>>you'll need to go and get PPPoE and install it, then setup iptables to
>> do some NAT translation so you can use a private (192.168.x.x) address
>> block and filter the net at the same time.
>Go and get PPPoE? You mean that PPPoE is a program or something separate
>that isn't already included in the OS, or that it's already there, and I
>just need to set it up? How about iptables?
Well, it may have been installed, but more than likely it's still on the
installation CDs. PPPoE stands for Point to Point Protocol over
Ethernet. Your connection to the modem is via an Ethernet cable, but the
protocol itself is PPP. To do this, an 8-byte identifying header is
prepended to the normal PPP packet of data of size MTU, or Maximum
Transfer Unit. For this reason, when setting the MTU of the Ethernet
link, one usually uses a setting of 1492 so the usual 1500 is all
Then PPPoE will need to be told the username and password it takes to
access the login servers at your ISP. This is required to actually make
a connection to the internet.
Then most ISPs will make you log in to the mail server machines, probably
using the same username/password. This is required because the mail
servers themselves are generally sitting right on the backbone or very
close to it, and they have to be sure that you are in fact a customer
before they will allow access. This is very handy in that you can take
your machine with you when going on a business/working trip, plug
into the motel's wifi with their little box that plugs into an Ethernet
port, with their little box taking care of all the details, fire up your
email agent and get your email, from your ISP's servers, from anyplace on
the planet with an available net connection.
>>Its a bit more complex than that and not really coverable in one
>> message, but ask as you proceed for better answers...
>Unfortunately I can't try to hook up my Fedora box again until the
> weekend because I have to bring my computer over to a friend's place.
> And, this will be my last message for the day since I won't have
> internet access again until tomorrow. If you don't mind, please include
> any details that you can in your next message, and I'll read it first
> thing tomorrow morning.
In which case my reply probably isn't going to be timely. I'm down with a
cold, and have a house full of out-of-state company due to a death in the
family, and I'm running in "hibernate as much of the time as I can" mode. I
certainly don't want to send anybody home with a cold.
Back to your problems in setup. Please see to it that iptables is
started, and read up on a help program called firestarter. It can ask
you questions and write iptables rules that will to a very large degree
protect your machine from attacks. Let me describe what I ran for about
3.5 years here, running it on an old 500 MHz K6 box with 2 NICs in it.
One NIC (Network Interface Card), an old 10base-T, was hooked to one of
the LAN ports of a consumer grade Linksys router, a BEFSR41, about $70
USD, and this was set with an address inside the 192.168.x.x network.
I can recommend the router as a GP solution that will give you a much
improved sense of security, and you won't be forced to put up with
PPPoE's tendency to go all a-gaga from time to time.
This address block (192.168.x.x) is NOT relayed to the outside world when
that router is set to run in the 'gateway' mode. By accessing the
router's built-in web pages at 192.168.1.1, using (IIRC) the
username/password of admin/admin, the ISP-issued username and
password are committed to the router, its WAN port is set to use the
PPPoE protocol, and the MTU is set to custom and 1492. At this point you
should be able to go to the router's status page and tell it to connect.
If you've got everything right, it should connect to the ISP and the
built-in DHCP protocol should then obtain the router an internet address.
You won't need this data, and it could change if for some reason you
disconnect and reconnect.
The idea now is to take that 192.168.1.1 address you're using to access the
router, and use iptables, configured to place itself between that
particular NIC and the rest of the machine, which is addressed at some
other 192.168.x.n where the rest of your home network lives; in my
case that was the second NIC, a faster 100base-T NIC, which in turn
fed an 8-port Netgear switch that all the rest of the machines here are
connected to. The additional layer of address translation iptables does
is a one-way circuit: if your machine asks for it, it works, but to
someone from the outside trying to break in, it doesn't.
There are at least 3 machines online, sometimes more here.
I also ran tcpwrappers on that firewall box, which gave me the ability to
make my machines disappear to any other outside address I entered in
the /etc/hosts.deny file.
But, to make that automatic, so I simply disappeared from an attackers
radar, I also ran portsentry set so it watched the traffic coming into
that ethernet port. In an online 24/7/365 situation, 3 attacks in 4
years have made it to the logs, and that's as far as they got.
Portsentry tripped, wrote the offending address into /etc/hosts.deny in
real time, and tcpwrappers then disallowed any tcp or udp traffic to that
address. It also wrote an entry to the log with all the data it could
get, and wrote and applied a new iptables rule dropping any further
connection attempts from that address on the floor. Overkill, maybe, but
it worked 100%.
Now in the last 60 days I've been playing with the x86 build of dd-wrt
(google for it) running on an old small 400 MHz K6 box with 2 NICs in it,
all running from a small CF card plugged into an IDE cable adaptor ($3 a
copy if you shop around) so the CF card looks like a hard drive. No
other drives in the box at all; it's doing the same job rather nicely so
far, and 250 of the 300 watts or so the other machine used has now been
cut from my power bill. And I believe it's faster by about 20%.
The older box that's now shut down also had an automatic dial-on-demand
script running on it, so that back in the distant mists of time when I was
on dialup, it would dial up the ISP, log in, and collect and send any
email on an on-demand schedule; all I had to do was tell kmail how often
to do it. I can get you a copy of that script too if you need it.
Finally, I don't think this is much of a tutorial because there's so much
of the dirty-fingernails detail glossed over, but those parts are all
available by the usual reading of the man pages. Once it's working you'll
think it's slick, but it's a bit like the 20-step quitting-smoking
campaign: one step at a time. The difficult part for a relative newbie
is in detecting when that step is a success, and that you can then go on
to the next.
And I can't recommend too strongly the purchase of a router and letting it
worry about the connection details once it's configured; it's quite a
peace-of-mind feeling knowing there is another layer of security between you
and the black hats.
Cheers Ryan, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2007 by Maurice Eugene Heskett, all rights reserved.
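The two mechanisms Gene describes, the one-way iptables NAT between the router-facing NIC and the home LAN, and the portsentry/tcpwrappers reaction of writing an offending address into /etc/hosts.deny and dropping its further attempts with an iptables rule, shown together as an added POSIX shell example. This is not code from the message, from portsentry or from any of the tools named. The interface names eth0/eth1, the 192.168.2.0/24 LAN block, the DRY_RUN switch and the overridable HOSTS_DENY path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed layout: eth0 faces the
# router's 192.168.1.x side (the "outside" from this box's point of view),
# eth1 faces the home LAN on 192.168.2.0/24. Override any of these in the
# environment; HOSTS_DENY is overridable so the functions can be exercised
# against a scratch file instead of the live /etc/hosts.deny.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"

# With DRY_RUN=1 the iptables commands are echoed instead of executed, so the
# rule set can be reviewed before it touches a running box.
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# One-way address translation: LAN hosts may start connections out through the
# router-facing NIC and get the replies back; nothing unsolicited is forwarded in.
nat_rules() {
    run_ipt -P FORWARD DROP
    run_ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    run_ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run_ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Reject anything that is not a plain dotted-quad IPv4 address before it is
# written into hosts.deny or spliced into an iptables command line.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The portsentry-style reaction: add the address to hosts.deny (tcpwrappers
# then refuses it) and insert a DROP rule at the top of INPUT on the outside
# NIC. Returns 1 and changes nothing when the address is malformed. The
# hosts.deny write is idempotent; the iptables insert is repeated per call.
block_address() {
    addr="$1"
    valid_ipv4 "$addr" || return 1
    grep -q "^ALL: $addr\$" "$HOSTS_DENY" 2>/dev/null \
        || echo "ALL: $addr" >> "$HOSTS_DENY"
    run_ipt -I INPUT 1 -i "$WAN_IF" -s "$addr" -j DROP
}

# Usage: ./nat_block.sh setup        (install the NAT rules)
#        ./nat_block.sh block ADDR   (react to an address portsentry flagged)
case "${1:-}" in
    setup) nat_rules ;;
    block) block_address "$2" ;;
esac
```

Run `DRY_RUN=1 ./nat_block.sh setup` first to read the four rules it would install; the FORWARD policy of DROP plus the ESTABLISHED,RELATED match is what makes the translation one-way. The address check in `block_address` matters because the value comes from a log written in reaction to hostile traffic, so it must be validated before it lands in a configuration file or a command line.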