Re: PPPoE Help me please!
From: jack (not_at_all.org)
Date: 04/11/04
- Next message: jack: "Re: Weird connection problem [ a bit long be patient; plz help ]"
- Previous message: Clifford Kite: "Re: modem hang up after connection.."
- In reply to: Ohmster: "Re: PPPoE Help me please!"
- Next in thread: Ohmster: "Re: PPPoE Help me please!"
- Reply: Ohmster: "Re: PPPoE Help me please!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 11 Apr 2004 18:07:47 +0200
Ohmster wrote:
> Jack, I have no idea of how to write iptables rules. All of that was done by
> firestarter, you install the rpm and then open the GUI front end in xwindows.
> You do a simple wizard and answer some questions about if you run any
> servers, want to use NAT, what is your external device, etc. You can also go
> to a "rules" area and forward, open, close, or stealth specific ports. I
> forwarded a few ports for Emule and for online games.
>
> Wish I knew all about iptables but it is very, very complicated, just look at
> how many rules there are just from running a simple firewall and answering a
> few questions! For me to have a firewall and iptables, I need some sort of
> fairly simple program that will write them for me so that I can get up and
> running. Take this for example:
Well, it is absolutely OK to make use of one of the iptables GUIs; this
just shows how important it is to check what rules the frontend
created. - I didn't know that firestarter creates such a complete mess;
this looks even worse than HTML produced by FrontPage...
> 0.0.0.0/0 tcp spt:22 dpts:513:65535 flags:!0x16/0x02 state RELATED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
>
> I have no freaking idea of what this means or where it comes from, do you?
> (If so, I am impressed, mate!)
Oops, You cut the halves of two different rules and put them together as
a new one. - But I'll take that example, firstly by correcting the
output:
" 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:513:65535 flags:!0x16/0x02 state RELATED "
OK, this says that You have a rule that shall allow tcp packets that
come from anywhere, and regardless of what interface they arrive on,
going to anywhere, again no matter what interface they will leave from,
as long as the connection comes from port 22 and points at one port in
the range from 513 through 65536, and as long as of the TCP flags SYN,
RST and ACK the SYN flag is either not set or, if it is set, at least
one of RST or ACK is set as well. All this shall apply only to packets
that belong to a connection that has been initiated by another, already
established connection. Additional information in the output above: 0
packets with a total of 0 bytes have ever matched this rule yet (the two
"0"s at the beginning of the line indicate that; it also shows that You
don't need it at all).
I don't know where You found this one, but I'd expect such a rule in the
OUTPUT chain of the filter table to allow for SSH replies. - This rule
is pretty useless. But in this case, it was made up of the halves of two
different rules, see above, so it's just an example.
> I was going to try shorewall because webmin has a module for that but it was
> way too freaking hard to figure out, I just stuck with firestarter because it
> worked.
Unfortunately, I don't know about any of these firewall scripts and tools
and GUIs. But the functionality You need - and that is a very common
situation - should in some way be built into all those.
> I guess I have to wait for my ip to change again so that my linux box
> internet craps out and then see if I can run the firewall startup again to
> see if that restores it. I might also want to try this new noip2 binary, I
> guess there is an updated version of the no-ip updater and I must not have
> it. Maybe that will help.
You can change Your IP with "kill -HUP $(pidof pppd)". pppd will hang up
and, since You have demand dialling enabled, it will reconnect soon.
To have things happen upon connection or disconnection to or from Your
ISP, "/etc/ppp/ip-up" and "/etc/ppp/ip-down" are the places of interest.
That is where I have my noip2 command.
> Thanks for all of your help, Jack. If you have more tips or suggestions,
> please keep them coming.
Again, see whether with firestarter or any other tool You can tell it
to update the firewall with a newly assigned dynamic IP. - I mean
virtually everybody needs this, so it cannot be too hard.
Cheers, Jack.
--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
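Jack's reading of the reconstructed rule above follows directly from how `iptables -L -v -n` lays out its columns and how netfilter's tcp-flags match works (look only at the flags in the mask, match when exactly the compare bits are set, invert on `!`). The script below is an added example and not part of the original mail: it decodes that field mechanically and pulls the packet counter out of a rule line, so the "has this rule ever matched" check Jack does by eye can be scripted. The sample line is constructed from Jack's reconstruction of Ohmster's rule.

```shell
#!/bin/sh
# Decode per-rule lines as printed by `iptables -L -v -n`.
# Added example for this thread; SAMPLE_RULE is constructed from Jack's
# reconstruction of the rule quoted in the mail.

SAMPLE_RULE='0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:513:65535 flags:!0x16/0x02 state RELATED'

# Turn a hex TCP-flag mask (as netfilter prints it) into flag names.
# Bit values: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20.
flag_names() {
    _m=$(( $1 ))            # arithmetic expansion accepts 0x.. hex literals
    _out=""
    for _pair in FIN:1 SYN:2 RST:4 PSH:8 ACK:16 URG:32; do
        _name=${_pair%%:*}
        _bit=${_pair##*:}
        if [ $(( _m & _bit )) -ne 0 ]; then
            _out="${_out:+$_out,}$_name"
        fi
    done
    echo "${_out:-NONE}"
}

# Decode a "flags:[!]MASK/COMP" field. netfilter's tcp-flags match examines
# only the flags in MASK and matches when exactly those in COMP are set;
# a leading "!" inverts the result. For "!0x16/0x02" this yields Jack's
# reading: of SYN,RST,ACK, the packet must not have SYN set alone.
decode_flags() {
    _f=${1#flags:}
    _neg=""
    case $_f in
        !*) _neg="NOT "; _f=${_f#!} ;;
    esac
    _examined=$(flag_names "${_f%/*}")
    _wanted=$(flag_names "${_f#*/}")
    echo "of $_examined, ${_neg}exactly $_wanted set"
}

# First column is the packet counter; 0 means the rule has never matched.
# `set -f` stops the "*" interface columns from being glob-expanded.
rule_packets() {
    ( set -f; set -- $1; echo "$1" )
}

# Pull the flags:... token out of a full rule line (empty if there is none).
rule_flags_field() {
    ( set -f
      _found=""
      for _w in $1; do
          case $_w in flags:*) _found=$_w; break ;; esac
      done
      echo "$_found" )
}

echo "packets matched so far: $(rule_packets "$SAMPLE_RULE")"
echo "flag condition: $(decode_flags "$(rule_flags_field "$SAMPLE_RULE")")"
```

The same decoder applied to the `--syn` shorthand, which iptables prints as `flags:0x17/0x02`, reads "of FIN,SYN,RST,ACK, exactly SYN set", which is why the inverted form in the firestarter rule admits every segment except a bare connection request.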
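Jack's answer to the "my firewall dies when the IP changes" problem is the pair of hooks `/etc/ppp/ip-up` and `/etc/ppp/ip-down`, where he also runs his noip2 update. The script below is an added example of such a hook, not Jack's own script or anything from firestarter: pppd(8) calls ip-up with the interface name, tty, speed, local address, remote address and ipparam, and the hook rebuilds only the rules that embed the address. The chain name `DYNIP`, the exposed port list and the constructed sample address are assumptions for illustration; the `-C` check option needs an iptables newer than the 2004 one in the thread.

```shell
#!/bin/sh
# Hook in the style of /etc/ppp/ip-up: rebuild the address-dependent firewall
# rules each time pppd brings the link up with a (possibly new) dynamic IP,
# then tell the dynamic-DNS client. Added example for this thread, not Jack's
# own script. pppd(8) invokes ip-up as:
#   ip-up <interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# The chain name DYNIP and the port list below are assumptions for illustration.

IPTABLES=${IPTABLES:-iptables}
CHAIN=DYNIP
ALLOW_TCP_PORTS="22"     # services to expose on the new address (constructed)

# Emit the iptables commands for one interface/address pair instead of running
# them directly: the policy can be read before it is applied, and the function
# can be exercised without root or a live ppp0.
firewall_rules_for() {
    _if=$1
    _ip=$2
    # Create the chain on first run, flush it on later runs, so nothing piles up.
    echo "$IPTABLES -N $CHAIN 2>/dev/null || $IPTABLES -F $CHAIN"
    # Hook the chain into INPUT once (-C needs iptables 1.4.11 or newer).
    echo "$IPTABLES -C INPUT -j $CHAIN 2>/dev/null || $IPTABLES -I INPUT -j $CHAIN"
    # Anti-spoofing: nothing arriving from the Internet may carry our own address.
    echo "$IPTABLES -A $CHAIN -i $_if -s $_ip -j DROP"
    for _p in $ALLOW_TCP_PORTS; do
        echo "$IPTABLES -A $CHAIN -i $_if -p tcp -d $_ip --dport $_p -m state --state NEW -j ACCEPT"
    done
    # NAT for the LAN: an SNAT rule embeds the address and must be re-pointed.
    # (MASQUERADE tracks the interface address itself, but forgets its
    # connections when the link goes down.)
    echo "$IPTABLES -t nat -F POSTROUTING"
    echo "$IPTABLES -t nat -A POSTROUTING -o $_if -j SNAT --to-source $_ip"
}

# Apply the rules and refresh no-ip with the address pppd just handed us.
apply_hook() {
    _if=$1
    _ip=$4
    firewall_rules_for "$_if" "$_ip" | sh -e
    # noip2's -i option supplies the address explicitly (assumed; check noip2 -h).
    if command -v noip2 >/dev/null 2>&1; then
        noip2 -i "$_ip"
    fi
}

# pppd passes at least five arguments; run by hand without arguments the file
# only prints the rules for constructed sample values and touches nothing.
if [ $# -ge 5 ]; then
    apply_hook "$@"
else
    firewall_rules_for ppp0 203.0.113.7
fi
```

Rules that match on the interface (`-i ppp0`, `-o ppp0`) rather than the address survive an IP change untouched, so the less a ruleset embeds the address, the less this hook has to redo; the flush of `POSTROUTING` above assumes the SNAT rule is the only NAT rule there, otherwise give it its own chain as well.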