and forwarding all traffic to my linux box for a
>>particular site, but that only works here since it a private network.
>>Since the linux box has a 192.168.xxx.xxx IP address the real world
>>doesn't know how to route to it.
>>
>>Any ideas???
>>
>>Thanks,
>>
>>Dave Brown
>>
>>
>
------------------------------
From: Tomas Halvarsson <[EMAIL PROTECTED]>
Subject: ipchains broken in Debian Potato?
Date: 6 May 1999 20:45:33 GMT
Reply-To: [EMAIL PROTECTED]
Hello.
Yesterday, I upgraded my machine from Debian Slink to Debian
Potato. After that, ipchains doesn't work properly. All the rules
I had set up before (denying, logging, forwarding etc.) just went
straight down the toilet.
The strange thing is, I can still ping machines both by specifying
their IP and their name. So some traffic is let through, both in
and out. But trying to do a simple 'telnet host 13' doesn't work!
I have DENY as policy on the input chain, and then ACCEPT the
things I need. I have ACCEPT as policy on the output chain, and
DENY the things I don't want.
If I change to ACCEPT as policy for the input chain, and DENY
http, things work as expected (everything except http is
accepted). However, I am more comfortable with DENY as input
chain policy; maybe this is where I should look for a solution?
Has anyone else experienced this, or was my ipchains config
broken _before_ the upgrade to Potato, and should now be changed?
Any help appreciated. Thanks.
/Tomas
=======================================================================
"Only the paranoid survive"
e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED]
www: http://www.pobox.com/~psycho/
http://www.acc.umu.se/~psycho/
=======================================================================
------------------------------
From: Tomas Halvarsson <[EMAIL PROTECTED]>
Subject: Re: ipchains broken in Debian Potato?
Date: 7 May 1999 13:34:47 GMT
Reply-To: [EMAIL PROTECTED]
In <[EMAIL PROTECTED]> Paul Rusty Russell
<[EMAIL PROTECTED]> writes:
>Tomas Halvarsson <[EMAIL PROTECTED]> writes:
>> Hello.
>>
>> Yesterday, I upgraded my machine from Debian Slink to Debian
>> Potato. After that, ipchains doesn't work properly. All the rules
>> I had set up before (denying, logging, forwarding etc.) just went
>> straight down the toilet.
>Really? That seems unlikely... I'm a Debian user myself. ipchains
>hasn't seen any large changes, and IIRC they jumped from 1.3.4 to
>1.3.8.
Yup, it's 1.3.8.
>Do you have any evidence that it's ipchains's fault? Have you tried
>running it manually.
Well... I can't find anything else to blame. If I choose ACCEPT as
policy and then flush the rules, everything works OK. And if I
after that DENY e.g. http, http is blocked but nothing else.
It seems like it works to have ACCEPT as policy, and blocking out
stuff, but not having DENY as policy, and accepting selected
stuff.
I'm appending my startup script (sorry). Like I wrote in my
original post, it worked as expected under Slink, and after the
upgrade almost nothing works. (I know, it's not perfect, but it
worked for me).
/Tomas
=======================================================================
"Only the paranoid survive"
e-mail: [EMAIL PROTECTED]
[EMAIL PROTECTED]
www: http://www.pobox.com/~psycho/
http://www.acc.umu.se/~psycho/
=======================================================================
=====8<=====8<=====8<=====8<==== Cut here ====8<=====8<=====8<=====8<=====
#!/bin/sh
# This sets up our firewalling/masquerading options.
#
# ipchains interface matching: on the input chain "-i" is the interface a
# packet arrived on; on the forward and output chains it is the interface
# the packet is about to leave on. Rules are tried in order, first match wins.
INTIF="eth0"
EXTIF="eth1"
EXTIFNET="wouldn't you like to know :)"
EXTIFBCAST="wouldn't you like to know :)"
INTMACHIP="10.0.0.3"
INTIFNET="10.0.0.0"
EXTMACHIP="wouldn't you like to know :)"
NETBIOS_PORTS="netbios-ns netbios-dgm netbios-ssn"

test -f /sbin/ipchains || exit 0

case "$1" in
start | reload | restart)
    echo "Starting/reloading/restarting firewall system..."

    ##############################################################
    # Forwarding
    echo -n "Activating IP forwarding..."
    # Activate packet forwarding/gatewaying between interfaces...
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ipchains -P forward DENY
    ipchains -F forward
    # First, deny NETBIOS from the inner net leaving for the outside world.
    # Matched on the destination port and on $EXTIF, the interface the
    # forwarded packet leaves on (the forward chain's "-i" is the output
    # interface, so "-i $INTIF" would never match this traffic).
    for port in $NETBIOS_PORTS; do
        ipchains -A forward -i $EXTIF -p TCP -s $INTIFNET/24 -d 0.0.0.0/0 $port -j DENY -l
        ipchains -A forward -i $EXTIF -p UDP -s $INTIFNET/24 -d 0.0.0.0/0 $port -j DENY -l
    done
    # ...and nothing forwarded to the external broadcast address
    ipchains -A forward -i $EXTIF -d $EXTIFBCAST -j DENY -l
    # Masquerade the inner machine's traffic as it leaves on $EXTIF
    ipchains -A forward -i $EXTIF -s $INTMACHIP -j MASQ
    # Paranoia setting: nothing else gets forwarded, and log the attempts
    ipchains -A forward -s ! $INTMACHIP -j DENY -l
    echo " done"

    ##############################################################
    # Input
    echo -n "Setting up input rules..."
    # Deny everything
    ipchains -P input DENY
    ipchains -F input
    # Accept all incoming packets from loopback
    ipchains -A input -i lo -j ACCEPT
    # Accept all incoming packets from the inner machine
    ipchains -A input -i $INTIF -s $INTMACHIP -j ACCEPT
    # Deny packets coming in on $EXTIF claiming strange source IPs. These
    # come before the ICMP accept so that spoofed ICMP is caught as well.
    ipchains -A input -i $EXTIF -s $EXTMACHIP -j DENY -l
    ipchains -A input -i $EXTIF -s $INTIFNET/24 -j DENY -l
    ipchains -A input -i $EXTIF -s 0.0.0.0 -j DENY -l
    # Accept (almost) all incoming ICMP packets, on all interfaces.
    # Just filter out gateway changing requests etc. (for ICMP the type
    # name goes where the source port would otherwise go)
    ipchains -A input -p ICMP -s 0.0.0.0/0 redirect -j DENY -l
    ipchains -A input -p ICMP -s 0.0.0.0/0 router-advertisement -j DENY -l
    ipchains -A input -p ICMP -s 0.0.0.0/0 router-solicitation -j DENY -l
    ipchains -A input -p ICMP -j ACCEPT
    # Deny all (Win*) broadcast crap, but don't bother to log it
    ipchains -A input -d $EXTIFBCAST -j DENY
    ipchains -A input -d 255.255.255.255 -j DENY
    # This matches only the literal address 0.0.0.255, not every x.x.x.255;
    # the two rules above already cover the broadcasts that matter here.
    ipchains -A input -d 0.0.0.255 -j DENY
    # Accept incoming SYN packets (-y: SYN set, ACK clear) to selected TCP ports
    for port in auth daytime echo finger https ntp ssh time www; do
        ipchains -A input -i $EXTIF -p TCP -d $EXTMACHIP $port -y -j ACCEPT
    done
    # Deny and log the rest of the connection attempts
    ipchains -A input -i $EXTIF -p TCP -j DENY -y -l
    # And then we accept packets to already established connections
    ipchains -A input -i $EXTIF -p TCP -d $EXTMACHIP ! -y -j ACCEPT
    ### MEGA-KLUDGE!!!!
    ### The row below makes things work with Debian Potato, but it's
    ### really stupid...
    ### It wasn't used while I was running Slink...
    ipchains -A input -i $EXTIF -p TCP -d $EXTMACHIP -j ACCEPT
    # Accept incoming packets to selected UDP ports
    for port in daytime echo ntp time; do
        ipchains -A input -i $EXTIF -p UDP -d $EXTMACHIP $port -j ACCEPT
    done
    # ...and (of course) accept UDP traffic to unprivileged ports
    ipchains -A input -i $EXTIF -p UDP -d $EXTMACHIP 1024: -j ACCEPT
    # Deny and log the rest
    ipchains -A input -i $EXTIF -p UDP -j DENY -l
    echo " done"

    ##############################################################
    # Output
    echo -n "Setting up output rules..."
    # Accept everything
    ipchains -P output ACCEPT
    ipchains -F output
    # Better keep an eye on what my machine is doing... (deny NETBIOS and
    # broadcast crap going out on $EXTIF, matched on the destination port)
    for port in $NETBIOS_PORTS; do
        ipchains -A output -i $EXTIF -p TCP -s $EXTMACHIP -d 0.0.0.0/0 $port -j DENY -l
        ipchains -A output -i $EXTIF -p UDP -s $EXTMACHIP -d 0.0.0.0/0 $port -j DENY -l
    done
    ipchains -A output -i $EXTIF -d $EXTIFBCAST -j DENY -l
    echo " done"

    ##############################################################
    # General
    # Masquerading timeouts:
    # 2 hours for TCP session timeouts
    # 10 sec for traffic after the TCP/IP "FIN" packet is received
    # 2 hours for UDP traffic (Important for MASQ'ed ICQ users etc.)
    ipchains -M -S 7200 10 7200
    echo "Started/reloaded/restarted firewall system"
    ;;
stop)
    echo "Stopping firewall system..."
    # Deactivate packet forwarding/gatewaying between interfaces...
    echo "Deactivating IP forwarding..."
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # Default policy: accept everything on input and output, forward nothing
    ipchains -P input ACCEPT
    ipchains -P output ACCEPT
    ipchains -P forward DENY
    # Flush all firewall rules
    ipchains -F input
    ipchains -F output
    ipchains -F forward
    echo "Stopped firewall system"
    ;;
*)
    echo "Usage: /etc/init.d/firewall.ipchains {start|stop|reload|restart}"
    exit 1
    ;;
esac
exit 0
=====8<=====8<=====8<=====8<==== Cut here ====8<=====8<=====8<=====8<=====
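Two of the ipchains threads in this digest (Jan Johansson's five-NIC masquerading question with Rusty's "-i eth0" answer, and Tomas Halvarsson's default-DENY input chain above) turn on the same two facts: rules are tried in order and the first match decides, and on the forward chain "-i" names the interface a packet is about to leave on (on the input chain it is the arrival interface). The Python below is an added example, not code from the digest or from the ipchains project: a toy evaluator for the handful of matchers the posts use (-i, -p, -s, -d with an address and a port, -y and "! -y"), run against constructed packets. It shows why the rule as posted, "-s 192.168.1.0/0", masquerades everything (a zero-bit mask matches every source) while "-i eth0" masquerades only what leaves on the external interface, and it runs a cut-down version of Tomas's input chain: a SYN to ssh is accepted, a SYN to telnet is denied, and the SYN/ACK answering an outbound "telnet host 13" is accepted by the "! -y" rule. All addresses are constructed (documentation ranges standing in for the redacted $EXTMACHIP and for remote hosts), the interface names follow the posts, and the model knows nothing about masquerading state or anything else the kernel does.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    iface: str              # input chain: arrival interface; forward/output: exit interface
    proto: str              # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn_only: bool = False  # SYN set and ACK clear: exactly what ipchains "-y" matches


@dataclass
class Rule:
    target: str                  # ACCEPT, DENY, MASQ, ...
    iface: Optional[str] = None  # -i
    proto: Optional[str] = None  # -p
    src: Optional[str] = None    # -s "a.b.c.d[/n]"; a leading "!" negates
    dst: Optional[str] = None    # -d
    dport: Optional[int] = None  # destination port written after the -d address
    syn: Optional[bool] = None   # True for "-y", False for "! -y", None for either

    def matches(self, p: Packet) -> bool:
        return all((
            self.iface is None or self.iface == p.iface,
            self.proto is None or self.proto == p.proto,
            self.src is None or addr_match(self.src, p.src),
            self.dst is None or addr_match(self.dst, p.dst),
            self.dport is None or self.dport == p.dport,
            self.syn is None or self.syn == p.syn_only,
        ))


def addr_match(spec: str, addr: str) -> bool:
    """Match addr against an ipchains-style address spec; "!" in front negates.
    strict=False mirrors ipchains masking the address: 192.168.1.0/0 is 0.0.0.0/0."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("! "), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def first_match(rules: List[Rule], p: Packet) -> Optional[int]:
    """Index of the first rule that matches, or None if the chain falls through."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return i
    return None


def run_chain(rules: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule decides; the chain policy applies when none matches."""
    i = first_match(rules, p)
    return policy if i is None else rules[i].target


# --- Five NICs: masquerade only what leaves on eth0 (constructed addresses) ---
INTERNAL_NETS = ["192.168.%d.0/24" % n for n in range(1, 5)]
# As posted: "-s 192.168.1.0/0" has a zero-bit mask, so it matches every source.
AS_POSTED = [Rule("MASQ", src="192.168.1.0/0")]
# Rusty's suggestion: in the forward chain "-i eth0" means "leaving on eth0".
WITH_IFACE = [Rule("MASQ", iface="eth0", src=net) for net in INTERNAL_NETS]


def forward_verdicts(rules: List[Rule]) -> dict:
    """Forward chain with policy ACCEPT: one packet bound for the Internet via
    eth0, one routed between two internal nets and leaving via eth2."""
    to_internet = Packet("eth0", "TCP", "192.168.1.10", "198.51.100.7", 40000, 80, True)
    between_nets = Packet("eth2", "TCP", "192.168.1.10", "192.168.2.20", 40001, 22, True)
    return {"to_internet": run_chain(rules, "ACCEPT", to_internet),
            "between_nets": run_chain(rules, "ACCEPT", between_nets)}


# --- Default-DENY input chain with SYN-only accepts, after Tomas's script ----
EXTIF, EXT = "eth1", "203.0.113.5"   # EXT: constructed stand-in for $EXTMACHIP


def input_chain(with_kludge: bool) -> List[Rule]:
    rules = [
        Rule("ACCEPT", iface=EXTIF, proto="TCP", dst=EXT, dport=22, syn=True),  # ssh -y
        Rule("DENY", iface=EXTIF, proto="TCP", syn=True),                       # other SYNs
        Rule("ACCEPT", iface=EXTIF, proto="TCP", dst=EXT, syn=False),           # ! -y
    ]
    if with_kludge:  # the "MEGA-KLUDGE" line: any TCP to EXT, SYN or not
        rules.append(Rule("ACCEPT", iface=EXTIF, proto="TCP", dst=EXT))
    return rules


def input_verdicts(with_kludge: bool) -> dict:
    rules = input_chain(with_kludge)
    pkts = {
        "ssh_syn": Packet(EXTIF, "TCP", "192.0.2.9", EXT, 51000, 22, True),
        "telnet_syn": Packet(EXTIF, "TCP", "192.0.2.9", EXT, 51001, 23, True),
        # SYN/ACK answering our own 'telnet host 13': not a bare SYN
        "daytime_reply": Packet(EXTIF, "TCP", "192.0.2.9", EXT, 13, 51002, False),
    }
    return {name: run_chain(rules, "DENY", p) for name, p in pkts.items()}


def kludge_is_reachable() -> bool:
    """Can any TCP packet on EXTIF to EXT reach the kludge line? The rules
    only look at the SYN flag and the port, so this small sweep is exhaustive."""
    rules = input_chain(True)
    last = len(rules) - 1
    return any(first_match(rules, Packet(EXTIF, "TCP", "192.0.2.9", EXT, 51003, port, syn)) == last
               for port in (22, 23, 13) for syn in (True, False))
```

Purely as a matter of rule order, the kludge line sits after a rule that denies every remaining SYN on $EXTIF and one that accepts every remaining non-SYN packet to the external address, so in this model no packet ever reaches it (kludge_is_reachable() returns False) and the verdicts are the same with or without it. Whatever made that line help on Potato is therefore not something the order of these rules explains, which is in line with Rusty's question of whether ipchains is really the component at fault.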
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************