Building an ADSL (PPPoE) Router with Linux

The text below was written from the information available at the time of writing and may contain things that no longer match the current situation, so take care. Also, this text is the final submitted manuscript before proofreading, so it differs from what was actually printed in UNIX USER magazine; typos and omissions are left as they are.

No additions or corrections other than for fatal errors will be made, so use it with the age of the information in mind.

Table of Contents


Part3 LinuxADSL(PPPoE)

Part2Linux 
Turbo Linux 7 Server : 20022CD-ROMFTP 
ADSL(PPPoE)

NIC2

Part2FreeBSDLinux
2Linux2 
 eth0, eth1 


	WAN(ADSL)		eth0
	LAN				eth1



OS

 Turbo Linux 7 Server HDD


 

---[ figure ]----------------------------------------------------------
       (image: tl-install-sec.png)
----------------------------------------------------------------------

CD-ROM Turbo Linux 7 
PPPoE
(ppp  rp-pppoe)Linux
 ppp, rp-pppoe 

  :
	# rpm -i ppp-2.4.1-2.i386.rpm
	# rpm -i rp-pppoe-3.2-3.i386.rpm



FreeBSDIP
/etc/sysctl.conf 

  # Disables packet forwarding
  net.ipv4.ip_forward = 0



  # Enables packet forwarding
  net.ipv4.ip_forward = 1

IP


  # sysctl net.ipv4.ip_forward=1



PPPoE

LinuxPPPoE rp-pppoe
: http://www.roaringpenguin.com
 rp-pppoe 
PPPoErp-pppoe adsl-setup 



	IP		192.168.1.12
				PPPoEaccount@provider
				PPPoEpassword
	LAN	10.0.1.0/24
	ADSL	eth0
	LAN		eth1

ADSL
/etc/sysconfig/network 
 GATEWAY  GATEWAYDEV 

  ---[ /etc/sysconfig/network ]---
	GATEWAY=172.16.212.1	    
	GATEWAYDEV=eth0		    

  /etc/sysconfig/network-scripts/ifcfg-eth0 eth0


  ---[ /etc/sysconfig/network-scripts/ifcfg-eth0 ]---
	DEVICE=eth0
	ONBOOT=no

adsl-setup 

# adsl-setup
Welcome to the Roaring Penguin ADSL client setup.  First, I will run
some checks on your system to make sure the PPPoE client is installed
properly...

Looks good!  Now, please enter some information:

  

USER NAME

>>> Enter your PPPoE user name (default bxxxnxnx): PPPoEaccount@provider
                                                   ~~~~~~~~~~~~~~~~~~~~~

  PPPoE


INTERFACE

>>> Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethn, where 'n' is a number.
(default eth1): eth0
                ~~~~

   no 

Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped.  If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses.  You may have some problems with demand-activated links.
>>> Enter the demand value (default no): no
                                         ~~

   /etc/resolv.conf 
  [Enter] server 

DNS

Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
>>> Enter the DNS information here: server
                                    ~~~~~~

  PPPoE

PASSWORD

>>> Please enter your PPPoE password: PPPoEpassword     ()
                                      ~~~~~~~~~~~~~
>>> Please re-enter your PPPoE password: PPPoEpassword  ()
					 ~~~~~~~~~~~~~

  NAT
   2 

FIREWALLING

Please choose the firewall rules to use.  Note that these rules are
very basic.  You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security.  If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself.  Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc.  If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.

The firewall choices are:
0 - NONE: This script will not set any firewall rules.  You are responsible
          for ensuring the security of your machine.  You are STRONGLY
          recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
                for a LAN
>>> Choose a type of firewall (0-2): 2
				     ~


   y 

** Summary of what you entered **

Ethernet Interface: eth0
User name:          PPPoEaccount@provider
Activate-on-demand: No
DNS addresses:      Supplied by ISP's server
Firewalling:        MASQUERADE

>>> Accept these settings and adjust configuration files (y/n)? y
								~

   /etc/ppp 

Adjusting /etc/ppp/pppoe.conf
Adjusting /etc/ppp/pap-secrets and /etc/ppp/chap-secrets
  (But first backing it up to /etc/ppp/pap-secrets-bak)
  (But first backing it up to /etc/ppp/chap-secrets-bak)

Congratulations, it should be all set up!

Type 'adsl-start' to bring up your ADSL link and 'adsl-stop' to bring
it down.  Type 'adsl-status' to see the link status.


 adsl-start 

# adsl-start
. Connected!

 Connected!adsl-status 


# adsl-status
adsl-status: Link is up and running on interface ppp0
ppp0      Link encap:Point-to-Point Protocol  
          inet addr:192.168.1.12  P-t-P:192.168.1.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:46 (46.0 b)  TX bytes:52 (52.0 b)

Part2FreeBSD


adsl-start 


	# chkconfig adsl on

LAN

FreeBSDIP1
LANPCNAT


 adsl-setup FIREWALLING2 -
MASQUERADEPPPoE /etc/ppp/firewall-masq 
NAT
 ipchains 
2.62.8ipchains
iptables 


iptablesNAT 


iptables

  ipchainsiptables

  2.4 iptables ipchains
  
  ipchains
  

	# lsmod

  ipchains  chkconfig ipchains off 
  ipchains
  :  ipchains 
  

  iptables

  iptables
  iptables
   

    * INPUT	
    * FORWARD	IP
		
    * OUTPUT	

  3
  iptables
  


http://www.linux.or.jp/JF/JFdocs/packet-filtering-HOWTO-6.html

----[ figure ]---------------------------------------------------------
      (packet path through the built-in chains INPUT, FORWARD and OUTPUT)
----------------------------------------------------------------------

  

  iptables INPUT, OUTPUT,
  FORWARD 
  

	# iptables -A <> <> -j 

  

	ACCEPT	
	DROP	
	QUEUE	

  
  (PPPoE
  ppp0) INPUT, FORWARD 
  
  INPUT/FORWARD
  
  
  ()

  //

  * 
	# iptables -N <>
  * 
	# iptables -F <>
  * 
	# iptables -X <>

   -X 
  -F -F INPUT, OUTPUT, FORWARD
  

  
  

	# iptables -A INPUT <> -j <>
	# iptables -A FORWARD <> -j <>

  

  

   iptables
  0
  []
   iptables(8) 
   Linux 2.4 Packet Filtering HOWTO
  http://www.linux.or.jp/JF/JFdocs/packet-filtering-HOWTO.html
  

  --------------------------------------------------
  -p [!] 		
  (--protocol)			tcp, udp, icmp, all 
				/etc/protocols 
				!  NOT 
				
  --------------------------------------------------
  -s [!] [/]	
  (--source, --src)		! 
  --------------------------------------------------
  -d [!] [/]	
  (--destination, --dst)	! 
  --------------------------------------------------
  -i [!] 	
				INPUT, FORWARD, PREROUTING 
				
				! 
  --------------------------------------------------
  -o [!] 	
				OUTPUT, FORWARD, POSTROUTING 
				
				! 
  --------------------------------------------------
  [!] -f			
  (--fragment)			! (
				)
  --------------------------------------------------



   -p 

  	     		 
  ----+---------------------------------+-------
  tcp	--source-port [!] [port[:port]]	 
  udp	--sport				 2:
					 
					 !
  ----+---------------------------------+-------
  tcp	--destination-port [!] [port[:port]]	
  udp	--dport				 2:
					 
					 !
  ----+---------------------------------+-------
  tcp	--tcp-flags [!] mask comp
		    TCPmask
		    (,)
		    comp
		    ! 
  ----+---------------------------------+-------
  tcp	[!] --syn
		   --tcp-flags SYN,RST,ACK SYN 
		   TCP
  ----+---------------------------------+-------

   -p 
   -m 
  
  

  				
  multiport	--source-port <>	
		(--sport) 			
						-p tcp, -p udp 
						
		+----------------------------------------------------------
  		--destination-port <> 
		(--dport)			
						-p tcp, -p udp 
						
						
		+----------------------------------------------------------
  		--port <> 		
		(--ports)			
						
						-p tcp, -p udp 
						
   -------------------------------------------------------------------------
   state	--state <>	  
				<>
				INVALID		
				ESTABLISHED	
				NEW		
				RELATED		
						
						ftp-data
						

  

  iptables
  
  iptables-P

	# iptables -P <> <>

   <>  <
  > 

	# iptables -P INPUT DROP

  INPUT DROP()


  
  FreeBSD(ipfw)(???)
  

	* 	
	* LAN
	* 
	* LANTCP
	* UDP
	* 
	* ICMP
	* 

  ipfw
  iptables
  
  OUTPUT
  ACCEPT INPUT, FORWARD
   ??? (ipfw)
   myrule 
  INPUT, FORWARD
  myrule 
   

----[ figure ]---------------------------------------------------------
      (INPUT and FORWARD both jump to the user chain myrule; OUTPUT is unchanged)
----------------------------------------------------------------------

  

  * 

    OUTPUTINPUT, FORWARD
    
    

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT

    INPUT, FORWARD myrule 
    

iptables -N myrule
iptables -F myrule

    INPUTFORWARD myrule
    

iptables -A INPUT -j myrule
iptables -A FORWARD -j myrule

  * 

    (lo)
    127.0.0.0/8

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -i '!' lo -j DROP

  * LAN

    LAN eth0  10.0.1.0/24 
    

iptables -A myrule -i eth1 -s 10.0.1.0/24 -j ACCEPT

    LAN

  * 

    TCPestablished connection
     state 
     -m state 

iptables -A myrule -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A myrule -f -j ACCEPT

  * LANTCP

    OUTPUT
    

  * UDP

    DNS(53)NTP(123)

iptables -A myrule -p udp --dport 53 -j ACCEPT
iptables -A myrule -p udp --sport 53 -j ACCEPT
iptables -A myrule -p udp --dport 123 -j ACCEPT
iptables -A myrule -p udp --sport 123 -j ACCEPT

  * 

     SSH(22), SMTP(25),
    HTTP(80), POP3(110)
     multiport 1

iptables -A myrule -p tcp -m multiport --dports 22,25,80,110 -j ACCEPT

  * ICMP

    ICMP

iptables -A myrule -p icmp -j ACCEPT

  * 

    myruleINPUT
    FORWARD DROP 
    
    

iptables -A myrule -j LOG

	-	-	-	-

NAT

  iptables3
   "filter" "nat",
  "mangle" iptables NAT "nat" 
  

  LANppp0
  NATnat  POSTROUTING 
   MASQUERADE 

	# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

  LAN(NAT)
  



  PPPoE
  /etc/ppp/firewall-masq  

---[ /etc/rc.firewall.local ]-----------------------------------------
#!/bin/sh
#
# firewall-masq         This script sets up firewall rules for a machine
#                       acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.

# Interface to Internet
EXTIF=ppp+

ANY=0.0.0.0/0

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT

# Make own rule set chain (-N only fails if the chain already exists)
iptables -N myrule 2>/dev/null
iptables -F myrule

# Bypass to myrule
iptables -A INPUT -j myrule
iptables -A FORWARD -j myrule

# Allow packets in local
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -i '!' lo -j DROP

# Allow packets within LAN
iptables -A myrule -i eth1 -s 10.0.1.0/24 -j ACCEPT
# Established packets
iptables -A myrule -p tcp -m state --state ESTABLISHED -j ACCEPT
# Fragments
iptables -A myrule -f -j ACCEPT
# Essential UDP's
iptables -A myrule -p udp --dport 53 -j ACCEPT
iptables -A myrule -p udp --sport 53 -j ACCEPT
iptables -A myrule -p udp --dport 123 -j ACCEPT
iptables -A myrule -p udp --sport 123 -j ACCEPT
# Pass SSH, SMTP, HTTP, POP3 (multiport takes the plural --dports)
iptables -A myrule -p tcp -m multiport --dports 22,25,80,110 -j ACCEPT
# Allow ICMP
iptables -A myrule -p icmp -j ACCEPT

# Log the rest
iptables -A myrule -j LOG

# Do masquerading on the Internet interface defined above
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Ensure IP forwarding here
sysctl -w net.ipv4.ip_forward=1
----------------------------------------------------------------------
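The following is an added example, not the article's script and not rp-pppoe's firewall-masq: the same rule set rewritten so that connection tracking (ip_conntrack/ipt_state) matches replies for UDP and ICMP as well as TCP, which removes the bare `--sport 53`/`--sport 123` and fragment holes, and closes the chain with a rate-limited LOG followed by an explicit DROP. Interface names, the LAN prefix and the port list follow the article; `IPT`, `SYSCTL`, `build_rules` and the `apply` argument are this example's own.

```shell
#!/bin/sh
# Added example, not the article's own /etc/rc.firewall.local: the same
# rule set made stateful. Names follow the article (eth1 = LAN side
# 10.0.1.0/24, ppp0 = PPPoE link); assumes 2.4 ip_conntrack/ipt_state.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
LANIF=eth1
LANNET=10.0.1.0/24
EXTIF=ppp0
SERVICES=22,25,80,110      # TCP services the router itself offers

build_rules() {
    # Default policies: drop inbound and forwarded traffic, allow outbound.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -F INPUT; $IPT -F FORWARD; $IPT -F OUTPUT
    $IPT -t nat -F POSTROUTING          # dedicated gateway: nat is ours
    # One user chain shared by INPUT and FORWARD, as in the article.
    $IPT -N myrule 2>/dev/null || true  # chain already exists on re-run
    $IPT -F myrule
    $IPT -A INPUT -j myrule
    $IPT -A FORWARD -j myrule
    # Loopback, and loopback addresses arriving on any other interface.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # Anything from the LAN side may enter the router or be forwarded.
    $IPT -A myrule -i "$LANIF" -s "$LANNET" -j ACCEPT
    # Replies are matched by connection tracking for TCP, UDP and ICMP
    # alike, so DNS/NTP answers return without a blanket "--sport 53" hole.
    $IPT -A myrule -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A myrule -m state --state INVALID -j DROP
    # New connections from the Internet only to the listed TCP services.
    $IPT -A myrule -i "$EXTIF" -p tcp -m multiport --dports "$SERVICES" \
         -m state --state NEW -j ACCEPT
    # ICMP (needed for path-MTU discovery on the 1492-byte PPPoE link).
    $IPT -A myrule -p icmp -j ACCEPT
    # Rate-limited log, then an explicit DROP closes the chain.
    $IPT -A myrule -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A myrule -j DROP
    # Masquerade LAN traffic leaving through the PPPoE interface.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    $SYSCTL -w net.ipv4.ip_forward=1
}

# "sh rc.firewall.local apply" loads the rules; without "apply" the script
# only prints the commands it would issue, for review.
[ "$1" = apply ] || { IPT=echo; SYSCTL=echo; }
build_rules
```

Run without `apply` the script prints the iptables commands instead of loading them, which is a convenient way to review the set before hooking it into the boot sequence.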


DHCP

Linux ISC-DHCP  Turbo Linux 7
Server DHCP


	# rpm -qa | grep dhcp
	dhcp-client-2.0pl5-3
	dhcp-2.0pl5-3

 dhcp-2.0pl5-3 DHCP
dhcp-<>.rpm 

	# rpm -i dhcp-<>.rpm 



isc-dhcp 2.x  dhcpd.conf 

---[ /etc/dhcpd.conf ]------------------------------------------------
#
# dhcpd.conf
#

# 
option domain-name "example.com";
option domain-name-servers ns.example.com;

# lease
default-lease-time 600;
max-lease-time 7200;

# LAN
subnet 10.0.1.0 netmask 255.255.255.0 {
        # 
        option routers 10.0.1.1;
        # Unknown clients get this pool.
        # IP
        range 10.0.1.200 10.0.1.253;
}
----------------------------------------------------------------------

  /var/dhcp/dhcpd.leases dhcpd-d
  

	# touch /var/lib/dhcp/dhcpd.leases
	# dhcpd -d

  DHCP
  

	# chkconfig dhcpd on

  



PPPoENATDHCP

WWW



yuuji@gentei.org
Fingerprint16 = FF F9 FF CC E0 FE 5C F7 19 97 28 24 EC 5D 39 BA
HIROSE Yuuji