Suggestion: sharing connection

[guarnier]

Hi to all,

I am new of Knoppix, but I am astonished!!!

I tried it and I found it incredible,,,

Now, my 1 cent tip:

why not the possibility to share a connection with other machines ? I mean enabling Knoppix to act as a gateway/proxy/router. It should be possible also to add a dhcp/nat server to integrate with the existing Samba tools.
I know some mini-distributions doing all this on a single 'enhanced' floppy. So, the total weight it should be not so terrible...

In any case, my sincere congratulations!

regards,
vanni

[adamm]

I currently have knoppix setup at my house as a router. I'm also using squid as a caching server on it too which seems to speed up my slow dialup somewhat.
I have a laptop using wireless, a desktop, and my knoppix router connected together through an SMC wireless router (router part not being used since i no longer have broadband).
I have dialup.

When knoppix detects an outgoing connection from either my desktop or my laptop (wireless) it uses the external modem and dials out to the internet.
I am using iptables to nat the connection and my wirless router to do dhcp.

You must first turn on ipforwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Then there is one line you will need to masqurade packets (the -o is the interface your are exiting on, since i dial up it's ppp0)

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

So it is doable, but I do think it would be cool to have a graphical frontend for people who arent used to doing stuff like this. That way they could pop in knoppix, click a few boxes and share a connection.

[rickenbacherus]

While it might be nice to have an "all in one" toolbox on a Knoppix disc making it into a router distro is IMO overkill. There are already a multitude of distros that do this both on floppy and cd. Generally speaking a dedicated router isn't going to have the necessary RAM to boot and run a GUI. Most router distros don't have X windows but certainly do have menus that are easy to use. My router has a whopping 16M RAM and is incapable of booting from cd. Additionally every line of code you add creates another opportunity for a hole in your firewall.

Certainly it is possible and has been suggested before and I believe there are some people actively working on just such a version of Knoppix.

adamm- Using a DNS cache is a great way to speed things up because of course you no longer need to rely on your ISP's DNS for resolution. Now for the true test of your router- have you scanned all 65535 ports? Not just the most common ones but all of them. What were the results? My little floppy distro is completely invisible except for port 22 as I like to ssh in from work from time to time and that requires a signature key AND a MAC address.

[Fabianx]

Hi to all,

I am new of Knoppix, but I am astonished!!!

I tried it and I found it incredible,,,

Now, my 1 cent tip:

why not the possibility to share a connection with other machines ? I mean enabling Knoppix to act as a gateway/proxy/router. It should be possible also to add a dhcp/nat server to integrate with the existing Samba tools.
I know some mini-distributions doing all this on a single 'enhanced' floppy. So, the total weight it should be not so terrible...

In any case, my sincere congratulations!

regards,
vanni

Let's laugh its already possible!

K, Knoppix, Services, Knoppix-Terminalserver

Fire it up, and select the appropriate things and voila you have a router

cu

Fabian

[adamm]

adamm- Using a DNS cache is a great way to speed things up because of course you no longer need to rely on your ISP's DNS for resolution. Now for the true test of your router- have you scanned all 65535 ports? Not just the most common ones but all of them. What were the results? My little floppy distro is completely invisible except for port 22 as I like to ssh in from work from time to time and that requires a signature key AND a MAC address.

I'm not using a DNS cache I'm using a web cache, so I don't have to download images all the time over my 33.1 connection (living in the country is nice, but no broadband sucks). I visit a site once and it's cached, for all computers. I'm doing a transparent squid caching server.
http://www.squid-cache.org/

The ports I have open are
22 ssh
25 smtp
3128 squid

All ports are locked down using tcpwrappers and these services are configured to only be used from eth0 and not the ppp0, except ssh, and that is locked down to only be accessed from my computer at work. (I couldn't get in anyway since it's not dialed up while i'm at work, although I do have a cron job running that emails me my IP address every time it connects to the internet, that way when my wife dials up and i'm at work, i can ssh if i need)

I've been messing with linux since Red Hat 5.2 and Knoppix is probably the most fun distro I have messed with. I have learned so much from tinkering with it. I'm used to Cisco routers, but i've been having a lot of fun with iptables lately.
Now that you mention it, I might setup a caching DNS server too

BTW, which floppy distro are you using...LRP?

[rickenbacherus]

[quote="adamm"]

I'm not using a DNS cache I'm using a web cache, so I don't have to download images all the time over my 33.1 connection (living in the country is nice, but no broadband sucks). I visit a site once and it's cached, for all computers. I'm doing a transparent squid caching server.
http://www.squid-cache.org/

Heard of it- obviously I've never used it. :P

All ports are locked down using tcpwrappers and these services are configured to only be used from eth0 and not the ppp0, except ssh, and that is locked down to only be accessed from my computer at work.

Same here except that I just forward all ports but 22 to a non-existant machine on my network.

I'm used to Cisco routers, but i've been having a lot of fun with iptables lately.

Uh oh- you shouldn't have told me that- I must have at least a million questions about Cisco routers and iptables. I really only know ipchains and not that well.

BTW, which floppy distro are you using...LRP?

Actually..........these Linux routers are a hobby in and of themselves. I have built several. I've used Clark Connect, IPCop, Gibralter and, Devil.

Currently working on Digital DEC 486 laptop w/ 8M and a dual pcmcia card. No luck there yet w/ a few different distros. Linux router through pcmcia is killing me.

Main router is a K5 w 16M & Coyote Linux. Just started building a Bering floppy (LEAF) yesterday for same box. Considering buying a Toshiba laptop 233Mhz 160M which would boot a cd distro quite nicely. These different cd distros (floppies too) all have their little intricacies (sp?) so they're each a new challenge. Bering is quite awesomely configurable AND it uses iptables- Shorewall in fact. AAMOF- I'm off to work on it now.

[aay]

Same here except that I just forward all ports but 22 to a non-existant machine on my network.

Perhaps this will expose my ignorance, but what is the advantage of doing this as opposed to closing the port? Is this simply what it takes to stealth your ports?

[rickenbacherus]

Same here except that I just forward all ports but 22 to a non-existant machine on my network.

Perhaps this will expose my ignorance, but what is the advantage of doing this as opposed to closing the port? Is this simply what it takes to stealth your ports?

It does stealth your ports. There are other ways of doing it but I'm not really clear on how.

Suppose I'm a hacker- I do a port scan on your ip address. Port 23 comes back as closed- no you're not running telnet on that port but I know for a fact that you're there. If you forward to a non-existant machine the packets don't get sent back- there is no response. It's alot like spammers- if you 'Reply' then they just know that they have an active email account.

[aay]

Is it possible then to have all ports forwarded to a non existant address (even ones you want to access) unless your incomming request meets certain requirements: for example, having a specific mac address? That would be really nice.

[adamm]

Is it possible then to have all ports forwarded to a non existant address (even ones you want to access) unless your incomming request meets certain requirements: for example, having a specific mac address? That would be really nice.

You should be able to do something like that using

--mac-source [!] address
Match source MAC address. It must be of the form
XX:XX:XX:XX:XX:XX. Note that this only makes sense for packetscoming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

found this in
man iptables