Chake
04.06.04, 17:09
Hi!
nachdem ich versuch habe BIND einzurichten, und es auch für ca. 15h geklappt hat bin ich jetzt am verzweifeln, warum nix mehr geht *g*
Am laufen ist Debian Woody
eth0 -> DSL
eth1 -> Lan (192.168.7.XXX; domain lan.scholle)
Ich kann mich mit dem Server weiterhin problemlos einwählen (pppstatus sagt on). Allerdings kann ich weder nach nacmen noch nach ip adressen ins inet pingen (heise.de und 141.1.1.1 probiert). Genausowenig können auch die clients demzufolge machen. hab irgendwie keine ahnung wo ich ansetzen soll, deshalb poste ich einfach mal n paar configs. wenn weitere erwünscht werden sagt ruhig bescheid ;)
Danke auf jedenfall schonmal für eure hilfe!
ifconfig
eth0 Link encap:Ethernet HWaddr 00:08:XX:C1:EB:XX
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:4856 errors:0 dropped:0 overruns:0 frame:0
TX packets:1220 errors:0 dropped:0 overruns:36 carrier:0
collisions:0 txqueuelen:100
RX bytes:334170 (326.3 KiB) TX bytes:36706 (35.8 KiB)
Interrupt:11 Base address:0xe000
eth1 Link encap:Ethernet HWaddr 00:C0:XX:57:35:XX
inet addr:192.168.7.1 Bcast:192.168.7.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:44390 errors:0 dropped:0 overruns:0 frame:0
TX packets:48139 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4449362 (4.2 MiB) TX bytes:6527740 (6.2 MiB)
Interrupt:11
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:77729 errors:0 dropped:0 overruns:0 frame:0
TX packets:77729 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4450931 (4.2 MiB) TX bytes:4450931 (4.2 MiB)
wundert euch net warum da kein ppp0 steht, irgendwie muss ich ja ins internet ;)
resolv.conf
domain lan.scholle
nameserver 141.1.1.1
nameserver 195.129.111.49
nameserver 195.129.111.50
named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
options {
directory "/var/cache/bind";
pid-file "/var/run/bind/named.pid";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
forward first;
forwarders {
212.7.148.65;
212.7.148.97;
195.129.111.50;
};
};
// prime the server with knowledge of the root servers
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// add entries for other zones below here
zone "lan.scholle" {
type master;
file "/var/cache/bind/lan.scholle.hosts";
};
dsl-provider
# Configuration file for PPP, using PPP over Ethernet
# to connect to a DSL provider.
#
# See the manual page pppd(8) for information on all the options.
##
# Section 1
#
# Stuff to configure...
# MUST CHANGE: Uncomment the following line, replacing the user@provider.net
# by the DSL user name given to your by your DSL provider.
# (There should be a matching entry in /etc/ppp/pap-secrets with the password.)
#user myusername@myprovider.net
# Use the pppoe program to send the ppp packets over the Ethernet link
# This line should work fine if this computer is the only one accessing
# the Internet through this DSL connection. This is the right line to use
# for most people.
pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1452"
# If the computer connected to the Internet using pppoe is not being used
# by other computers as a gateway to the Internet, you can try the following
# line instead, for a small gain in speed:
#pty "/usr/sbin/pppoe -I eth0 -T 80"
# An even more conservative version of the previous line, if things
# don't work using -m 1452...
#pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1412"
# The following two options should work fine for most DSL users.
# Assumes that your IP address is allocated dynamically
# by your DSL provider...
noipdefault
# Comment out if you already have the correct default route installed
defaultroute
##
# Section 2
#
# Uncomment if your DSL provider charges by minute connected
# and you want to use demand-dialing.
#
# Disconnect after 300 seconds (5 minutes) of idle time.
#demand
#idle 300
##
# Section 3
#
# You shouldn't need to change these options...
hide-password
lcp-echo-interval 60
lcp-echo-failure 3
# Override any connect script that may have been set in /etc/ppp/options.
connect /bin/true
noauth
persist
mtu 1452
#usepeerdns
user "xxx@xxx"
script für bei ip-up
#!/bin/sh
################################################## ################
# Route beim Verbindungsaufbau setzen #
################################################## ################
################################################## ################
# Übernommen aus #
# http://www.netfilter.org/documentation/HOWTO/de/NAT-HOWTO.html #
# Vielen Dank an den Autor des HowTo's: Rusty Russell #
# Und an die Übersetzerin: Melanie Berg #
################################################## ################
# Das NAT-Modul laden
modprobe iptable_nat
# In der NAT-Tabelle (-t nat) eine Regel fuer alle an ppp0 (-o ppp0)
# ausgehenden Pakete hinter dem Routing (POSTROUTING), die maskiert
# werden sollen, anhaengen (-A).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# IP-Forwarding aktivieren
echo 1 > /proc/sys/net/ipv4/ip_forward
# Jay's Firewall aktivieren
/etc/init.d/fw-jay restart
firewall.config (Jay's)
#!/bin/sh
################################################## ####################
# #
# This file was generated by 'firewall-config.pl' tool. #
# You can edit it by hands or use the script configuration. #
# Lines begining with '#' are regarded as comments. #
# #
################################################## ####################
################################################## ####################
# #
# firewall.config 1.0.3 by Jay #
# #
# Copyright 2002 Jerome Nokin #
# #
#This program is free software; you can redistribute it and/or modify#
#it under the terms of the GNU General Public License as published by#
#the Free Software Foundation; either version 2 of the License, or #
#(at your option) any later version. #
# #
#This program is distributed in the hope that it will be useful, #
#but WITHOUT ANY WARRANTY; without even the implied warranty of #
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
#GNU General Public License for more details. #
# #
#You should have received a copy of the GNU General Public License #
#along with this program; if not, write to the Free Software #
#Foundation, Inc., 59 Temple Place, Suite 330, Boston, #
#MA 02111-1307 USA #
# #
################################################## ####################
################################################## ###################
# INTERFACES #
################################################## ###################
### LAN Interfaces
# May be more than one (ex: (eth0 eth1))
# Please leave interfaces between () and no ""
# Interfaces must be up for ip dection
INT_IFACE=(eth1)
### External Interface
# May be more than one (ex: "eth2 eth3")
# Interfaces must be up for ip dection
EXT_IFACE="ppp0"
################################################## ###################
# TRAFFIC #
################################################## ###################
### Your Friends
# DHCP_SERVER is the DHCP of your IPS, leave blank if don't know it
# or if you don't use DHCP.
# (you can find it in your "pump" log)
# DNS is the DNS of your ISP (separated with spaces)
DNS="212.7.148.97 212.7.148.65"
DHCP_SERVER=""
### Allow connections from the World ..
# Give the list of TCP/UDP ports that you want to allow
# on your box (and for which interface).
# Syntax: "<iface1>;port1,port2,port3 <iface2>;<port1>,<port2>"
#
# Example: "ppp0;22,80 ppp1;25,110"
TCP_EXT_IN="ppp0;22"
UDP_EXT_IN=""
### Allow connections from the LAN ..
# Leave TCP_INT_IN="*" for allow all TCP connections from
# youur LAN (idem for UDP), if not :
#
# Give the list of TCP/UDP ports that you want to allow on your
# box (and for which interface). '*' mean all ports
#
# Syntax: "<iface1>;<port1>,<port2>,<port3> <iface2>;<port1>,<port2>"
#
# Example: "eth0;22,80,8080 eth1;*"
#
# Remeber that allowing ssh connections is always a good idea
# when you're testing this feature ... ;)
TCP_INT_IN="*"
UDP_INT_IN="*"
### TCP & UDP Forward
# ( separated with spaces,
# ex: "eth0>20100:21100>192.168.0.4 eth1>21>192.168.0.6" )
# syntax:
# iface[,iface]>dport[:dport]>dest-ip[:dport]
#
#
# example:
# - redirect port 21 from eth0 and eth1 to 192.168.0.3
# "eth0,eth1>21>192.168.0.3"
#
# - redirect port 2121 from ppp0 to 192.168.0.3 on port 21
# "ppp0>2121>192.168.0.3:21"
TCP_FORWARD=""
UDP_FORWARD=""
################################################## ###################
# POST / PRE Scripts #
################################################## ###################
### POST START script (run after the 'start')
# Add a list of scripts separated by a ;
# ps: 'restart' = 'stop' + 'start'
POST_START=""
### PRE START script (run before the 'start')
PRE_START=""
### POST STOP script (run after the 'stop')
POST_STOP=""
### PRE STOP script (run before the 'stop')
PRE_STOP=""
################################################## ###################
# OPTIONS #
################################################## ###################
### Do you have ADSL/Cable/IDSN/... ?
# Enable this option if you have a dynamic ip.
# Your established connections will not be lost
# during a reconnection .
DYN_IP="1"
### Share Internet over your LAN ?
NAT="1"
### This option is necessary if you want to use IRC on your LAN
IRC="0"
### Your Linux box is a DHCP server for the LAN ?
USE_DHCP_SERVER="1"
### Transparents Proxy
# Write the proxies ports of your LAN
PROXY_HTTP=""
PROXY_FTP=""
### Can we be pinged by the world ?
# remember that the LAN can Always ping the server
PING_FOR_ALL="1"
### Hosts allowed to ping the linux box (only if PING_FOR_ALL = "0")
ALLOWED_PING=""
### Enable TCP control
TCP_CONTROL="1"
### Enable ICMP Control
ICMP_CONTROL="1"
### Give wich ICMP you want to drop (separate with spaces)
# Please enter the real name of the icmp type
# ex: network-unreachable, host-unreachable, ...
# (see 'iptables -p icmp --help' for the list)
ICMP_TO_DENY="network-redirect host-redirect TOS-network-redirect TOS-host-redirect timestamp-request timestamp-reply address-mask-request"
### Enable Spoofing control (bad ips)
SPOOFING_CONTROL="1"
### Set firewall in verbose mode ?
alias ECHO="#echo"
### Logging Options
LOGLEVEL="info"
LOG_DROPPED="0"
LOG_MARTIANS="0"
LOG_SYNFLOOD="0"
LOG_PINGFLOOD="0"
LOG_SPOOFED="1"
LOG_ECHO_REPLY_TO_OUTSIDE="1"
LOG_INVALID="0"
### ULOG
# If you don't want to write all dropped packets to your syslog files,
# you can use ULOGD. Give only the 'nlgroup' value of your ulogd.conf.
# Leave blank if you don't want to use ULOGD.
LOG_ULOG_NLGROUP=""
################################################## ###################
# Hosts Blocking List #
################################################## ###################
# IP and MAC control #
# Reject spyware, doubleclick and co. #
# Give the target of a (or more) ip file #
# #
# (SEE README & SPYWARES!) #
################################################## ###################
####### Directory where input and output files are located
# default /var/lib/firewall-jay/
DENY_DIR="/var/lib/firewall-jay"
####### ULOG
# If you don't want to write all dropped packets to your syslog files,
# you can use ULOGD. Give only the 'nlgroup' value of your ulogd.conf.
# Leave blank if you don't want to use ULOGD.
DENY_ULOG_NLGROUP=""
####### Incoming traffic 'from' IPs
# Enable (1) / Disable (0)
DENY_IP_IN="1"
# Filename of ip files (in DENY_DIR directory)
# You can enter more than one file, leave a space between them.
DENY_IP_IN_FILES="block-ip-out.spywares"
# Log activity
DENY_IP_IN_LOG="0"
####### Outgoing traffic 'to' IPs
DENY_IP_OUT="0"
# Filename of ip files (in DENY_DIR directory)
# You can enter more than one file, leave a space between them.
DENY_IP_OUT_FILES=""
# Log activity
DENY_IP_OUT_LOG="0"
####### Incoming traffic 'from' MACs
# Enable (1) / Disable (0)
DENY_MAC_IN="0"
# Filename of mac files (in DENY_DIR directory)
# You can enter more than one file, leave a space between them.
DENY_MAC_IN_FILES=""
# Log activity
DENY_MAC_IN_LOG="0"
################################################## ###################
# Type Of Service (TOS) #
# Set better performance to your bandwidth #
################################################## ###################
# Enable (1) / Disable (0)
TOS="0"
# Give services which require minimum delay like
# interactives services (ssh , telnet, ...)
TCP_MIN_DELAY=""
UDP_MIN_DELAY=""
# Give services which require maximum throughput (ftp-data, ...)
TCP_MAX_THROUGHPUT=""
UDP_MAX_THROUGHPUT=""
################################################## ###################
# VPN - VTUND #
################################################## ###################
### Give the devices used for tunneling
# (separated with spaces, ex: "tun0 tun1")
TUN_IFACE=""
### Give the subnet allowed in your LAN
# (separated with spaces, ex:"192.168.2.0/24 192.168.4.0/24")
TUN_SUBNET=""
### Give the ports allowed for TUN_SUBNET
# (separated with spaces)
# "*" give access to all ports
TUN_TCP=""
TUN_UDP=""
################################################## ###################
# VPN - PPTP #
# #
# --- Only PPTP server on localhost work for this time ---- #
# #
# Your are able to set up a pptp server on this #
# localhost, or on a LAN behind this firewall #
################################################## ###################
# PPTP server on LOCALHOST
##########################
# Enable (1) / Disable (0)
PPTP_LOCALHOST="0"
### Port of Pptp server (default 1723)
PPTP_LOCALHOST_PORT="1723"
### Incoming connections from clients are on which interface(s) ?
PPTP_LOCALHOST_IFACES=""
### Give the subnet of your VPN (ex: 192.168.10.0/24)
PPTP_LOCALHOST_SUBNET_VPN=""
### Which subnets except your new Virtual Network can use
# the VPN connection (ex: the local subnet of your client)
PPTP_LOCALHOST_SUBNET_ALLOWED=""
### Do you want to allow the access to your LAN from the VPN ?
PPTP_LOCALHOST_ACCESS_LAN="0"
### Do you want to allow the access to your Internet connection from the VPN ?
PPTP_LOCALHOST_ACCESS_INET="0"
# PPTP server on LAN
# NOT IMPLEMENTED YET
#####################
# Enable (1) / Disable (0)
PPTP_LAN="0"
### Ip of Ipsec server (ex: 192.168.2.2)
PPTP_LAN_IP=""
### Port of Pptp server (default 1723)
PPTP_LAN_PORT="1723"
################################################## ###################
# VPN - IPSEC #
# #
# Your are able to set up a ipsec server on this localhost, #
# or on a LAN behind this firewall #
################################################## ###################
# IPSEC server on LOCALHOST
# NOT IMPLEMENTED YET
###########################
# Enable (1) / Disable (0)
IPSEC_LOCALHOST="0"
IPSEC_LOCALHOST_IFACES=""
### Port of Ipsec server (default 500)
IPSEC_LOCALHOST_PORT="500"
IPSEC_LOCALHOST_SUBNET_VPN=""
# IPSEC server on LAN
# NOT IMPLEMENTED YET
######################
# Enable (1) / Disable (0)
IPSEC_LAN="0"
### Ip of Ipsec server (ex: 192.168.2.2)
IPSEC_LAN_IP=""
### Port of Ipsec server (default 500)
IPSEC_LAN_PORT="500"
################################################## ###################
# ZORBIPTRAFFIC #
# #
# ZorbIPtraffic shows the IP traffic on a network interface #
# in real time. It can display (by the web) traffic statistics #
# for each IP on your internal network. #
# #
# See exemple & download on http://www.atout.be #
# #
# You can insert multiple Subnets & IPs like #
# #
# ZORBIPTRAFFIC_NET="192.168.3.0/24 192.168.5.0/24" #
# ZORBIPTRAFFIC_IPS="192.168.3.1 192.168.5.4" #
# #
################################################## ###################
# Enable (1) / Disable (0)
ZORBIPTRAFFIC="0"
# ZorbIPTraffic subnets
ZORBIPTRAFFIC_NET=""
# ZorbIPTraffic specifics ips
ZORBIPTRAFFIC_IPS=""
################################################## ###################
# NETFILTER & IPROUTE #
################################################## ###################
# If you want to mark packets for playing #
# with iproute2, give port/ip to be marked #
# #
# MARK_TCP="port1>mark1 port2>mark2 ..." #
# ex. MARK_TCP="110>1 30000:30100>2" #
# #
# MARK_IP -> mark packets comming "from" IP #
# MARK_TCP -> mark packets destined "to" tcp port #
# MARK_UDP -> mark packets destined "to" udp port #
################################################## ###################
# Enable (1) / Disable (0)
MARK="0"
MARK_IP=""
MARK_TCP=""
MARK_UDP=""
################################################## ###################
# CUSTOM RULES FILE #
################################################## ###################
# Give the path to the custom rules file #
# The file will be started like a script in #
# the beginning of the firewall #
# #
# Default : /var/lib/firewall-jay/firewall-custom.rules #
################################################## ###################
# 1 (enable) / 0 (disable)
CUSTOM_RULES="0"
# Path to custom file
CUSTOM_RULES_FILE="/var/lib/firewall-jay/firewall-custom.rules"
################################################## ###################
##---------------------- DON'T EDIT BELOW -------------------------##
################################################## ###################
PRIV_PORTS="0:1023"
UPRIV_PORTS="1024:65535"
IPTABLES="`which iptables`"
IFCONFIG="`which ifconfig`"
GREP="`which grep`"
SED="`which sed`"
FIREWALL_RULES_DIR="/var/lib/firewall-jay"
RESERVED_IP="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 255.255.255.255/32"
PING_LIMIT="1/s"
LOG_LIMIT="1/s"
SYN_LIMIT="4/s"
UNDETECTED_IFACES=""
FIREWALL_VERSION="1.0.3"
Ich hoffe das langt bzw. ist net zuviel ;)
nachdem ich versuch habe BIND einzurichten, und es auch für ca. 15h geklappt hat bin ich jetzt am verzweifeln, warum nix mehr geht *g*
Am laufen ist Debian Woody
eth0 -> DSL
eth1 -> Lan (192.168.7.XXX; domain lan.scholle)
Ich kann mich mit dem Server weiterhin problemlos einwählen (pppstatus sagt on). Allerdings kann ich weder nach nacmen noch nach ip adressen ins inet pingen (heise.de und 141.1.1.1 probiert). Genausowenig können auch die clients demzufolge machen. hab irgendwie keine ahnung wo ich ansetzen soll, deshalb poste ich einfach mal n paar configs. wenn weitere erwünscht werden sagt ruhig bescheid ;)
Danke auf jedenfall schonmal für eure hilfe!
ifconfig
eth0 Link encap:Ethernet HWaddr 00:08:XX:C1:EB:XX
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:4856 errors:0 dropped:0 overruns:0 frame:0
TX packets:1220 errors:0 dropped:0 overruns:36 carrier:0
collisions:0 txqueuelen:100
RX bytes:334170 (326.3 KiB) TX bytes:36706 (35.8 KiB)
Interrupt:11 Base address:0xe000
eth1 Link encap:Ethernet HWaddr 00:C0:XX:57:35:XX
inet addr:192.168.7.1 Bcast:192.168.7.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:44390 errors:0 dropped:0 overruns:0 frame:0
TX packets:48139 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4449362 (4.2 MiB) TX bytes:6527740 (6.2 MiB)
Interrupt:11
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:77729 errors:0 dropped:0 overruns:0 frame:0
TX packets:77729 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4450931 (4.2 MiB) TX bytes:4450931 (4.2 MiB)
wundert euch net warum da kein ppp0 steht, irgendwie muss ich ja ins internet ;)
resolv.conf
domain lan.scholle
nameserver 141.1.1.1
nameserver 195.129.111.49
nameserver 195.129.111.50
named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
options {
directory "/var/cache/bind";
pid-file "/var/run/bind/named.pid";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
forward first;
forwarders {
212.7.148.65;
212.7.148.97;
195.129.111.50;
};
};
// prime the server with knowledge of the root servers
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// add entries for other zones below here
zone "lan.scholle" {
type master;
file "/var/cache/bind/lan.scholle.hosts";
};
dsl-provider
# Configuration file for PPP, using PPP over Ethernet
# to connect to a DSL provider.
#
# See the manual page pppd(8) for information on all the options.
##
# Section 1
#
# Stuff to configure...
# MUST CHANGE: Uncomment the following line, replacing the user@provider.net
# by the DSL user name given to your by your DSL provider.
# (There should be a matching entry in /etc/ppp/pap-secrets with the password.)
#user myusername@myprovider.net
# Use the pppoe program to send the ppp packets over the Ethernet link
# This line should work fine if this computer is the only one accessing
# the Internet through this DSL connection. This is the right line to use
# for most people.
pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1452"
# If the computer connected to the Internet using pppoe is not being used
# by other computers as a gateway to the Internet, you can try the following
# line instead, for a small gain in speed:
#pty "/usr/sbin/pppoe -I eth0 -T 80"
# An even more conservative version of the previous line, if things
# don't work using -m 1452...
#pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1412"
# The following two options should work fine for most DSL users.
# Assumes that your IP address is allocated dynamically
# by your DSL provider...
noipdefault
# Comment out if you already have the correct default route installed
defaultroute
##
# Section 2
#
# Uncomment if your DSL provider charges by minute connected
# and you want to use demand-dialing.
#
# Disconnect after 300 seconds (5 minutes) of idle time.
#demand
#idle 300
##
# Section 3
#
# You shouldn't need to change these options...
hide-password
lcp-echo-interval 60
lcp-echo-failure 3
# Override any connect script that may have been set in /etc/ppp/options.
connect /bin/true
noauth
persist
mtu 1452
#usepeerdns
user "xxx@xxx"
script für bei ip-up
#!/bin/sh
################################################## ################
# Route beim Verbindungsaufbau setzen #
################################################## ################
################################################## ################
# Übernommen aus #
# http://www.netfilter.org/documentation/HOWTO/de/NAT-HOWTO.html #
# Vielen Dank an den Autor des HowTo's: Rusty Russell #
# Und an die Übersetzerin: Melanie Berg #
################################################## ################
# Das NAT-Modul laden
modprobe iptable_nat
# In der NAT-Tabelle (-t nat) eine Regel fuer alle an ppp0 (-o ppp0)
# ausgehenden Pakete hinter dem Routing (POSTROUTING), die maskiert
# werden sollen, anhaengen (-A).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# IP-Forwarding aktivieren
echo 1 > /proc/sys/net/ipv4/ip_forward
# Jay's Firewall aktivieren
/etc/init.d/fw-jay restart
firewall.config (Jay's)
#!/bin/sh
################################################## ####################
# #
# This file was generated by 'firewall-config.pl' tool. #
# You can edit it by hands or use the script configuration. #
# Lines begining with '#' are regarded as comments. #
# #
################################################## ####################
################################################## ####################
# #
# firewall.config 1.0.3 by Jay #
# #
# Copyright 2002 Jerome Nokin #
# #
#This program is free software; you can redistribute it and/or modify#
#it under the terms of the GNU General Public License as published by#
#the Free Software Foundation; either version 2 of the License, or #
#(at your option) any later version. #
# #
#This program is distributed in the hope that it will be useful, #
#but WITHOUT ANY WARRANTY; without even the implied warranty of #
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
#GNU General Public License for more details. #
# #
#You should have received a copy of the GNU General Public License #
#along with this program; if not, write to the Free Software #
#Foundation, Inc., 59 Temple Place, Suite 330, Boston, #
#MA 02111-1307 USA #
# #
################################################## ####################
################################################## ###################
# INTERFACES #
################################################## ###################
### LAN Interfaces
# May be more than one (ex: (eth0 eth1))
# Please leave interfaces between () and no ""
# Interfaces must be up for ip dection
INT_IFACE=(eth1)
### External Interface
# May be more than one (ex: "eth2 eth3")
# Interfaces must be up for ip dection
EXT_IFACE="ppp0"
################################################## ###################
# TRAFFIC #
################################################## ###################
### Your Friends
# DHCP_SERVER is the DHCP of your IPS, leave blank if don't know it
# or if you don't use DHCP.
# (you can find it in your "pump" log)
# DNS is the DNS of your ISP (separated with spaces)
DNS="212.7.148.97 212.7.148.65"
DHCP_SERVER=""
### Allow connections from the World ..
# Give the list of TCP/UDP ports that you want to allow
# on your box (and for which interface).
# Syntax: "<iface1>;port1,port2,port3 <iface2>;<port1>,<port2>"
#
# Example: "ppp0;22,80 ppp1;25,110"
TCP_EXT_IN="ppp0;22"
UDP_EXT_IN=""
### Allow connections from the LAN ..
# Leave TCP_INT_IN="*" for allow all TCP connections from
# youur LAN (idem for UDP), if not :
#
# Give the list of TCP/UDP ports that you want to allow on your
# box (and for which interface). '*' mean all ports
#
# Syntax: "<iface1>;<port1>,<port2>,<port3> <iface2>;<port1>,<port2>"
#
# Example: "eth0;22,80,8080 eth1;*"
#
# Remeber that allowing ssh connections is always a good idea
# when you're testing this feature ... ;)
TCP_INT_IN="*"
UDP_INT_IN="*"
### TCP & UDP Forward
# ( separated with spaces,
# ex: "eth0>20100:21100>192.168.0.4 eth1>21>192.168.0.6" )
# syntax:
# iface[,iface]>dport[:dport]>dest-ip[:dport]
#
#
# example:
# - redirect port 21 from eth0 and eth1 to 192.168.0.3
# "eth0,eth1>21>192.168.0.3"
#
# - redirect port 2121 from ppp0 to 192.168.0.3 on port 21
# "ppp0>2121>192.168.0.3:21"
TCP_FORWARD=""
UDP_FORWARD=""
################################################## ###################
# POST / PRE Scripts #
################################################## ###################
### POST START script (run after the 'start')
# Add a list of scripts separated by a ;
# ps: 'restart' = 'stop' + 'start'
POST_START=""
### PRE START script (run before the 'start')
PRE_START=""
### POST STOP script (run after the 'stop')
POST_STOP=""
### PRE STOP script (run before the 'stop')
PRE_STOP=""
################################################## ###################
# OPTIONS #
################################################## ###################
### Do you have ADSL/Cable/IDSN/... ?
# Enable this option if you have a dynamic ip.
# Your established connections will not be lost
# during a reconnection .
DYN_IP="1"
### Share Internet over your LAN ?
NAT="1"
### This option is necessary if you want to use IRC on your LAN
IRC="0"
### Your Linux box is a DHCP server for the LAN ?
USE_DHCP_SERVER="1"
### Transparents Proxy
# Write the proxies ports of your LAN
PROXY_HTTP=""
PROXY_FTP=""
### Can we be pinged by the world ?
# remember that the LAN can Always ping the server
PING_FOR_ALL="1"
### Hosts allowed to ping the linux box (only if PING_FOR_ALL = "0")
ALLOWED_PING=""
### Enable TCP control
TCP_CONTROL="1"
### Enable ICMP Control
ICMP_CONTROL="1"
### Give wich ICMP you want to drop (separate with spaces)
# Please enter the real name of the icmp type
# ex: network-unreachable, host-unreachable, ...
# (see 'iptables -p icmp --help' for the list)
ICMP_TO_DENY="network-redirect host-redirect TOS-network-redirect TOS-host-redirect timestamp-request timestamp-reply address-mask-request"
### Enable Spoofing control (bad ips)
SPOOFING_CONTROL="1"
### Set firewall in verbose mode ?
alias ECHO="#echo"
### Logging Options
LOGLEVEL="info"
LOG_DROPPED="0"
LOG_MARTIANS="0"
LOG_SYNFLOOD="0"
LOG_PINGFLOOD="0"
LOG_SPOOFED="1"
LOG_ECHO_REPLY_TO_OUTSIDE="1"
LOG_INVALID="0"
### ULOG
# If you don't want to write all dropped packets to your syslog files,
# you can use ULOGD. Give only the 'nlgroup' value of your ulogd.conf.
# Leave blank if you don't want to use ULOGD.
LOG_ULOG_NLGROUP=""
################################################## ###################
# Hosts Blocking List #
################################################## ###################
# IP and MAC control #
# Reject spyware, doubleclick and co. #
# Give the target of a (or more) ip file #
# #
# (SEE README & SPYWARES!) #
################################################## ###################
####### Directory where input and output files are located
# default /var/lib/firewall-jay/
DENY_DIR="/var/lib/firewall-jay"
####### ULOG
# If you don't want to write all dropped packets to your syslog files,
# you can use ULOGD. Give only the 'nlgroup' value of your ulogd.conf.
# Leave blank if you don't want to use ULOGD.
DENY_ULOG_NLGROUP=""
####### Incoming traffic 'from' IPs
# Enable (1) / Disable (0)
DENY_IP_IN="1"
# Filename of ip files (in DENY_DIR directory)
# You can enter more than one file, leave a space between them.
DENY_IP_IN_FILES="block-ip-out.spywares"
# Log activity
DENY_IP_IN_LOG="0"
####### Outgoing traffic 'to' IPs
DENY_IP_OUT="0"
# Filename of ip files (in DENY_DIR directory)
# You can enter more than one file, leave a space between them.
DENY_IP_OUT_FILES=""
# Log activity
DENY_IP_OUT_LOG="0"
####### Incoming traffic 'from' MACs
# Enable (1) / Disable (0)
DENY_MAC_IN="0"
# Filename of mac files (in DENY_DIR directory)
# You can enter more than one file, leave a space between them.
DENY_MAC_IN_FILES=""
# Log activity
DENY_MAC_IN_LOG="0"
################################################## ###################
# Type Of Service (TOS) #
# Set better performance to your bandwidth #
################################################## ###################
# Enable (1) / Disable (0)
TOS="0"
# Give services which require minimum delay like
# interactives services (ssh , telnet, ...)
TCP_MIN_DELAY=""
UDP_MIN_DELAY=""
# Give services which require maximum throughput (ftp-data, ...)
TCP_MAX_THROUGHPUT=""
UDP_MAX_THROUGHPUT=""
################################################## ###################
# VPN - VTUND #
################################################## ###################
### Give the devices used for tunneling
# (separated with spaces, ex: "tun0 tun1")
TUN_IFACE=""
### Give the subnet allowed in your LAN
# (separated with spaces, ex:"192.168.2.0/24 192.168.4.0/24")
TUN_SUBNET=""
### Give the ports allowed for TUN_SUBNET
# (separated with spaces)
# "*" give access to all ports
TUN_TCP=""
TUN_UDP=""
################################################## ###################
# VPN - PPTP #
# #
# --- Only PPTP server on localhost work for this time ---- #
# #
# Your are able to set up a pptp server on this #
# localhost, or on a LAN behind this firewall #
################################################## ###################
# PPTP server on LOCALHOST
##########################
# Enable (1) / Disable (0)
PPTP_LOCALHOST="0"
### Port of Pptp server (default 1723)
PPTP_LOCALHOST_PORT="1723"
### Incoming connections from clients are on which interface(s) ?
PPTP_LOCALHOST_IFACES=""
### Give the subnet of your VPN (ex: 192.168.10.0/24)
PPTP_LOCALHOST_SUBNET_VPN=""
### Which subnets except your new Virtual Network can use
# the VPN connection (ex: the local subnet of your client)
PPTP_LOCALHOST_SUBNET_ALLOWED=""
### Do you want to allow the access to your LAN from the VPN ?
PPTP_LOCALHOST_ACCESS_LAN="0"
### Do you want to allow the access to your Internet connection from the VPN ?
PPTP_LOCALHOST_ACCESS_INET="0"
# PPTP server on LAN
# NOT IMPLEMENTED YET
#####################
# Enable (1) / Disable (0)
PPTP_LAN="0"
### Ip of Ipsec server (ex: 192.168.2.2)
PPTP_LAN_IP=""
### Port of Pptp server (default 1723)
PPTP_LAN_PORT="1723"
################################################## ###################
# VPN - IPSEC #
# #
# Your are able to set up a ipsec server on this localhost, #
# or on a LAN behind this firewall #
################################################## ###################
# IPSEC server on LOCALHOST
# NOT IMPLEMENTED YET
###########################
# Enable (1) / Disable (0)
IPSEC_LOCALHOST="0"
IPSEC_LOCALHOST_IFACES=""
### Port of Ipsec server (default 500)
IPSEC_LOCALHOST_PORT="500"
IPSEC_LOCALHOST_SUBNET_VPN=""
# IPSEC server on LAN
# NOT IMPLEMENTED YET
######################
# Enable (1) / Disable (0)
IPSEC_LAN="0"
### Ip of Ipsec server (ex: 192.168.2.2)
IPSEC_LAN_IP=""
### Port of Ipsec server (default 500)
IPSEC_LAN_PORT="500"
################################################## ###################
# ZORBIPTRAFFIC #
# #
# ZorbIPtraffic shows the IP traffic on a network interface #
# in real time. It can display (by the web) traffic statistics #
# for each IP on your internal network. #
# #
# See exemple & download on http://www.atout.be #
# #
# You can insert multiple Subnets & IPs like #
# #
# ZORBIPTRAFFIC_NET="192.168.3.0/24 192.168.5.0/24" #
# ZORBIPTRAFFIC_IPS="192.168.3.1 192.168.5.4" #
# #
################################################## ###################
# Enable (1) / Disable (0)
ZORBIPTRAFFIC="0"
# ZorbIPTraffic subnets
ZORBIPTRAFFIC_NET=""
# ZorbIPTraffic specifics ips
ZORBIPTRAFFIC_IPS=""
################################################## ###################
# NETFILTER & IPROUTE #
################################################## ###################
# If you want to mark packets for playing #
# with iproute2, give port/ip to be marked #
# #
# MARK_TCP="port1>mark1 port2>mark2 ..." #
# ex. MARK_TCP="110>1 30000:30100>2" #
# #
# MARK_IP -> mark packets comming "from" IP #
# MARK_TCP -> mark packets destined "to" tcp port #
# MARK_UDP -> mark packets destined "to" udp port #
################################################## ###################
# Enable (1) / Disable (0)
MARK="0"
MARK_IP=""
MARK_TCP=""
MARK_UDP=""
################################################## ###################
# CUSTOM RULES FILE #
################################################## ###################
# Give the path to the custom rules file #
# The file will be started like a script in #
# the beginning of the firewall #
# #
# Default : /var/lib/firewall-jay/firewall-custom.rules #
################################################## ###################
# 1 (enable) / 0 (disable)
CUSTOM_RULES="0"
# Path to custom file
CUSTOM_RULES_FILE="/var/lib/firewall-jay/firewall-custom.rules"
################################################## ###################
##---------------------- DON'T EDIT BELOW -------------------------##
################################################## ###################
PRIV_PORTS="0:1023"
UPRIV_PORTS="1024:65535"
IPTABLES="`which iptables`"
IFCONFIG="`which ifconfig`"
GREP="`which grep`"
SED="`which sed`"
FIREWALL_RULES_DIR="/var/lib/firewall-jay"
RESERVED_IP="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 255.255.255.255/32"
PING_LIMIT="1/s"
LOG_LIMIT="1/s"
SYN_LIMIT="4/s"
UNDETECTED_IFACES=""
FIREWALL_VERSION="1.0.3"
Ich hoffe das langt bzw. ist net zuviel ;)