Connecting a private net to the Internet with dedicated server which handles packet routing from the local network to the Internet along with proxy/caching services and security firewalling is a complex theme that is beyond the scope of this document. There are other «Howto» documents that handle these topics much more comprehensively. At the end of this document you can find a list of links and references to such documents.
Here, we are only configuring Diald supposing that the computer
already uses IP-Masquerading, has a web proxy like Squid or similar
working, an ISP connection correctly configured and that access security
to TCP/UDP ports have been revised (/etc/inetd.conf
file and
others like securetty
, host.allow
, etc).
Basically, the only need is to reconfigure the rules for masquerading/filtering/accessing each time the set of interfaces change, that is, when the interface ppp0 is stablished and when it is deleted. A good location to do that are the ip-up and ip-down scripts from pppd.
With Debian, it is sufficient to install the ipmasq package answering
that you want to change rules sinchronously with pppd when seting it
up. Two scripts will be created inside /etc/ppp/ip-up.d
and
/etc/ppp/ip-down.d
directories to call /sbin/ipmasq
, a
script that analizes existing interfaces and makes a simple configuration
that is valid in many cases, but you can personalize it using rule files
in /etc/ipmasq/rules
.
The only correction after installing this package is to change when the
startup script for ipmasq is run, deleting the symbolic link from
/etc/rcS.d
and creating a new one in /etc/rc2.d
to run
it after S20diald
. Now, when ipmasq
is executed to analyze
interfaces sl0
already exist. S90ipmasq
is a good name for this
symbolic link to /etc/init.d/ipmasq
.
Using Debian there is no need to worry about the kernel version, as the
/sbin/ipmasq
script uses ipfwadm
or ipchains
as
needed.
This example is from Mr Cornish Rex,
[email protected]
.
The following ip-masp and routing control commands are for use with version 2.2 kernels, using ipchains, but they are not valid for version 2.0 kernels.
We are going to supose that the ethernet interface has the 192.168.1.1 ip address with 16 bit netmask, that is, 255.255.0.0.
This is the /etc/ppp/ip-up
file:
#!/bin/sh
# $1 = Interface
# $2 = Tty device
# $3 = speed
# $4 = local ip
# $5 = remote ip
# $6 = ipparam
/sbin/ipchains -F input
/sbin/ipchains -P input DENY
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 192.168.0.0/16 -d 0.0.0.0/0
/sbin/ipchains -A input -j DENY -p udp -i $1 -s 0.0.0.0/0 -d $4/32 0:52 -l
/sbin/ipchains -A input -j DENY -p udp -i $1 -s 0.0.0.0/0 -d $4/32 54:1023 -l
/sbin/ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 0:112 -l
/sbin/ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 114:1023 -l
/sbin/ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 6000:6010 -l
/sbin/ipchains -A input -j DENY -p icmp --icmp-type echo-request \
-i $1 -s 0.0.0.0/0 -l
/sbin/ipchains -A input -j DENY -p icmp -f -i $1 -s 0.0.0.0/0 -l
/sbin/ipchains -A input -j DENY -p udp -i $1 -s 0.0.0.0/0 -d $4/32 5555 -l
/sbin/ipchains -A input -j DENY -p udp -i $1 -s 0.0.0.0/0 -d $4/32 8000 -l
/sbin/ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 8000 -l
/sbin/ipchains -A input -j DENY -p udp -i $1 -s 0.0.0.0/0 -d $4/32 6667 -l
/sbin/ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 6667 -l
/sbin/ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 4557 -l
/sbin/ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 4559 -l
/sbin/ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 4001 -l
/sbin/ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 2005 -l
/sbin/ipchains -A input -j DENY -p tcp -i $1 -s 0.0.0.0/0 -d $4/32 6711 -l
/sbin/ipchains -A input -j DENY -i $1 -s 192.168.0.0/16 -d 0.0.0.0/0 -l
/sbin/ipchains -A input -j ACCEPT -i $1 -s 0.0.0.0/0 -d $4/32
/sbin/ipchains -A input -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -F output
/sbin/ipchains -P output DENY
/sbin/ipchains -A output -j ACCEPT -i eth0 -s 0.0.0.0/0 -d 192.168.0.0/16
/sbin/ipchains -A output -j DENY -i $1 -s 192.168.0.0/16 -d 0.0.0.0/0 -l
/sbin/ipchains -A output -j ACCEPT -i $1 -s $4/32 -d 0.0.0.0/0
/sbin/ipchains -A output -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -M -S 120 120 120
/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24
/sbin/ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0
exit 0
This is the /etc/ppp/ip-down
file:
#!/bin/sh
# $1 = Interface
# $2 = Tty device
# $3 = Speed
# $4 = Local ip
# $5 = Remote ip
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains-restore < /etc/ppp/orig.chains
Last file in last script, orig.chains, is the following file (original status of ipchains):
# orig.chains
# created with: ipchains-save > orig.chains
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 192.168.1.1/255.255.255.255
-A output -s 192.168.1.1/255.255.255.255 -d 0.0.0.0/0.0.0.0
This example is from Hoo Kok Mun,
[email protected]
.
This is the most simple example i have seen, but fully functional. From
the beginning, this example configures masquerading, before the sl0
interface exists, and it does not change when the ppp0
interface
appears. If you need advanced security considerations, it may be a little
limited.
#/etc/rc.d/rc.local
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
As you can see, it is for version 2.0 kernels.