Planetarion Forums - PPPD-only Dial on Demand

Gayle29uk · 8 Jan 2003, 09:58

I seem to remember someone saying they had pppd configured for dial on demand without using wvdial or any other dialer. Anyone any ideas?

I'm off to find out how to set it up so that only http requests initiate the connection...

Mong · 8 Jan 2003, 11:17

What's wrong with wvdial?

M.

Gayle29uk · 8 Jan 2003, 11:24

Quote:

Originally posted by Mong
What's wrong with wvdial?

M.

Elegance. If I can do it all using one programme then I prefer to do it using one programme. Less to go wrong

Atm I use wvdial and pppd, I just remember someone having a more elegant solution involving just pppd.

MT · 8 Jan 2003, 17:17

that was me!

Gayle29uk · 8 Jan 2003, 17:28

Quote:

Originally posted by MT
that was me!

Can I persuade you to post copies of the relevant config files?

MT · 8 Jan 2003, 18:07

Quote:

Originally posted by Gayle28uk
Can I persuade you to post copies of the relevant config files?

yes

MT · 8 Jan 2003, 18:16

The other scripts that I use ..

Code:

/etc/netfilter/rc.masq-strong
#!/bin/bash
FWVER=0.70s
echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
EXTIF="ppp0"
INTIF="eth0"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"
EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
echo "  External IP: $EXTIP"
echo "  ---"
INTNET="192.168.0.0/24"
INTIP="192.168.0.2/24"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  ---"
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
GREP=/bin/grep
AWK=/usr/bin/awk
ECH=/bin/echo
UNIVERSE="0.0.0.0/0"
echo "  - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en "    Loading kernel modules: "
echo -en "ip_tables, "
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
   /sbin/insmod ip_tables
fi
echo -en "ip_conntrack, "
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
   /sbin/insmod ip_conntrack
fi
echo -e "ip_conntrack_ftp, "
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
   /sbin/insmod ip_conntrack_ftp
fi
echo -en "                             ip_conntrack_irc, "
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
   /sbin/insmod ip_conntrack_irc
fi
echo -en "iptable_nat, "
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
   /sbin/insmod iptable_nat
fi
echo -e "ip_nat_ftp"
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
   /sbin/insmod ip_nat_ftp
fi
echo "  ---"
echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "  Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "  ---"
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j DROP
echo -e "\n   - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -e "      - Allowing EXTERNAL access to the WWW server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e "   - Loading OUTPUT rulesets"
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e "   - Loading FORWARD rulesets"
echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it
echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"

Code:

/etc/ppp/ip-up
#!/bin/sh
/bin/wall pppd up - `/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`
/etc/netfilter/rc.masq-strong
/bin/echo 1 >/etc/ppp/isup
/bin/kill -USR2 `cat /var/run/pppdaemon.pid`

Code:

/etc/ppp/ip-down
#!/bin/sh
/bin/wall pppd down - `/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`
/etc/netfilter/rc.masq-strong
/bin/echo 0 >/etc/ppp/isup
/bin/kill -USR1 `cat /var/run/pppdaemon.pid`

er ... better explain those last two..

They get run when the connection dies/is brought up.
The wall is so I can see when it happens, the reloading of the firewall is to account for any changes in ip, and hte last two are irrelevant (for a program I'm working on that tells other machines on the subnet the status of pppd ..)