Re: [masq] It's time for: "Name that Program"

1998-12-11 Thread Chris Johnson

On Fri, Dec 11, 1998 at 09:49:55AM -0500,  wrote:
> On Fri, 11 Dec 1998, R. Argentini wrote:
> >
> >WHERE DO THEY COME FROM?
> >
> >I would like to hear all your opinions.
> >If you need more information please ask.
> >Furthermore I should tell you that I checked all the hosts on our local
> >net, and no one is misconfigured to use the above-mentioned IP address.
> >
> >Thanks.
> 
> Looks like BackOrifice to me.  To learn more about BackOrifice go to:

It's not Back Orifice. It's Windows doing NetBIOS name lookups, and is very
likely completely harmless. On my FreeBSD boxes, I see zillions of these
attempted connections to UDP 137. I don't know beans about WINS, but from what
I've read on other lists, if you set Windows NT to use WINS for DNS resolution,
or DNS for WINS resolution, or some such thing, it'll attempt to do a NetBIOS
name lookup any time it does a DNS lookup. Hence the UDP 137 packets.

Chris 
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]



Re: [masq] Port Forwarding

1998-12-06 Thread Chris Johnson

On Sun, Dec 06, 1998 at 02:07:17PM -0800, Dan wrote:
> Currently I'm running ip-masq on my Red Hat 5.2 machine, which has the
> 2.0.36 kernel. All the basics are working great so far.
> 
> I'm looking for a way to forward incoming requests to another linux box
> behind the firewall. Specifically, I'd like http, smtp and ftp requests to
> be passed to a masqueraded box.
> 
> I found something called Port Forwarding which looks appropriate. See
> http://www.ox.compsoc.org.uk/~steve/portforwarding.html for more info.
> 
> Has anyone here used Port Forwarding? The web page above has links for
> 2.0.35 patches, but nothing for 2.0.36. Any idea if the .35 patches will
> work?

I haven't seen any 2.0.36-specific patch. Why don't you try the 2.0.35 patch
against the 2.0.36 sources and let us know how it goes?

Chris



Re: [masq] Transparency proxying

1998-12-02 Thread Chris Johnson

On Wed, Dec 02, 1998 at 09:26:36AM +0800, Hongsheng Zhu wrote:
> I've checked the Squid docs carefully, but I can't find any info about
> transparency proxying. Can you be more specific?

Take a look at http://squid.nlanr.net/Squid/FAQ/FAQ-17.html. There's a whole
FAQ section on transparent proxying, with some Linux-specific stuff.

Chris



Re: [masq] Transparency proxying

1998-11-30 Thread Chris Johnson

On Sun, Nov 29, 1998 at 10:10:03PM -0600, Fuzzy Fox wrote:
> Hongsheng Zhu <[EMAIL PROTECTED]> wrote:
> >
> > ipfwadm -I -a accept -P tcp -r 3128 192.168.0.31/32 -D any/0 www
> > 
> > I think this will allow all packet from 192.168.0.31 to port 80 of
> > destination site being redirected to the port 3128 of my linux.
> 

[snip]
 
> Thus, transparent proxying does not work with a standard proxy server
> such as Squid.  Now, Squid could possibly be modified so that it does a
> getsockname() call to find out where the browser was trying to connect,
> and connect and forward the request there, but as far as I know, it has
> no such capability.

Actually, it can work. I once set up a masquerading box with Squid as a
transparent proxy. I set it up in the office of a friend of mine, and he didn't
want to have to reconfigure everyone's computer to use the proxy. We set up the
transparent proxy, and everyone was using it without knowing it.

This was, however, many months ago, and I haven't the faintest idea how we did
it. I do recall that it wasn't all that hard to do, and that the Squid docs
covered it.

One caveat is that Squid only knows the IP address you're trying to connect to,
and not the host name. So any name-based virtual hosts you're trying to connect
to won't work, just as if you were using an old browser that didn't send the
Host header. This is how I recall it working anyway; there's no reason Squid
couldn't look at the host header itself.

> I'm not even sure why you want to use transparent proxies in this
> manner, really.  Why not just tell the browser to use an HTTP proxy and
> be done with it?

ISPs want to do it, and do do it. They can save lots of bandwidth by web
caching, and they don't have to tell their users they're doing it or have them
reconfigure anything. I won't address whether this is a good thing from a
user's perspective.

Chris
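The caveat above (a transparent proxy only learns the intercepted destination IP unless it reads the Host header) as an added example; this is not Squid's code or anything from the thread. It assumes the proxy has already accepted a redirected connection and obtained the original destination via getsockname(); the sample requests are constructed.

```python
"""Upstream selection for a transparently redirected HTTP request."""
from typing import Dict, Tuple

# Constructed sample requests (not from the original thread).
REQ_WITH_HOST = (b"GET /index.html HTTP/1.1\r\n"
                 b"Host: www.example.org\r\n"
                 b"User-Agent: constructed-sample\r\n"
                 b"\r\n")
REQ_NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def choose_upstream(raw: bytes, original_dst: Tuple[str, int]) -> Tuple[str, int, str]:
    """Return (host, port, how) for the server the proxy should contact.

    original_dst is the (ip, port) that getsockname() reports on the accepted
    socket: with an ipfwadm -I ... -r redirect rule that is the address the
    browser was actually trying to reach, not the proxy's own address.
    """
    _method, _target, _version, headers = parse_request(raw)
    # A Host header names the site the browser meant, so name-based virtual
    # hosts work, exactly as with a browser explicitly configured for a proxy.
    host = headers.get("host")
    if host:
        name, _, port = host.partition(":")
        return name, (int(port) if port else original_dst[1]), "host-header"
    # No Host header (old browsers): the only thing the proxy knows is the IP
    # address it intercepted. A name-based virtual host behind that IP will
    # answer with its default site, which is the caveat described above.
    return original_dst[0], original_dst[1], "original-dst"
```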



Re: [masq] Almost there !!!

1998-11-14 Thread Chris Johnson

On Sat, Nov 14, 1998 at 10:09:27AM -0800, Bill Schoolcraft wrote:
> (I'm a machinist by trade so please excuse my mechanical thinking.)
> 
> 
> Hello,
>   I've been stumped here for a week and have been reading how every one
> has their other machines all accessing the web through one primary box
> via the IP Masq technique. (which is my dream)
> 
>   I have a Linux Red Hat 5.1 network here at home, all three boxes ping
> in any direction, no packet loss. I can also login onto the web via my
> primary box, THEN telnet from any other box here at home to the PRIMARY
> box, then to the shell account I have at the local community
> college and check my email, no problem.
> 
>   I also have no security needs per se, for this is just a home machine
> needed for web access.
> 
>   I have all the "scripts" components from "Linux Network Toolkit, by
> SERY" and when I run his ( hopefully edited correctly for my system)
> _firewall.rules_ script I get the current IP assigned to me displayed
> to me. I've kept track of these outputs and the address I get is
> different each time which is consistent with the nature of a
> dynamically assigned address.
> 
>   NOW, when I logon to my ISP, all the machinery is in place, running,
> and I've run the _firewall.rules_ script and my current IP address
> is displayed I run down the hall to my laptop, (which is the one
> running Red Hat 5.1 that I use to "hop" my primary box to check my
> shell account at the college) and go to fire up the default Red Hat
> browser Netscape 4.05 and get ZILCH.
> 
>   From a logical/machinery point of view, how does Netscape know where
> to LOOK for its opening to the Internet? 

The machines on your internal network must have the address of the masquerading
box's internal interface (192.168.7.1) set as the default gateway. This tells
them to send any network packets that are not destined for a box on the local
network to your masquerading box, which knows how to forward them where they
need to go. You didn't mention what operating system you're running on your
internal network; if it's some flavor of Windows, you'd set the default gateway
via the network control panel.

>   (question 2) Don't I have to direct Netscape (on my laptop) via its
> *preferences* to go to my 192.168.7.1 (in house primary box) to access
> the web?

No--routing happens at a lower level, and Netscape doesn't need (or want) to
know anything about it. Once you set the default gateway, all network
applications on your internal machines should be able to communicate with the
outside world.

>   I've had people tell me to try SLIRP, Apache as a proxy server etc
> but I feel I'm sooo close here. :(

If you already have a PPP or other network connection to the outside world then
there's no reason to be screwing around with SLIRP, and if you get masquerading
working you don't need a web proxy.

Chris



Re: [masq] ip masquerading and quake

1998-11-07 Thread Chris Johnson

On Sat, Nov 07, 1998 at 02:05:08PM -0800, pernod wrote:
> does anyone know if udp based games such as quake work through
> an ip masquerading setup? 

I haven't played Quake through a masquerading box, but there is a module
specifically for Quake to allow it to work. Quake II works without any module
help at all, and I've played tons of it through my masq box. I've also played
it with two computers on my local LAN connecting to a Quake II server on the
Internet, and it works fine that way too.

Chris



Re: [masq] Max load on a ipmasq?

1998-10-26 Thread Chris Johnson

On Mon, Oct 26, 1998 at 01:19:15PM +0100, Erik Rönnberg wrote:
> Hi, I have a small, but not necessarily easy question.
> 
>  I'm netadmin for a datafestival in Uddevalla/Sweden. Last year we used
> ipmasq to get the approx 400 computers out on the net. The problem was
> when the use of the gateway was high it reported that it couldn't
> allocate more sockets.
> 
>  Now the question I have is what the limits for a single ipmasq box is,
> and what hardware I have to have to run it good. And most of all, how do
> I configure the kernel to stand the load? The new party is starting
> this weekend, so I'm in kind of a hurry.

One thing you can do is to increase the number of ports available to
masquerading. You can do this in the file /usr/src/linux/include/net/ip_masq.h,
by adjusting PORT_MASQ_BEGIN and PORT_MASQ_END. Just make sure that
PORT_MASQ_END fits in a short int.

This won't help if the message you got was that it couldn't allocate more
sockets--you'd get "no free ports" (or words to that effect) if you didn't have
enough ports available to masquerading. But for a heavily used masquerading box
it's probably a good thing to do anyway.

Chris
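A toy model of the masquerade port pool discussed above, added here as an example; it is not the kernel's ip_masq code. The default range of 61000 to 61000+4096 is an assumption about 2.0-era kernels, and the flows are constructed; the point is that the pool holds exactly PORT_MASQ_END - PORT_MASQ_BEGIN ports, and running out is what produces a "no free ports" condition, which is distinct from socket exhaustion.

```python
"""Toy model of the ip_masq port pool: one masqueraded source port per flow."""
from typing import Dict, Optional, Tuple

# Assumed defaults (not values from the thread): 2.0-era ip_masq.h used
# PORT_MASQ_BEGIN 61000 and PORT_MASQ_END = PORT_MASQ_BEGIN + 4096.
PORT_MASQ_BEGIN = 61000
PORT_MASQ_END = PORT_MASQ_BEGIN + 4096

# (proto, internal src ip, src port, dst ip, dst port)
Flow = Tuple[str, str, int, str, int]


def range_problem(begin: int, end: int) -> Optional[str]:
    """Return a description of why the range is unusable, or None if it is fine."""
    if not 0 < begin < end:
        return "PORT_MASQ_BEGIN must be positive and below PORT_MASQ_END"
    if end > 0xFFFF:
        # TCP/UDP port numbers are 16 bits; anything larger wraps around.
        return "PORT_MASQ_END does not fit in a 16-bit port number"
    if begin < 1024:
        return "pool overlaps the well-known port range"
    return None


class MasqTable:
    """Map internal flows to masqueraded source ports taken from [begin, end)."""

    def __init__(self, begin: int = PORT_MASQ_BEGIN, end: int = PORT_MASQ_END) -> None:
        problem = range_problem(begin, end)
        if problem:
            raise ValueError(problem)
        self.begin, self.end = begin, end
        self.size = end - begin                 # how many concurrent flows fit
        self.table: Dict[Flow, int] = {}
        self.in_use: Dict[int, Flow] = {}

    def allocate(self, flow: Flow) -> Optional[int]:
        """Return the masqueraded port for flow, or None when the pool is empty."""
        if flow in self.table:                  # existing connection keeps its port
            return self.table[flow]
        for mport in range(self.begin, self.end):
            if mport not in self.in_use:
                self.table[flow] = mport
                self.in_use[mport] = flow
                return mport
        return None                             # the "no free ports" condition

    def release(self, flow: Flow) -> None:
        """Entry timed out or connection closed: hand the port back to the pool."""
        mport = self.table.pop(flow)
        del self.in_use[mport]
```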



Re: [masq] Dial-in user doesn't see localnet at all

1998-10-23 Thread Chris Johnson

On Fri, Oct 23, 1998 at 09:53:30AM -0400, Derek T. Murphy wrote:
> -BEGIN PGP SIGNED MESSAGE-
> 
> I have this problem: Dial-in users are forwarded/masqueraded properly to
> the WAN, but they CANNOT see the local network.  I'm _sure_ the
> fumble-fingered idiot behind my keyboard ;-) is missing something, but I
> can't figure out what.  Any ideas?
> 
> 
> The setup:
> -
> - --- |  Linux-2.0.34 |
> | dial-up |<>ppp0   |
> |static IP| |   eth0<>192.168.36.0 local network
> | address | |  192.168.36.50|
> - --- |   |
> |   eth1<>204.4.21.240 router to the "world"
> |   204.4.21.50 |
> -
> 
> On boot-up, this script DOES run:
> 
> #!/bin/sh
> # /etc/rc.d/rc.ipfwadm
> PATH=/sbin:/usr/sbin:/usr/bin:/usr/sbin
> ipfwadm -I -f
> ipfwadm -O -f
> ipfwadm -F -f
> ipfwadm -F -a accept -S 192.168.36.0/24 -D 192.168.36.0/24  -o
> ipfwadm -F -a masquerade -S 192.168.36.0/24 -D 204.4.0.0/16 -o
> ipfwadm -F -a reject -S 0.0.0.0/0 -D 0.0.0.0/0  -o
> # End of rc.inet1
> 
> When a dial-in happens, /etc/ppp/ip-up IS executed: $1 is the interface
> name, and $5 IS the dial-in user's static IP address (they all have one). 
> 
> #!/bin/sh
> # /etc/ppp/ip-up
> /sbin/ipfwadm -F -i accept -W $1 -S 192.168.36.0/24 -D $5 -o
> /sbin/ipfwadm -F -i accept -W $1 -S $5 -D 0.0.0.0/0   -o
 ^
For forwarding rules, -W specifies the interface out through which packets
should be forwarded. So by specifying -W $1 in the rule to forward the dialup
users to the Internet, you're telling it to forward the packet through the PPP
interface, rather than eth1. Try -W eth1 there and see what happens.  

Chris



Re: [masq] No Masquerade entries?

1998-10-18 Thread Chris Johnson

On Sun, Oct 18, 1998 at 10:52:18AM -0700, John Simmons wrote:
> Kernel 2.0.35
> All of the experimental and IP items are selected in the config
> 
> I've got the following entries in my rc.local file:
> 
> /sbin/ifconfig eth1 10.10.0.4 netmask 255.255.255.0 broadcast 10.10.0.0
> /sbin/route add localnet
> ipfwadm -F -p deny
> ipfwadm -F -f
> ipfwadm -F -a m -S 10.10.0.1/32 -D 0.0.0.0/0
> ipfwadm -F -a m -S 10.10.0.2/32 -D 0.0.0.0/0
> ipfwadm -F -a m -S 10.10.0.3/32 -D 0.0.0.0/0
> 
> After the system has booted up, if I run this command:
> 
>  ipfwadm -M -l
> 
> I don't get any masquerade entries listed.  Is this normal?  Am I missing
> something?

Make some kind of connection from one your masqueraded boxes, and then take a
look. ipfwadm -M -l lists only current connections. ipfwadm -F -l shows the
forwarding rules, which may have been what you meant to do.

Also, check that broadcast address--it should be 10.10.0.255.

Chris



Re: [masq] Help on Diald-0.16.5 and Ip-Masq

1998-10-15 Thread Chris Johnson

On Thu, Oct 15, 1998 at 04:23:59PM +0900, Tan Chee Weei wrote:
> I've been using IP Masquerading without problems from several clients and am
> just starting to get Diald setup to work correctly.  I've got Diald to
> correctly bring up and down the link when using a web browser on the linux
> server.  The client machines when seeking a DNS also correctly brings up the
> link.  However, web page retrievals, mail retrievals etc.  can't work from
> apps on the client..  Despite the ppp link to the ISP being brought up
> correctly, the apps can't contact the DNS. They do work however if the link
> is first brought up by an app on the linux server.  I've seen posts in the
> mail archive indicating the same problem but I've not been able to find a
> post with a solution.  The Ip-Masq and Diald docs/faqs etc. don't seem to
> address this problem directly.  At least, I can't seem to find anything that
> discusses this.  Hope someone here on the mailing list is able to provide
> some pointers or indicate a solution to my problem.  Thanks in advance.

Do you still have a -W ppp0 in your forwarding rule that sets up masquerading?
If so, that's the problem (this happened to me). Before the link comes up,
diald sets up a fake default route, and when it sees packets trying to go
through it it brings up the ppp connection. But if you're forcing your
masqueraded packets to go through ppp0, which isn't up yet, diald doesn't see
them and doesn't bring up the connection. Take out the -W ppp0 and see what
happens.

Chris



Re: [masq] IPPORTFW and UDP services?

1998-10-12 Thread Chris Johnson

On Tue, Oct 13, 1998 at 09:12:59AM +0700, Nguyen Dang Phuoc Dong wrote:
> 
> Good morning all,
> 
> I have a server program that works on UDP port 121. I want to hide it by using
> IPPORTFW installed on a machine running RH 5.1 (kernel 2.0.34) . I issued
> the following commands:
> 
> bluesky# ipfwadm -F -l
> bluesky# ipfwadm -I -l
> bluesky# ipfwadm -O -l
> bluesky# ipfwadm -F -a m
> bluesky#  ipportfw -A -t 172.16.1.2/121 -R 192.168.1.1/121
> bluesky#  ipportfw -A -t 172.16.1.2/23 -R 192.168.1.2/23
> bluesky# tcpdump
> 
> And then, I use a client program that connects to 172.16.1.2 via UDP port
> 121. It's not forwarded to 192.168.1.1. If I telnet to 172.16.1.2, it's
> forwarded to 192.168.1.2 and everything's fine. It means that IPPORTFW ONLY
> works with TCP services, right? Or is there something wrong with my
> configuration? Is there any program like IPPORTFW, but that works with UDP services?
> Thank you in advance!

You just need to change the -t to a -u in your forwarding line-- -t means
forward tcp, and -u means forward udp.

Chris



Re: [masq] [masq] help with ipportfw

1998-10-12 Thread Chris Johnson

> when I added ipportfw in my  /etc/init.d/network   I got a message
>
> vcnet# ipportfw -L
> Could not open /proc/net/ip_portfw
> Are you sure you have Port Forwarding installed?
>
> or
>
> vcnet# ipportfw -C
> ipfwadm: setsockopt failed: Protocol not available
>
> I did compile everything masquerading requires in kernel and
> installed helper modules.
>
> What could be a problem here?

Did you patch your kernel sources with the ipportfw patch and recompile
it? It sounds like port forwarding isn't compiled into your kernel.

Chris





Re: [masq] [masq] simple - mail w/ipportfw - but ???

1998-10-10 Thread Chris Johnson

On Sat, Oct 10, 1998 at 11:27:42AM -0400, rich wrote:
> 
> yes to all questions... sticky keys this morning... see below

So it's "yes" to the question "Are there error messages when you run the
ipportfw command?" What are they? And it's "yes" to the question "Is there
already something listening on port 23 on the masquerading box?" Then you can't
forward it. And is port 23 really the port you're after?

Chris

> 
> won't work = 
> 
> tcpdump shows inbound with the packet forward, but it 
> never pops out on the inside interface
> 
> 
> >> #!/bin/sh 
> >> # 
> >> ipfwadm -I -f 
> >> ipfwadm -O -f 
> >> ipfwadm -F -f 
> >> ipfwadm -F -p deny 
> >> ipfwadm -F -a m -S 123.45.0.0/16 -D 0.0.0.0/0
> >> ipportfw -C
> 
> ipportfw -A -t106.142.44.9/25 -R 123.45.1.2/25 
> 
> >

> >I assume that last line is really two lines, and that it doesn't really say
> >"-Cipportfw."
> >
> >What does "it won't [work]" mean? Are there error messages when you run the
> >ipportfw command? If not, what does ipportfw -L tell you about forwarded
> ports?
> >
> >Is there already something listening on port 23 on the masquerading box? And
> is
> >port 23 the port you mean to forward? You say you're trying to get a mail
> host
> >to work--port 23 is the telnet port. Perhaps you meant to say 25, for smtp.



Re: [masq] simple - mail w/ipportfw - but ???

1998-10-10 Thread Chris Johnson

On Sat, Oct 10, 1998 at 10:30:29AM -0400, rich wrote:
> 
> Trying to get a mail host to work behind a linux masq firewall and it won't
> -- It should be simple -- everything is compiled in and loaded, including
> forwarding, so what is wrong with this...  (assume 123.45 is class B private
> of course)
> #!/bin/sh 
> # 
> ipfwadm -I -f 
> ipfwadm -O -f 
> ipfwadm -F -f 
> ipfwadm -F -p deny 
> ipfwadm -F -a m -S 123.45.0.0/16 -D 0.0.0.0/0
> ipportfw -Cipportfw -A -t106.142.44.9/23 -R 123.45.1.2/23 

I assume that last line is really two lines, and that it doesn't really say
"-Cipportfw."

What does "it won't [work]" mean? Are there error messages when you run the
ipportfw command? If not, what does ipportfw -L tell you about forwarded ports?

Is there already something listening on port 23 on the masquerading box? And is
port 23 the port you mean to forward? You say you're trying to get a mail host
to work--port 23 is the telnet port. Perhaps you meant to say 25, for smtp.

Chris



Re: [masq] Want to divert one port to one machine.

1998-09-29 Thread Chris Johnson

On Tue, Sep 29, 1998 at 10:42:09PM -0400, Kent Quirk wrote:
> Background: our server was set up by someone who no longer works here.
> We've been using ip masquerading to provide access from several machines
> to the net with no trouble. I know enough about Linux to be dangerous,
> but I'm most definitely not a guru.
> 
> We've just installed a new server behind our Linux firewall. It's
> running one special protocol that uses one port. I'd like to make it
> available so that someone from outside can get to that machine.
> 
> I'd like to have all the packets sent to our IP address that use a
> specific port, say , get forwarded to 192.168.1.99, still using the
> same port.
> 
> I've been through the man pages for ipfwadm and ipfw, and a good chunk
> of the archives for this list. One of those messages suggested ipautofw,
> but we don't have the man page and the -? help isn't enough to clue me
> in. I can't find any trace of ipportfw on our system.
> 
> Can someone please tell me what I need to tell either ipfwadm or
> ipautofw to make this happen?

ipportfw does precisely what you're looking for, and does it very well. It's
also very easy to configure and use. You'll need a kernel patch, available from
http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html. There you'll also
find instructions on how to put it all together.

Let me know if you have any other questions.

Chris



Re: [masq] Internal address showing up outside

1998-09-24 Thread Chris Johnson

On Thu, Sep 24, 1998 at 12:34:47PM -0400, Jose M. Sanchez wrote:
> Eh, this is not "on the internet".

Eh, yes, it is. In my original message I said that on a mail server, which is
on a whole different network, connected to a whole different ISP, I typed
"netstat" and saw something like the following:

Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  mail.pop3              192.168.0.253.64816    SYN_RCVD

This means that a packet arrived at mail claiming to have an origin of
192.168.0.253. Of course it can't get past the SYN_RCVD state since the ACK
will be sent to a bogus address. And the question remains: how was a packet
claiming to have an origin of 192.168.0.253 emitted from the masquerading box?

> 
> sl0 is used PRIOR to the connection being brought up. It catches IP packets
> bound for the internet.
> 
> Diald "holds" these IP packets, dials up the ISP, then reconfigures your
> machine to use the ppp link instead. Finally the held packet(s) are
> forwarded up the PPP link.

I understand this. But in this case this mechanism isn't working properly. The
ppp link is being used, but the packets have the wrong origin address.

> 
> Nothing is wrong.
> 
> The address "appears" because you have effectively announced it to the world
> as being the address of YOUR side of the ppp link. The machine you connect
> to is the other side of the ppp link.
> 
> Type "ifconfig", before and after a connection, and you'll see that the
> P-to-P value corresponds to this...
> 
> You could have chosen practically any address, IF you allowed diald to
> dynamically grab the address the ISP gives you...

It's possible that I didn't configure something correctly, but most of the time
it does get the ISP's dynamic address and work properly. On occasion, however,
the behavior is as described above.

> 
> -JMS
> 
> -Original Message-
> From: Chris Johnson <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Date: Thursday, September 24, 1998 10:18 AM
> Subject: Re: [masq] Internal address showing up outside
> 
> 
> >On Thu, Sep 24, 1998 at 10:21:57AM -0400, Jose M. Sanchez wrote:
> >> Does this "fake slip connection" happen to correspond to the
> >> address for "sl0" when you run ifconfig?
> >
> >Yes, that's the "fake SLIP connection" I'm talking about. Why does this
> address
> >end up on the Internet?
> >
> >Chris
> >
> >-Original Message-
> >
> >> > I set up masquerading and diald on a friend's computer recently. A
> little
> >> > while ago I did a netstat on a mail server that I administer, and saw a
> >> > connection to a foreign address of 192.168.0.253. This connection was
> from
> >> > my friend's masquerading box, and 192.168.0.253 is what I used for one
> of
> >> > the addresses that diald employs for the fake SLIP connection that it
> >> > maintains when the PPP connection isn't up.
> >> >
> >> > So the question is: how the hell did a packet with that address get
> itself
> >> > out of the box? This doesn't always occur with his setup -- in fact it
> >> > normally doesn't.
> >> >
> >> > His setup is pretty generic, with minimal forwarding rules -- just the
> >> > default deny policy and the rule to masquerade his 192.168.0.0 network.
> >> > diald is set up to use 192.168.0.253 and 254 for its fake SLIP
> connection.
> >> >
> >> > The only explanation I can conceive of is that diald (or pppd) isn't
> >> > setting the local IP (which is dynamically supplied by the ISP)
> correctly
> >> > when the connection comes up, and that this may be a result of some
> >> > confusion about the fake SLIP addresses being in the same network as
> his
> >> > internal class C (this is the first time I set up diald, and this
> didn't
> >> > occur to me at the time).
> >> >
> >> > Any ideas?
> 
> 
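The netstat symptom discussed in this thread (a half-open connection whose peer is a private address that cannot be answered), turned into a check a mail-server admin could run over netstat output; this is added example code, not anything from the thread. The sample output is constructed in the BSD "addr.port" column style quoted above, with documentation-range addresses standing in for public hosts.

```python
"""Flag TCP entries on an Internet-facing host whose peer address cannot be routed back."""
import ipaddress
from typing import List, Tuple

# Constructed netstat -n style output modelled on the lines quoted in the
# thread (203.0.113.x and 198.51.100.x are documentation ranges, used here as
# stand-ins for public addresses).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  203.0.113.25.110       192.168.0.253.64816    SYN_RCVD
tcp        0      0  203.0.113.25.110       198.51.100.7.1034      ESTABLISHED
tcp        0      0  203.0.113.25.25        10.1.2.3.40000         SYN_RCVD
tcp        0      0  203.0.113.25.22        198.51.100.9.51515     ESTABLISHED
"""

# Source ranges that should never be seen as a peer on a public server:
# RFC 1918 private space, loopback, link-local and the "this network" block.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def split_addr_port(field: str) -> Tuple[str, str]:
    """'192.168.0.253.64816' -> ('192.168.0.253', '64816') for BSD-style columns."""
    host, _, port = field.rpartition(".")
    return host, port


def is_unroutable_peer(addr: str) -> bool:
    """True when addr is numeric and lies in one of the BOGUS_NETS ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False        # hostnames (netstat without -n) are not checked here
    return any(ip in net for net in BOGUS_NETS)


def flag_bogus_peers(netstat_output: str) -> List[Tuple[str, str, str]]:
    """Return (local, foreign_ip, state) for TCP entries with an unroutable peer."""
    flagged = []
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp"):
            continue            # header line, UDP, or sockets without a state column
        local, foreign, state = cols[3], cols[4], cols[5]
        peer_ip, _ = split_addr_port(foreign)
        if is_unroutable_peer(peer_ip):
            # SYN_RCVD is the expected state here: the SYN/ACK goes to an
            # address that cannot answer, so the handshake never completes.
            # What remains is to find the gateway that emitted the packet.
            flagged.append((local, peer_ip, state))
    return flagged
```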



Re: [masq] Internal address showing up outside

1998-09-24 Thread Chris Johnson

On Thu, Sep 24, 1998 at 10:21:57AM -0400, Jose M. Sanchez wrote:
> Does this "fake slip connection" happen to correspond to the
> address for "sl0" when you run ifconfig?
 
Yes, that's the "fake SLIP connection" I'm talking about. Why does this address
end up on the Internet?  

Chris

-Original Message-

> > I set up masquerading and diald on a friend's computer recently. A little
> > while ago I did a netstat on a mail server that I administer, and saw a
> > connection to a foreign address of 192.168.0.253. This connection was from
> > my friend's masquerading box, and 192.168.0.253 is what I used for one of
> > the addresses that diald employs for the fake SLIP connection that it
> > maintains when the PPP connection isn't up.
> > 
> > So the question is: how the hell did a packet with that address get itself
> > out of the box? This doesn't always occur with his setup -- in fact it
> > normally doesn't.
> > 
> > His setup is pretty generic, with minimal forwarding rules -- just the
> > default deny policy and the rule to masquerade his 192.168.0.0 network.
> > diald is set up to use 192.168.0.253 and 254 for its fake SLIP connection.
> > 
> > The only explanation I can conceive of is that diald (or pppd) isn't
> > setting the local IP (which is dynamically supplied by the ISP) correctly
> > when the connection comes up, and that this may be a result of some
> > confusion about the fake SLIP addresses being in the same network as his
> > internal class C (this is the first time I set up diald, and this didn't
> > occur to me at the time).
> > 
> > Any ideas?



[masq] Internal address showing up outside

1998-09-24 Thread Chris Johnson

I set up masquerading and diald on a friend's computer recently. A little while
ago I did a netstat on a mail server that I administer, and saw a connection to
a foreign address of 192.168.0.253. This connection was from my friend's
masquerading box, and 192.168.0.253 is what I used for one of the addresses
that diald employs for the fake SLIP connection that it maintains when the PPP
connection isn't up. 

So the question is: how the hell did a packet with that address get itself out
of the box? This doesn't always occur with his setup -- in fact it normally
doesn't.

His setup is pretty generic, with minimal forwarding rules -- just the default
deny policy and the rule to masquerade his 192.168.0.0 network. diald is set up
to use 192.168.0.253 and 254 for its fake SLIP connection.

The only explanation I can conceive of is that diald (or pppd) isn't setting
the local IP (which is dynamically supplied by the ISP) correctly when the
connection comes up, and that this may be a result of some confusion about the
fake SLIP addresses being in the same network as his internal class C (this is
the first time I set up diald, and this didn't occur to me at the time).

Any ideas?

Chris



Re: [masq] How to restrict access !

1998-09-14 Thread Chris Johnson

On Mon, Sep 14, 1998 at 07:05:02PM +1000, [EMAIL PROTECTED] wrote:
> Recently, I set up a masq box with RH5.1. Everything worked well.
> I have the following lines in my /etc/ppp/ip-up.local:
> 
> ---
> # default policy is deny.
> ipfwadm -F -p deny
> 
> # these 3 hosts will be allowed onto internet straight
> # after ppp-link is up.
> ipfwadm -F -a m -S 192.168.0.3/32 -D 0.0.0.0/0
> ipfwadm -F -a m -S 192.168.0.4/32 -D 0.0.0.0/0
> ipfwadm -F -a m -S 192.168.0.5/32 -D 0.0.0.0/0
> ---
> 
> This worked fine, all three hosts can access internet straight after.
> 
> The problem is later on, I want to deny access to 192.168.0.5, how 
> can I achieve that ? 

Use ipfwadm -F with -d, which you can use to delete the rule that gives
192.168.0.5 access.

Chris Johnson



Re: [masq] general masq setup questions

1998-09-12 Thread Chris Johnson

On Fri, Sep 11, 1998 at 09:06:59PM -0700, Harondel J. Sibble wrote:

[snip]

> and set the 486 ipmasq box with just a win98 client machine connected 
> directly to it.  The 98 box has the ip address of eth0 (192.168.1.2) as its default 
> gateway and the 98 box is assigned 192.168.1.6
> 
> I am able to use the ip addresses to ping eth0 from the 98 box and ping the 98 
> box from the linux box. 
> 
> Now I enter the rules below
> 
> ipfwadm -F -p deny
> ipfwadm -F -a m -S 192.168.1.0/24 - D  0.0.0.0/0
> 
> all the F, I, and O rules have been cleaned out previously as I was working 
> through the firewall setup chapter in Linux Network Toolkit by Paul G. Sery 
> (absolutely excellent book by the way for any new-to-Linux folks)
> 
> this sort of works as I can ping the outside world fine from the masq machine 
> and ping the 98 box also. I can even ping eth1 from the 98 box by typing its 
> dhcp assigned address. Now the problem is that I cannot get out to the net 
> from the 98 box.

It sounds like forwarding isn't enabled. See what's in the file
/proc/sys/net/ipv4/ip_forward. It should be 1. If it's 0, then do this: echo
"1" > /proc/sys/net/ipv4/ip_forward.

If that was the problem, then you can enable forwarding at boot time by making
sure the line FORWARD_IPV4=true is in the file /etc/sysconfig/network. 


Chris  



Re: [masq] DNS for the local network...

1998-09-11 Thread Chris Johnson

On Fri, Sep 11, 1998 at 09:04:50PM -0400, Justin Slootsky wrote:
> I'm doing something bad, and I'm wondering how most people deal with the issue
> 
> in my dns configuration files for slootsky.org, I define names for my local
> addresses.  I do this so that machines on my local network can find each other 
> as well as the local address for my linux box.
> 
> specifically, in my zone.slootsky.org file I have the lines...
> kenny.slootsky.org. IN  A   192.168.1.1
> angel.slootsky.org. IN  A   192.168.1.2
> girls.slootsky.org. IN  A   192.168.1.3
> 
> I'm sure (although I have no way of testing this for sure) that anybody 
> in the outside world who tries to ping angel.slootsky.org will attempt to get
> to 192.168.1.2, which will NOT end up being my machine.
> 
> How can I provide DNS resolution for my local network locally, 
> without providing this false DNS information to the rest of the world?

What I do is run a name server on my masquerading box that has the "private"
view of my domain (it doesn't have to be on your masquerading box, though). It
has all the records from my regular zone file, plus the internal private
addresses. I have all of my internal boxes use that box as a name server.

The name server that's meant for the outside world runs on a different box, and
that's the one that's registered with Internic. The box with my internal
information should never be queried by anyone on the outside (and I use BIND
8.1.2's listen-on directive so that it only listens to requests from the
internal addresses anyway).

Chris Johnson



Re: [masq] [masq] [masq] Ipportfw (WEB LOG FILES)

1998-09-11 Thread Chris Johnson

> I am using Ipportfw to forward traffic from a masq machine to an
> NT web server.  However I am looking at the logs that are generated
> and I do not see any information regarding (org, com; request host
> name).  I only see the IP address.  Will I be able to see more
> information?


That's not a function of masquerading or of port forwarding. I don't know
anything about NT web servers, but you can set apache to do DNS lookups on
the addresses that connect or not to. If you do then you'll see in the
logs the name of the computer that connected to you; otherwise you'll see
the IP address. I imagine that with NT there's a similar setting.

In any case, the IP address that your NT server sees connecting to it is
the correct IP address (i.e. not the address of the masquerading/port
forwarding box), so you can resolve it to the proper name.

Chris




Re: [masq] Setting up masq for the first time

1998-09-05 Thread Chris Johnson

On Sat, Sep 05, 1998 at 09:23:36AM +0100, Carl MacDonald wrote:
> I'm trying to set up masq for the first time on my RedHat 5.0 machine. I
> followed all the instructions in the HOW-TO, I have a good PPP link
> established and can telnet from the Linux machine to the outside world. I can
> also Telnet to the Linux machine from my other machines, but when I try to
> Telnet through the Linux machine from another machine I get no response.
> 
> According to the packet stats in ipfwadm no packets were received. I've tried
> this from another Linux machine as well as a Mac, both with the masq machine
> set as the gateway.

Is forwarding enabled? See what's in the file /proc/sys/net/ipv4/ip_forward. It
should be 1. If it's 0, then do this: echo "1" > /proc/sys/net/ipv4/ip_forward. 

If that was the problem, then you can enable forwarding at boot time by making
sure the line FORWARD_IPV4=true is in the file /etc/sysconfig/network.

Chris



Re: [masq] Crying no more :)

1998-08-22 Thread Chris Johnson

On Sat, Aug 22, 1998 at 07:09:03PM -0400, Kevin wrote:
> It now looks like so
> 
> ipfwadm -F -p deny
> ipfwadm -F -a m -S 192.168.1.2/24 -D 0.0.0.0/0 -W
> eth1
> ipfwadm -F -a m -S 192.168.1.7/24 -D 0.0.0.0/0 -W
> eth1
> 
> And yes I did have another machine hiding that I
> wanted to give access to but didn't mention
> because I thought it would just add to the
> confusion.

If you want to masquerade only those two hosts, then the mask should be /32 for
each, i.e. 192.168.1.2/32 and 192.168.1.7/32. 192.168.1.2/24 is really the same
as 192.168.1.0/24 -- it's the most significant 24 bits of the address.

And again, if eth0 is the interface to the outside world, out through which
you'd like your masqueraded packets to go (which is how I understood your
situation), then you need -W eth0, not -W eth1. -W refers to the outgoing
interface in -F rules.

Chris



Re: [masq] Still feebly crying...

1998-08-22 Thread Chris Johnson

On Sat, Aug 22, 1998 at 05:42:42PM -0400, Kevin wrote:
> ipfwadm -F -p deny
> ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W
> eth0
> 
> 
> (yes it should fit on only two lines)  doesn't
> work.  :/
> 
> Anyone else with some ideas they'd like to toss
> around?  Someone's input who is running redhat 5.1
> with that suspicious button about enabling ipv4
> packet forwarding would be nice.  :)

You do need packet forwarding enabled. Look at the contents of
/proc/sys/net/ipv4/ip_forward -- is it 1? If not type:

echo "1" > /proc/sys/net/ipv4/ip_forward

to enable it. To make this happen automatically at startup, make sure that
FORWARD_IPV4=true is in /etc/sysconfig/network.

I don't use the X tools to configure this stuff, so I can't speak specifically
about the suspicious ipv4 packet forwarding button, but since you do need ipv4
packet forwarding turned on, I'd suspect that if there is such a button you
should push it. It'll just make the changes that I mentioned above.

I hope this helps!

Chris
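The forwarding check that this reply and the two earlier ones ("Setting up masq for the first time" and the one above it) walk through, as an added shell example that is not Chris's own code: it reads the two files named in the replies, with the paths as parameters so it can also be run against the constructed sample files at the bottom.

```shell
#!/bin/sh
# Added example (not from the list posts): report whether IPv4 forwarding is
# on right now and whether Red Hat will turn it back on at boot. File paths
# are parameters so the checks can also run against constructed samples.

# Print 1 or 0 from the ip_forward proc file; return 2 if it is unreadable.
ip_forward_now() {
    procfile=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$procfile" ] || { echo "cannot read $procfile" >&2; return 2; }
    val=$(tr -d '[:space:]' < "$procfile")
    case $val in
        1|0) echo "$val" ;;
        *)   echo "unexpected value '$val' in $procfile" >&2; return 2 ;;
    esac
}

# Print true or false from the last FORWARD_IPV4= line in the sysconfig
# file; commented-out lines are skipped, quotes and trailing comments dropped.
forward_ipv4_at_boot() {
    netfile=${1:-/etc/sysconfig/network}
    [ -r "$netfile" ] || { echo "cannot read $netfile" >&2; return 2; }
    setting=$(grep '^[[:space:]]*FORWARD_IPV4=' "$netfile" | tail -n 1)
    setting=${setting#*=}          # keep what follows '='
    setting=${setting%%#*}         # drop a trailing comment
    setting=$(printf '%s' "$setting" | tr -d "\"' \t")
    case $setting in
        true|yes) echo true ;;
        *)        echo false ;;
    esac
}

# Combine both: return 0 when forwarding is on now and at boot, otherwise
# print which of the two fixes from the replies is still needed and return 1.
forwarding_status() {
    now=$(ip_forward_now "$1") || return 2
    boot=$(forward_ipv4_at_boot "$2") || return 2
    if [ "$now" = 1 ] && [ "$boot" = true ]; then
        echo "forwarding is on now and will be on after a reboot"; return 0
    fi
    [ "$now" = 1 ] ||
        echo "forwarding is off now: echo 1 > /proc/sys/net/ipv4/ip_forward"
    [ "$boot" = true ] ||
        echo "FORWARD_IPV4=true is missing from /etc/sysconfig/network"
    return 1
}

# Constructed sample files standing in for the real ones.
SAMPLE_DIR=$(mktemp -d)
printf '0\n' > "$SAMPLE_DIR/ip_forward_off"
printf '1\n' > "$SAMPLE_DIR/ip_forward_on"
printf 'NETWORKING=yes\nFORWARD_IPV4=false\n' > "$SAMPLE_DIR/network_off"
cat > "$SAMPLE_DIR/network_on" <<'EOF'
NETWORKING=yes
# FORWARD_IPV4=false
FORWARD_IPV4="true"   # last assignment wins
EOF

# The situation in the posts: kernel not forwarding and boot file not set.
forwarding_status "$SAMPLE_DIR/ip_forward_off" "$SAMPLE_DIR/network_off" || true
```

Run it with no arguments on the gateway itself to check the real /proc and /etc/sysconfig files.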




Re: [masq] Help...feeble cries of help...

1998-08-22 Thread Chris Johnson

On Sat, Aug 22, 1998 at 03:57:21PM -0400, Kevin wrote:
> I've read through the IP masquerading mini-howto
> quite a few times and am still lost because well,
> it doesn't work.  My setup goes like so. (incoming
> bad ascii art!)
> 
> 
> |internet|--(eth0)|linux box|(eth1)--|hub|--|win95 box|
> 
> 
> The plan is to have the win95 box use the linux
> box's internet connection (cable modem, yes I know
> I'm lucky) to do whatever...surf the web and
> whatnot.
> 
> Here's what I have going on so far on the linux
> box.
> --
> in /etc/rc.d/rc.local  down at the bottom
> 
> ipfwadm -F -p deny
> ipfwadm -F -a m -S 192.168.1.2/24 -D 0.0.0.0/0 -W
> eth1

There are a couple of things wrong here. One is that 192.168.1.2 should be
192.168.1.0 - that's your network address. But the big thing is that -W eth1
should be -W eth0 -- the interface you name after -W is the interface to the
outside world, out through which packets will be masqueraded.

(Also, I assume that the line break between -W and eth1 isn't really there and
that it was inserted by your MUA.)

Try making those changes and see if things work out.

Chris
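As an added example (not from the list posts), a small shell script that shows what an -S address/prefix really selects and checks a masquerade rule for the two mistakes pointed out here and in the "Crying no more" reply above; it assumes eth0 faces the outside world and the inside network is 192.168.1.0/24, as in Kevin's setup, and the rule strings are constructed.

```shell
#!/bin/sh
# Added example (not from the list posts): show which hosts an ipfwadm -S
# address/prefix really selects and check a masquerade rule against the
# topology in this thread. Assumes eth0 faces the outside world and the
# inside network is 192.168.1.0/24; the rule text below is constructed.

# Dotted quad -> 32-bit integer, and back.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Keep only the top <prefix> bits of an address. This is why 192.168.1.2/24
# selects exactly what 192.168.1.0/24 does, while /32 selects one host.
network_of() {
    addr=$(ip_to_int "$1"); prefix=$2
    [ "$prefix" -gt 0 ] || { echo 0.0.0.0; return; }
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    int_to_ip $(( addr & mask ))
}

# True when a packet from $1 is covered by the -S spec in $2 (addr/prefix).
source_matches() {
    prefix=${2#*/}
    [ "$(network_of "$1" "$prefix")" = "$(network_of "${2%/*}" "$prefix")" ]
}

# Check one "ipfwadm -F -a m -S addr/prefix -D 0.0.0.0/0 -W iface" line.
# $2 is the interface that faces the outside. Prints each problem found and
# returns 1 if there were any, 0 if the rule looks right.
check_masq_rule() {
    ext_if=$2; src=""; wif=""; problems=0
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -S) src=$2; shift ;;
            -W) wif=$2; shift ;;
        esac
        shift
    done
    if [ -n "$src" ]; then
        a=${src%/*}; p=${src#*/}; net=$(network_of "$a" "$p")
        if [ "$net" != "$a" ]; then
            printf '%s\n' "-S $src really means $net/$p; use $a/32 if you meant one host"
            problems=1
        fi
    fi
    if [ "$wif" != "$ext_if" ]; then
        printf '%s\n' "-W ${wif:-(missing)} should name the outside interface, $ext_if"
        problems=1
    fi
    return $problems
}

# The rule from the post above, checked with eth0 as the outside interface.
check_masq_rule "ipfwadm -F -a m -S 192.168.1.2/24 -D 0.0.0.0/0 -W eth1" eth0 || true
```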



Re: [masq] IP Masq Using DHCP

1998-08-13 Thread Chris Johnson

On Thu, Aug 13, 1998 at 05:58:19PM +0800, Ogie Morales wrote:
> Hi! I tried to work IP Masquing by configuring a Win95 machine to get its
> bogus IP from an WinNT server.  It won't work.  But when I give it a static
> address, it gets through the IP Masq host.
> 
> I still want to implement DHCP but how?  Will placing the DHCP server on the
> same Masq host help?  Or is there another/better way out?

It doesn't matter if the Win95 machine's IP is static or given to it by DHCP.
The masq box has no way of knowing this, and doesn't care. I'd bet that your
DHCP server is giving out the wrong gateway address (or perhaps DNS addresses),
and that's why your connections fail.

Run winipcfg on the Win95 box and see if the IP address, gateway address, and
DNS addresses are what you think they should be. If they are, then there's no
reason for masquerading not to work exactly the same as if you had made all
those settings static.

Chris Johnson



Re: [masq] FTP problems - no route to host

1998-08-08 Thread Chris Johnson

On Sat, Aug 08, 1998 at 07:38:45PM +1000, Ryan wrote:
> Hi, I personally love ip masquerade but I have one problem, FTP
> 
> When I  ftp to some ftp sites I cannot get a dir listing or transfer files. I
> seem to get around this by using a passive host, but there is a BIG problem
> in this, its VERY unstable. Anyone got any ideas ?
 
> 220 Exhilirate (glFtpD v1.9.5) ready.
> User (ftp.ml.org:(none)): Apollyon
> 331 Password required for Apollyon.
> Password:
> 230 User Apollyon logged in.
> ftp> ls
> 200 PORT command successful.
> 425 Can't build data connection: No route to host.
 
You need to use the ip_masq_ftp module. Try "insmod ip_masq_ftp". And stick
the following in whatever startup file you use to set up your masquerading
rules:

depmod -a
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
modprobe ip_masq_cuseeme
modprobe ip_masq_vdolive
modprobe ip_masq_quake

Chris Johnson



Re: [masq] [masq] MASQ AND FTP

1998-08-07 Thread Chris Johnson

On Fri, Aug 07, 1998 at 01:23:47PM +, Morten Steinvik wrote:
> I am sorry if I've missed info about this, but I, too, am having problems
> with masq and ftp, somewhat surprising to me.
> 
> I've installed 2 masqued subnets accessing internet through a linux RH5.0
> kernel 2.0.33. The masquing has seemed to work for a long time, letting the
> pc's inside access anything. No strict filtering is installed at this point.
> But suddenly ftp doesn't work properly. Runs ok FROM the box, but not through.

[snip]

> I am not aware of the masq_ftp_module (I must have missed it), does it do
> anything helpful in my case?

Yes - it solves the very problem you're having! You need masq_ftp_module to do
non-passive ftp-ing.

Chris Johnson



Re: [masq] IPFWADM setup

1998-07-28 Thread Chris Johnson

On Tue, Jul 28, 1998 at 11:40:00AM -0500, John Jakubowski wrote:
> I have a few pc's at home that I want to setup on the net but with some
> security.  I have 5 ip addresses that my provider has assigned me, the first
> in line being the static one I am assigned upon dialin and the 4 after that
> for my machines.  Will I be able to use ipfwadm to control the services that
> can be accessed from the internet to my pc's, or what would be a better way?
> I have a bbs that I want to put on the internet, a web server on a separate
> pc than my linux box, and a few other services.  I already have my linux box
> setup to do ipfwadm using the 192.168.1.0 network for my pc's, but now that I
> have gotten more real addresses I want to use those...

One thing you could do would be to keep the 192.168.1.0 addresses on your
internal network, and then add all four of the real addresses from your ISP as
aliases to the gateway box. Patch your kernel for IP port forwarding, and use
ipportfw to control what services of your internal machines to expose to the
outside world. I have a similar setup, and it works great.

Chris Johnson



Re: [masq] [masq] masquarading on older linux kernels?

1998-05-31 Thread Chris Johnson

>Can masquerading be used on linux 1.2.8? I have to retrofit an old
>kernel, (don't ask why, it's a long story.)


http://www.tor.shaw.wave.ca/~ambrose/ipmasq-HOWTO-1.2.x.txt





Re: [masq] [masq] Maximum Simultaneous Connections

1998-05-29 Thread Chris Johnson

>Is there a maximum limit placed on the number of simultaneous masqueraded
>connections allowed by the kernel?  We have been using masquerade for
>several weeks now, and our user base is about to expand from around 50
>to 150, and I wanted to ensure that we don't start losing people.


The number is compiled into the kernel, and by default it's 4096. You can
change this by editing the file /usr/src/linux/include/net/ip_masq.h. Look
for #define PORT_MASQ_BEGIN and #define PORT_MASQ_END, change
appropriately, and recompile. I made mine 8192 by changing PORT_MASQ_BEGIN
to 57000 and PORT_MASQ_END to PORT_MASQ_BEGIN+8192. I don't know this for
certain, but from the looks of the default numbers I suspect that
PORT_MASQ_END must be no greater than 65535.

Chris Johnson




Re: [masq] [masq] [masq] Timeout while telnetting through masquerade-server...

1998-05-21 Thread Chris Johnson

You can change the default timeouts with something like the following:

ipfwadm -M -s 3600 120 300

From the ipfwadm man page:

-s tcp tcpfin udp
  Change the timeout values used for masquerading. This command always
  takes 3 parameters, representing the timeout values (in seconds) for
  TCP sessions, TCP sessions after receiving a FIN packet, and UDP
  packets, respectively. A timeout value 0 means that the current timeout
  value of the corresponding entry is preserved. This operation is only
  allowed in combination with the -M flag.



>Hi,
>
>I have set-up an in-house RedHat Linux 5 server (2.0.33) which does
>masquerading (to save IP addresses). While telnetting to other servers
>through this server, after not typing anything for a few minutes, the
>connection always gets lost. Is there any parameter I can set such that this
>does not happen anymore?
>
>Thanks in advance for your replies.
>
>Walter Klomp,
>Systems Manager / Administrator (Internet)
>Swiftech Automation Pte. Ltd.
>25 Kallang Avenue #03-01, Kallang Basin Ind. Est.
>Singapore 339416
>Tel. 274 4722 ext. 104 - Fax. 274 4966
>e-mail: [EMAIL PROTECTED]
>http://www.swiftech.net.sg
>===
>Swiftech Internet, the Value Added Service Provider with a personal touch.
>===




Re: [masq] [masq] ipautofw / ipportfw

1998-05-21 Thread Chris Johnson

What do you want to forward, and to where do you want to forward it? You
don't have any port forwarding rules defined. You need to download and
compile the ipportfw tool, and then run it to add port forwarding rules.

Chris Johnson


>hello,
>
> i'm running a 2.0.33 system with the ipportfw patch applied.  i've
>recompiled, made my image, lilo'd, all is fine.  ip masq works just dandy.
>2 machines are being routed through the linux box.  anyway, i compiled
>ipportfw, but it does not work.  it loads, accepts my config, but when i
>try to connect, nothing is forwarded.  i then tried autofw, and the same
>thing occurred.  below is my routing and ipfwadm calls from rc...
>
>/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}
>/sbin/ifconfig eth1 192.168.1.1 broadcast ${BROADCAST} netmask ${NETMASK}
>/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0
>/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 eth1
>ipfwadm -F -p deny
>ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
>
> does anyone see any problems with it?  any help would be appreciated :)
>
>later,
>bruce




Re: [masq] [masq] ipportfw

1998-04-29 Thread Chris Johnson

>I'm currently ATTEMPTING to use ipportfw. no matter what I do, however,
>it's not working. I enabled IPPORTFW in kernel config, and have ipportfw
>rules setup. what am I doing wrong? can anybody help me, thanks :)

I hope I'm not insulting you, but you aren't by chance confusing ipportfw
with ipautofw, are you? (I only ask because I confused them at first; I
compiled in ipautofw support and then tried to use ipportfw to configure
it.)

ipautofw support is built into recent kernel sources. ipportfw requires a
patch, which is available at
http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html . With the
kernel patched and forwarding configured as per the instructions at that
site, port forwarding has worked flawlessly for me.

Does plain old masquerading work? Can you be more specific about what it
is that doesn't work?

Chris Johnson




Re: [masq] [masq] ipautofw update

1998-04-15 Thread Chris Johnson

>Yes I have recompiled the kernel.  I
>noted this in the posting. I have now
>followed everyone's advice;
>experimental, patches, etc... That is
>why I'm now asking for a specific
>distribution.  So far, only one person
>with redhat has responded, and they were
>having the same problem.  It was not
>meant as a slight to other versions.


I did a clean installation of RedHat 5.0 on a machine today, applied the
various updated packages from the RedHat errata pages, and recompiled the
kernel as per the advice that's been given on this list, viz. compile with
CONFIG_EXPERIMENTAL and CONFIG_IP_MASQUERADE_IPAUTOFW, in addition to all
the required stuff for masquerading. /proc/net/ip_autofw was there, and I
used the pre-compiled ipautofw to forward some stuff successfully.

There doesn't appear to be any problem specific to RedHat 5.0/glibc.
You're either not configuring the kernel correctly, or you're not booting
from the kernel you compiled.

Chris Johnson




Re: [masq] [masq] ipautofw update

1998-04-13 Thread Chris Johnson

>I've now been able to recompile a new
>kernel, but ipautofw is still not
>available.  ip_autofw is also not in
>/proc/net.
>I've also tried applying the patch
>without effect. now out of ideas and
>advice to follow. version is RH 5.0
>kernel 3.032.


I believe two people answered your question, but rather than following the
advice you chose to say:

>I would prefer if someone with RH 5.0
>would respond instead

Why you need to hear the answer to a question about compiling a kernel
from someone with a particular Linux distribution is beyond me. The kernel
source is the same either way. I haven't done this myself, but I believe
the advice from two people was not to apply the patch, but to choose
CONFIG_EXPERIMENTAL during configuration and then choose
CONFIG_IP_MASQUERADE_IPAUTOFW and recompile. Have you done that?
