Fox,
Bless you! The info you gave me re: pppd did the trick! YIPPEE!
In the beginning, I was using Roaring Penguin's PPPoE GUI to connect, then figured out how to use the xDSL setup in RH 7.2, but now I R A TRUE LINUX USER, cuz I can do it myself!
I'll start working up the stronger firewall rules posthaste (now that I actually have something to worry about losing!).
Thanks so much for the help!
Nitewing '98
Fuzzy Fox wrote:
Nitewing 98 <[EMAIL PROTECTED]> wrote:
> Attached are my iptable rules and listings of my ifconfig and netstat
> output.
The most useful output from iptables is with the "-L -n -v" switches.
This keeps things to IP numbers, easier to read, and adds the extra
information needed to reconstruct the rules.
Or even better might be to simply supply the script that you are using
to build your rules.
> In the netstat listing, the last entry points all 0.0.0.0 requests to
> 192.168.0.1 and I think it should be pointing to the IP of my external
> NIC (gotten via DHCP and DSL). How can I fix this?
Your DSL must be using PPPoE, because your eth0 has no IP address, and
you have a ppp0 interface. That means your IP and such are being given
to you via PPP protocol, not DHCP.
The pppd daemon has a "defaultroute" option which you will find handy. When pppd negotiates the connection with the remote, it will add a
default route that points to the correct gateway as told to it by the
PPP server on the other end. Make sure that your network config does
NOT specify a default gateway on its own, because pppd won't overwrite
an existing default.
Once you've got correct routing set up, then you're in a position to set
up correct masquerading.
Oh, when you are using PPPoE, you will run into an unfortunate problem
involving MTU sizes. Your ppp0 interface has an MTU of 1492, which is
slightly less than the ethernet default of 1500. Your masqueraded
machines will try to send and receive full-size 1500 byte frames, and
will fail when they try to connect to certain misconfigured firewalls
out on the net (and there are a lot of them). This will show itself as
being able to browse to some sites without trouble, while others just
hang completely without ever finishing opening the page.
You can fix this by adding some mangle rules that modify the TCP MSS size
of outgoing transfers. You will also need to modify incoming TCP MSS's
if you are allowing traffic in, but that is not typical.
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
I notice that your INPUT chain has no limits and defaults to ACCEPT.
This is a very open configuration, and will allow hackers to try (and
perhaps succeed) in cracking into your firewall box. You should try to
close this down.
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere
> LOG all -- anywhere anywhere LOG level warning
Since you didn't supply -n and -v, it's hard to tell exactly what these
rules are doing. However, these are POLICY rules, that don't actually
cause any traffic to be masqueraded, so they only allow or deny traffic.
And my guess is that they are okay: Allow any traffic to forward out
from the internal net, and allow related and established connections to
return back in.
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- anywhere anywhere
This looks like an overly-simple rule that masquerades anything going
any direction. That's not a great idea, because it allows outside users
to masquerade IN to your network. Of course, the forwarding policy
above might stop it, but still.
I'll see if I can pare down my configuration to essentials and show you
what you need to do.
First, PPP:
/etc/ppp/options:
asyncmap 0
noipdefault
defaultroute
user (YOUR USERNAME HERE)
lcp-echo-interval 30
lcp-echo-failure 4
persist
pty 'pppoe -I eth0 -T 300'
/etc/ppp/pap-secrets:
"YOUR USERNAME" * "YOUR PASSWORD"
Given this configuration, all you have to do to start up your PPPoE link
is to just run "ifconfig eth0 up" and then run "pppd". The daemon will
do its best to keep the connection up and running 24x7.
Next, input policy:
INTERNAL="eth1"
# IP traffic from the DSL side arrives on the ppp0 link that pppd brings up;
# eth0 only carries the raw PPPoE frames underneath it and never sees IP
# packets, so the external interface for iptables purposes is ppp0, not eth0.
EXTERNAL="ppp0"
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INTERNAL -j ACCEPT
# Only replies to connections the firewall box itself opened come in from outside.
iptables -A INPUT -i $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix INPUT:
And forwarding policy:
iptables -P FORWARD DROP
# The internal net may open anything outbound; only replies are forwarded back in.
iptables -A FORWARD -i $INTERNAL -o $EXTERNAL -j ACCEPT
iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -m state \
--state ESTABLISHED,RELATED -j ACCEPT
And NAT policy:
# Masquerade only the internal net, and only on the way out the PPPoE link.
iptables -t nat -A POSTROUTING -o $EXTERNAL -s 192.168.0.0/24 -j MASQUERADE
And TCP/MSS policy:
# Clamp the MSS in forwarded SYNs so segments fit the 1492-byte ppp0 MTU.
iptables -t mangle -A FORWARD -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu
And finally some network tweaks:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
Does anyone see anything wrong with the simple setup I've described here?
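One way to check a rule set for the three problems Fox points out above (an INPUT policy of ACCEPT, a MASQUERADE rule with no interface or source restriction, and no MSS clamp), as an added example that is not part of the thread: it reads an iptables-save dump on stdin, and the two dumps embedded here are constructed to mirror the open listing and the corrected rules rather than taken from either poster.

```shell
#!/bin/sh
# Constructed iptables-save dumps (not the poster's real output): the first mirrors
# the open configuration in the thread, the second mirrors the corrected rules.
OPEN_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT'
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'
# audit_rules: read an iptables-save dump on stdin and print one line per problem
# the thread calls out: open INPUT policy, unrestricted MASQUERADE, missing MSS clamp.
audit_rules() {
    awk '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && /^:INPUT ACCEPT/ {
        print "INPUT policy ACCEPT: the firewall box itself accepts anything" }
    table == "nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ {
        if ($0 !~ /-o /) print "MASQUERADE without -o: traffic entering from outside is masqueraded too"
        if ($0 !~ /-s /) print "MASQUERADE without -s: any source network gets masqueraded" }
    /-j TCPMSS/ { clamp = 1 }
    END { if (!clamp) print "no TCPMSS clamp: 1500-byte frames behind a 1492 MTU PPPoE link will stall" }'
}

# count_findings: number of problems in the dump passed as $1 (0 means clean).
count_findings() {
    printf '%s\n' "$1" | audit_rules | wc -l | tr -d ' '
}

printf '%s\n' "$OPEN_RULES" | audit_rules   # prints the four findings
```

On a live box, `iptables-save | audit_rules` runs the same checks against the loaded rules.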
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
