Chi Lok Leung <[EMAIL PROTECTED]> wrote:
>
> But now, I'm at another place and I need to setup a masq server using
> a 33.6k modem (instead of a cable modem).
That's almost exactly what I'm doing here. It's pretty simple, once you
get all the pieces together.
> The IP will be randomly assigned, and I want the masq server to dial
> out whenever a user behind the masq server needs a connection to the
> internet, and then hang up after 5 mins of inactivity.
Okay, setting up dynamic dial-up with a dynamic IP requires some
trickery. But I'll show you how I do it.
First, pppd setup:
/etc/ppp/options:
/dev/ttyS0
115200
crtscts
asyncmap 0
deflate 15
bsdcomp 15
mtu 1500
mru 1500
modem
lock
defaultroute
demand
idle 300
holdoff 30
user your-user-name
remotename name-of-your-isp
192.168.127.1:192.168.128.1
ipcp-accept-local
ipcp-accept-remote
connect "chat -v '' ATD999-8888 CONNECT"
/dev/ttyS0 - is the serial port that the modem is on.
115200 - is the baud rate. You want it to be a lot larger than the
baud rate the modem will use, so that compression will work.
defaultroute - means to make the default route point to the ppp0
interface that gets created. DO NOT make your own default
route; let pppd create it for you.
demand - the magic keyword that causes the ppp0 interface to be
created, and traffic routed through it, but does *not* cause the
phone line to be picked up. When traffic attempts to pass over
the ppp0 interface, only *then* will the line be brought up.
It's cool.
idle 300 - if the ppp0 interface sees no packets for this many
seconds (5 minutes), the line will be brought down (hangup).
holdoff 30 - the line will be forced to stay hung-up for 30 seconds,
then the line will be brought back up, next time there is
traffic trying to go out.
your-user-name - insert the name that you login as, at your ISP.
name-of-your-isp - this can be any short name you desire; it doesn't
need to match anything, except the entry in the following file.
192.168.127.1:192.168.128.1
ipcp-accept-local
ipcp-accept-remote - these are the really magical lines that make
pppd do demand-dialing with a dynamic IP address. Basically,
the ppp0 interface has to be configured initially in order for
it to be brought up and listen for outgoing traffic. But, it
needs an IP address in order to do that. So, we make up some IP
addresses; make sure they do not match any real IPs on your
LAN. Then, the "ipcp-accept" options tell the daemon that it
should accept whatever IP address the ISP gives you, whenever
you connect. It works.
connect "chat -v '' ATD999-8888 CONNECT" - this is my incredibly
simple chat script, that just dials the phone and waits for
connect. It is almost certain to work with any ISP out there,
because it's what Microsoft does when they dial up. :)
/etc/ppp/pap-secrets:
your-user-name name-of-your-isp your-password
This file contains your password information. WARNING: pppd
will IGNORE this file, and WILL NOT TELL YOU, if the file has
permissions other than 600! You must do this:
chmod 600 /etc/ppp/pap-secrets
or the file won't work, and you won't know why!
The user-name and isp-name need to match what was given in the
"options" file.
With this setup, you should have dynamic-IP, dynamic-dialup PPP.
Try it!
Now the next step is configuring your firewall and MASQ. I have
concocted my own set of rules that seem to work well for me. What I
like most about them is that they do not require knowledge of the IP
address chosen for the ppp0 interface, so they continue to work no
matter whether the link is up or down.
/etc/rc.d/rc.firewall:
#!/bin/sh
PATH=/bin:/usr/bin:/sbin:/usr/sbin
# Set my drop method, either DENY or REJECT.
DROP=REJECT
# Set up masquerading
ipchains -F forward
ipchains -P forward $DROP
ipchains -A forward -j MASQ -i ppp+
ipchains -A forward -j ACCEPT -i eth+
ipchains -A forward -j $DROP -l
The above rules will masquerade any traffic leaving through the "ppp"
interface, and forward any traffic between ethernet cards. My firewall
happens to be my network router; if yours isn't, remove the ACCEPT line
above; you don't need or want it.
# Set masquerade timeouts for idle connections (tcp, tcp-fin, udp)
# Active TCP = 4 hours (14400 sec)
# Finished TCP = 30 sec
# UDP (any) = 5 min (300 sec)
ipchains -M -S 14400 30 300
# Use output rules to modify Type-Of-Service fields in some packets.
# -t 0x01 0x10 = Minimum Delay
# -t 0x01 0x08 = Maximum Throughput
# -t 0x01 0x04 = Maximum Reliability
# -t 0x01 0x02 = Minimum Cost
ipchains -F output
ipchains -P output ACCEPT
ipchains -A output -p tcp -b -s 0/0 21:23 -t 0x01 0x10
ipchains -A output -p tcp -b -s 0/0 20 -t 0x01 0x08
ipchains -A output -p tcp -b -s 0/0 80 -t 0x01 0x08
ipchains -A output -p tcp -b -s 0/0 119 -t 0x01 0x08
ipchains -A output -p udp -t 0x01 0x04
# Set up input filters (firewall).
ipchains -F input
ipchains -P input $DROP
# Allow any traffic at all to occur on the local interfaces.
for interface in lo eth+
do
ipchains -A input -j ACCEPT -i $interface
done
# Set up rules to keep people from spoofing my local IP addresses.
for net in 127.0.0.0/8 192.0.2.0/24
do
ipchains -A input -l -j $DROP -s $net
ipchains -A input -l -j $DROP -d $net
done
# Allow some "friendly" networks to connect.
ipchains -N Friendly
ipchains -F Friendly
for ip in 1.2.3.0/24 4.5.6.0/24
do
ipchains -A input -j Friendly -s $ip
done
for port in 21:23
do
ipchains -A Friendly -j ACCEPT -p tcp -d 0/0 $port -y -l
done
ipchains -A Friendly -j ACCEPT -p icmp -s 0/0 8 -l # Ping!
These rules allow certain traffic from "trusted" networks. This lets
me, for instance, telnet in from my workplace. Be sure to put the
correct IP information in, above.
This configuration allows only telnet, ftp, ssh, and ping traffic.
# Okay, no more mister nice guy. Close off everything except a few
# known services.
# TCP services allowed:
ipchains -A input -j ACCEPT -p tcp -d 0/0 25
ipchains -A input -j ACCEPT -p tcp -d 0/0 80
ipchains -A input -j ACCEPT -p tcp -d 0/0 113
I allow mail delivery because my machine is an MX host for my domain.
My box will run a web server, someday, so I allow web traffic in, too.
A dynamic IP won't find these useful, so remove port 25 and 80 above.
I also allow "ident" traffic because it lets IRC and sendmail do their
job better.
# TCP services not allowed:
ipchains -A input -j $DROP -p tcp -d 0/0 1080 -l
I realized that my rules were allowing outside networks to contact my
SOCKS server, so this rule rejects it.
# Allow some TCP traffic in "safe" port ranges, so that
# protocols like FTP and ICQ will work:
ipchains -A input -j ACCEPT -p tcp -d 0/0 1024:5999 -y -l
ipchains -A input -j ACCEPT -p tcp -d 0/0 8000: -y -l
# Allow returning TCP connections to proceed.
ipchains -A input -j ACCEPT -p tcp ! -y
# UDP services allowed:
ipchains -A input -j ACCEPT -p udp -d 0/0 53
My machine is a public name server, so I have to allow queries to reach
it. Your machine probably isn't, so you don't want this.
# UDP replies that I want to hear:
ipchains -A input -j ACCEPT -p udp -s 0/0 53 # DNS
ipchains -A input -j ACCEPT -p udp -s 0/0 123 # NTP
ipchains -A input -j ACCEPT -p udp -s 0/0 4000 # ICQ
ipchains -A input -j ACCEPT -p udp -d 0/0 61000: # Masq
You almost certainly want DNS traffic to be received, but NTP you might
not care about. The last entry allows any UDP replies from masq'd
clients, which helps games out.
# ICMP messages allowed:
for msg in 0 3 4 11
do
ipchains -A input -j ACCEPT -p icmp -s 0/0 $msg
done
Unscrupulous people out there might be able to throw ICMP messages at
your server to screw up the route table. So I only allow specific ICMP
messages to be received, such as echo-reply, dest-unreach, and
time-exceeded. This lets ping and traceroute work properly.
# Log anything else, and drop it.
ipchains -A input -j $DROP -l
This rule is quite substantial, because the above rules are rather
specific about what they allow, so anything else, including ping
requests, IGMP, and other weird protocols just get dropped. That's what
you probably want. It's a firewall, right? :)
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Masq won't work unless you allow forwarding, of course.
# Enable dyn-ip
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
Dynamic IPs work better when you enable this setting, which lets
sockets re-bind to the new address whenever it changes. Trust me, it's
better this way. :)
That's all I can think of for setting up with a dynamic IP and PPP and
MASQ. If there are any questions or problems with the above, let me
know.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Just about every computer on the market
sometimes known as David DeSimone || today runs Unix, except the Mac (and
http://www.dallas.net/~fox/ || nobody cares about it). -- Bill Joy '85
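An added example, not part of the post above and not Fuzzy Fox's code: a small Python model of the rc.firewall "input" chain, using ipchains first-match semantics (the first matching rule's target decides; a jump to a user-defined chain such as Friendly returns to the calling chain when nothing in it matches). The friendly networks 1.2.3.0/24 and 4.5.6.0/24 and the anti-spoof net 192.0.2.0/24 are the placeholders from the post, the rule labels are mine, and the sample packets are constructed. Running it shows which rule a given packet hits, which is the question you want answered before trusting a ruleset like this on a dial-up gateway.

```python
"""Model of the post's ipchains 'input' chain with first-match semantics (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DROP = "REJECT"                                # the post's $DROP choice
FRIENDLY_NETS = ["1.2.3.0/24", "4.5.6.0/24"]   # placeholders, exactly as in the post
SPOOF_NETS = ["127.0.0.0/8", "192.0.2.0/24"]   # as in the post


@dataclass
class Packet:
    iface: str              # interface the packet arrived on: "ppp0", "eth0", "lo"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP SYN without ACK, i.e. what ipchains "-y" matches
    icmp_type: int = -1     # ipchains writes the ICMP type in the "-s 0/0 <type>" slot


Rule = Tuple[str, str, Callable[[Packet], bool]]   # (target, label, matcher)


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def tcp_to(lo: int, hi: Optional[int] = None, syn_only: bool = False) -> Callable[[Packet], bool]:
    """Match TCP to a destination port or range; syn_only mirrors '-y'."""
    hi = lo if hi is None else hi
    return lambda p: p.proto == "tcp" and lo <= p.dport <= hi and (p.syn or not syn_only)


def udp_from(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "udp" and p.sport == port


# User chain "Friendly": only reached for packets from FRIENDLY_NETS.
FRIENDLY: List[Rule] = [
    ("ACCEPT", "Friendly: ftp/ssh/telnet SYN", tcp_to(21, 23, syn_only=True)),
    ("ACCEPT", "Friendly: ping request", lambda p: p.proto == "icmp" and p.icmp_type == 8),
]

# Built-in chain "input", in the same order as the post's rc.firewall.
INPUT: List[Rule] = [
    ("ACCEPT", "local interface", lambda p: p.iface == "lo" or p.iface.startswith("eth")),
]
for net in SPOOF_NETS:
    INPUT.append((DROP, f"anti-spoof src {net}", lambda p, n=net: in_net(p.src, n)))
    INPUT.append((DROP, f"anti-spoof dst {net}", lambda p, n=net: in_net(p.dst, n)))
for net in FRIENDLY_NETS:
    INPUT.append(("Friendly", f"friendly net {net}", lambda p, n=net: in_net(p.src, n)))
INPUT += [
    ("ACCEPT", "smtp", tcp_to(25)),
    ("ACCEPT", "http", tcp_to(80)),
    ("ACCEPT", "ident", tcp_to(113)),
    (DROP, "block SOCKS 1080", tcp_to(1080)),
    ("ACCEPT", "safe range 1024:5999 SYN", tcp_to(1024, 5999, syn_only=True)),
    ("ACCEPT", "safe range 8000: SYN", tcp_to(8000, 65535, syn_only=True)),
    ("ACCEPT", "returning TCP (! -y)", lambda p: p.proto == "tcp" and not p.syn),
    ("ACCEPT", "dns query", lambda p: p.proto == "udp" and p.dport == 53),
    ("ACCEPT", "dns reply", udp_from(53)),
    ("ACCEPT", "ntp reply", udp_from(123)),
    ("ACCEPT", "icq reply", udp_from(4000)),
    ("ACCEPT", "masq udp reply 61000:", lambda p: p.proto == "udp" and p.dport >= 61000),
    ("ACCEPT", "icmp 0/3/4/11", lambda p: p.proto == "icmp" and p.icmp_type in (0, 3, 4, 11)),
    (DROP, "catch-all log+drop", lambda p: True),
]
CHAINS: Dict[str, List[Rule]] = {"input": INPUT, "Friendly": FRIENDLY}


def walk(chain: str, p: Packet) -> Optional[Tuple[str, str]]:
    """First match wins; a jump into a user chain falls through if that chain has no match."""
    for target, label, match in CHAINS[chain]:
        if not match(p):
            continue
        if target in CHAINS:
            result = walk(target, p)
            if result is not None:
                return result
        else:
            return target, label
    return None


def verdict(p: Packet) -> Tuple[str, str]:
    return walk("input", p) or (DROP, "policy")


if __name__ == "__main__":
    # Constructed sample packets arriving on the dial-up interface.
    for pkt in [
        Packet("ppp0", "tcp", "1.2.3.4", "10.0.0.1", 40000, 22, syn=True),
        Packet("ppp0", "tcp", "9.9.9.9", "10.0.0.1", 40000, 22, syn=True),
        Packet("ppp0", "tcp", "1.2.3.4", "10.0.0.1", 40000, 1080, syn=True),
        Packet("ppp0", "tcp", "9.9.9.9", "10.0.0.1", 40000, 2000, syn=True),
        Packet("ppp0", "icmp", "9.9.9.9", "10.0.0.1", icmp_type=8),
    ]:
        print(pkt.proto, pkt.src, "->", pkt.dport, pkt.icmp_type, verdict(pkt))
```

Two things the model makes visible: a friendly host hitting port 1080 falls out of Friendly and is stopped by the explicit SOCKS rule further down, and an untrusted SYN to any port in the "safe" ranges (1024:5999, 8000:) is accepted, so a service bound in those ranges on the gateway is reachable from the outside.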
_______________________________________________
Masq maillist - [EMAIL PROTECTED]