pppd and chains setup problem

Post by Peter Nun » Sun, 06 Aug 2000 04:00:00



Hi all,
        just a quick one that I hope someone can help me with.

I have a setup in which I am running (or trying to) a headless RH box
as my gateway etc. to the world.

I have an X link into it from my other boxes and have finally got pppd
and chains sort of working.

The only problem is that my setup for chains, which I configured from
linix-firewall-tools.com, needs the IP address of the connection to be
set up.  I don't log on until demanded, so I don't have the address.
If I don't run the script, I don't get masquerading, so I don't get a
connection etc.

My questions are:

Where should the script be put to run at startup?
Where should my function to bring up pppd be put to run at startup?
How do I get around the problem of the ipchains not knowing the
address?

Also, my ISP only allows 2 hours a day.  Is there a way I can stop
pppd from dialing after my 2 hours are used up (other than killall
pppd from a login)?

Ta.

Peter
Peter Nunn
DownUnder


pppd and chains setup problem

Post by Jim Broughto » Sun, 06 Aug 2000 04:00:00



> Hi all,
>         just a quick one that I hope someone can help me with.

> I have a setup in which I am running (or trying to) a headless RH box
> as my gateway etc. to the world.

> I have an X link into it from my other boxes and have finally got pppd
> and chains sort of working.

> The only problem is that my setup for chains, which I configured from
> linix-firewall-tools.com, needs the IP address of the connection to be
> set up.  I don't log on until demanded, so I don't have the address.
> If I don't run the script, I don't get masquerading, so I don't get a
> connection etc.

> My questions are:

> Where should the script be put to run at startup?
> Where should my function to bring up pppd be put to run at startup?
> How do I get around the problem of the ipchains not knowing the
> address?

> Also, my ISP only allows 2 hours a day.  Is there a way I can stop
> pppd from dialing after my 2 hours are used up (other than killall
> pppd from a login)?

> Ta.

> Peter
> Peter Nunn
> DownUnder

This is very easily accomplished. I have it set up on my box and I will show you
how it's done.
First of all you will need to use the attached file called firewallkill. What this
does is to disable the firewall and set everything to accept. Place it in the /sbin
directory. This file is called from 2 other scripts.
Next place the first call to firewallkill in /etc/rc.d/rc.local (redhat 6.1); your
rc.local may be in another place depending on which distribution you have.

/sbin/firewallkill

Now local accepting of data from anywhere is in place. Note at this point
you are secure from outside invasion because your ppp connection has not yet
been made.
Next insert the above line into the file /etc/ppp/ip-down. Place it near the
beginning of the file.

Now we have to modify the /etc/ppp/options file.
The file should read like this...

noauth
idle 600  #(note this gives 10 minutes uptime no matter what)
connect /etc/ppp/connect #(or your connect script)
ktune
demand
ipcp-accept-local
ipcp-accept-remote
defaultroute
holdoff 15 #(this makes pppd wait 15 seconds after a failed connect attempt)

The holdoff and idle times are in seconds and may be adjusted to your needs.

NOTE on the connect script: if you placed your ID and PASSWORD to
the remote service DIRECTLY in the connect script, it is highly advisable
to make this file readable, writable and executable ONLY by ROOT.

Please see the man page for pppd for a description of the options used.

One more thing to do for pppd.
Insert this line into rc.local immediately AFTER the firewallkill line.

/usr/sbin/pppd ttyS0 115200 192.168.0.1:192.168.0.2

ttyS0 is the modem device on my computer. IT MAY BE DIFFERENT ON YOURS. CHECK.

The first IP address on this line should be the one you have given your local
computer, NOT the loopback address. The second address is merely a placeholder
and can be just about any legal IP address. It must be present.

Now for the /etc/ppp/ip-up script. Insert the name of your firewall script as
the first executable line after the #!/sbin/sh and beginning comments. Ignore
the comments.

You may also want to disable any services in /etc/inetd.conf that you will not
be using.

I have no idea how to implement a timer to keep you inside your 2 hour limit,
although maybe CRON might be able to help you in that regard. Just a suggestion.

The above should get you going.
--
Jim Broughton
(The Amiga OS! Now there was an OS)
If Sense were common everyone would have it!

[ firewallkill < 1K ]
#!/bin/sh
# Set the default policy of the three built-in chains to ACCEPT ...
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT
# ... then flush any rules still in them, so nothing is filtered at all.
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
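An added example, not from either post in this thread, of the /etc/ppp/ip-up script Jim describes: instead of a firewall script with a hard-coded address, it takes the interface and local IP from the arguments pppd passes to ip-up and builds the ipchains masquerading rules from them, which is what Peter's demand-dial setup needs. It assumes a 192.168.0.0/24 LAN (to match the 192.168.0.1 in Jim's pppd line), ipchains in /sbin, and an ACCEPT input policy as in firewallkill; adjust for your box.

```shell
#!/bin/sh
# /etc/ppp/ip-up: build the ipchains rules from the addresses pppd hands
# over, so nothing has to be hard-coded before the demand-dial link is up.
# pppd calls: ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Assumptions for this example: LAN is 192.168.0.0/24, ipchains lives in
# /sbin, and the input policy stays ACCEPT as in Jim's firewallkill.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# Print the rules for link $1 with local address $2, one per line.
# Flushing first matters: ip-up runs on every reconnect, and without the
# -F lines each dial would append a duplicate rule set. In the forward
# chain -i names the outgoing interface, i.e. the ppp link being masqueraded.
# The two DENY rules drop LAN-sourced packets arriving from the ISP side
# (spoofing) and new inbound TCP connections to the dial-up address, logged.
ppp_rules() {
    ifname="$1"; local_ip="$2"
    cat <<EOF
-P input ACCEPT
-P forward DENY
-P output ACCEPT
-F input
-F forward
-F output
-A forward -s $LAN_NET -i $ifname -j MASQ
-A input -i $ifname -s $LAN_NET -j DENY -l
-A input -i $ifname -d $local_ip -p tcp -y -j DENY -l
EOF
}

# Apply the rules; with DRY_RUN=1 they are only printed for review.
apply_rules() {
    if [ "${DRY_RUN:-0}" != 1 ] && [ -w /proc/sys/net/ipv4/ip_forward ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward    # MASQ needs forwarding on
    fi
    ppp_rules "$1" "$2" | while read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$IPCHAINS $rule"
        else
            "$IPCHAINS" $rule || echo "ipchains failed: $rule" >&2   # splitting intended
        fi
    done
}

# Only act when pppd really invoked us with its arguments.
if [ $# -ge 5 ]; then
    apply_rules "$1" "$4"
fi
```

Run it by hand as `DRY_RUN=1 sh /etc/ppp/ip-up ppp0 /dev/ttyS0 115200 <local> <remote>` to review the rule set before the first real dial; like the connect script, keep it root-only.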


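An added example, not from the thread, following up Jim's suggestion that cron could handle Peter's 2-hour-a-day limit: pppd writes a "Connect time N.N minutes." line to syslog each time the link drops, so a cron job can total today's entries and stop pppd (the killall Peter mentioned) once the budget is reached. The log path, the 120-minute budget, the script name pppbudget and the crontab line are assumptions.

```shell
#!/bin/sh
# pppbudget: cron-driven daily connect-time budget for a demand-dialled pppd.
# pppd logs "Connect time N.N minutes." to syslog each time the link drops;
# this adds up today's entries and stops pppd once the budget is used.
# Assumptions for this example: the log path, the 120-minute budget, and a
# crontab line such as:   */5 * * * * /usr/local/sbin/pppbudget --check
LOG="${LOG:-/var/log/messages}"
BUDGET_MIN="${BUDGET_MIN:-120}"

# Print the connect minutes logged in file $1 on date $2 (syslog "Mon dd"
# form, e.g. "Aug  6"); prints 0.0 when nothing matched.
minutes_used() {
    awk -v day="$2" '
        index($0, day) == 1 && /pppd\[[0-9]+\]: Connect time/ {
            for (i = 1; i <= NF; i++)
                if ($i == "time") total += $(i + 1)
        }
        END { printf "%.1f\n", total + 0 }' "$1"
}

# Exit 0 when the minutes used on date $2 in file $1 reach BUDGET_MIN.
over_budget() {
    used=$(minutes_used "$1" "$2")
    awk -v u="$used" -v b="$BUDGET_MIN" 'BEGIN { exit !(u >= b) }'
}

# A call still in progress is not counted until it ends, so the idle timeout
# in /etc/ppp/options bounds how far past the budget one dial can run.
if [ "${1:-}" = "--check" ]; then
    today=$(date '+%b %e')
    if over_budget "$LOG" "$today"; then
        killall pppd 2>/dev/null     # no pppd, no demand dialling
        logger -t pppbudget "daily budget of $BUDGET_MIN minutes reached; pppd stopped"
    fi
fi
```

Once pppd is stopped this way it stays down until the next boot or a manual restart of the pppd line from rc.local, which is the intended effect for the rest of that day.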