=masq-ppp-setup v1.4=12/28/97==========================================

This file is to get Linux PPP running on a dial-on-demand basis with
IP Masquerading (LAN emulation).

Make sure you have the following binaries FIRST:

    PPPD    v2.2.0g or better
    chat    v1.8 or better
    diald   v0.16.4 or better
    ipfwadm v2.3.0 or better

    Linux kernel with:
      - Development and/or incomplete code/drivers support
      - Loadable module support
      - Networking support
      - Network firewall support
      - TCP/IP networking support
      - IP forwarding support
      - IP firewall support
      - IP masquerading support
      - ipautofw masq support
      - ICMP masquerading support
      - Optimize as a router support (recommended)
      - PPP support
      - SLIP support

    Computer hardware including:
      - A 28.8Kb/s modem or better
      - A serial port with a 16550A or better UART

NOTE: This config assumes that you have a static IP number from your
      ISP.  If not, you must change the setting in the diald.isp file
      to use the command "dynamic".
====================================================================

*Please Note:* I will place any in-line comments in {} brackets!  Delete
ALL lines in each section that start with these brackets or things won't
work.

Every section is started by the file name that should be created with
the section's contents.  You will also see a command (chmod) that is used
to set the Read/Write/Execute permissions for this file.  Once you have
created the file and saved the changes, execute the given chmod command
for EACH section.  The file that holds your ISP password (pap-secrets)
must be readable by root only, which is what "chmod 400" gives you; do
not skip that step.

In each section, make sure to replace /dev/ttyS1 with your modem's COM
port.  If you aren't sure which port it is, from a command line, run the
following (for Slackware users): "/etc/rc.d/rc.serial".  This should
give you an idea of what COM ports are on your machine.  Note that
/dev/cua1 (used in rc.serial below) and /dev/ttyS1 are two names for the
same physical port, COM2.

Also, in each section, make sure to verify and/or replace the various
file PATHS for the programs with the correct ones.  If you're not sure
where, say, "pppd" is, at a Unix prompt, type "whereis pppd" and it
should tell you.
-- -- /etc/ppp/chat.isp  [chmod 400 chat.isp]

{ Replace 5551212 with your ISP's dial-in number }
ABORT BUSY
ABORT 'NO CARRIER'
"" ATZ
OK ATM0S11=40
OK ATDT5551212
CONNECT ""

-- -- /etc/ppp/pap-secrets  [chmod 400 pap-secrets]

{ This is the two-line format that pppd's "+ua" option (see options  }
{ below) expects: login name on the first line, password on the      }
{ second.  It is NOT the "client server secret" format of pppd's     }
{ standard /etc/ppp/pap-secrets file, so don't mix the two formats.  }
First-line-is-your-ISP-login-name-so-replace-ALL-of-this-just-with-it
Second-line-is-your-ISP-login-password-so-replace-ALL-of-this-just-with-it

-- -- /etc/ppp/options  [chmod 400 options]

+ua /etc/ppp/pap-secrets
{ MTU settings will greatly affect your performance, please read up }
{ on calculating MTU settings from my PPP web page.                  }
{                                                                    }
{ This setup is optimized for file transfers and NOT for interactive }
{ traffic like telnet, talk, etc.                                    }
{ 14.4k: 296   28.8/33.6k: 470   IP Masq users: 1500                 }
# Masq users: If you get a lot of "MASQ: failed TCP/UDP checksum for
#             xxx.xxx.xxx.xxx" errors, turn off VJ header compression
#             by adding the following:
#
#             -vj
# Masq users: If, for some reason, some WWW pages and FTP sites come
#             up but others don't, you may have an MTU problem.  Try
#             changing your MTU/MRU settings and see if that helps
#             by doing the following:
#
#             mtu 150
#             mru 1500
mtu 1500
mru 1500
asyncmap 0
lcp-restart 1
ipcp-restart 1

-- -- /etc/rc.d/rc.serial

{ put this as the LAST line in the file for a modem on COM2 }
/bin/setserial /dev/cua1 spd_vhi

-- -- /etc/rc.d/rc.inet1

{ using private addresses on my LAN }
echo Enabling IP Masquerading
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
{ Once everything is running well, replace the line above with the    }
{ following one for improved security (don't forget to delete the "#").}
{ The "-W ppp0" restricts masquerading to packets actually leaving on  }
{ the PPP link, so the box never masquerades traffic between any other }
{ interfaces.  Keep the LAN prefix at /24 to match your LAN; a wider   }
{ prefix such as /16 makes the rule looser, not tighter.  The "-p deny"}
{ default policy above stays in place, so anything not matched by the }
{ masquerade rule is not forwarded at all.                             }
#/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0 -W ppp0

-- -- /etc/resolv.conf

domain replace-this-with-your-ISP's-domain-name-(example: ecst.csuchico.edu)
nameserver replace-this-with-one-of-your-ISP's-dns-servers {example: 132.241.66.6}
nameserver replace-this-with-another-one-of-your-ISP's-dns-servers
nameserver replace-this-with-another-one-of-your-ISP's-dns-servers

-- -- /etc/rc.d/rc.local

/etc/rc.d/rc.modules
echo "Starting diald daemon to the ISP..."
{ Make SURE that the paths for diald and chat used in diald.isp (the  }
{ last section) are correct for your system.  If not, change that     }
{ command line to use the correct paths ("whereis diald", "whereis    }
{ chat").                                                             }
cd /usr/lib/ppp
/usr/lib/ppp/diald.isp
echo "rc.local done."

-- -- /etc/rc.d/rc.modules

{ This path will change depending on what Linux kernel version you }
{ are using so please change it accordingly                        }
echo "Loading Masq Modules."
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ip_masq_raudio.o
/sbin/modprobe ip_masq_irc.o

-- -- /etc/diald.defs  (stock setup)

# Define default protocol rules
prule tcp tcp 9:12:13:14:15:16:17:18:19:+0:+1:+2:+3:9:9:9
prule udp udp 9:12:13:14:15:16:17:18:19:+0:+1:+2:+3:9:9:9
prule icmp icmp 9:12:13:14:15:16:17:18:19:9:9:9:9:9:9:9
prule any any 9:12:13:14:15:16:17:18:19:9:9:9:9:9:9:9
# Define the internet packet header fields.
var ip.ihl 0(24)&0xf
var ip.version 0(28)&0xf
var ip.tos 1(24)&0xff
var ip.tot_len 2(16)&0xffff
var ip.id 4(16)&0xffff
var ip.frag_off 6(16)&0x3fff
var ip.ttl 8(24)&0xff
var ip.protocol 9(24)&0xff
var ip.check 10(16)&0xffff
var ip.saddr 12
var ip.daddr 16
# Define the TCP packet header fields.
var tcp.source +0(16)&0xffff
var tcp.dest +2(16)&0xffff
var tcp.seq +4
var tcp.ack_seq +8
var tcp.doff +12(28)&0xf
var tcp.fin +13(24)&0x1
var tcp.syn +13(25)&0x1
var tcp.rst +13(26)&0x1
var tcp.psh +13(27)&0x1
var tcp.ack +13(28)&0x1
var tcp.urg +13(29)&0x1
var tcp.live +127
# Define the UDP packet header fields.
var udp.source +0(16)&0xffff
var udp.dest +2(16)&0xffff
var udp.len +4(16)&0xffff
var udp.check +6(16)&0xffff
# Define the ICMP packet header fields.
var icmp.type +0(24)&0xff
var icmp.code +1(24)&0xff
var icmp.checksum +2(16)&0xffff
var icmp.echo.id +4(16)&0xffff
var icmp.echo.sequence +6(16)&0xffff
var icmp.gateway +4

-- -- /etc/diald.conf  (this is the stock setup with a few mods)

# This is a pretty complicated set of filter rules.
# (These are the rules I use myself.)
#
# I've divided the rules up into four sections.
# TCP packets, UDP packets, ICMP packets and a general catch all rule
# at the end.
#
#------------------------------------------------------------------------------
# Rules for TCP packets.
#------------------------------------------------------------------------------
# General comments on the rule set:
#
# In general we would like to treat only data on a TCP link as significant
# for timeouts.  Therefore, we try to ignore packets with no data.
# Since the shortest possible set of headers in a TCP/IP packet is 40 bytes,
# any packet with length 40 must have no data riding in it.
# We may miss some empty packets this way (optional routing information
# and other extras may be present in the IP header), but we should get
# most of them.  Note that we don't want to filter out packets with
# tcp.live clear, since we use them later to speed up disconnects
# on some TCP links.
#
# We also want to make sure WWW packets live even if the TCP socket
# is shut down.  We do this because WWW doesn't keep connections open
# once the data has been transferred, and it would be annoying to have the
# link keep bouncing up and down every time you get a document.
#
# Outside of WWW the most common use of TCP is for long lived connections,
# that once they are gone mean we no longer need the network connection.
# We don't necessarily want to wait 10 minutes for the connection
# to go down when we don't have any telnet's or rlogin's running,
# so we want to speed up the timeout on TCP connections that have
# shut down.  We do this by catching packets that do not have the live
# flag set.

# --- start of rule set proper ---

# When initiating a connection we only give the link 15 seconds initially.
# The idea here is to deal with the possibility that the network on the
# opposite end of the connection is unreachable.  In this case you don't
# really want to give the link 10 minutes up time.  With the rule below
# we only give the link 15 seconds initially.  If the network is reachable
# then we will normally get a response that actually contains some
# data within 15 seconds.  If this causes problems because you have a slow
# response time at some site you want to regularly access, you can either
# increase the timeout or remove this rule.
# Changed to 40 seconds --dranch
accept tcp 40 tcp.syn

# Keep named xfers from holding the link up
ignore tcp tcp.dest=tcp.domain
ignore tcp tcp.source=tcp.domain

# (Ack! SCO telnet starts by sending empty SYNs and only opens the
# connection if it gets a response.  Sheesh..)
{ diald applies the FIRST matching rule, so with the SYN rule above }
{ this 5-second rule is never reached.  It is harmless, but don't   }
{ expect it to do anything unless you move it above "accept tcp 40". }
accept tcp 5 ip.tot_len=40,tcp.syn

# keep empty packets from holding the link up (other than empty SYN packets)
ignore tcp ip.tot_len=40,tcp.live

# make sure http transfers hold the link for 2 minutes, even after they end.
# NOTE: Your /etc/services may not define the tcp service www, in which
# case you should comment out the following two lines or get a more
# up to date /etc/services file.  See the FAQ for information on obtaining
# a new /etc/services file.
# Changed to 8 minutes --dranch
accept tcp 480 tcp.dest=tcp.www
accept tcp 480 tcp.source=tcp.www

# Once the link is no longer live, we try to shut down the connection
# quickly.  Note that if the link is already down, a state change
# will not bring it back up.
keepup tcp 60 !tcp.live
ignore tcp !tcp.live

# an ftp-data or ftp connection can be expected to show reasonably frequent
# traffic.
# Changed to 8 minutes --dranch
accept tcp 480 tcp.dest=tcp.ftp
accept tcp 480 tcp.source=tcp.ftp
# NOTE: ftp-data is not defined in the /etc/services file provided with
# the latest versions of NETKIT, so I've got this commented out here.
# If you want to define it add the following line to your /etc/services:
# ftp-data 20/tcp
# and uncomment the following two rules.
#accept tcp 120 tcp.dest=tcp.ftp-data
#accept tcp 120 tcp.source=tcp.ftp-data

# If we don't catch it above, give the link 10 minutes up time.
accept tcp 600 any

# Rules for UDP packets
#
# We time out domain requests right away, we just want them to bring
# the link up, not keep it around for very long.
# This is because the network will usually come up on a call
# from the resolver library (unless you have all your commonly
# used addresses in /etc/hosts, in which case you will discover
# other problems.)
# Note that you should not make the timeout shorter than the time you
# might expect your DNS server to take to respond.  Otherwise
# when the initial link gets established there might be a delay
# greater than this between the initial series of packets before
# any packets that keep the link up longer pass over the link.

# Don't bring the link up for rwho.
ignore udp udp.dest=udp.who
ignore udp udp.source=udp.who

# Don't bring the link up for RIP.
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route

# NTP and timed: the stock rules ignore these (kept below, commented out).
# This setup accepts them instead and gives the link 2 minutes.
accept udp 120 udp.dest=udp.ntp
#ignore udp udp.dest=udp.ntp
accept udp 120 udp.source=udp.ntp
#ignore udp udp.source=udp.ntp
accept udp 120 udp.dest=udp.timed
#ignore udp udp.dest=udp.timed
accept udp 120 udp.source=udp.timed
#ignore udp udp.source=udp.timed

# Don't bring up on domain name requests between two running nameds.
ignore udp udp.dest=udp.domain,udp.source=udp.domain

# Bring up the network whenever we make a domain request from someplace
# other than named.
accept udp 30 udp.dest=udp.domain
accept udp 30 udp.source=udp.domain

# Do the same for netbios-ns broadcasts
# NOTE: your /etc/services file may not define the netbios-ns service
# in which case you should comment out the next three lines.
ignore udp udp.source=udp.netbios-ns,udp.dest=udp.netbios-ns
accept udp 30 udp.dest=udp.netbios-ns
accept udp 30 udp.source=udp.netbios-ns

# keep routed and gated transfers from holding the link up
{ The stock file has "tcp.dest"/"tcp.source" in these two udp rules, }
{ which is wrong; the udp fields are used here (this duplicates the  }
{ RIP rules above, which is harmless).                               }
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route

# Anything else gets 2 minutes.
# Changed to 8 minutes --dranch
accept udp 480 any

# Catch any packets that we didn't catch above and give the connection
# 30 seconds of live time.
# Changed to five minutes --dranch
accept any 300 any

#
# Here are other options that I just put on the command line (as seen in the
# next section) but you can put them here if you so wish [probably a
# better idea but I haven't tested it this way first hand].  If you DO
# use the following commands, make sure to delete the #'s first!
#
#mode ppp
#connect "/etc/ppp/chatscript"
#device /dev/ttyS1
#speed 115200
#modem
#lock
#crtscts
#local 192.168.0.1
#remote 192.168.0.2
#dynamic
#defaultroute
#fifo /etc/diald.fifo
#include /usr/lib/diald/standard.filter
#pppd-options lcp-echo-interval 10 lcp-echo-failure 2

-- -- /usr/lib/ppp/diald.isp

{ Replace 205.162.63.211 with your own static IP.  If your ISP assigns }
{ addresses dynamically, add the "dynamic" option here as noted at the }
{ top of this file.  The chat script path must match the file created  }
{ in the first section (/etc/ppp/chat.isp).                            }
echo "Diald starting.."
/usr/sbin/diald /dev/ttyS1 lock mtu 1500 mru 1500 window 8192 debug 4 -m ppp \
    local 205.162.63.211 remote 127.0.0.2 defaultroute modem crtscts \
    connect '/usr/lib/ppp/chat -v -t 45 -f /etc/ppp/chat.isp'

-- --< end >--
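The /etc/diald.conf rules above are evaluated first-match: the first rule whose protocol and expression fit a packet decides whether that packet is ignored, brings the link up, or keeps it up, and for how long. Because the order matters (an opening SYN to port 80 hits "accept tcp 40 tcp.syn" before it ever reaches the 480-second www rule), it is worth checking a rule set against a few packets before installing it. The following is an added example, not part of this setup file and not diald's own code: a small Python evaluator that reads a subset of the rules above in diald's syntax and reports what each constructed packet would do to the link. The service table is a constructed stand-in for /etc/services, the packets are constructed, and it assumes an unmatched packet is ignored (the rule set above ends with "accept any 300 any", so nothing reaches that case). Only the accept/keepup/ignore/bringup verbs and the "any", "var=value" and "!var" expression forms are handled.

```python
# Added example (not from the original setup file or from diald): a
# first-match evaluator for diald-style filter rules.
from dataclasses import dataclass

# Constructed subset of /etc/services; diald resolves names like udp.ntp
# against the real file.
SERVICES = {
    "tcp": {"domain": 53, "www": 80, "ftp": 21},
    "udp": {"domain": 53, "ntp": 123, "timed": 525, "who": 513, "route": 520},
}

# A subset of the /etc/diald.conf rules above, in the same order.
RULES_TEXT = """
accept tcp 40 tcp.syn
ignore tcp tcp.dest=tcp.domain
ignore tcp tcp.source=tcp.domain
accept tcp 5 ip.tot_len=40,tcp.syn
ignore tcp ip.tot_len=40,tcp.live
accept tcp 480 tcp.dest=tcp.www
accept tcp 480 tcp.source=tcp.www
keepup tcp 60 !tcp.live
ignore tcp !tcp.live
accept tcp 600 any
ignore udp udp.dest=udp.who
ignore udp udp.source=udp.who
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route
accept udp 120 udp.dest=udp.ntp
accept udp 120 udp.source=udp.ntp
ignore udp udp.dest=udp.domain,udp.source=udp.domain
accept udp 30 udp.dest=udp.domain
accept udp 30 udp.source=udp.domain
accept udp 480 any
accept any 300 any
"""


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    timeout: int
    terms: tuple  # ((negated, variable, value-or-None), ...)


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        action, proto = parts[0], parts[1]
        if action in ("accept", "keepup"):      # these verbs carry a timeout
            timeout, expr = int(parts[2]), parts[3]
        else:                                    # ignore/bringup/reject do not
            timeout, expr = 0, parts[2]
        terms = []
        if expr != "any":
            for term in expr.split(","):         # comma means AND
                negated = term.startswith("!")
                var, _, val = term.lstrip("!").partition("=")
                terms.append((negated, var, val or None))
        rules.append(Rule(action, proto, timeout, tuple(terms)))
    return rules


def resolve(token, pkt):
    """A token is a packet variable, a proto.service name, or a number."""
    if token in pkt:
        return pkt[token]
    proto, _, name = token.partition(".")
    if name in SERVICES.get(proto, {}):
        return SERVICES[proto][name]
    return int(token)


def matches(rule, pkt):
    if rule.proto not in ("any", pkt["proto"]):
        return False
    for negated, var, val in rule.terms:
        got = resolve(var, pkt)
        hit = (got != 0) if val is None else (got == resolve(val, pkt))
        if hit == negated:
            return False
    return True


def decide(rules, pkt, link_up=False):
    """Apply the first matching rule, as diald does.
    Returns (action, seconds this packet keeps the link up)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "ignore":
            return ("ignore", 0)                 # as if the packet was never seen
        if rule.action == "keepup":              # only counts while already up
            return ("keepup", rule.timeout if link_up else 0)
        return (rule.action, rule.timeout)
    return ("ignore", 0)   # assumption: unmatched packets are ignored


def tcp_packet(source, dest, tot_len=60, syn=0, live=1):
    return {"proto": "tcp", "ip.tot_len": tot_len, "tcp.source": source,
            "tcp.dest": dest, "tcp.syn": syn, "tcp.live": live}


def udp_packet(source, dest):
    return {"proto": "udp", "udp.source": source, "udp.dest": dest}


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # Opening SYN to a web server earns 40 s, the data back from port 80
    # earns the 8 minutes, and a bare 40-byte ACK earns nothing.
    for p in (tcp_packet(1025, 80, tot_len=40, syn=1),
              tcp_packet(80, 1025, tot_len=1500),
              tcp_packet(1025, 80, tot_len=40)):
        print(decide(RULES, p))
```

Running it also shows the shadowing mentioned above: an empty SYN to port 23 gets ("accept", 40) from the first rule, never ("accept", 5) from the SCO rule, and a FIN on a dead telnet session gives ("keepup", 60) only while the link is already up.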