IP Masquerade with PPP dialup set up HOW TO
PPP dial on demand version
by Jerry Winegarden
The key pieces of the set up:
1) create /etc/sysconfig/network-scripts/ifcfg-ppp0
DEVICE="ppp0"
ONBOOT="yes"
USERCTL="no"
MODEMPORT="/dev/ttyS0" (for an external modem; use /dev/ttyS3 for an internal modem set to COM4)
LINESPEED="115200"
PERSIST="yes"
DEFABORT="yes"
DEBUG="no"
INITSTRING="ATZ"
DEFROUTE="yes"
HARDFLOWCTL="yes"
ESCAPECHARS="no"
PPPOPTIONS="ipcp-accept-local ipcp-accept-remote demand idle 3000"
PAPNAME="yourispaccountusername"
REMIP="10.0.0.2" (this is temporary number!)
NETMASK=""
IPADDR="10.0.0.1" (this is a temporary number!)
MRU=""
MTU=""
DISCONNECTTIMEOUT="60"
RETRYTIMEOUT="5"
BOOTPROTO="dhcp"
PEERDNS="yes"
Note: the above assumes that your IP Masq LAN is
set to 192.168.1.x (anything besides 10.0.0.x, anyway),
since the temporary assignment of 10.0.0.1 and 10.0.0.2
is only needed to get connected; the real numbers are then
dynamically assigned by the ISP's dhcp service to your
IP Masq box.
Note 2: the idle time is in seconds; it is how long
your box will wait before dropping the
connection if there is no activity on the line.
Your ISP may have a shorter drop time (e.g. 10 minutes).
While testing your set up, set the idle time to 200 or 300;
in operation you will want to set it longer
(e.g. 3000 seconds = 50 minutes).
Note 3: the demand option also needs the persist option.
2) create file /etc/sysconfig/network-scripts/chat-ppp0
'ABORT' 'BUSY'
'ABORT' 'ERROR'
'ABORT' 'NO CARRIER'
'ABORT' 'NO DIALTONE'
'ABORT' 'Invalid Login'
'ABORT' 'Login incorrect'
'' 'ATZ'
'OK' 'ATDTyour_isp_phone_number'
'CONNECT' ''
'ogin:' 'yourispusername'
'sword:' 'yourispaccountpassword'
Note: the login prompt for your ISP may be "Username" instead
of "Login". You should use something like minicom to dial in and look
at the login process. Then you'll see the login dialog. If it is
"Username:" instead of "Login:", then change "ogin:" to "ername:" or
"Username:" or whatever instead.
Obviously, you need to put in your ISP's local phone number
(spaces and dashes don't matter), your user name and your password.
If you require a more complicated modem init string instead of "ATZ",
then replace 'ATZ' with that string (inside single quotes, 'xxx').
3) create the bash shell script /etc/ppp/ip-up.local
#!/bin/bash
/etc/rc.d/rc.firewall
If it exists, this file is automatically called by ip-up, which is
invoked whenever your ppp interface is started up. This is how your
firewall script gets run. This is required to get the ip numbers properly
defined in the ipchains commands, since the ppp0 interface number changes
each time you dial in to your ISP.
4) create your IP Masquerade/firewall script /etc/rc.d/rc.firewall:
#!/bin/sh
# /etc/rc.d/rc.firewall - STRONG IP Masquerade via IPCHAINS for 2.2.x kernels
# from the IP-Masquerade-HOWTO, modified by Jerry Winegarden, 11/22/99
# - ppp dial out version
PATH=/sbin:/bin:/usr/sbin:/usr/bin
depmod -a
# modprobe ip_masq_ftp
# modprobe ip_masq_raudio
# for RH 6.1 or earlier, uncomment the next line, for 6.2 or later leave it
#echo "1" > /proc/sys/net/ipv4/ip_forward
# Note: for RH 6.2 put an entry in /etc/sysctl.conf to turn ip_forward on
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# define variables intint, intnet, extint, extip
# intint = "Internal Interface name", intnet = "Internal network number"
# extint = "External Interface name" (e.g. ppp0), extip = "External ip #"
# Values for the internal interface (eth0, your LAN interface) you predetermine.
# The value for the external (ppp0) interface is taken from the output of
# the ifconfig command: after a successful ppp connection the ppp0 ip number
# is set for that session, so this script reads that number and builds the
# rules with it (this is why ip-up.local runs it on every connection).
# Note: ` is different from '
# Note: the next line needs to be a "one-liner".
export extip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
export extint="ppp0"
export intint="eth0"
export intnet="192.168.1.0/24"
# if have DSL or cable modem external interface instead of ppp, then use
# extip for eth1 for dsl/cable modem (uncomment next line, comment ppp0 lines)
#export extip="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
#
ipchains -M -S 7200 10 160
#
ipchains -F input
ipchains -P input REJECT
# incoming
ipchains -A input -i $intint -s $intnet -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
ipchains -A input -i $extint -s 0.0.0.0/0 -d $extip/32 -j ACCEPT
ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
# outgoing
ipchains -F output
ipchains -P output REJECT
ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet -l -j REJECT
ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 -l -j REJECT
ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
# forwarding
ipchains -F forward
ipchains -P forward DENY
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
# port forwarding commands would go here (use ipmasqadm portfw)
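As an added example (not part of the HOWTO), here is the ppp0 address extraction from rc.firewall written as testable shell functions, plus a guard that refuses the temporary 10.0.0.1 placeholder from ifcfg-ppp0 so the $extip rules are never built around it. The function names and the ifconfig text are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of 2.2-era ifconfig output for ppp0, not a real capture.
# One sample with a real ISP-assigned address, one still on the placeholder.
SAMPLE_UP='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.45  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

SAMPLE_PLACEHOLDER='ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.1  P-t-P:10.0.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# extip_from_ifconfig IFCONFIG_TEXT
# Same grep/awk/sed pipeline as the one-liner in rc.firewall, but reading
# from a string so it can be exercised without a live ppp0.
extip_from_ifconfig() {
    printf '%s\n' "$1" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

# check_extip ADDRESS
# Succeeds only for a usable address: non-empty, a dotted quad, and not the
# temporary 10.0.0.1 that ifcfg-ppp0 assigns before the ISP hands out a real one.
check_extip() {
    addr="$1"
    [ -n "$addr" ] || return 1
    echo "$addr" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    [ "$addr" != "10.0.0.1" ] || return 1
    return 0
}

# build_extip IFCONFIG_TEXT
# Prints the address and succeeds, or prints nothing and fails so the caller
# can skip loading the $extip/32 ACCEPT rules until ip-up reruns the script.
build_extip() {
    ip=$(extip_from_ifconfig "$1")
    check_extip "$ip" || return 1
    printf '%s\n' "$ip"
}
```

In rc.firewall you would call it as extip="$(build_extip "$(/sbin/ifconfig ppp0)")" and bail out if it fails (an assumption about how you wire it in, not something the HOWTO does).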
5) Using linuxconf, Control==>Control panel==>Control service activity
You want the following services to be automatic:
ppp
dhcpd
named (for caching-nameserver, if you run one)
inet
network
You want firewall to be "Enabled"
6) Using linuxconf, configure the dhcpd daemon to start on eth0:
Control==>Control files and systems==>Configure all commands and daemons
dhcpd
Managed: * Linuxconf may operate
path of command: /usr/sbin/dhcpd
arguments: eth0
This will result in dhcpd starting up as: dhcpd eth0
(ps aux will show this, unless dhcpd doesn't start up successfully)
7) create file (or edit file) /etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE="eth0"
BOOTPROTO=""
IPADDR="192.168.1.1" (assumes LAN uses 192.168.1.x)
NETMASK="255.255.255.0"
ONBOOT="yes"
NOTE: if you have an ISA ethernet card, and plug and play doesn't seem
to want to work, then create a DOS (or Win95) boot floppy, copy the
ethernet card's diagnostics or setup .exe to this floppy, boot from the
floppy, disable Plug and Play on the ISA ethernet card, manually set the
IO Address (300 suggested), and IRQ (suggest 10). If you disable plug n pray,
then the card will most likely default to being an "ne2000" clone (check
your card's documentation if it doesn't). Here, we assume that it does.
Then add an entry to /etc/conf.modules:
alias eth0 ne
options eth0 io=0x300 irq=10
You should have some entry in conf.modules for eth0, even if plug n pray works.
It should say: alias eth0 3c509 or via-rhine or ne,
or whatever the name of the driver module is that it thinks is correct for that
card.
8) create /etc/dhcpd.conf:
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.200;
option routers 192.168.1.1;
default-lease-time 2592000;
max-lease-time 25920000;
option broadcast-address 192.168.1.255;
# domain nameservers line - if you provide a caching nameserver, point to it first,
# then put in your ISP's DNS servers. Example uses mindspring's DNS.
#
option domain-name-servers 192.168.1.1, 207.69.188.185, 207.68.188.186;
}
# don't forget the } above!!
9) create the initial dhcpd leases file: touch /var/state/dhcp/dhcpd.leases
10) Red Hat 6.2 or later: edit (or create) file /etc/sysctl.conf:
# 0 disables ip packet forwarding
# 1 enables ip packet forwarding
net.ipv4.ip_forward = 1
# 1 Enables source route verification
net.ipv4.conf.all.rp_filter=1
# 0 Disables automatic defragmentation
# 1 Enables automatic defragmentation (needed for masquerading)
net.ipv4.ip_always_defrag = 1
11) Plug in your modem to the phone line. Reboot your machine.
12) If it is successful, then be sure to edit
/etc/sysconfig/network-scripts/ifcfg-ppp0 to change the idle time
in the ppp options line to be something like: idle 3000
Note about the behavior of the ppp connection.
On system startup, it will appear to FAIL. This is expected behavior.
It then "backgrounds" the connection attempts and will
actually dial. If your phone number, username, password, etc. are correct
(see the chat-ppp0 script), then it should connect. If it doesn't, then when
you try to ping some number out on the Internet (e.g. ping www.redhat.com)
it will try to dial out and connect; hence the term "on demand" connection,
which the demand option in the ppp options line of ifcfg-ppp0 provides.
If you have trouble, be sure to check the /var/log/messages file:
tail -n 50 /var/log/messages | more
Also, if you are having trouble, be sure the phone number, account name,
phone line and modem are all working:
minicom
(Ignore error messages about "no configuration file" or whatever)
atdt4259833 (or whatever your local ISP phone number)
If semi-successful, you will get your ISP's login prompt:
login: yourusername (note the PROMPT string: Login: or Username: ?)
password: yourpassword (note the PROMPT string: Password: or password:)
If minicom gets hung, then kill it by opening another console window:
CTRL-ALT-F2, log in as root, list processes: ps aux | grep minic
Note the Process ID number for minicom, and kill it:
kill -9 xxx (where xxx is the process ID number of the instance of minicom
that's running and you want to kill)
Enjoy!