Suggestion: sharing connection



guarnier
05-27-2003, 07:45 PM
Hi to all,

I am new to Knoppix, but I am astonished!!!

I tried it and I found it incredible...

Now, my 1 cent tip:

Why not the possibility to share a connection with other machines? I mean enabling Knoppix to act as a gateway/proxy/router. It should also be possible to add a DHCP/NAT server to integrate with the existing Samba tools.
I know some mini-distributions doing all this on a single 'enhanced' floppy. So, the total weight should not be so terrible...

In any case, my sincere congratulations!

regards,
vanni

adamm
05-27-2003, 08:06 PM
I currently have Knoppix set up at my house as a router. I'm also using squid as a caching server on it too, which seems to speed up my slow dialup somewhat.
I have a laptop using wireless, a desktop, and my Knoppix router connected together through an SMC wireless router (router part not being used since I no longer have broadband).
I have dialup.

When knoppix detects an outgoing connection from either my desktop or my laptop (wireless) it uses the external modem and dials out to the internet.
I am using iptables to NAT the connection and my wireless router to do DHCP.

You must first turn on IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then there is one line you will need to masquerade packets (the -o is the interface you are exiting on; since I dial up it's ppp0):

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

So it is doable, but I do think it would be cool to have a graphical frontend for people who aren't used to doing stuff like this. That way they could pop in Knoppix, click a few boxes and share a connection.

rickenbacherus
05-27-2003, 11:31 PM
While it might be nice to have an "all in one" toolbox on a Knoppix disc, making it into a router distro is IMO overkill. There are already a multitude of distros that do this both on floppy and cd. Generally speaking a dedicated router isn't going to have the necessary RAM to boot and run a GUI. Most router distros don't have X windows but certainly do have menus that are easy to use. My router has a whopping 16M RAM and is incapable of booting from cd. Additionally, every line of code you add creates another opportunity for a hole in your firewall.

Certainly it is possible and has been suggested before and I believe there are some people actively working on just such a version of Knoppix.

adamm- Using a DNS cache is a great way to speed things up because of course you no longer need to rely on your ISP's DNS for resolution. Now for the true test of your router- have you scanned all 65535 ports? Not just the most common ones but all of them. What were the results? My little floppy distro is completely invisible except for port 22 as I like to ssh in from work from time to time and that requires a signature key AND a MAC address.

Fabianx
05-28-2003, 01:03 AM
Hi to all,

I am new to Knoppix, but I am astonished!!!

I tried it and I found it incredible...

Now, my 1 cent tip:

Why not the possibility to share a connection with other machines? I mean enabling Knoppix to act as a gateway/proxy/router. It should also be possible to add a DHCP/NAT server to integrate with the existing Samba tools.
I know some mini-distributions doing all this on a single 'enhanced' floppy. So, the total weight should not be so terrible...

In any case, my sincere congratulations!

regards,
vanni

Let's laugh, it's already possible!

K, Knoppix, Services, Knoppix-Terminalserver

Fire it up, and select the appropriate things and voila you have a router :-)

cu

Fabian

adamm
05-28-2003, 01:41 AM
adamm- Using a DNS cache is a great way to speed things up because of course you no longer need to rely on your ISP's DNS for resolution. Now for the true test of your router- have you scanned all 65535 ports? Not just the most common ones but all of them. What were the results? My little floppy distro is completely invisible except for port 22 as I like to ssh in from work from time to time and that requires a signature key AND a MAC address.

I'm not using a DNS cache, I'm using a web cache, so I don't have to download images all the time over my 33.1 connection (living in the country is nice, but no broadband sucks). I visit a site once and it's cached, for all computers. I'm doing a transparent squid caching server.
http://www.squid-cache.org/

The ports I have open are
22 ssh
25 smtp
3128 squid

All ports are locked down using tcpwrappers and these services are configured to only be used from eth0 and not the ppp0, except ssh, and that is locked down to only be accessed from my computer at work. (I couldn't get in anyway since it's not dialed up while I'm at work, although I do have a cron job running that emails me my IP address every time it connects to the internet; that way when my wife dials up and I'm at work, I can ssh if I need.)

I've been messing with Linux since Red Hat 5.2 and Knoppix is probably the most fun distro I have messed with. I have learned so much from tinkering with it. I'm used to Cisco routers, but I've been having a lot of fun with iptables lately.
Now that you mention it, I might setup a caching DNS server too :wink:

BTW, which floppy distro are you using...LRP?
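The gateway adamm describes in his two posts above, as an added example that is not adamm's own script and not anything shipped by Knoppix: it bundles the two commands from the earlier post (the ip_forward toggle and the POSTROUTING MASQUERADE rule) with a FORWARD policy that only routes traffic the LAN started, and the PREROUTING redirect that makes the squid cache transparent to every client. The interface names ppp0/eth0 and squid's port 3128 come from the thread; the DRY_RUN switch, the function names and the sysctl form of the ip_forward toggle are my assumptions. With DRY_RUN=1 (the default) the script only prints the iptables commands so they can be reviewed; DRY_RUN=0 as root applies them.

```shell
#!/bin/sh
# Added example, not from the thread: build a NAT gateway with an optional
# transparent squid redirect, following adamm's description.
# Assumptions: WAN is the dial-up link ppp0, LAN is eth0, squid listens on 3128.
# DRY_RUN=1 (default) prints the commands instead of running them; DRY_RUN=0 applies them (root).
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Let the kernel route between interfaces; same effect as
# echo 1 > /proc/sys/net/ipv4/ip_forward from the thread.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# ip_forward=1 alone routes anything that arrives. Only pass LAN-originated
# traffic outwards and the replies to it back inwards.
forward_policy() {
    wan="$1" lan="$2"
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Rewrite the source of packets leaving on the WAN link to its current address.
# MASQUERADE rather than SNAT because a dial-up address changes on every connect.
nat_masquerade() {
    wan="$1"
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# Transparent proxy: HTTP from the LAN is diverted to the local squid port,
# so every client uses the cache without any browser configuration.
transparent_proxy() {
    lan="$1" proxy_port="$2"
    run iptables -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$proxy_port"
}

# Whole setup; pass an empty proxy port to skip the squid redirect.
gateway_setup() {
    enable_forwarding
    forward_policy "$1" "$2"
    nat_masquerade "$1"
    if [ -n "$3" ]; then
        transparent_proxy "$2" "$3"
    fi
}

gateway_setup "${WAN:-ppp0}" "${LAN:-eth0}" "${SQUID_PORT:-3128}"
```

Run it once as-is to see the rule set it would install, then `DRY_RUN=0 sudo sh gateway.sh` to apply; the FORWARD policy is the part the two bare commands in the thread leave out, since without it the box forwards any packet that reaches it from either side.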

rickenbacherus
05-28-2003, 02:21 AM
I'm not using a DNS cache, I'm using a web cache, so I don't have to download images all the time over my 33.1 connection (living in the country is nice, but no broadband sucks). I visit a site once and it's cached, for all computers. I'm doing a transparent squid caching server.
http://www.squid-cache.org/
Heard of it- obviously I've never used it. :P


All ports are locked down using tcpwrappers and these services are configured to only be used from eth0 and not the ppp0, except ssh, and that is locked down to only be accessed from my computer at work.

Same here except that I just forward all ports but 22 to a non-existent machine on my network.


I'm used to Cisco routers, but i've been having a lot of fun with iptables lately.

Uh oh- you shouldn't have told me that- I must have at least a million questions about Cisco routers and iptables. I really only know ipchains and not that well.


BTW, which floppy distro are you using...LRP?

Actually..........these Linux routers are a hobby in and of themselves. I have built several. I've used Clark Connect, IPCop, Gibraltar and Devil.

Currently working on a Digital DEC 486 laptop w/ 8M and a dual pcmcia card. No luck there yet w/ a few different distros. Linux router through pcmcia is killing me. :(

Main router is a K5 w 16M & Coyote Linux. Just started building a Bering floppy (LEAF) yesterday for same box. Considering buying a Toshiba laptop 233MHz 160M which would boot a cd distro quite nicely. These different cd distros (floppies too) all have their little intricacies so they're each a new challenge. Bering is quite awesomely configurable AND it uses iptables- Shorewall in fact. AAMOF- I'm off to work on it now.

aay
05-28-2003, 03:51 AM
Same here except that I just forward all ports but 22 to a non-existent machine on my network.

Perhaps this will expose my ignorance, but what is the advantage of doing this as opposed to closing the port? Is this simply what it takes to stealth your ports?

rickenbacherus
05-28-2003, 04:08 AM
Same here except that I just forward all ports but 22 to a non-existent machine on my network.

Perhaps this will expose my ignorance, but what is the advantage of doing this as opposed to closing the port? Is this simply what it takes to stealth your ports?

It does stealth your ports. There are other ways of doing it but I'm not really clear on how.

Suppose I'm a hacker- I do a port scan on your ip address. Port 23 comes back as closed- no, you're not running telnet on that port, but I know for a fact that you're there. If you forward to a non-existent machine the packets don't get sent back- there is no response. It's a lot like spammers- if you 'Reply' then they just know that they have an active email account.

aay
05-28-2003, 04:47 AM
Is it possible then to have all ports forwarded to a non-existent address (even ones you want to access) unless your incoming request meets certain requirements: for example, having a specific MAC address? That would be really nice.

adamm
05-28-2003, 04:59 AM
Is it possible then to have all ports forwarded to a non-existent address (even ones you want to access) unless your incoming request meets certain requirements: for example, having a specific MAC address? That would be really nice.

You should be able to do something like that using

--mac-source [!] address
    Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

Found this in
man iptables

rickenbacherus
05-28-2003, 06:49 AM
Is it possible then to have all ports forwarded to a non-existent address (even ones you want to access) unless your incoming request meets certain requirements: for example, having a specific MAC address? That would be really nice.

Well yes and no. You can configure ssh to require a MAC address and the key that you place in /home/you/.ssh/known_hosts BUT if you want to access port 22 from the outside then it cannot be stealthed but it can be closed. Obviously there is the need for ssh and a MAC address unlike telnet that broadcasts your password to the world.

Coyote is configured like this on my system:
1) DHCP server that assigns the same ip to local clients via MAC address. Obviously this makes port forwarding a lot easier.

2) DHCP server assigns addresses in the 192.168.0.100-192.168.0.200 range.

Then you just write an ipchains rule that sends all but ports a,b,c to 192.168.0.99 for example. voila!- stealth. Of course you must cover tcp, udp, icmp. As I say though- it's really time I started learning iptables. Hopefully I can get my latest endeavor Bering working soon.

Edit:
Let me add that you can forward any port to any ip or MAC address you want as well. Example- everything coming in via ftp only goes to ip 12.34.56.78 or to machines a & d but not b, c, or e. It's amazingly configurable. There's quite a lot to it and I have no experience with routers and dial up modems (so far so good anyway).
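The stealth and MAC discussion in the last several posts, as an added example that is not rickenbacherus's Coyote/ipchains configuration and not taken from the thread: an iptables INPUT policy for the router itself that gets the "no response" behaviour of forwarding everything to a non-existent machine by making DROP the default instead of REJECT, keeps squid (3128) and smtp (25) reachable on eth0 only, admits ssh on ppp0 from one trusted source address, and uses the --mac-source match adamm quoted from man iptables for the LAN side. The trusted address 203.0.113.10 and the MAC 00:11:22:33:44:55 are placeholders, as are the DRY_RUN switch and the function names. Two caveats the code reflects: the man page excerpt says the MAC match only applies to Ethernet, and a PPP link carries no Ethernet frames, so the outside ssh rule can only filter on source IP; and because the sender sets its own MAC, the LAN-side MAC rule is a convenience filter rather than authentication, which is what ssh key-based login provides.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables INPUT policy for the router
# itself that behaves like "forward everything but port 22 to a non-existent
# machine": unmatched probes get no answer at all.
# Assumptions: WAN ppp0, LAN eth0; 203.0.113.10 and 00:11:22:33:44:55 are
# placeholder values for the trusted remote address and the admin NIC.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (root).
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Default DROP is the stealth part. A closed port answers a SYN with a TCP RST
# (so a scanner learns the host exists, as in the telnet example); REJECT does
# the same deliberately; DROP sends nothing, exactly like a non-existent host.
base_policy() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
}

# Services only the LAN should see (squid 3128, smtp 25): accept on eth0 alone,
# so they never show up in a scan of the ppp0 address.
lan_services() {
    lan="$1"; shift
    for port in "$@"; do
        run iptables -A INPUT -i "$lan" -p tcp --dport "$port" -j ACCEPT
    done
}

# ssh from outside cannot be stealthed: to be usable it has to answer. Narrow it
# to one trusted source address. A PPP link carries no Ethernet frames, so there
# is no remote MAC to match on here; the source IP is the only handle.
remote_ssh() {
    wan="$1" trusted_ip="$2"
    run iptables -A INPUT -i "$wan" -p tcp -s "$trusted_ip" --dport 22 -j ACCEPT
}

# On the Ethernet side --mac-source does work (man iptables: Ethernet frames
# entering PREROUTING, FORWARD or INPUT). Limit LAN-side ssh to the admin
# workstation's NIC. The sender chooses its own MAC, so this is a convenience
# filter, not authentication; ssh public-key login remains the real access control.
lan_ssh_by_mac() {
    lan="$1" admin_mac="$2"
    run iptables -A INPUT -i "$lan" -p tcp --dport 22 \
        -m mac --mac-source "$admin_mac" -j ACCEPT
}

# Whole policy: everything not listed here falls through to the DROP default.
firewall_setup() {
    wan="$1" lan="$2" trusted_ip="$3" admin_mac="$4"
    base_policy
    lan_services "$lan" 3128 25
    remote_ssh "$wan" "$trusted_ip"
    lan_ssh_by_mac "$lan" "$admin_mac"
}

firewall_setup "${WAN:-ppp0}" "${LAN:-eth0}" \
    "${TRUSTED_IP:-203.0.113.10}" "${ADMIN_MAC:-00:11:22:33:44:55}"
```

Checking the result from the outside is the test rickenbacherus proposes: a full-range scan of the ppp0 address should show every port as filtered (no reply) except 22, and 22 should itself answer only from the trusted address; the INVALID drop also keeps stray or malformed packets from provoking any reply.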

rickenbacherus
05-28-2003, 07:10 AM
Check out DaLANTech (http://www.dalantech.com/ubbthreads/postlist.php?Cat=&Board=networking&page=0&view=collapsed&sb=5&o=) Great stuff on networking there.

Also LEAF (http://leaf-project.org/)

Bering (a bootable router distro) is capable of booting from 1 or 2 floppy drives, cd, zip or hdd, or even combinations of drives, does packet shaping (bandwidth limiting) and load balancing. It also uses Shorewall, which I have seen mentioned here frequently, but as I was unaware that it could be utilized without hard drive installation I was a bit hesitant. Bering uses Shorewall to configure iptables- "iptables made easy" is the quote I believe. You build your own bootable disc with no more and no less than you need- very customizable. It even has the LCD driver LCDproc as a module!! w00t! It can redial your modem if the connection is lost and serve as a bridge too.

Surely somebody could figure out how to make Knoppix do all of that but for me personally there is no need. There are menus for everything already without taxing your hardware with a GUI.