Subject: Re: questions about IPNAT setup
To: None <port-mac68k@netbsd.org>
From: Bruce Anderson <brucea@wavefront.com>
List: port-mac68k
Date: 08/05/1998 02:27:00
<SMALLER><FIXED>On Tue, Aug 4, 1998 9:49 PM, ? wrote:
> Hi, all. This must be FAQ, so please tell me the reference
> point. Right now, I cannot connect to the "IP-NAT HOW-TO by Armen
> Babikyan".
>
> I'm trying to set up the IPNAT at my NetBSD box(SE/30,
> 1.3.2(GENERIC)). During the bootstrap process at the ipfilter, it
said
> like outgoing=3Dpass and incoming=3Dreject. And I cannot go out the
> INTNERNET from the pirvate net, yet. When I launched tcpdump on ae0
> and ppp0, the outgoing request seemed to be sent out.
>
> Any suggegtions will be appritiated.
>
> Thank you.
>
>
> --KITAMURA
>
>
>
This is my outbound ppp setup BA- :)
First from netbsd-
% sysctl -a |grep ip
net.inet.ip.forwarding =3D 1
net.inet.ip.redirect =3D 1
net.inet.ip.ttl =3D 64
net.inet.ip.forwsrcrt =3D 1
net.inet.ip.directed-broadcast =3D 0
net.inet.ip.allowsrcrt =3D 1
net.inet.ip.subnetsarelocal =3D 1
net.inet.ip.mtudisc =3D 0
net.inet.ip.mtudisctimeout =3D 600
% cat /etc/ipf.conf ( Empty, see man ipf.conf )
% cat /etc/ipnat.conf ( No static IP :(
map ppp1 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map ppp1 192.168.0.0/16 -> 0.0.0.0/32
map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map ppp0 192.168.0.0/16 -> 0.0.0.0/32
#end /etc/ipnat.conf
% cat /etc/netstart.local
sysctl -w net.inet.tcp.rfc1323=3D0
if [ -f /etc/ipnat.conf ]; then
sysctl -w net.inet.ip.redirect=3D1 ;
sysctl -w net.inet.ip.forwarding=3D1 ;
echo 'starting IP network address translation (ipnat)...' ;
/usr/sbin/ipnat -f /etc/ipnat.conf
fi
#end /etc/netstart.local
% cat /etc/resolv.conf ( this may not be right )
;
; BIND data file
; Created by NetBSD sysinst on Tue Jun 23 08:19:12 1998
;
;nameserver 192.168.206.41 ; I have a name server running
;nameserver PrimaryDNS-IP-NUMBER SecondaryDNS-IP-NUMBER
nameserver xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
lookup file
;search yourISPs-domainname.com (up to three names)
search wavefront.com wavefront.net VISI.com
; end /etc/resolv.conf
% cat /etc/hosts
# $NetBSD: hosts,v 1.4 1997/01/09 05:33:14 mikel Exp $
#
# Host Database
# This file should contain the addresses and aliases
# for local hosts that share this file.
# It is used only for "ifconfig" and other operations
# before the nameserver is started.
#
#
127.0.0.1 localhost homemailhost
#
# RFC 1918 specifies that these networks are "internal".
# 10.0.0.0 10.255.255.255
# 172.16.0.0 172.31.255.255
# 192.168.0.0 192.168.255.255
#
# ae0 segment
192.168.206.1 bobcat.home.org bobcat
192.168.206.21 jaguar.home.org jaguar
192.168.206.41 leopard.home.org home.org leopard
192.168.206.121 lynx.home.org lynx
# end /etc/hosts
then
% cat /etc/ppp/options
# options empty
# end /etc/ppp/options
% cat /etc/ppp/options.tty00
# options empty
# end /etc/ppp/options.tty00
% cat /etc/ppp/chat-script
#!/bin/sh
# This script is invoked with one argument, the phone number to call
# and optionally the account username. If the username in included
# the chat script used is one that logs into a Terminal Server using
# a Login protocol. In the absence of the username argument the
# connection is made to a Server using PAP, CHAP or MS-CHAP
authentication.
#
# If the modem requires any special initialization specify the INIT
# string here. If uncertain leave this blank or use the value
# used with the modem when running MacOS (or Windows).
# BA-
MODEM_INIT=3D'"AT&F H0 M0 E0 X4 W1 Y1 &S1 &D0 S2=3D14"'
# Y1 is essential to get the modem to hangup , &D0 is for
# cdtrcts hardware flow control. Change "+" ASCII 43 to Ctrl-N
# no more modem hangups while uploading AT commands, I hope.
# BA-
# Crack the argument string and get the phone number and optionally
# the account username.
#
NUMBER=3D`echo $1 | /usr/bin/awk '{print $1}'`
LOGIN=3D`echo $1 | /usr/bin/awk '{print $2}'`
#
# If LOGIN name is not blank it means we're going to attempt to
# connect to a Terminal Server using a Login protocol. In that
# case we need to extract the account password from the pap-secrets
# file. (This will not work if the user is a member of group users )
#
if [ -n "${LOGIN}" ]; then
PASSWD=3D`/usr/bin/grep ${LOGIN} /etc/ppp/pap-secrets |
/usr/bin/awk '{print $3}'`
fi
TMP=3D"/tmp/${$}"
#
rm -f ${TMP}
umask 077
echo 'REPORT ERROR'>>${TMP}
echo 'REPORT BUSY'>>${TMP}
echo 'REPORT CONNECT'>>${TMP}
echo 'ABORT ERROR'>>${TMP}
echo 'ABORT BUSY' >> ${TMP}
echo 'ABORT "NO CARRIER"' >>${TMP}
echo 'ABORT "NO DIAL"' >>${TMP}
echo 'TIMEOUT 15' >>${TMP}
echo '"" ^N^N^NATZ!!' >>${TMP}
if [ -n "${MODEM_INIT}" ]; then
echo "OK ${MODEM_INIT}" >>${TMP}
fi
echo "OK ATH0DT${NUMBER}" >>${TMP}
echo 'TIMEOUT 50' >>${TMP}
echo 'CONNECT ""' >>${TMP}
echo 'TIMEOUT 10' >>${TMP}
#
# This section might require some hand tweaking to deal with the
# prompt strings received from the Terminal Server during Login
# and what needs to be sent to bring up the PPP link. The default
# here assumes the Server will prompt for Username with "Username:"
# and Password with "Password:". Following validation the PPP link
# is started with the "ppp" command to the Server.
#
if [ -n "${LOGIN}" ]; then
echo ":-\r-: ${LOGIN}" >>${TMP}
echo "word: \q${PASSWD}" >>${TMP}
echo 'TIMEOUT 10' >>${TMP}
echo ' n-\r-n \d\c "" "ppp 0.0.0.0"' >>${TMP}
fi
#
# Now invoke the script we just built
#
usr/sbin/chat -v -f ${TMP}
#end /etc/ppp/chat-script
% cat /etc/ppp/ip-up
#!/bin/sh
# Flush the queue and pickup mail
echo $(date) " ip-up " >/etc/ppp/time-ppp
/usr/local/bin/fetchmail --invisible &
/usr/sbin/sendmail -q &
wait
echo $(date) " done with mail " >>/etc/ppp/time-ppp
# I could move in a new /etc/resolv.conf
# end /etc/ppp/ip-up
% cat /etc/ppp/ip-down
#!/bin/sh
echo $(date) " ip-down " >>/etc/ppp/time-ppp
echo "" >>/etc/ppp/time-ppp
echo "" >>/etc/ppp/time-ppp
# I could move the old /etc/resolv.conf back.
# end /etc/ppp/ip-down
% cat /etc/ppp/ppp-down
#!/bin/sh
#
# User command to tear down the dial-out PPP connection.
# Use a "ln -s /etc/ppp/ppp-down /usr/local/pppdown" to make
# command easily available. Unfortunately there is no easy
# way of knowing which port has the dial-out modem attached,
# so this script might need some local touch up.
#
SYSTEM=3D`uname -m`
if [ "mac68k" =3D "$SYSTEM" ]; then
MODEM=3Dtty00
else
MODEM=3Dtty01
fi
#
if [ -f /var/spool/lock/LCK..$MODEM ]; then
echo -n killing pppd...
kill -HUP `cat /var/spool/lock/LCK..$MODEM`
echo done
else
echo ppp already is down 1>&2
fi
# end /etc/ppp/ppp-down
Note I name my peer files by Phone number because
Wavefront has so many phone numbers to choose from.
To start a ppp connection I use : pppd call <<603>
where 603 is the name of the connection script file
in /etc/ppp/peers/
% cat /etc/ppp/peers/603
# This is an example script that connects to an ISP using PAP.
# Things to change:
# In the first non-comment line make sure the modem line is correct
# and the modem speed is properly specified.
# In the "connect" line specify the phone number of the ISP and
# optionally the account username specified in the "user" line.
# If the username is supplied it is blank separated from the
# phone number list and implies that a Terminal Server type
# Logon will be used. In the absence of the username field
# the connection will be made using PAP, CHAP or MS-CHAP
# authentication. In both cases the password will be obtained
# from the pap-secrets/chap-secrets file based on the value of
# the "user" parameter.
# In the "ipparam" line specify in a string the Domain,
Nameservers,
# and optionally the Searchlist. The three fields are blank
# separated and multiple values in an individual field are
# comma separated. This information is used to dynamically
# build the /etc/resolv.conf file when the link comes up.
# In the "domain" line specify the name of the domain for the ISP.
# In the "netmask" line specify the sub-net mask for the service
# which we will be connecting to. Normally this is
255.255.255.0.
# In the "user" line specify the account name used for login to the
# ISP. If connecting to an NT/RAS Server this should be in the
# form of NT/RAS Server Domain <<backslash> NT/RAS User name.
The
# <<backslash> must be quoted with a <<backslash>.
# If connecting to an NT/RAS Server it might be necessary to
include
# the "nopredictor1" and "nobsdcomp" options.
# change XXX and my-user-name to the appropriate value
tty00 38400 # modem port and speed
#tty00 57600 # modem port and speed
#connect '/etc/ppp/chat-script "603-XXXX my-user-name" ' # connect
script
connect '/etc/ppp/chat-script "603-XXXX" ' # connect
script
ipparam "wavefront.com xxx.xxx.xxx.xxx,192.168.206.41
wavefront.com,home.org"
disconnect /etc/ppp/ppp-down
lock # lock the modem port on connect
modem # use full modem control
passive # wait for remote to come up
cdtrcts # use hardware flow control
#mtu 296 # maximum transmission size for link
#mru 296
nobsdcomp
nodeflate
novj
defaultroute # add default routing when link comes
up
noipdefault # no local defaults for IP addresses
ipcp-accept-local # allow remote to specify our IP
address
ipcp-accept-remote # allow remote to specify his IP
address
lcp-echo-interval 30 # ping the remote every 30 seconds
lcp-echo-failure 10 # declare link down after 10 pings
fail
netmask 255.255.255.0 # netmask for our assigned IP address
domain wavefront.net # domain name we're connecting into
user my-user-name # account name to use to log onto
remote
#end /etc/ppp/peers/603
14 13 12 11 10 987654321
0010 0000 0000 0000
----------------------------------------------------------------
This message was created and sent using the Cyberdog Mail System
----------------------------------------------------------------
</FIXED></SMALLER>