PPP Hints and Tricks
The ppp manual is very good and detailed, but for the average Joe who just wants to get on the net it is a little too big, so I thought I would write some text on some of the useful things I have done with ppp over time, now that I am using a faster connection, before I forget :)

Setting up dial on demand for certain traffic

Basically this involves adding a single line per rule to the /etc/ppp/ppp.conf file, e.g.

set filter dial 10 permit 192.168.0.0/24 203.63.152.0/24 udp dst eq 53

This will cause user ppp to dial up when a NAT user (on 192.168.0.0/24) tries to reach the DNS servers (on 203.63.152.0/24) when ppp is started as "ppp -nat -auto". Two things to keep in mind about ppp's filters (see the "set filter" section of ppp(8)): rules are checked in numerical order and the first match decides, and as soon as a filter set contains any rules at all, a packet that matches none of them is discarded (for the dial filter that means it won't trigger a dial). So with only rule 10 in place, nothing except DNS lookups will bring the link up; add permit rules for whatever else should dial. Filtering also happens before NAT translation, which is why the rule can match on the internal 192.168.0.0/24 source.

One problem with demand dialing is that Microsoft hosts sometimes do a broadcast and then a DNS lookup for servers which don't exist, about every 30 minutes, and by themselves these will always cause the modem to dial up. The DNS requests the MS hosts send go to the DNS server on UDP port 53 just like a normal DNS request would, but the difference is that they come from source ports 137-139 (the NetBIOS ports), whereas normal DNS traffic has an ephemeral source port above 1024 (roughly 1080 and up), so it is easy to block them by putting this in /etc/ppp/ppp.conf:
set filter dial 2 deny udp src eq 137   # NetBIOS name service
set filter dial 3 deny udp src eq 138   # NetBIOS datagram service
set filter dial 4 deny udp src eq 139   # NetBIOS session service
set filter dial 5 deny udp dst eq 137   # NetBIOS name service
set filter dial 6 deny udp dst eq 138   # NetBIOS datagram service
set filter dial 7 deny udp dst eq 139   # NetBIOS session service

If you have IPFW compiled into your kernel as well, you may as well block it there too, because it's evil (add "via tun0" if you only want this on the ppp link rather than on every interface):

ipfw add 800 deny udp from any 137-139 to any
Disconnecting from the net after a certain time

Easy, add one of these to ppp.conf. The number is in seconds; 0 disables the timeout, and 600 would get you disconnected after 10 minutes of idle time.

set timeout 0
set timeout 600

You will have to decide what counts as interesting traffic to keep the connection alive. This ignores ICQ connections (UDP to port 4000) as interesting traffic but lets any TCP activity keep the link alive. Remember that once the alive filter has rules, anything that matches neither rule (other UDP, ICMP) won't reset the idle timer either:

set filter alive 0 deny udp dst eq 4000
set filter alive 1 permit tcp
Port forwarding with user PPP

If you need to forward ports it is easier to do with user ppp than with IPFW or IPFilter. An example: if you only have one IRC user on your internal NAT network, you can port forward TCP 113 (ident) to the internal machine that uses IRC by adding this to your ppp.conf file, e.g.

alias port tcp 192.168.1.5:113 113

or, with the newer "nat" spelling of the same command,

nat port tcp 192.168.1.5:113 113

where 192.168.1.5:113 is the IRC user's internal IP and destination port, and the last 113 is the TCP port on the modem side (note that no IP needs to be listed for the modem side). For this to work you may have to disable your own ident line in /etc/inetd.conf by commenting it out with a #, and give inetd a "killall -HUP inetd" after adding the #:

#auth stream tcp wait root /usr/local/sbin/identd identd -w -t120

Changing PPP settings without restarting user PPP

If you edit ppp.conf, you have to kill and restart the ppp daemon for the changes to take effect. If you have a pricey service provider where it costs a bit of money to dial up but nothing once you are connected, it is possible to make changes to your ppp setup while it is running using pppctl. The first thing to do is create a local domain socket (don't ask why :) by putting this in your /etc/ppp/ppp.conf file:
set server /var/run/internet "" 0177

ppp creates the socket itself when it starts, so you do not need to create a file at that path first. The "" is the (empty) password and 0177 is the umask the socket is created with, so only its owner can open it; that matters, because anyone who can talk to this socket can reconfigure your link.

Now you can port forward 113 to your internal machine and disable the timeout from a script:

#! /bin/sh
exec pppctl /var/run/internet set timeout 0\; alias port tcp 10.1.1.2:113 113

If you want to check whether you are dialed up, put this in a file. ppp's prompt starts with "PPP" (all three letters capitalised) only when the link is fully up, which is what the grep looks for; the -p option is only needed if you gave "set server" a real password instead of "":

#! /bin/sh
pppctl -p 'YOURDIALUPPASSWORD' -v /var/run/internet quit | grep ^PPP >/dev/null
if [ $? -eq 0 ]; then
    echo Link is up
else
    echo Link is down
fi
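Here is an added example (my own script, not from the original page or from ppp) that takes the two scripts above a step further: it reads the whole link state out of ppp's prompt instead of only matching "PPP", and it wraps pppctl so several commands go into one session. It assumes the /var/run/internet socket configured above and pppctl in the PATH; PPPCTL and SOCKET are overridable so it can be exercised without a modem. The state names (up, lcp, modem, down) are my labels for the three prompt letters.

```sh
#!/bin/sh
# Added example: query and drive a running user ppp over its control socket.
# Assumes "set server /var/run/internet" in ppp.conf.  PPPCTL and SOCKET can
# be overridden (e.g. PPPCTL=some_fake_command when testing without a modem).
PPPCTL=${PPPCTL:-pppctl}
SOCKET=${SOCKET:-/var/run/internet}

# ppp's prompt encodes the link state in the case of its first three letters,
# one per layer: "ppp ON host>" nothing up, "Ppp" modem connected,
# "PPp" LCP up, "PPP" IPCP up as well (only then do you have an IP address).
state_from_prompt() {
    case "$1" in
        PPP*) echo up ;;
        PPp*) echo lcp ;;
        Ppp*) echo modem ;;
        ppp*) echo down ;;
        *)    echo unknown ;;
    esac
}

# link_state: ask ppp for a prompt (the "quit" just closes the session) and
# classify it.  Prints "not-running" when nothing answers on the socket.
link_state() {
    prompt=$("$PPPCTL" -v "$SOCKET" quit 2>/dev/null | awk '/ ON / { print; exit }')
    if [ -z "$prompt" ]; then
        echo not-running
        return 1
    fi
    state_from_prompt "$prompt"
}

# ppp_cmd CMD...: run several ppp commands in one pppctl session.  pppctl
# splits its command argument on ";", so the commands are joined with it
# here instead of escaping each ";" on the command line.
ppp_cmd() {
    cmds=$1
    shift
    for c in "$@"; do
        cmds="$cmds; $c"
    done
    "$PPPCTL" "$SOCKET" "$cmds"
}

case "${1:-}" in
    status)  echo "Link is $(link_state)" ;;
    forward) ppp_cmd "set timeout 0" "nat port tcp ${2:?internal host needed}:113 113" ;;
    "")      ;;   # no arguments: just define the functions
    *)       echo "usage: $0 status | forward INTERNAL_IP" >&2; exit 1 ;;
esac
```

Run it as "pppstate status" to see the state, or "pppstate forward 10.1.1.2" to apply the same two commands as the script above. If you gave "set server" a password, add -p to the two pppctl invocations.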
Running scripts after a connection is established

If your IP changes every time you dial up and you want to re-run your IPFW firewall etc. to match the new IP, create /etc/ppp/ppp.linkup and give it the right permissions:

chmod 744 /etc/ppp/ppp.linkup

You can also have one for when the link goes down, called /etc/ppp/ppp.linkdown. Now add this to ppp.linkup; MYADDR is the catch-all label ppp falls back to when no label matches the address it was given or the label you started ppp with:

MYADDR:
 !bg /etc/rc.myfirewall
This should now execute /etc/rc.myfirewall every time your link comes up. Since I got you this far, I will give a very small firewall example making use of the startup script. Note that this is not a default-deny firewall: it resets (and logs) connections to a handful of local services arriving over the link and lets everything else through. The loopback pass is numbered below the 127.0.0.0/8 deny on purpose, since ipfw checks rules from the lowest number up.

fwcmd="/sbin/ipfw"
$fwcmd -f flush
$fwcmd add 50 pass all from any to any via lo0
$fwcmd add 55 deny all from any to 127.0.0.0/8
# Extract the address of the ppp link (user ppp uses tun0, not ppp0) so it
# can be used in the rules below as $oip.  Might need to be modified.
oip=`/sbin/ifconfig tun0 | awk '/inet / { print $2 }'`
$fwcmd add 10 reset log tcp from any to $oip 21,22,80,110,1080 via tun0
$fwcmd add 60 allow tcp from any to any
$fwcmd add 62 allow udp from any to any
$fwcmd add 63 allow icmp from any to any
$fwcmd add 70 deny log all from any to any
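The same firewall again, as an added example of mine (not the page's script), rewritten so the address lookup and the rule set are separate, testable functions: tun_addr parses the "inet A --> B" line that ifconfig prints for a point-to-point interface and returns only our side, and load_rules takes the address as a parameter. It keeps the page's policy (reset a few local services over the link, allow the rest). It assumes user ppp on tun0 and ipfw in the kernel; setting FWCMD=echo prints the rules instead of loading them.

```sh
#!/bin/sh
# Added example: /etc/rc.myfirewall, run from ppp.linkup each time the link
# comes up.  Assumptions: user ppp on tun0, ipfw in the kernel.  The policy
# is the page's (refuse a few local services over the link, allow the rest).
FWCMD=${FWCMD:-/sbin/ipfw}      # FWCMD=echo for a dry run
IFACE=${IFACE:-tun0}

# tun_addr: read ifconfig output on stdin and print our local IPv4 address.
# A point-to-point interface prints
#     inet 203.63.152.10 --> 203.63.152.1 netmask 0xffffffff
# so the second field is ours; the peer after "-->" must not be picked up.
# Prints nothing if there is no inet line.
tun_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# current_addr IFACE: the same, straight from ifconfig (empty if no address).
current_addr() {
    /sbin/ifconfig "$1" 2>/dev/null | tun_addr
}

# load_rules ADDR: flush and reload the rule set for the address ADDR.
# Numbering matters: ipfw runs rules lowest number first, so the loopback
# pass sits below the 127/8 deny or local traffic gets denied.
load_rules() {
    addr=$1
    $FWCMD -f flush
    $FWCMD add 50 pass all from any to any via lo0
    $FWCMD add 55 deny all from any to 127.0.0.0/8
    # Anyone on the link poking our own services gets a logged RST.
    $FWCMD add 100 reset log tcp from any to "$addr" 21,22,80,110,1080 via "$IFACE"
    $FWCMD add 200 allow tcp from any to any
    $FWCMD add 210 allow udp from any to any
    $FWCMD add 220 allow icmp from any to any
    $FWCMD add 300 deny log all from any to any
}

# ppp(8) substitutes MYADDR in "!" commands, so ppp.linkup can hand us the
# address directly ("!bg /etc/rc.myfirewall MYADDR"); otherwise ask ifconfig.
addr=${1:-$(current_addr "$IFACE")}
if [ -n "$addr" ]; then
    load_rules "$addr"
else
    echo "rc.myfirewall: no address on $IFACE, rules left unchanged" >&2
fi
```

Leaving the rules untouched when no address is found is deliberate: flushing and then failing half-way through would leave the box with whatever ipfw's default rule is, which is worse than keeping the previous set.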
Okies, this should really get you going :)

purp