adsl, pptp, iptables (http://www.linux-archive.org/gentoo-user/147711-adsl-pptp-iptables.html)

Andrew Gaydenko 08-23-2008 08:09 PM

adsl, pptp, iptables
 
Hi!

I have:

1. eth0 IP address,
2. adsl modem IP address eth0 is connected with,
3. dedicated IP address for ppp0 interface after connecting to...
4. ... provider's pptp server with another, fourth, IP address.

All these addresses are assigned by my provider. The aim is to close all
incoming traffic except for, say, httpd port.

Does anybody know a good tutorial on how to organize all these IPs and interfaces
wrt iptables rules? It would be great to do this job in Oskar's tutorial
style/approach which I'm reading now:

http://iptables-tutorial.frozentux.net/


Andrew

Stroller 08-25-2008 05:46 AM

adsl, pptp, iptables
 
On 23 Aug 2008, at 21:09, Andrew Gaydenko wrote:

> ...
> 1. eth0 IP address,
> 2. adsl modem IP address eth0 is connected with,
> 3. dedicated IP address for ppp0 interface after connecting to...
> 4. ... provider's pptp server with another, fourth, IP address.

Could you try explaining this again, please?

The adsl modem will not be "connected with" eth0, because the ADSL
modem will (surely?) be ppp0.

> The aim is to close all incoming traffic except for, say, httpd port.



As I'm reading it you can simply firewall all unsolicited incoming on
ppp0 - ignoring all other interfaces - then open port 80. But since
your explanation doesn't make sense I can't be sure I'm not missing
something.


Stroller.

Andrew Gaydenko 08-25-2008 10:53 AM

adsl, pptp, iptables
 
======= On Monday 25 August 2008, Stroller wrote: =======
> On 23 Aug 2008, at 21:09, Andrew Gaydenko wrote:
> > ...
> > 1. eth0 IP address,
> > 2. adsl modem IP address eth0 is connected with,
> > 3. dedicated IP address for ppp0 interface after connecting to...
> > 4. ... provider's pptp server with another, fourth, IP address.
>
> Could you try explaining this again, please?
>
> The adsl modem will not be "connected with" eth0, because the ADSL
> modem will (surely?) be ppp0.

I mean the physical connection: a cable is connected from eth0 to the modem.
The latter is connected to the phone line. Starting the pptp client creates the
ppp0 interface. The incoming speed is about 4Mbit/sec.

>
> > The aim is to close all incoming traffic except for, say, httpd port.
>
> As I'm reading it you can simply firewall all unsolicited incoming on
> ppp0 - ignoring all other interfaces - then open port 80. But since
> your explanation doesn't make sense I can't be sure I'm not missing
> something.

Yes, I also think ppp0 may be treated as INET_IFACE in Oskar's tutorial
terms. The main question is what to do with eth0 wrt filtering.


Andrew

>
> Stroller.

Stroller 08-25-2008 08:40 PM

adsl, pptp, iptables
 
On 25 Aug 2008, at 11:53, Andrew Gaydenko wrote:

> ======= On Monday 25 August 2008, Stroller wrote: =======
> > On 23 Aug 2008, at 21:09, Andrew Gaydenko wrote:
> > > ...
> > > 1. eth0 IP address,
> > > 2. adsl modem IP address eth0 is connected with,
> > > 3. dedicated IP address for ppp0 interface after connecting to...
> > > 4. ... provider's pptp server with another, fourth, IP address.
> >
> > Could you try explaining this again, please?
> >
> > The adsl modem will not be "connected with" eth0, because the ADSL
> > modem will (surely?) be ppp0.
>
> I mean physical connection: a cable is connected from eth0 to the
> modem.
> Last one is connected to phone line. pptp client starting creates ppp0
> interface. An incoming speed is about 4Mbit/sec.


I can't really help with this. Here (in the UK) we use PPPoA and a
"modem" would usually be connected by USB - the connection to the
internet would be made by a single cable represented by a single
interface. I find this "logical" and "correct", and PPPoE doesn't
make much sense to me (but perhaps because I've never come into
contact with it).


Here in the UK a "modem" connecting to a computer by Ethernet would
be uncommon, but these do exist - they're really a router with a
fixed 1:1 NAT. Authentication is done by the "modem" itself and
configured via a web-page hosted on it.


> > > The aim is to close all incoming traffic except for, say, httpd
> > > port.
> >
> > As I'm reading it you can simply firewall all unsolicited incoming on
> > ppp0 - ignoring all other interfaces - then open port 80. But since
> > your explanation doesn't make sense I can't be sure I'm not missing
> > something.
>
> Yes, I also think ppp0 may be treated as INET_IFACE in Oscar's
> tutorial
> terms. The main question is what to do with eth0 wrt filtering.


Best guess: ignore it. Presumably the point of having both is that
only ppp0 can be seen by the outside world. Presumably eth0 has a
private address and is inaccessible from the internets.


Stroller.

Andrew Gaydenko 08-25-2008 08:54 PM

adsl, pptp, iptables
 
======= On Tuesday 26 August 2008, Stroller wrote: =======
...
> > The main question is what to do with eth0 wrt filtering.
>
> Best guess: ignore it. Presumably the point of having both is that
> only ppp0 can be seen by the outside world. Presumably eth0 has a
> private address and is inaccessible from the internets.
>
> Stroller.

Thanks!
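The ruleset the exchange above converges on (treat ppp0 as INET_IFACE, default-deny unsolicited input, open only the httpd port, leave eth0 alone) in concrete form. This is an added example, not code posted in the thread or taken from the tutorial it cites: a POSIX shell function that prints an iptables-restore ruleset for review rather than applying it. The interface names, the port list and the modem's LAN subnet are passed as arguments, so the same function also covers the case where the modem does the ISP authentication and NAT itself and eth0 is the internet-facing interface. The 192.168.0.0/24 default is a constructed placeholder for the modem's LAN, and the rate-limited LOG rule is an addition for auditing drops.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset that
# default-drops unsolicited input on the internet-facing interface and opens
# only the listed TCP ports.  Nothing is applied; review the output first, then
# pipe it into iptables-restore if it matches what you intended.
#
# gen_ruleset INET_IFACE LAN_IFACE "PORT [PORT ...]" [MODEM_SUBNET]
#   full-bridge modem, PPPoE/PPTP client on the PC:  gen_ruleset ppp0 eth0 80
#   half-bridge modem doing the NAT itself:          gen_ruleset eth0 eth0 80
gen_ruleset() {
    inet=$1
    lan=$2
    ports=$3
    modem_subnet=${4:-192.168.0.0/24}   # constructed default for the modem's LAN

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (to the ISP, to the modem's GUI, ...).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection and are not valid openers.
-A INPUT -m state --state INVALID -j DROP
EOF
    # One explicit accept per published service, bound to the internet-facing interface.
    for p in $ports; do
        printf '%s\n' "-A INPUT -i $inet -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Let the link be checked with ping; every other unsolicited packet hits the DROP policy.
-A INPUT -i $inet -p icmp --icmp-type echo-request -j ACCEPT
# The only unsolicited traffic the modem side may start is a DHCP reply
# (half-bridge modems hand out the LAN address).  PPPoE session frames are not
# IP and never reach iptables, so in the full-bridge case eth0 needs nothing else.
-A INPUT -i $lan -s $modem_subnet -p udp --sport 67 --dport 68 -j ACCEPT
# Log what is about to be dropped, rate-limited, so the policy is auditable.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# rule_count ARGS... -> number of -A INPUT rules generated (sanity check)
rule_count() {
    gen_ruleset "$@" | grep -c '^-A INPUT'
}

if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Run as `sh rules.sh ppp0 eth0 80` to see the ruleset; `sh rules.sh ppp0 eth0 80 | iptables-restore` applies it (as root, after review). The script never touches the live tables itself, which keeps the generation step safe to run and diff on any machine.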

Mick 08-27-2008 06:49 PM

adsl, pptp, iptables
 
On Monday 25 August 2008, Stroller wrote:
> On 25 Aug 2008, at 11:53, Andrew Gaydenko wrote:
> > ======= On Monday 25 August 2008, Stroller wrote: =======

> > I mean physical connection: a cable is connected from eth0 to the
> > modem.

In network topology terms that's your LAN. It will have a private address
which, depending on your modem software, would be 192.168.X.XXX or
10.10.10.XXX, that sort of thing. In your modem's GUI control panel you should be
able to change the modem's LAN IP address to one of your choice. Your modem
could be a true modem (full bridge) performing no NATing, only encapsulating
PPPoE packets from your PC into ATM packets and sending them down the line to
the ISP's DSLAM/authentication server. In this case, authentication (ISP
username & passwd) will take place from your PC by means of PPPoE. The modem
is for all intents and purposes transparent when pinged from the Internet -
only your PC is seen - so make sure you have configured your firewall
properly. Your modem can be seen from within your LAN if you ping or
telnet/browse to its LAN IP address mentioned above, but would not show up if
e.g. you traceroute an Internet address from your PC. To connect to your
modem you will need to manually set a private IP address for your PC on your
LAN interface (e.g. ifconfig eth0 192.168.0.100) within the *same* subnet as
your modem (in this example your modem could be 192.168.0.1/255.255.255.255
and the subnet would be 192.168.0.0/255.255.255.0).

On the other hand, your modem could be a 'half-bridge' modem undertaking the
authentication with the ISP itself and then forwarding the packets to your
PC. NATing takes place in this implementation and your modem most likely uses
PPPoA directly when communicating with the DSLAM/ISP (it could also use PPPoE).
If your modem has only one ethernet port it is not necessarily called a 'router'
in the manufacturer's brochures (although in NAT terms it behaves as such)
and this may confuse prospective buyers. If it has more than one ethernet
port it essentially incorporates a switch and behaves as what most hardware
manufacturers market as a multiport router. Using a single ethernet port
(half-bridged) modem or a conventional multiport router means that your PC
now has a private IP address which is not visible from the Internet.
In this configuration your modem is no longer transparent. Pinging your
network from the Internet will show up your router/modem, not your PC. A
firewall on your PC is no longer absolutely essential, just common sense.

> > Last one is connected to phone line. pptp client starting creates ppp0
> > interface. An incoming speed is about 4Mbit/sec.

That's your WAN, which usually obtains an Internet IP address from your ISP's
dhcp server.

> I can't really help with this. Here (in the UK) we use PPPoA and a
> "modem" would usually be connected by USB - the connection to the
> internet would be made by a single cable represented by a single
> interface. I find this "logical" and "correct", and PPPoE doesn't
> make much sense to me (but perhaps because I've never come into
> contact with it).

Most UK ISPs use PPPoA, although there are some who use PPPoE (e.g. AOL).
Most BT telephone exchanges will happily authenticate you using either
protocol.

> Here in the UK a "modem" connecting to a computer by Ethernet would
> be uncommon, but these do exist - they're really a router with a
> fixed 1:1 NAT. Authentication is done by the "modem" itself and
> configured via a web-page hosted on it.

Not always (see above). If authentication onto the ISP's network is done by
the modem then that is not a true modem operating in full-bridged mode, but a
half-bridge modem which performs NATing. Almost all modems have a choice to
set them up in a fully bridged mode. In that operating mode no NATing, no
dhcp and no DNS services are offered by the modem. The GUI page to set up a
fully bridged mode may well be hidden from view and if you contact the
ISP/manufacturer they will tell you that this mode is not supported and you
have to revert to a NAT router mode if you want their help. To see the page
in question on a Netgear DG834 router run this in your browser:

http://192.168.0.1/setup.cgi?next_file=mode.html

In fully bridged mode you can connect simultaneously to two different ISPs,
having two different Internet addresses. You will need two PPPoE clients to
do this (e.g. two different PCs).

If you are running an additional router between the (fully bridged) modem and
the PC(s) then the ISP authentication has to be dealt with by the router
using PPPoE, rather than your PC.

> >>> The aim is to close all incoming traffic except for, say, httpd
> >>> port.
> >>
> >> As I'm reading it you can simply firewall all unsolicited incoming on
> >> ppp0 - ignoring all other interfaces - then open port 80. But since
> >> your explanation doesn't make sense I can't be sure I'm not missing
> >> something.

That's right - if we are talking about a fully-bridged modem. Otherwise it's
perhaps better to configure a set of rules for this purpose on your eth0
interface since that's what you'll use to connect to the LAN/Internet.

> > Yes, I also think ppp0 may be treated as INET_IFACE in Oscar's
> > tutorial
> > terms. The main question is what to do with eth0 wrt filtering.
>
> Best guess: ignore it. Presumably the point of having both is that
> only ppp0 can be seen by the outside world. Presumably eth0 has a
> private address and is inaccessible from the internets.

Stroller's right, ignore it if the PPPoE authentication is performed by the
PC. eth0 may *not* have an IP address at all in the LAN - because a full
bridge modem will not serve private IP addresses to clients in the LAN. Only
ppp0 will get an IP address from your ISP. Running ifconfig will show you
what's what.

HTH.
--
Regards,
Mick
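Mick's closing advice to run ifconfig and see "what's what" can be turned into a small check. The following is an added example, not something posted in the thread: a POSIX shell script that reads the one-line-per-address output of `ip -4 -o addr` (assumed as the input format; ifconfig prints a different layout), classifies each address as loopback, private (RFC 1918), link-local or public, and names the interface carrying the public address, i.e. the one to treat as INET_IFACE, and the one holding only a private address towards the modem. The sample output is constructed for the example, using the 203.0.113.0/24 documentation range for the ISP-assigned address and with the trailing lifetime fields trimmed.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ip -4 -o addr` output which
# interface faces the internet and which only holds a private address towards
# the modem.  SAMPLE_IP_OUTPUT is constructed for the example, not captured
# from anyone's machine; 203.0.113.0/24 is the documentation range.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth0
4: ppp0    inet 203.0.113.45 peer 203.0.113.1/32 scope global ppp0'

# addr_scope ADDRESS -> prints loopback | private | link-local | public
addr_scope() {
    addr=$1
    o1=${addr%%.*}
    rest=${addr#*.}
    o2=${rest%%.*}
    case "$o1" in
        127) echo loopback ;;
        10)  echo private ;;                        # 10.0.0.0/8
        172) if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo private; else echo public; fi ;;   # 172.16.0.0/12
        192) if [ "$o2" -eq 168 ]; then echo private; else echo public; fi ;;                     # 192.168.0.0/16
        169) if [ "$o2" -eq 254 ]; then echo link-local; else echo public; fi ;;                  # 169.254.0.0/16
        *)   echo public ;;
    esac
}

# classify_ifaces "<ip -4 -o addr output>" -> one "iface address scope" line per address
classify_ifaces() {
    printf '%s\n' "$1" | while read -r idx iface fam cidr rest; do
        addr=${cidr%%/*}            # ppp0 shows a bare address, eth0 an address/prefix
        printf '%s %s %s\n' "$iface" "$addr" "$(addr_scope "$addr")"
    done
}

# inet_iface "<ip output>" -> first interface holding a public address (INET_IFACE)
inet_iface() {
    classify_ifaces "$1" | awk '$3 == "public" { print $1; exit }'
}

# lan_iface "<ip output>" -> first interface holding only a private address (the modem side)
lan_iface() {
    classify_ifaces "$1" | awk '$3 == "private" { print $1; exit }'
}

# On a real box run: classify_ifaces "$(ip -4 -o addr)"
classify_ifaces "$SAMPLE_IP_OUTPUT"
```

With a full-bridge modem and the PPPoE/PPTP client on the PC, eth0 may show no address at all (it then simply does not appear in the output), and ppp0 is the only line classified as public; with a half-bridge modem the public address never appears on the PC and the script reports only the private eth0 address, which is the case where the filtering rules belong on eth0.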

