Welcome to EulogiKa!
A Working Example

When you're done with the installation (or compilation) of your diald daemon, you will need to configure some things on your Linux machine. Here are my configs; I've taken them from the Diald mailing list and they work great for me. Too bad I can't remember who wrote the ipchains script used here... PS: these files were used on a RedHat 6.1 system, but should work on any Linux distribution... Also remember to set up a TAP interface, or you could get into trouble on reconnect after a disconnection...


/etc/diald.conf (for an analog or external ISDN modem connection)

This one is the main diald configuration file...

# Location of file needed for pumping data (in & out)
fifo /etc/diald/diald.ctl

# Location of file needed for logging
accounting-log /var/log/diald.log

# Location of file needed for filtering data
include /etc/diald/lorenz.filter

# Location of files needed for setting re-routing rules (at connect and disconnect of pppd)
ip-up /etc/diald/pppfw_up
ip-down /etc/diald/pppfw_down

# Connect options (remember to customize the highlighted values: the phone number in the chat string and the pppd login user!)
connect "chat -v '' 'ATX3M0L0DT012301230123' CONNECT"
device /dev/ttyS0
pppd-options user 'login-user' noauth

# LAN options: LOCAL can be any IP, REMOTE could be your ISP gateway IP...
local 192.168.0.4
remote 193.207.146.254
netmask 255.255.255.0

# Standard PPP options, just leave them as they are...
dynamic
defaultroute
mode ppp
modem 115200
lock
crtscts

# Redialing options, self-explanatory, so customize as you like...
redial-timeout 6
retry-count 3
connect-timeout 180
dial-fail-limit 3
died-retry-count 0
buffer-timeout 180

#debug 77

# If needed, diald can also be restricted to work only in the specified period...
#restrict 06:00:00 22:00:00 1-5 * *

# Here are some other options, some of them do not work anymore on new versions...
#two-way
#strict-forwarding
#route-wait
#escape FF
#proxyarp
#noipdefault ipcp-accept-remote ipcp-accept-local
#reroute
#asyncmap 0xa0000
#passive
#noipx



/etc/diald/lorenz.filter

This file is used by diald to decide how long each kind of packet keeps the link alive before diald disconnects on its own... Customize the numbers you find here (they are expressed in seconds), and remember that order is really important: the first matching rule wins, so you could exclude (or include) one group of packets while leaving others of the same family still working (or not).

ignore tcp tcp.fin
keepup tcp 180 tcp.ack,tcp.source=tcp.www
accept tcp 180 tcp.dest=tcp.www
keepup tcp 120 tcp.ack,tcp.source=tcp.ftp-data
keepup tcp 120 tcp.ack,tcp.dest=tcp.ftp-data
keepup tcp 120 tcp.ack,tcp.dest=tcp.ftp
keepup tcp 120 tcp.ack,tcp.source=tcp.ftp
keepup tcp 120 tcp.ack
ignore tcp tcp.ack
accept tcp 120 tcp.syn
ignore tcp tcp.dest=tcp.domain
ignore tcp tcp.source=tcp.domain
accept tcp 100 ip.tot_len=40,tcp.syn
ignore tcp ip.tot_len=40,tcp.live
accept tcp 180 tcp.dest=tcp.www
accept tcp 180 tcp.source=tcp.www
keepup tcp 100 !tcp.live
ignore tcp !tcp.live
accept tcp 120 tcp.dest=tcp.ftp
accept tcp 120 tcp.source=tcp.ftp
accept tcp 120 tcp.dest=tcp.ftp-data
accept tcp 120 tcp.source=tcp.ftp-data
keepup tcp 140 any
ignore udp udp.dest=udp.who
ignore udp udp.source=udp.who
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route
ignore udp udp.dest=udp.ntp
ignore udp udp.source=udp.ntp
ignore udp udp.dest=udp.timed
ignore udp udp.source=udp.timed
ignore udp udp.dest=udp.domain,udp.source=udp.domain
#ignore udp udp.dest=udp.domain,ip.tot_len=45
accept udp 90 udp.dest=udp.domain
accept udp 90 udp.source=udp.domain
ignore udp udp.source=udp.netbios-ns,udp.dest=udp.netbios-ns
ignore udp udp.dest=udp.netbios-ns
ignore udp udp.source=udp.netbios-ns
# (these two rules used the tcp.* fields by mistake; udp rules must test the udp.* fields)
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route
accept udp 120 any
ignore any ip.tot_len=60,ip.daddr=224.0.0.10
accept any 140 any
impulse 140,0,0
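To make the ordering point concrete, here is an added example (my own, not code from this page or from the diald project) that evaluates the first TCP rules of lorenz.filter the way diald does, first match wins, against a constructed packet. The rule subset, the packet fields and the PORTS table are assumptions modelled on the rules above, and the evaluator covers only the syntax those rules use.

```python
PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "domain": 53}  # service names used above

def parse_rule(line):
    """One diald filter line (the subset used in lorenz.filter) -> dict; None for comments/impulse."""
    parts = line.split("#", 1)[0].split()
    if not parts or parts[0] == "impulse":
        return None
    timeout = 0 if parts[0] == "ignore" else int(parts[2])  # ignore rules carry no timeout
    return {"action": parts[0], "proto": parts[1], "timeout": timeout,
            "conds": parts[-1].split(","), "line": line}

def value(text):
    # Right-hand side of a condition: named port (tcp.www -> 80), number, or literal such as an IP
    name = text.split(".", 1)[1] if text.startswith(("tcp.", "udp.")) else text
    return PORTS.get(name, int(text) if text.isdigit() else text)

def matches(rule, pkt):
    """All comma-joined conditions must hold; '!' negates a flag; 'any' always matches."""
    if rule["proto"] not in ("any", pkt["proto"]):
        return False
    for cond in rule["conds"]:
        negate, cond = cond.startswith("!"), cond.lstrip("!")
        if "=" in cond:
            field, val = cond.split("=", 1)
            hit = pkt.get(field) == value(val)
        else:
            hit = cond == "any" or bool(pkt.get(cond, False))
        if hit == negate:
            return False
    return True

def classify(rule_lines, pkt):
    """First matching rule wins, as in diald: returns (action, timeout, rule text) or None."""
    for rule in filter(None, map(parse_rule, rule_lines)):
        if matches(rule, pkt):
            return rule["action"], rule["timeout"], rule["line"]
    return None

# Constructed: the first TCP rules of lorenz.filter, in the page's order.
RULES = ["ignore tcp tcp.fin", "keepup tcp 180 tcp.ack,tcp.source=tcp.www",
         "accept tcp 180 tcp.dest=tcp.www", "keepup tcp 120 tcp.ack", "ignore tcp tcp.ack",
         "accept tcp 120 tcp.syn", "ignore tcp tcp.dest=tcp.domain", "keepup tcp 140 any"]
# The same rules with the DNS 'ignore' moved ahead of the generic SYN 'accept'.
REORDERED = RULES[:5] + [RULES[6], RULES[5]] + RULES[7:]
# Constructed packet: an outbound TCP DNS query with only SYN set (the kind that dials).
DNS_SYN = {"proto": "tcp", "tcp.syn": True, "tcp.ack": False, "tcp.fin": False,
           "tcp.live": True, "tcp.source": 40000, "tcp.dest": 53, "ip.tot_len": 40}
if __name__ == "__main__":
    print(classify(RULES, DNS_SYN))      # ('accept', 120, 'accept tcp 120 tcp.syn')
    print(classify(REORDERED, DNS_SYN))  # ('ignore', 0, 'ignore tcp tcp.dest=tcp.domain')
```

With the page's order a TCP DNS query brings the link up because the generic SYN rule sits before the DNS ignore; swapping those two rules makes the same packet invisible to diald.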



/etc/diald/firewall

This file could be considered optional, but it's really useful to get better control over your connection and better protection (and masquerading) against external attackers... You just need to include it in your startup scripts, compile the needed modules, and modify the my_lan variable (it's not a single IP, it's your LAN's address range).

#!/bin/sh

#ppp_isp_ip=$(/sbin/ifconfig ppp0 | grep inet | awk '{ print $3 }' | sed -es/P-t-P://)"/32"

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

/sbin/modprobe slip.o
/sbin/modprobe ip_masq_autofw.o
/sbin/modprobe ip_masq_cuseeme.o
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ip_masq_irc.o
/sbin/modprobe ip_masq_quake.o
/sbin/modprobe ip_masq_raudio.o
/sbin/modprobe ip_masq_user.o

# my LAN's address range
my_lan="192.168.0.0/24"

# masquerading timeouts in seconds (tcp, tcp after fin, udp)
ipchains -M -S 7200 60 7200

# turn on antispoofing for all interfaces
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# flush, then set all policies
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

# create user chains
ipchains -N icmp-err
ipchains -N ppp-out
ipchains -N ppp-in

# set icmp-err chain
ipchains -A icmp-err -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-err -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-err -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-err -p icmp --icmp-type parameter-problem -j ACCEPT

# set ppp-out chain (the first rule is a placeholder that pppfw_up replaces once the link is up;
# the -t rules only set the TOS bits and let the packet continue)
ipchains -A ppp-out -j DENY -l
ipchains -A ppp-out -p tcp --dport http -t 0x01 0x10
ipchains -A ppp-out -p tcp --dport telnet -t 0x01 0x10
ipchains -A ppp-out -p tcp --dport ftp-data -t 0x01 0x02
ipchains -A ppp-out -p tcp --dport nntp -t 0x01 0x02
ipchains -A ppp-out -p tcp --dport pop -t 0x01 0x02
ipchains -A ppp-out -p tcp --dport mail -t 0x01 0x02

# set ppp-in chain (193.43.2.1 was highlighted in the original: it is your ISP's DNS, replace it with yours)
ipchains -A ppp-in -s $my_lan -j DENY -l
ipchains -A ppp-in -p tcp --dport 6000:6010 -j DENY
ipchains -A ppp-in -p udp --dport 61000:65096 -j ACCEPT
ipchains -A ppp-in -p tcp --dport 1024:65096 -j ACCEPT
ipchains -A ppp-in -p udp --dport 1024:65096 -j ACCEPT
ipchains -A ppp-in -p udp -s 193.43.2.1 53 -j ACCEPT
ipchains -A ppp-in -p tcp -s 193.43.2.1 53 -j ACCEPT
ipchains -A ppp-in -p tcp -d 0.0.0.0/0 auth -j ACCEPT
ipchains -A ppp-in -p icmp --icmp-type pong -j ACCEPT
ipchains -A ppp-in -p icmp -j icmp-err
#ipchains -A ppp-in -s 224.0.0.10:65596 -j DENY
ipchains -A ppp-in -j DENY -l

# set input-output chains (everything on ppp0 is denied until pppfw_up hooks in the user chains)
ipchains -A input -i ppp0 -j DENY
ipchains -A output -i ppp0 -j DENY



/etc/diald/pppfw_up

Forwarding rules which are set as pppd connects...

#!/bin/sh

#ppp_isp_ip=$(/sbin/ifconfig ppp0 | grep inet | awk '{ print $3 }' | sed -es/P-t-P://)
#ppp_dyn_ip=$(/sbin/ifconfig ppp0 | grep inet | awk '{ print $2 }' | sed -es/addr://)

# set forwarding rules
/sbin/ipchains -A forward -i ppp0 -j MASQ
/sbin/ipchains -A forward -j DENY -l

# replace first rule in ppp-out chain ($3 is the local address diald passes to ip-up)
/sbin/ipchains -R ppp-out 1 -s ! $3 -j DENY

# reset input rules
/sbin/ipchains -F input
/sbin/ipchains -A input -i ppp0 -j ppp-in

# reset output rules
/sbin/ipchains -F output
/sbin/ipchains -A output -i ppp0 -j ppp-out

# add newly brought up route ($4 is the remote address diald passes to ip-up)
/bin/sleep 3
/sbin/route add default gw $4 ppp0
#echo "$1 $2 $3 $4 $5" >> /tmp/addroute.args



/etc/diald/pppfw_down

Forwarding rules which are unset as pppd disconnects...

#!/bin/sh

# default route to tap0
/sbin/route add default gw 192.168.0.4 tap0

# unload ftp masquerading module
#/sbin/rmmod ip_masq_ftp

# reset forward chain to plain ACCEPT policy
/sbin/ipchains -F forward

# reset input chain
/sbin/ipchains -F input
/sbin/ipchains -A input -i ppp0 -j DENY

# reset output chain
/sbin/ipchains -F output
/sbin/ipchains -A output -i ppp0 -j DENY