At 12:31 PM 04/02/2000 +0000, Samy Elashmawy wrote:
> Hi folks,
Hi Samy. :-) Looks like I get a chance to repay the favor and help you with some system configurations.
> I got wvdial.dod working with the German version from suse.de. Thanks for the link.
> Now what's next?
> DHCP? IP masq? Firewall?
Well, I'll tell you what I did, provide some examples, and maybe this will give you a quicker start. It sounds like you're preparing a firewall/dialout box that connects you to the internet whenever one of your machines on your internal network needs IP services/a connection to the internet. (And from your next message:)
> Oops, forgot to add: using SuSE USA 6 CD distro, dial-up modem with wvdial.dod, external modem on COM1, 10 megabit NE2000-compatible ethernet as eth0, firewall/ipmasq/dhcp set IP as 10.20.30.9, while the other machines have their IPs set as 10.20.30.1....4, and dial-up gets its IP address from the ISP on each new dial-in, with a new IP on each new dial-in.
Ok, the examples I'm going to provide use the standard for a class c internal network on 192.168.1.*, with a mask of 255.255.255.0. I'll leave it to you to change that to 10.20.30.*, with the appropriate mask.
> Which order do I start with?
Ok, let's start with DHCP. I'm going to assume you mean DHCPD (the DHCP daemon) that you want to control what addresses the machines on your internal network receive. Your dialout connection will provide you with an address for your ppp0 link when you connect, so that angle is already taken care of.
From now on, I'll refer to your dialout/firewall machine simply as the firewall.
My internal network has the following setup: my firewall has eth0 configured as 192.168.1.1. It runs DHCPD to feed addresses to my other machines on my internal trusted network. I have four machines on the internal network: "fileserv", "agtiger", "bronze", and "twilight". DHCPD is configured to recognize the NIC cards' hardware addresses and provide static IPs based on that. I also have a dynamic range of addresses available for unrecognized machines that hook to my network (i.e., a friend brings their box over and wants to hook to my network quickly and easily).

= "fileserv" is my fileserver and gets address 192.168.1.10
= "agtiger" is a Linux/Win98 dual-boot workstation and gets address 192.168.1.101
= "bronze" is a Win95 workstation and gets address 192.168.1.102
= "twilight" is a Win98 workstation and gets address 192.168.1.103

Lastly, new machines I don't recognize get addresses between 192.168.1.200 and 192.168.1.220 inclusive.

Let's start with DHCP. Using YaST, install "dhcp" out of series n (Network-Support (TCP/IP, UUCP, Mail, News)). You'll then need to edit your /etc/dhcpd.conf. Here's my /etc/dhcpd.conf:

= = = cut here, /etc/dhcpd.conf begins, cut here = = =
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.200 192.168.1.220;
    option domain-name "coolnet.net";
    option domain-name-servers 192.168.1.1;
    option routers 192.168.1.1;
    option ip-forwarding on;
    option netbios-name-servers 192.168.1.10;

    host dialout {
        hardware ethernet 00:A0:CC:34:D1:1B;
        fixed-address 192.168.1.1;
        option host-name "dialout";
    }
    host fileserver {
        hardware ethernet 00:50:04:AC:2A:B0;
        fixed-address 192.168.1.10;
        option host-name "fileserver";
    }
    host agtiger {
        hardware ethernet 00:A0:CC:34:8A:B8;
        fixed-address 192.168.1.101;
        option host-name "agtiger";
    }
    host bronze {
        hardware ethernet 00:A0:CC:34:8A:BA;
        fixed-address 192.168.1.102;
        option host-name "bronze";
    }
    host twilight {
        hardware ethernet 00:A0:CC:34:D1:2A;
        fixed-address 192.168.1.103;
        option host-name "twilight";
    }
}
= = = cut here, /etc/dhcpd.conf ends, cut here = = =

Let's look at the top part in more detail:

subnet 192.168.1.0 netmask 255.255.255.0 - This indicates I'm running a class C network using an address guaranteed not to cause problems if the packets were to leak to the internet, since routers should know not to pass packets with these addresses.

range 192.168.1.200 192.168.1.220; - This is for any machine that connects to my internal network for which I have not defined a static address based on the network card's unique hardware address.

option domain-name "coolnet.net"; - I needed something for an internal domain, so I used my ISP's domain name. I don't have a static IP or dedicated connection to the internet.

option domain-name-servers 192.168.1.1; - I run bind8 on my firewall machine so that reverse ARP lookups from one internal network machine to another don't trigger a dialup connection. (Thanks to Marc Heuse at suse.de for pointing out how to fix that problem!)

option routers 192.168.1.1; - This tells my internal machines that the firewall is their router.

option ip-forwarding on; - This tells my internal machines to use IP forwarding.

option netbios-name-servers 192.168.1.10; - This tells my internal MS Windows based workstations that an NBNS/WINS server runs on the network, and it lives at 192.168.1.10 (my file server). My Windows workstations think they're logging into an NT server.

And now, let's look at one of the host sections:

host fileserver - A unique name for this host section/machine.

hardware ethernet 00:50:04:AC:2A:B0; - The hardware/MAC address for the specific card in this machine.

fixed-address 192.168.1.10; - The address I want to assign to this machine when it asks for one.

option host-name "fileserver"; - A host name to assign to this machine.

On to the SuSEfirewall 2.1 configuration:

SuSEfirewall can be downloaded from: http://www.suse.de/~marc/SuSEfirewall-2.1.tar.gz

Extract it into a directory, change to that directory, and run the INSTALL script:

./INSTALL

Edit your /etc/rc.config file, and either add, or ensure the following line is present:

START_FW="yes"

Here are the changes I made to /etc/rc.firewall, based on the SuSEfirewall 2.1 package installation:

FW_DEV_WORLD="ppp0" - This is the device that the internet is connected at.

FW_DEV_INT="eth0" - This is the device that connects to the internal trusted network.

FW_ROUTE="yes" - Activates routing between the internal network and the internet (and the DMZ, which I don't have activated).

FW_MASQUERADE="yes" - Masquerade the internal network addresses.

FW_MASQ_NETS="192.168.1.0/24" - The internal network masqueraded addresses, complete with netmask (/24).

FW_SERVICES_EXTERNAL_TCP="domain"
FW_SERVICES_EXTERNAL_UDP="domain" - Allow domain name service on the external side.

FW_SERVICES_INTERNAL_TCP="telnet ftp ssh domain icq netbios-ns netbios-dgm netbios-ssn"
FW_SERVICES_INTERNAL_UDP="domain netbios-ns netbios-dgm" - I'm pretty lenient with the internal workstations. For TCP/IP, I allow workstations access through the firewall for:
= telnet (self explanatory)
= ftp (self explanatory)
= ssh (secure shell)
= domain (DNS)
= icq (Mirabilis' ICQ chat program. This requires a special addition to /etc/services that I'll cover later.)
= netbios-ns, netbios-dgm, and netbios-ssn - these are for Samba services I'm running on the internal side of the firewall. (A printer lives on my firewall and other machines print to it.)
For UDP, I allow workstations access through the firewall for:
= domain (DNS)
= netbios-ns and netbios-dgm (Samba)

FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" - Used to say just "dns", but the firewall script complained that it wanted it to be "yes" if I was running a bind8/DNS server.

(The next three settings go together, so even though I'm not changing one, I'll still mention it.)

FW_SERVICE_DNS="yes" - Needs to be yes for running a local bind8/DNS server.

FW_SERVICE_DHCLIENT="no" - I never changed this. You might think you need "yes" here, but that's not what you want if you're using wvdial to connect to an ISP. wvdial will make the appropriate changes. You'd set this to yes if you were connecting your local subnet into a larger address, and the firewall machine got its primary address from another DHCP server.

FW_SERVICE_DHCPD="yes" - You need this set to yes since you're running DHCPD to provide addresses to the machines on your internal trusted network.

Now, I mentioned a small change to /etc/services to allow for ICQ. At the very end, add this:

#
# Entry for ICQ
#
icq 4000/tcp
icq 4000/udp

That allows you to reference "icq" as a TCP or UDP service in /etc/rc.firewall. :-)
> I do know the SuSE dhcp is buggy. Where do I get the one that works? Anyone have a URL?
I've found it to work, try my configuration above.
> Which needs to be set up first, dhcp, or does ip masq need to be running first?
Well, I'd get the firewall running first, then put in DHCPD. Yesterday I helped Jon Pennington install both simultaneously so he'd have a dedicated firewall.
> On ip masq, is this done via YaST or the kernel?
IP Masquerading is done via IPChains rules, set up by the SuSEfirewall package.
> I assume that firewalling is last? Via ipchains, yes? Via YaST or kernel? Anyone have that web address that sets ipchains up? Does it work with YaST/SuSE?
The nice thing about SuSEfirewall 2.1 is that it handles the IPChains rules for you. This was a problem I had understanding this phase of it until I'd set it up a few times. Marc Heuse (marc@suse.de) has made the SuSEfirewall package a joy to set up and very easy to use. You _might_ have to make changes to the kernel configuration to get your firewall working correctly. Under /usr/src/linux, when I do a "make menuconfig", I have the following options you might find useful.

Networking Options --->
< > CIPE: encrypted IP-in-UDP tunneling
<*> Packet socket
[*] Kernel/User netlink socket
[*] Routing messages
<*> Netlink device emulation
[*] Network firewalls
[ ] Network security (ENskip support)
[ ] Socket Filtering
<*> Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[*] IP: advanced router
[*] IP: policy routing
[ ] IP: equal cost multipath
[*] IP: use TOS value as routing key
[*] IP: verbose route monitoring
[ ] IP: large routing tables
[ ] IP: fast network address translation
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[*] IP: firewall packet netlink device
[*] IP: use FWMARK value as routing key
[*] IP: transparent proxy support
[*] IP: masquerading
--- Protocol-specific masquerading support will be built as modules.
[*] IP: ICMP masquerading
--- Protocol-specific masquerading support will be built as modules.
[*] IP: masquerading special modules support
<M> IP: ipautofw masq support (EXPERIMENTAL)
<M> IP: ipportfw masq support (EXPERIMENTAL)
<M> IP: ip fwmark masq-forwarding support (EXPERIMENTAL)
[*] IP: optimize as router not host
[ ] IP: tunnelling
[ ] IP: GRE tunnels over IP
[*] IP: aliasing support
[ ] IP: ARP daemon support (EXPERIMENTAL)
[*] IP: TCP syncookie support (not enabled per default)
--- (it is safe to leave these untouched)
[*] IP: Reverse ARP
[*] IP: Allow large windows (not recommended if <16Mb of memory)
< > The IPv6 protocol (EXPERIMENTAL)
---
< > The IPX protocol
< > Appletalk DDP
< > CCITT X.25 Packet Layer (EXPERIMENTAL)
< > LAPB Data Link Driver (EXPERIMENTAL)
[ ] Bridging (EXPERIMENTAL)
[ ] 802.2 LLC (EXPERIMENTAL)
< > Acorn Econet/AUN protocols (EXPERIMENTAL)
< > WAN router
[ ] Fast switching (read help!)
[ ] Forwarding between high speed interfaces
[ ] CPU is too slow to handle full bandwidth
QoS and/or fair queueing --->
[*] QoS and/or fair queueing
<M> CBQ packet scheduler
< > CSZ packet scheduler
<M> The simplest PRIO pseudoscheduler
<M> RED queue
<M> SFQ queue
<M> TEQL queue
<M> TBF queue
[*] QoS support
[*] Rate estimator
[*] Packet classifier API
<M> Routing table based classifier
<M> Firewall based classifier
<M> U32 classifier
<M> Special RSVP classifier
< > Special RSVP classifier for IPv6
[*] Ingress traffic policing

*phew*, this was a lot of typing. I hope it helps you and others out. :-)

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
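Added example, not code from the message above or from SuSE/ISC: a small parser for a dhcpd.conf of the shape posted in the thread, a consistency check for the mistakes that bite on a home network (a fixed-address inside the dynamic range, a router or DNS address off the subnet, the same MAC or address claimed twice), and a renumber step that moves the whole file onto another /24, which is what "change it to 10.20.30.*" amounts to. SAMPLE_CONF is a constructed, shortened copy of the posted file; parse_dhcpd, check_dhcpd and renumber are names of my own. The ip-forwarding warning rests on RFC 2132, where option 19 governs forwarding on the client that receives it.

```python
"""Parse, check and renumber an ISC dhcpd.conf like the one posted above.
Added example (not the message's or SuSE's code); SAMPLE_CONF is constructed."""
import ipaddress
import re

# Constructed input: the posted subnet block cut down to two hosts.
SAMPLE_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.200 192.168.1.220;
    option domain-name-servers 192.168.1.1;
    option routers 192.168.1.1;
    option ip-forwarding on;
    host dialout {
        hardware ethernet 00:A0:CC:34:D1:1B;
        fixed-address 192.168.1.1;
        option host-name "dialout";
    }
    host fileserver {
        hardware ethernet 00:50:04:AC:2A:B0;
        fixed-address 192.168.1.10;
        option host-name "fileserver";
    }
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+)\s*;")
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")
HOST_RE = re.compile(r"host\s+(\S+)\s*\{([^}]*)\}")
HW_RE = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;")
FIXED_RE = re.compile(r"fixed-address\s+(\S+)\s*;")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_dhcpd(text):
    """Return the subnet, dynamic range, subnet-level options and host entries."""
    m = SUBNET_RE.search(text)
    if not m:
        raise ValueError("no subnet declaration found")
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    hosts = []
    for hm in HOST_RE.finditer(text):
        hw, fx = HW_RE.search(hm.group(2)), FIXED_RE.search(hm.group(2))
        hosts.append({"name": hm.group(1),
                      "mac": hw.group(1).lower() if hw else None,
                      "ip": ipaddress.ip_address(fx.group(1)) if fx else None})
    top = HOST_RE.sub("", text)  # subnet-level text with the host blocks removed
    rm = RANGE_RE.search(top)
    rng = (ipaddress.ip_address(rm.group(1)), ipaddress.ip_address(rm.group(2))) if rm else None
    return {"net": net, "range": rng,
            "options": {k: v.strip() for k, v in OPTION_RE.findall(top)}, "hosts": hosts}

def check_dhcpd(conf):
    """Return a list of problems; an empty list means the config is consistent."""
    net, rng, opts = conf["net"], conf["range"], conf["options"]
    problems = []
    if rng and not (rng[0] in net and rng[1] in net and rng[0] <= rng[1]):
        problems.append("dynamic range is reversed or lies outside the subnet")
    for key in ("routers", "domain-name-servers"):
        for addr in filter(None, (a.strip() for a in opts.get(key, "").split(","))):
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"option {key} {addr} is not on {net}")
    # RFC 2132 option 19 is delivered to the clients and governs *their*
    # forwarding; it does nothing for forwarding on the dhcpd/firewall box.
    if opts.get("ip-forwarding") == "on":
        problems.append("option ip-forwarding on only configures the clients, not this server")
    seen_mac, seen_ip = {}, {}
    for h in conf["hosts"]:
        name, mac, ip = h["name"], h["mac"], h["ip"]
        if mac is None or ip is None:
            problems.append(f"host {name}: missing hardware ethernet or fixed-address")
            continue
        if ip not in net:
            problems.append(f"host {name}: fixed-address {ip} is not on {net}")
        if rng and rng[0] <= ip <= rng[1]:
            problems.append(f"host {name}: fixed-address {ip} collides with the dynamic range")
        if mac in seen_mac:
            problems.append(f"host {name}: MAC {mac} already used by {seen_mac[mac]}")
        if ip in seen_ip:
            problems.append(f"host {name}: address {ip} already used by {seen_ip[ip]}")
        seen_mac.setdefault(mac, name)
        seen_ip.setdefault(ip, name)
    return problems

def renumber(text, old_net, new_net):
    """Rewrite every address inside old_net to the same host offset in new_net."""
    old, new = ipaddress.ip_network(old_net), ipaddress.ip_network(new_net)
    if old.prefixlen != new.prefixlen:
        raise ValueError("networks must have the same prefix length")

    def repl(m):
        addr = ipaddress.ip_address(m.group(0))
        if addr not in old:
            return m.group(0)  # netmasks and foreign addresses pass through untouched
        return str(new.network_address + (int(addr) - int(old.network_address)))

    return IPV4_RE.sub(repl, text)

if __name__ == "__main__":
    for problem in check_dhcpd(parse_dhcpd(SAMPLE_CONF)):
        print("warning:", problem)
    print(renumber(SAMPLE_CONF, "192.168.1.0/24", "10.20.30.0/24"))
```

Run it against your own /etc/dhcpd.conf before restarting dhcpd: the posted file passes apart from the ip-forwarding note, and the renumbered output keeps the netmask and MAC addresses exactly as they were, so only the 192.168.1.x addresses change.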
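Added example, not SuSEfirewall's own code: a reader for the FW_* settings shown above that resolves the service names through /etc/services the way the "icq" entry requires, fails loudly when a name is missing from /etc/services or a quote is unbalanced in /etc/rc.firewall, and prints the ipchains rules those settings imply. SERVICES_TEXT and RC_FIREWALL are constructed excerpts; parse_services, parse_rc, resolve_ports and ipchains_rules are names of my own, and the emitted rules are my approximation of masquerading plus the service allows in ipchains syntax, not the (much larger) rule set SuSEfirewall 2.1 actually generates.

```python
"""Resolve SuSEfirewall FW_SERVICES_* lists via /etc/services and show the
ipchains rules they imply. Added example, not SuSEfirewall's code; the two
config excerpts are constructed and the rule shapes are my approximation."""
import shlex

# Constructed excerpt of /etc/services with the ICQ entry from the message appended.
SERVICES_TEXT = """
ftp          21/tcp
ssh          22/tcp
telnet       23/tcp
domain       53/tcp
domain       53/udp
netbios-ns  137/tcp
netbios-ns  137/udp
netbios-dgm 138/tcp
netbios-dgm 138/udp
netbios-ssn 139/tcp
#
# Entry for ICQ
#
icq        4000/tcp
icq        4000/udp
"""

# Constructed excerpt of /etc/rc.firewall carrying the settings from the message.
RC_FIREWALL = """
FW_DEV_WORLD="ppp0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.1.0/24"
FW_SERVICES_EXTERNAL_TCP="domain"
FW_SERVICES_EXTERNAL_UDP="domain"
FW_SERVICES_INTERNAL_TCP="telnet ftp ssh domain icq netbios-ns netbios-dgm netbios-ssn"
FW_SERVICES_INTERNAL_UDP="domain netbios-ns netbios-dgm"
"""

def parse_services(text):
    """Map (name, proto) -> port from /etc/services-style lines; comments ignored."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(name, proto)] = int(port)
    return table

def parse_rc(text):
    """Read VAR="value" lines; an unbalanced quote is reported with its line number."""
    values = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, raw = line.partition("=")
        try:
            words = shlex.split(raw)
        except ValueError as exc:  # shlex raises "No closing quotation"
            raise ValueError(f"line {lineno} ({key}): {exc}") from exc
        values[key] = words[0] if words else ""
    return values

def resolve_ports(names, proto, services):
    """Turn a space-separated service list into port numbers; unknown names are errors."""
    ports = []
    for name in names.split():
        if name.isdigit():
            ports.append(int(name))
        elif (name, proto) in services:
            ports.append(services[(name, proto)])
        else:
            raise KeyError(f"{name}/{proto} is not in /etc/services")
    return ports

def ipchains_rules(fw, services):
    """Approximate ipchains rules for the masquerading and service settings."""
    world, internal = fw["FW_DEV_WORLD"], fw["FW_DEV_INT"]
    rules = []
    if fw.get("FW_MASQUERADE") == "yes":
        for net in fw.get("FW_MASQ_NETS", "").split():
            rules.append(f"ipchains -A forward -i {world} -s {net} -j MASQ")
    for side, dev in (("EXTERNAL", world), ("INTERNAL", internal)):
        for proto in ("tcp", "udp"):
            names = fw.get(f"FW_SERVICES_{side}_{proto.upper()}", "")
            for port in resolve_ports(names, proto, services):
                rules.append(f"ipchains -A input -i {dev} -p {proto} -d 0/0 {port} -j ACCEPT")
    return rules

if __name__ == "__main__":
    for rule in ipchains_rules(parse_rc(RC_FIREWALL), parse_services(SERVICES_TEXT)):
        print(rule)
```

The two failure modes worth noticing: without the icq lines appended to /etc/services, resolve_ports raises on "icq" rather than silently opening nothing, and a FW_SERVICES_* line missing its closing quote is caught by parse_rc with the offending line number instead of being swallowed into the next assignment.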