Linux-Networking Digest #453, Volume #12          Thu, 2 Sep 99 17:14:22 EDT

Contents:
  Re: IPChains and FTP (Chris)
  Problem to reach 100Mbps with 3C905B-TX (Bernard Fay)
  VPN and IP MASQ ([EMAIL PROTECTED])
  Re: Home network and cable modem ("Ted Mead")
  Re: sendmail win98 ("Doug Giddens")
  Re: Problem to reach 100Mbps with 3C905B-TX (Chris Salin)
  Internet-Router Probleme ("Kamil Kube")
  Using Samba to join an NT domain. (Brad Smith)
  Re: Problems with SMC EtherPower II (ST)
  Re: Browsers and Linux (SamIam)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Chris)
Subject: Re: IPChains and FTP
Date: Thu, 02 Sep 1999 19:28:19 GMT

[posted and emailed]

On Thu, 2 Sep 1999 07:24:58 -0500, "Rick Orwig" <[EMAIL PROTECTED]>
wrote in comp.os.linux.networking:

>I thought that should work too.  I had tried:
># the below 2 lines had no effect
>ipchains -A forward -p tcp -s 0.0.0.0/0 ftp -d 10.0.0.1 -j REJECT
>ipchains -A forward -p tcp -s 0.0.0.0/0 ftp-data -d 10.0.0.1 -j REJECT
>
># these two lines did nothing either
>ipchains -A forward -p tcp -s 10.0.0.1 ftp -d 0.0.0.0/0 -j REJECT
>ipchains -A forward -p tcp -s 10.0.0.1 ftp-data -d 0.0.0.0 -j REJECT
>
>ipchains -A forward -s 10.0.0.1 -d 0.0.0.0/0 -j MASQ
>ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT
>
>I also tried just putting in port 20 and 21 in above.  No dice.

Make sure your list of rules starts with a purge or else you may be adding
your firewall rules to the end of a chain that already lets everything
through.

When specifying ports, you have to remember that the outgoing port is not
necessarily the same as the destination port.  If you want to block FTP,
you block connections *TO* the FTP port because those connections could
originate from any port.

Remember that masquerading works by changing the port numbers.  Trying to
block the inbound replies may or may not work depending on where the rules
are applied relative to the demasq process.

The FTP protocol has a PASV mode (designed for masqueraded connections) in
which the default ftp-data port is not used.  Blocking it is generally a
waste of time.  If they can't connect to the FTP server's control stream
they can't request a data stream, so you can kill two birds with one stone
by simply blocking the control stream.

You do not need to include source or destination addresses of
0.0.0.0/0.0.0.0 (aka 0/0) unless you are including a port number.  If the
-s or -d options are missing, ipchains automatically uses "0/0 *".

If you specify an interface in a forwarding rule, remember that it only
matches the *OUTBOUND* interface regardless of where in the command you
place the option.  Filtering based on the inbound interface can only be
done in the input rule chain.  Although most programs (such as linuxconf)
substitute the IP address when you specify an interface, the ipchains
themselves can use hardware names in the interface specifier.  This is a
much better way to specify interfaces on machines that use DHCP as the
rules don't break when the lease is renewed under a different address.
For example, if your internet connection is on eth1 and your private
network is on eth0 using addresses 10.*.*.*, you can prevent IP spoofing
and failed masquerading by using:
ipchains -A input -s 10/8 -i eth1 -j DENY
ipchains -A output -s 10/8 -i eth1 -j REJECT
(There's no point logging a spoof attempt as the address is invalid
anyway, but you will want to log a masq failure so you can find out where
you went wrong.)

Remember that DENY simply drops the packet on the floor, while REJECT
incurs overhead by sending back a refusal packet and optionally logging
the rejection.

Try the following to block FTP requests from 10.0.0.1 while allowing
everything else:

ipchains --policy forward DENY
ipchains --flush forward
ipchains -A forward -p tcp -s 10.0.0.1 -d 0/0 ftp -j REJECT
ipchains -A forward -s 10.0.0.0/8 -j MASQ

Caveat: Many "warez" ftp and www sites use non-standard ports to prevent
easy discovery.  If your user on 10.0.0.1 is connecting to a warez site,
there may be no port-specific way of blocking him.  In such cases, the
only policy that works effectively is a scorched earth policy that blocks
everything EXCEPT whatever ports you deem necessary, such as:

ipchains --policy forward DENY
ipchains --flush forward
# allow standard connections from 10.0.0.1
ipchains -A forward -p tcp -s 10.0.0.1 -d 0/0 smtp -j MASQ
ipchains -A forward -p tcp -s 10.0.0.1 -d 0/0 pop3 -j MASQ
ipchains -A forward -p tcp -s 10.0.0.1 -d 0/0 www -j MASQ
ipchains -A forward -p tcp -s 10.0.0.1 -d 0/0 https -j MASQ
ipchains -A forward -p tcp -s 10.0.0.1 -d 0/0 telnet -j MASQ
# block all other connections from 10.0.0.1
ipchains -A forward -p tcp -s 10.0.0.1 -d 0/0 -j DENY
# allow all other connections from the 10.* subnet
ipchains -A forward -s 10.0.0.0/8 -j MASQ

Have fun.

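Added example, not part of the original thread: a small Python model of the ipchains forward chain (rules tried in order, first match decides, otherwise the chain policy) that replays the rules as originally posted against the rules suggested in the reply, for a constructed client SYN from 10.0.0.1 to an FTP server at 192.0.2.10. The service-name table, the packet and the "stale chain" case are assumptions; the model shows why rules keyed on source port 21 never see the client's connection, why the rule on destination port 21 does, and what happens when the new rules are appended without a flush.

```python
from ipaddress import ip_address, ip_network

# Constructed subset of /etc/services covering the names used in the thread.
SERVICES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110, "https": 443}

def net(spec):
    # ipchains shorthand: '10/8' -> 10.0.0.0/8, '0/0' -> anything, a bare address -> /32 host
    addr, _, bits = spec.partition("/")
    return ip_network(".".join((addr.split(".") + ["0"] * 4)[:4]) + "/" + (bits or "32"), strict=False)

def parse_rule(words):
    # Option words after 'ipchains -A forward' -> rule dict; '-p tcp' is skipped, all sample packets are TCP.
    r, i = {"src": "0/0", "sport": None, "dst": "0/0", "dport": None, "target": "ACCEPT"}, 0
    while i < len(words):
        flag, i = words[i], i + 1
        if flag in ("-s", "-d"):
            key = "src" if flag == "-s" else "dst"
            r[key], i = words[i], i + 1
            if i < len(words) and not words[i].startswith("-"):   # optional port after the address
                r[key[0] + "port"], i = SERVICES.get(words[i]) or int(words[i]), i + 1
        elif flag == "-j":
            r["target"], i = words[i], i + 1
    return r

def matches(r, p):
    return (ip_address(p["src"]) in net(r["src"]) and ip_address(p["dst"]) in net(r["dst"])
            and r["sport"] in (None, p["sport"]) and r["dport"] in (None, p["dport"]))

def build_chain(cmds):
    # Replay ipchains commands on an empty forward chain; returns (policy, rules).
    policy, rules = "ACCEPT", []
    for cmd in cmds:
        t = cmd.split()
        if t[1] in ("-P", "--policy"):
            policy = t[3]
        elif t[1] in ("-F", "--flush"):
            rules.clear()
        elif t[1] == "-A":
            rules.append(parse_rule(t[3:]))
    return policy, rules

def verdict(chain, p):
    # ipchains semantics: rules are tried in order, the first match decides, otherwise the policy.
    return next((r["target"] for r in chain[1] if matches(r, p)), chain[0])

def ftp_block_verdicts():
    # Constructed client SYN from 10.0.0.1 to an FTP server: rules as posted, corrected rules, and corrected rules appended without a flush.
    syn = {"src": "10.0.0.1", "sport": 1035, "dst": "192.0.2.10", "dport": 21}
    posted = ["ipchains --flush forward",
              "ipchains -A forward -p tcp -s 0.0.0.0/0 ftp -d 10.0.0.1 -j REJECT",  # source port 21: replies only
              "ipchains -A forward -p tcp -s 10.0.0.1 ftp -d 0.0.0.0/0 -j REJECT",  # source port 21 again
              "ipchains -A forward -s 10.0.0.1 -d 0.0.0.0/0 -j MASQ"]
    fixed = ["ipchains --policy forward DENY", "ipchains --flush forward",
             "ipchains -A forward -p tcp -s 10.0.0.1 -d 0/0 ftp -j REJECT",         # destination port 21
             "ipchains -A forward -s 10.0.0.0/8 -j MASQ"]
    stale = ["ipchains -A forward -s 10.0.0.0/8 -j MASQ", fixed[0]] + fixed[2:]     # no flush: old rule first
    chains = {n: build_chain(c) for n, c in (("posted", posted), ("fixed", fixed), ("stale", stale))}
    out = {n: verdict(ch, syn) for n, ch in chains.items()}
    out["fixed_www"] = verdict(chains["fixed"], dict(syn, dport=80))   # everything else still masqueraded
    return out
```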

------------------------------

From: Bernard Fay <[EMAIL PROTECTED]>
Subject: Problem to reach 100Mbps with 3C905B-TX
Date: Thu, 02 Sep 1999 15:11:36 -0400

I have a 100Mbps network card that works at 10Mbps. I compiled the
kernel with the appropriate driver but still only 10Mbps. I checked the
cable and all the hardware around the computer and it is all correct. Does
someone have an answer for this problem? I guess I did something wrong
while I configured the kernel for compilation but I cannot find what.

I use SuSE 6.0 on an IBM 300GL.

Thank you!
Bern


------------------------------

From: [EMAIL PROTECTED]
Subject: VPN and IP MASQ
Date: Thu, 02 Sep 1999 18:50:54 GMT

I am trying to connect to my company's VPN through a RH 6.0 box with IP
masquerade set up.  The VPN firewall expects all connection requests,
and possibly subsequent communication to come FROM port 500.

How can I tell ipchains to use a specific port when it connects to a
specific host?

Ross



------------------------------

From: "Ted Mead" <ted.mead at westgroup.com>
Crossposted-To: comp.os.ms-windows.networking
Subject: Re: Home network and cable modem
Date: Thu, 2 Sep 1999 15:34:17 -0400

Steven,

Maybe I can help.  I have a setup that I believe is what you are looking
for, although I am new to the Linux/UNIX world, so I have stumbled through
it and may not be able to give you exact clear directions.

First thing.  I have my new Linux box act as a gateway for the home network
of six Windows boxes.  The Linux box has two network cards in it.  I do not
try to access the cable modem directly from the Windows boxes - they go
through the Linux box using a technique called IP-Masquerading.

One of my network cards in the Linux box attaches to the cable modem.  I
have the cable company provide me my IP address automatically via DHCP.  I
have software that I had to install and compile to get me to log onto the
cable access.

The second network card is attached to my internal hub.  It happens to be a
3-Com 8 port 10 Mbps hub, but that is irrelevant.  This is now a private
network.  There is a range of addresses set aside specifically for private
networks.  I don't recall the upper end of the range, but it starts at
192.168.0.x.  Personally I started at the bottom.  All of my machines start
with that IP address.  As this is considered to be a class C network, the
subnet mask is 255.255.255.0.

First step is getting the Linux box to talk to the internet through the
first ethernet card.  I installed Red Hat 6.0 -- installed everything and
still have the default kernel (now I am letting on what a wimp I am...).
Everything that you need is installed and running with that configuration.

Next step is to get your internal network running.  Set your IP address for
the server and the other PC to say 192.168.0.1 and 192.168.0.2.  If your
second box is a Windows box be sure to have TCP/IP installed.  Do not use
NetBEUI for your networking protocol; it will cause you problems when you go
to install Samba.

Set your Gateway in the Windows machine to the server IP (192.168.0.1) and
the DNS server to the DNS server of your cable company.

Then on the Linux box put the commands:

    ipchains -P forward DENY
    ipchains -A forward -i eth0 -j MASQ

assuming that eth0 is the ethernet network card attached to the cable modem.

Unless I have forgotten something, the Windows machine should now be able to
access the internet, through the Linux box at the same time as the Linux
box.  As you add additional PCs to the internal network, they will also have
concurrent access.  Very cool.

Hope this helps.  Having just spent weeks getting it set up I sympathize
with you.

Ted

Dan Garthwaite wrote in message ...
>Depends on the hub, some have a switch or a dedicated port that handles
>the pin switching.
>
>hac wrote in message <[EMAIL PROTECTED]>...
>>Steven D. Nakhla wrote:
>>>
>>> I recently signed up for cable modem service.  Now, we have 2 computers,
>>> so I ordered an extra IP address for the other, and attempted to set up a
>>> network so the other computer could have access.  The other computer
>>> uses only Win98 and my computer uses Win98, Linux, and Solaris.
>>>
>>> I bought the Intel InBusiness 5-Port 10 Mbps hub for our network.  I was
>>> told to plug the cable modem into the uplink port on the hub.  However,
>>> the hub doesn't have an uplink port.  It has only 5 standard ethernet ports.
>>> So, using a crossover cable, I plugged the cable modem into one of the
>>> ports, and the other 2 computers into the next 2 ports.  I am able to
>>> access the internet through either computer.  The problem is, I can't use
>>> both at the same time.  Is this common?  Whenever I try and access the
>>> internet when the other computer is on, I get network errors.  How can I
>>> set it up so that both computers can access the internet at the same time?
>>>
>>> Could it be a problem with how I have the hub set up?  Has anyone had
>>> experience with this hub?  I could REALLY use any help that you all could
>>> give me in setting this up.  Thanks!
>>>
>>There have been many reports of the MSOs failing to configure the
>>modems to use two IPs at the same time.  Your trouble sounds a lot
>>like the other reports.  Call and have them reconfigure the modem.
>>
>>--
>>Howard Christeller  Irvine, CA   [EMAIL PROTECTED]
>
>



------------------------------

From: "Doug Giddens" <[EMAIL PROTECTED]>
Subject: Re: sendmail win98
Date: Thu, 2 Sep 1999 14:46:22 -0500

Try this:
Put the name of each win98 machine in the /etc/hosts file with its IP,
i.e.:
"name of win98 machine"        "ip of win98 machine"
Leave off the quotation marks.

Also see http://www.sendmail.org/tips/relaying.html
--
Witty signature awaiting software upgrade

Holger Bunkradt <[EMAIL PROTECTED]> wrote in message
news:7qm464$2ck$[EMAIL PROTECTED]...
> Hi,
> sendmail on my server works fine; if I try to use Outlook on my win98
> client I get an error, and in my mail log from Linux this is written:
>
> Sep  2 16:56:45 svhb02 sendmail[6788]: QAA06788: ruleset=check_rcpt,
> arg1=<[EMAIL PROTECTED]>, relay=wkshb01.bunkradt.de [192.168.12.8],
> reject=550 <[EMAIL PROTECTED]>... Relaying denied
> Sep  2 16:56:45 svhb02 sendmail[6788]: QAA06788:
> from=<[EMAIL PROTECTED]>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP,
> relay=wkshb01.bunkradt.de [192.168.12.8]
> Sep  2 16:56:45 svhb02 popper[6790]: Stats: holger 0 0 0 0
>
> Who can help me?
>
> regards
> Holger Bunkradt
>
>



------------------------------

From: Chris Salin <[EMAIL PROTECTED]>
Subject: Re: Problem to reach 100Mbps with 3C905B-TX
Date: Thu, 02 Sep 1999 14:51:05 -0500

The card itself is what switches between Tx speeds.  The kernel *shouldn't*
be the culprit.  Although the module can be set manually to a certain speed
(10/100, Full/Half Duplex), it's usually auto sensing by default.
Here are some basic questions (I don't mean to insult anyone):
Are you sure your hub handles 100Mb?
How about the other cards you're talking to?
How did you determine your actual transfer rate?

Chris Salin

Bernard Fay wrote:

> I have a 100Mbps network card that works at 10Mbps. I compiled the
> kernel with the appropriate driver but still only 10Mbps. I checked the
> cable and all the hardware around the computer and it is all correct. Does
> someone have an answer for this problem? I guess I did something wrong
> while I configured the kernel for compilation but I cannot find what.
>
> I use SuSE 6.0 on an IBM 300GL.
>
> Thank you!
> Bern


------------------------------

From: "Kamil Kube" <[EMAIL PROTECTED]>
Subject: Internet router problems
Date: Thu, 2 Sep 1999 18:16:37 +0200

Hello,

I am having problems setting up our Linux router. We are using SuSE Linux
version 6.1. The following already works:

- the Linux machine can already connect to the Internet. Connection setup
and teardown work very well.
- the Linux machine is already integrated into our LAN. I can ping it without
problems, and the Linux machine already reaches the other clients with ping
as well.
- The SuSE kernel update for masquerading has already been installed.

The Linux machine has the following interfaces:

eth0    192.168.10.50    255.255.255.0
ippp0    192.168.0.99    255.255.255.255

Here is the excerpt from the "route -n" command:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
192.168.10.50   0.0.0.0         255.255.255.255 UH    1      0        0 dummy0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.99    0.0.0.0         UG    0      0        0 ippp0

The problem that now arises is the following: when I try to get onto the
Internet from one of the clients, the Linux machine does bring up a
connection to the Internet, but the corresponding client receives no data
(we are using Windows 98 clients).

Perhaps it is because I get the following error message when the Linux
machine boots:

/sbin/init.d/masquerade: /sbin/ipchains: No such file or directory


Thanks in advance for your help.

Regards,

Kamil



------------------------------

From: Brad Smith <[EMAIL PROTECTED]>
Crossposted-To: linux.samba
Subject: Using Samba to join an NT domain.
Date: Thu, 02 Sep 1999 10:00:47 -0700
Reply-To: [EMAIL PROTECTED]

Hello, folks. I hope I can find here the solution to a problem I've been
having for some time.

I've had a good deal of experience with Samba on my home LAN (Linux and
'95) but I've never tried to fully integrate a Linux system into an NT
domain until now. 
I have my machine set up such that I am visible and can export shares to
the NT machines in the domain, but when I try to browse their shares,
the following happens:

[root@localhost /root]# smbclient -L nt-machine -U bradsmi
Added interface ip=171.71.xx.xx bcast=171.71.255.255 nmask=255.255.0.0
Got a positive name query response from 171.71.xx.xx ( 171.71.xx.xx )
Password: 
session setup failed: ERRDOS - ERRnoaccess (Access denied.)

If I try with no password or with the -N option, I see the machine
listed with no shares available and an accurate list of all the other
machines in the domain. This happens on any machine I try and they all
have shares that are accessible to the other NT machines.

My conclusion is that my machine has to be joined to the domain for this
to work.

I gave myself a computer account on the PDC and did smbclient -j
MY_DOMAIN_NAME, which gave me back a positive response but the online
status of my machine in the server manager never changed and smbclient
still fails to browse any shares.

My smb.conf has WORKGROUP set to my domain, security=domain and there is
no hosts_allow entry so everyone should be able to connect.

Is there something I am missing? Any help (pref. via email) would be
greatly appreciated.

--Brad

------------------------------

From: [EMAIL PROTECTED] (ST)
Subject: Re: Problems with SMC EtherPower II
Date: Thu, 02 Sep 1999 20:35:06 GMT

Not sure if this is related to your problem or not, but I had a hell of a 
time with my EtherPower II card.  It took me forever to figure out that I 
had to shut the machine off (and unplug it from the wall) if I switched 
between windoze and linux.  

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...
> I recently upgraded my kernel to 2.2.10 (from 2.0.36), and since doing
> so, I have been unable to get my Etherpower II working.  If anybody
> has any suggestions where I go from here, I would be most grateful!
> 
> I'm using version 1.06 of the driver, and am trying to connect it to a
> 10baseT link; to this end I am using the options
>   debug=6 options=4 full_duplex=0
> to the module.
> 
> The card appears to be correctly detected at startup:
> 
> $ dmesg
> ...
> epic100.c:v1.06 2/10/98 Donald Becker http://cesdis.gsfc.nasa.gov/linux/drivers/epic100.html
> eth0: SMSC EPIC/100 83c170 at 0xe800, IRQ 11, 00:e0:29:33:f3:b6.
> eth0: EEPROM contents
>  e000 3329 b6f3 1b00 001d 1c08 10b8 a015 0000 0000 0000 0000 0000 0000 0000 0000
>  0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
>  0010 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4d53 3943 3334 4232
>  5854 2020 0000 0000 0200 0200 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
> eth0: MII transceiver #3 control 3000 status 7809.
> eth0:  Autonegotiation advertising 01e1 link partner 0001.
> eth0: Setting half-duplex based on MII xcvr 3 register read of 0001.
> eth0: epic_open() ioaddr e800 IRQ 11 status 0512 half-duplex.
> ...
> 
> eth0: Media monitor tick, Tx status 00000000.
> eth0: Other registers are IntMask 13bf IntStatus 248000 RxStatus ffff007f.
> eth0: Media monitor tick, Tx status 00000000.
> eth0: Other registers are IntMask 13bf IntStatus 248000 RxStatus ffff007f.
> ...
> 
> However I find that no packets are received transmitted without
> error.  The following error occurs on packet transmission:
>   eth0: Transmit error, Tx status 00007000.
> 
> epic-diag reports the following:
> 
> richards:epic# ./epic-diag -a
> Found SMC83C170 EPIC/100 card #1 at 0xe800.
> The EPIC/100 chip appears to be active, so some registers will not be read.
> To see all register values use the '-f' flag.
> EPIC chip registers at 0xe800

------------------------------

From: SamIam <[EMAIL PROTECTED]>
Crossposted-To: alt.os.linux,comp.os.linux.setup
Subject: Re: Browsers and Linux
Date: Thu, 02 Sep 1999 15:49:48 -0500

Try downloading 4.61.  I have Mandrake and it also ships with 4.6. 
Netscape crashed on me like 5 times in the first half hour I was using
it so I downloaded and installed 4.61.  After a couple of days use, it
hasn't crashed on me yet and it seems much more efficient (a little
faster).  

Sam

Ian Clarke wrote:
> 
> > Which browser can I use with Linux?
> 
> I use Netscape 4.6 on RedHat 6.0, however it is *very* buggy, much more
> so than the Windows versions.  Most of the Linux community is eagerly
> awaiting Mozilla (www.mozilla.org) which you can already download, but
> which is still a little rough around the edges.  Some months ago I did
> get sick of Netscape and started using Lynx (http://www.lynx.org/) but I
> couldn't bear the text interface - that is not what the web is about!
> Also, I found the usage of arrow keys in Lynx to be really irritating
> (one minute you are using <- and -> to move around a text field, but if
> you go too far you suddenly move to a different page).
> 
> KFM (http://www.kde.org/) also includes a web browser, but it is not as
> full-featured as Netscape.
> 
> Ian.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.networking) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Networking Digest
******************************
