

Un Esempio Funzionante

Una volta completata l'installazione o la compilazione del vostro daemon Diald, avrete bisogno di configurare alcune cose sulla vostra macchina Linux. Ecco qui le nostre configurazioni, prese dalla Mailing List del Diald (non ne abbia a male il vero autore degli script ipchains, di cui non ricordo il nome...). Questi file funzionano sia per sistemi RedHat che Debian. Ricordatevi inoltre di settare una interfaccia TAP nel vostro kernel, o potreste avere problemi a riconnettervi dopo una disconnessione. Se il tempo stringe, potete scaricare direttamente dai link precedenti il file tar.gz contenente il seguente esempio.

/etc/diald.conf per una connessione su modem analogico o ISDN su seriale

# /etc/diald.conf -- diald configuration for a dial-up link (analogue modem or
# ISDN over a serial port).  The values the original page showed in colour
# (dial string, ISP login, addresses) are site-specific and must be customised.

# Control FIFO: diald reads commands from this file.  Whoever can write to it
# can steer the daemon, so it should stay root-owned and not world-writable
# (its permissions are set outside this file -- verify on the host).
fifo /etc/diald/diald.ctl

# Accounting log of link up/down events.
accounting-log /var/log/diald.log

# Packet filter rules: decide which traffic brings the link up and how long
# it keeps it up (see the lorenz.filter listing below).
include /etc/diald/lorenz.filter

# Hook scripts diald runs when pppd brings the link up / takes it down.  They
# swap the ipchains rules for ppp0 and move the default route (see pppfw_up
# and pppfw_down below).
ip-up /etc/diald/pppfw_up
ip-down /etc/diald/pppfw_down

# Connect options (site-specific).  The digits after "DT" in the chat string
# are the number to dial -- the value here is a sample.  'chat -v' logs the
# whole modem exchange to syslog, dial string included.
connect "chat -v '' 'ATX3M0L0DT012301230123' CONNECT"
device /dev/ttyS0
# 'login-user' is the ISP login.  'noauth' means the local pppd does not
# require the peer to authenticate itself; the password for 'login-user' is
# not in this file (presumably in pppd's secrets file -- confirm).
pppd-options user 'login-user' noauth

# Lan options, LOCAL can be any IP, REMOTE could be your ISP gateway IP...
# Note that LOCAL (192.168.0.4) is also hard-coded as the tap0 gateway in
# pppfw_down; keep the two in sync.
local 192.168.0.4
remote 193.207.146.254
netmask 255.255.255.0

# Standard PPP Options, just leave them as they are...
dynamic
defaultroute
mode ppp
modem 115200
lock
crtscts

# Redialing Options, self-explanatory, so customize as you like...
# (values are in seconds / attempt counts)
redial-timeout 6
retry-count 3
connect-timeout 180
dial-fail-limit 3
died-retry-count 0
buffer-timeout 180

# Debug output; left disabled.
#debug 77

# If needed, Diald can also be restricted to work only in the specified period...
#restrict 06:00:00 22:00:00 1-5 * *

# Here are some other options, some of them do not work anymore on new versions...
# (kept from the original, all disabled)
#two-way
#strict-forwarding
#route-wait
#escape FF
#proxyarp
#noipdefault ipcp-accept-remote ipcp-accept-local
#reroute
#asyncmap 0xa0000
#passive
#noipx



/etc/diald/lorenz.filter

Questo file è utilizzato da Diald per decidere quanto tempo devono durare i pacchetti TCP prima che diald si disconnetta... modificate i parametri che trovate, espressi in secondi, ricordando che l'ordine è importante, poiché potete escludere o includere un segmento di pacchetti ma lasciarne funzionare alcuni altri della stessa famiglia.

# /etc/diald/lorenz.filter -- diald packet filter.
# Rules are evaluated in order and, as diald documents it, the first matching
# rule decides (verify against your diald version).  Rule types used here:
#   ignore          packet neither brings the link up nor refreshes its timer
#   accept <secs>   packet may bring the link up and keeps it up for <secs>
#   keepup <secs>   packet keeps an already-open link up for <secs> but
#                   does not trigger a dial
# Timers are in seconds.  NOTE(review): several rules below are exact repeats
# of an earlier rule and, with first-match semantics, are never reached; they
# are marked inline.

# --- TCP ---
# Connection teardown must not keep the link up.
ignore tcp tcp.fin
# Web traffic: replies from a web server keep the link up, requests may dial.
keepup tcp 180 tcp.ack,tcp.source=tcp.www
accept tcp 180 tcp.dest=tcp.www
# FTP control and data streams (ACK segments only keep the link up).
keepup tcp 120 tcp.ack,tcp.source=tcp.ftp-data
keepup tcp 120 tcp.ack,tcp.dest=tcp.ftp-data
keepup tcp 120 tcp.ack,tcp.dest=tcp.ftp
keepup tcp 120 tcp.ack,tcp.source=tcp.ftp
# Any other ACK keeps the link up for two minutes.
keepup tcp 120 tcp.ack
# NOTE(review): same match as the keepup rule just above -- never reached.
ignore tcp tcp.ack
# A new connection attempt may dial.
accept tcp 120 tcp.syn
# DNS over TCP never dials nor refreshes the timer.
ignore tcp tcp.dest=tcp.domain
ignore tcp tcp.source=tcp.domain
# NOTE(review): a 40-byte SYN is already matched by 'accept tcp 120 tcp.syn'
# above, so this rule is never reached.
accept tcp 100 ip.tot_len=40,tcp.syn
ignore tcp ip.tot_len=40,tcp.live
# NOTE(review): 'tcp.dest=tcp.www' repeats the accept rule above (same
# match, same timer) -- never reached.
accept tcp 180 tcp.dest=tcp.www
accept tcp 180 tcp.source=tcp.www
keepup tcp 100 !tcp.live
# NOTE(review): same match as the keepup rule just above -- never reached.
ignore tcp !tcp.live
# FTP segments not caught above may dial.
accept tcp 120 tcp.dest=tcp.ftp
accept tcp 120 tcp.source=tcp.ftp
accept tcp 120 tcp.dest=tcp.ftp-data
accept tcp 120 tcp.source=tcp.ftp-data
# Catch-all for remaining TCP: keeps an open link up, never dials.
keepup tcp 140 any

# --- UDP ---
# Background chatter that must never dial: rwho, routed, NTP, timed,
# DNS server-to-server traffic and NetBIOS name service.
ignore udp udp.dest=udp.who
ignore udp udp.source=udp.who
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route
ignore udp udp.dest=udp.ntp
ignore udp udp.source=udp.ntp
ignore udp udp.dest=udp.timed
ignore udp udp.source=udp.timed
ignore udp udp.dest=udp.domain,udp.source=udp.domain
#ignore udp udp.dest=udp.domain,ip.tot_len=45
# Ordinary DNS lookups may dial (short timer).
accept udp 90 udp.dest=udp.domain
accept udp 90 udp.source=udp.domain
ignore udp udp.source=udp.netbios-ns,udp.dest=udp.netbios-ns
ignore udp udp.dest=udp.netbios-ns
ignore udp udp.source=udp.netbios-ns
# NOTE(review): 'tcp.dest'/'tcp.source' inside a udp rule look like typos for
# udp.dest/udp.source -- and the udp.route rules above already cover that
# case.  Verify whether diald rejects these or silently never matches them.
ignore udp tcp.dest=udp.route
ignore udp tcp.source=udp.route
# Any other UDP may dial.
accept udp 120 any

# --- everything else ---
# 60-byte datagrams to the multicast address 224.0.0.10 never dial.
ignore any ip.tot_len=60,ip.daddr=224.0.0.10
accept any 140 any
# Impulse (charge interval) accounting parameters, left as in the original;
# see diald(8) for the meaning of the three fields.
impulse 140,0,0



/etc/diald/firewall

Questo file può essere considerato opzionale, ma è molto utile per ottenere un controllo migliore sulla connessione e una protezione masquerade contro hacker esterni... è sufficiente includerlo nel file script di startup, compilare i moduli necessari e modificare la variabile my_lan (range di indirizzi locali).

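#!/bin/sh
# /etc/diald/firewall -- ipchains policy for a masquerading dial-up gateway.
#
# Run once at boot from the startup script.  It leaves ppp0 closed in both
# directions; the diald hooks /etc/diald/pppfw_up and pppfw_down later swap
# the ppp0 rules in and out as the link comes and goes.
#
# Requires: root, ipchains, and the ip_masq_* kernel modules listed below.
# Customise my_lan (local address range) and the ISP resolver address in
# the ppp-in chain.

# Helper kept from the original for reference (unused; ppp0 is not up yet
# when this runs at boot): the ISP-side address of ppp0 as a /32.
#ppp_isp_ip=$(/sbin/ifconfig ppp0 | grep inet | awk '{ print $3 }' | sed -es/P-t-P://)"/32"

# Enable IP forwarding between interfaces.  ip_dynaddr is presumably set for
# dial-on-demand, so sockets opened before the dynamic address is known can
# be rewritten -- see the kernel documentation for your version.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Masquerading helper modules.  Loading is unchecked (as in the original):
# a missing helper only disables masquerading for that protocol.
for mod in slip.o ip_masq_autofw.o ip_masq_cuseeme.o ip_masq_ftp.o \
  ip_masq_irc.o ip_masq_quake.o ip_masq_raudio.o ip_masq_user.o; do
  /sbin/modprobe "$mod"
done

# My LAN's address range (site-specific).
my_lan="192.168.0.0/24"
readonly my_lan

# Masquerade table timeouts in seconds: TCP, TCP after FIN, UDP.
/sbin/ipchains -M -S 7200 60 7200

# Turn on anti-spoofing (reverse-path filtering) for all interfaces.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  # an unmatched glob stays literal on a kernel without rp_filter
  [ -e "$f" ] || continue
  echo 1 > "$f"
done

# Flush, then set all policies.  The defaults stay ACCEPT: every restriction
# below is attached to ppp0, so interfaces other than ppp0 are unfiltered.
/sbin/ipchains -F
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT

# Create user chains.
/sbin/ipchains -N icmp-err
/sbin/ipchains -N ppp-out
/sbin/ipchains -N ppp-in

# icmp-err: the ICMP error types we are willing to receive on ppp0.
/sbin/ipchains -A icmp-err -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/ipchains -A icmp-err -p icmp --icmp-type source-quench -j ACCEPT
/sbin/ipchains -A icmp-err -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/ipchains -A icmp-err -p icmp --icmp-type parameter-problem -j ACCEPT

# ppp-out: rule 1 is a logging placeholder that pppfw_up replaces with
# "-s ! <local ip> -j DENY" once the dynamic address is known, so nothing
# leaves ppp0 with a foreign source address.  The remaining rules carry no
# target: they only rewrite the TOS field (-t mask xor; 0x10 minimise-delay
# for interactive ports, 0x02 minimise-cost for bulk transfers per the
# ipchains TOS table) and processing continues.
/sbin/ipchains -A ppp-out -j DENY -l
/sbin/ipchains -A ppp-out -p tcp --dport http -t 0x01 0x10
/sbin/ipchains -A ppp-out -p tcp --dport telnet -t 0x01 0x10
/sbin/ipchains -A ppp-out -p tcp --dport ftp-data -t 0x01 0x02
/sbin/ipchains -A ppp-out -p tcp --dport nntp -t 0x01 0x02
/sbin/ipchains -A ppp-out -p tcp --dport pop -t 0x01 0x02
/sbin/ipchains -A ppp-out -p tcp --dport mail -t 0x01 0x02

# ppp-in: what may arrive on ppp0.  193.43.2.1 is the ISP's DNS resolver
# (site-specific; it was the coloured value on the original page).
# Packets claiming our own LAN range from the outside are spoofed: log, deny.
/sbin/ipchains -A ppp-in -s "$my_lan" -j DENY -l
# X11 display ports.
/sbin/ipchains -A ppp-in -p tcp --dport 6000:6010 -j DENY
# NOTE(review): the next three rules accept new TCP connections and UDP to
# every unprivileged port from any host (61000:65096, presumably the
# masquerade port range, is a subset of 1024:65096 and therefore redundant).
# If no service on a high port is meant to be reachable from the Internet,
# adding '! -y' to the TCP rule limits it to non-SYN segments, i.e. replies
# to connections opened from inside.
/sbin/ipchains -A ppp-in -p udp --dport 61000:65096 -j ACCEPT
/sbin/ipchains -A ppp-in -p tcp --dport 1024:65096 -j ACCEPT
/sbin/ipchains -A ppp-in -p udp --dport 1024:65096 -j ACCEPT
# DNS answers from the ISP resolver only.
/sbin/ipchains -A ppp-in -p udp -s 193.43.2.1 53 -j ACCEPT
/sbin/ipchains -A ppp-in -p tcp -s 193.43.2.1 53 -j ACCEPT
# ident lookups from remote servers, echo replies, and the ICMP errors above.
/sbin/ipchains -A ppp-in -p tcp -d 0.0.0.0/0 auth -j ACCEPT
/sbin/ipchains -A ppp-in -p icmp --icmp-type pong -j ACCEPT
/sbin/ipchains -A ppp-in -p icmp -j icmp-err
# Disabled in the original; note 65596 is not a valid port number.
#/sbin/ipchains -A ppp-in -s 224.0.0.10:65596 -j DENY
# Log and drop everything else.
/sbin/ipchains -A ppp-in -j DENY -l

# Until pppfw_up installs the jumps to ppp-in/ppp-out, ppp0 is closed both
# ways.
/sbin/ipchains -A input -i ppp0 -j DENY
/sbin/ipchains -A output -i ppp0 -j DENY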



/etc/diald/pppfw_up

Regole di inoltro pacchetti al momento della connessione con PPPd

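#!/bin/sh
# /etc/diald/pppfw_up -- diald 'ip-up' hook, run once pppd has brought ppp0 up.
#
# Switches ipchains from the boot-time "ppp0 closed" state set by
# /etc/diald/firewall to the masquerading policy and installs the default
# route over the link.
#
# Arguments are supplied by diald.  As used here, $3 is the local (dynamic)
# address of ppp0 and $4 is the remote/gateway address -- verify the argument
# order against the ip-up description in diald(8) for your version.

# Fail closed: without both addresses the rules below would be malformed
# (an empty "-s !" and a route with no gateway).  Stopping here leaves ppp0
# denied by the boot-time input/output rules.
: "${3:?pppfw_up: missing local address (argument 3)}"
: "${4:?pppfw_up: missing remote address (argument 4)}"
local_ip=$3
remote_ip=$4

# Alternative way of reading the addresses off the interface, kept from the
# original for reference.
#ppp_isp_ip=$(/sbin/ifconfig ppp0 | grep inet | awk '{ print $3 }' | sed -es/P-t-P://)
#ppp_dyn_ip=$(/sbin/ifconfig ppp0 | grep inet | awk '{ print $2 }' | sed -es/addr://)

# Forwarding: masquerade everything leaving through ppp0; log and deny the rest.
/sbin/ipchains -A forward -i ppp0 -j MASQ
/sbin/ipchains -A forward -j DENY -l

# Replace the placeholder first rule of ppp-out (see firewall): deny anything
# leaving ppp0 whose source is not our own address (egress anti-spoofing).
/sbin/ipchains -R ppp-out 1 -s ! "$local_ip" -j DENY

# Input: drop the boot-time "deny ppp0" rule (this flushes the whole chain,
# which at this point holds only that rule) and route ppp0 through ppp-in.
/sbin/ipchains -F input
/sbin/ipchains -A input -i ppp0 -j ppp-in

# Output: likewise, through ppp-out.
/sbin/ipchains -F output
/sbin/ipchains -A output -i ppp0 -j ppp-out

# Default route over the new link.  The original pauses 3 s first,
# presumably to let pppd finish configuring the interface -- TODO confirm
# whether the delay is still needed.
/bin/sleep 3
/sbin/route add default gw "$remote_ip" ppp0

# Debug aid from the original (disabled).  If re-enabled, note that it appends
# as root to a predictable path in /tmp; prefer a file under a root-only
# directory.
#echo "$1 $2 $3 $4 $5" >> /tmp/addroute.args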



/etc/diald/pppfw_down

Modifica delle regole di gestione dei pacchetti al momento della disconnessione da PPPd

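#!/bin/sh
# /etc/diald/pppfw_down -- diald 'ip-down' hook, run when pppd drops the link.
#
# Restores the boot-time state set by /etc/diald/firewall: ppp0 denied in
# both directions, the forward chain back to its plain ACCEPT policy, and the
# default route pointed at the TAP interface again (presumably so diald can
# watch outbound traffic and redial -- see the page note on the TAP device).

# Gateway and interface for the fall-back default route.  The address is the
# 'local' value from /etc/diald.conf; keep the two in sync.
tap_gw="192.168.0.4"
tap_if="tap0"
readonly tap_gw tap_if

# Default route back to the TAP interface.
/sbin/route add default gw "$tap_gw" "$tap_if"

# Unload the FTP masquerading module (disabled in the original).
#/sbin/rmmod ip_masq_ftp

# Reset the forward chain to its plain ACCEPT policy; this drops the MASQ and
# DENY rules that pppfw_up appended.
/sbin/ipchains -F forward

# Reset the input chain: close ppp0 again.
/sbin/ipchains -F input
/sbin/ipchains -A input -i ppp0 -j DENY

# Reset the output chain: close ppp0 again.
/sbin/ipchains -F output
/sbin/ipchains -A output -i ppp0 -j DENY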