Subject: Re: [suse-security] network options
From: Russell Evans (revans@e-z.net)
Date: Fri Oct 06 2000 - 22:31:34 CDT
- Next message: Chad Whitten: "Re: [suse-security] network options"
- Previous message: Ryan Kirwin: "Re: [suse-security] network options"
- Maybe in reply to: Edward Miles: "[suse-security] network options"
- Next in thread: Russell Evans: "Re: [suse-security] network options"
- Maybe reply: Russell Evans: "Re: [suse-security] network options"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
The Cisco 675 will do PAT (port address translation) as well as NAT
(network address translation). You want to do a set nat entry add on the
675 to open a port on the DHCP-assigned address of the WAN port that will
be forwarded to a computer's IP address and port. The command you want to
use is set nat entry add inside_ipaddress port. The inside_ipaddress is
the computer's IP address; port is the port you wish opened.
The full command for port forwarding is set nat entry add
inside_ipaddress port outside_ipaddress port protocol. By leaving the
outside address unspecified, the Cisco 675 will open the port on any
address you receive. If you specify the address, then it will break if
you are assigned a new one.
Now, to assign a name to your box, I would suggest www.dhs.org. Sign up
for a dyn.dhs.org host and then apply the DHCP address that the Cisco
675 has on its wan0-0 port. Use the command sh nat on the Cisco to get
the address.
cbos#sh nat
NAT is currently enabled
Inside Global Address set to 216.160.111.159
Inside Local       Inside Global           Timer  Flags   Protocol
10.0.0.30: 222     216.160.111.159: 222    0      0x2041  ***
10.0.0.10: 25      216.160.111.159: 25     0      0x2041  ***
10.0.0.10: 22      216.160.111.159: 22     0      0x2041  ***
You can see that I have two computers. I have PAT pointing connections
for ssh and SMTP, and 222, which is ssh running on the second host. You
can only point one port to one computer, so to ssh in to the second
computer required another port to be opened. I used 222 because it is
easy for me to remember.
There were a few times that I wanted access to my computers when away,
where service had been interrupted and I received a new DHCP address.
Of course, being away from the systems, I had no way of knowing the
address assigned, and so myhost.dyn.dhs.org was not pointing to my
machine. To fix this I used a script and set up the Cisco 675 to log its
syslog to one of my machines. The Cisco commands are
cbos#set syslog
SET SYSLOG requires one of the following arguments
disabled Turn off Syslog
enabled Turn on Syslog
port Set Syslog Port Number
remote Set Remote IP Address
test Test Syslog server
So enable it and use set syslog remote ipaddress to point the logging
to your computer. Using yast, it is very easy to set up syslog to accept
traffic from other hosts: System Administration/Change configuration/,
look for SYSLOGD_PARAMS and add -r to the options. Now do, as root,
/sbin/init.d/syslog restart, and then on the Cisco use the command
cbos#set syslog test HELLO, this is cool.
To test that it works, run as root the command grep HELLO,
/var/log/messages
So now every time the cisco picks up a new address it will log this
fact to the syslog daemon on your computer. The script will search for
the ip address logged and if it does not match the current DNS setting
at dhs.org it will change them to match.
Now set up the attached file with the appropriate settings and set up a
cron job as root to run it every hour or so. It has to be root because
only root has access to /var/log/messages. This will test the current
DNS settings of your dyn.dhs.org host on the dhs.org DNS server; if the
current IP address of the Cisco matches, then logger logs this fact to
syslog. If the IP address isn't the same, the script updates your
settings and logs whether it was successful or not.
#!/bin/sh
#
# dhspublic.sh - keep a dyn.dhs.org host pointed at the Cisco 675's WAN address.
# Run from root's crontab (the syslog file is readable only by root).
#
########################################
# Set these variables to your DHS Info #
########################################
LOGIN=""                     # your username
PASSWORD=""                  # your password
HOSTNAME=""                  # your hostname
DHSDOMAIN="dyn.dhs.org"      # your dynamic DHS domain (dyn.dhs.org, 2y.net); ATHome will not work with this script
MAILHOST=""                  # where you want mail to this host delivered to
LOGFILE="/var/log/messages"  # your syslog file
OFFLINE_URL=""               # offline url if you want to redirect
CLOAK=""                     # Y / N (yes or no)
CLOAK_TITLE=""               # I'm off line at the moment, will be back REAL SOON NOW
#########################################################
# You shouldn't have to modify anything below this line #
#########################################################
# Today's date as syslog writes it ("Oct  6"), so only today's IPCP lines are read.
DATE=`date +%b" "%e`
# Address the Cisco logged most recently today: field 26 of the newest IPCP
# line, with anything from a '^' onwards stripped off.
IPADDRESS="`grep "$DATE" "$LOGFILE" | grep IPCP | tail -n1 | cut -d " " -f26 | cut -d "^" -f1`"
# No IPCP line logged today: do not push an empty address to DHS.
if test -z "$IPADDRESS" ; then
    logger "No IPCP address found in $LOGFILE for $DATE, leaving $HOSTNAME.$DHSDOMAIN alone"
    exit 1
fi
DHS="http://members.dhs.org/nic/hosts?hostscmd=edit&hostscmdstage=2&type=4&submit=Update&updatetype=Online&domain=$DHSDOMAIN&hostname=$HOSTNAME&ip=$IPADDRESS&mx=$MAILHOST&offline_url=$OFFLINE_URL&cloak=$CLOAK&cloak_title=$CLOAK_TITLE"
# Address the DHS name server currently returns for the host. awk splits on any
# run of blanks, so "Address:  x" and "Address: x" nslookup output both work.
dns_ip() {
    nslookup "$HOSTNAME.$DHSDOMAIN" wombat.dhs.org | tail -n2 | grep Address: | awk '{ print $2 }'
}
if test "`dns_ip`" = "$IPADDRESS" ; then
    logger "IP $IPADDRESS is still mapped to $HOSTNAME.$DHSDOMAIN `date +%D" "%l:%M%p`"
else
    # Note: the credentials are passed on the command line (visible in ps) and over plain http.
    lynx -dump -auth="$LOGIN:$PASSWORD" "$DHS"
    sleep 30
    if test "`dns_ip`" = "$IPADDRESS" ; then
        logger "IP $IPADDRESS is now mapped to $HOSTNAME.$DHSDOMAIN `date +%D" "%l:%M%p`"
    else
        logger "Unrecognized response updating ip record! `date +%D" "%l:%M%p`"
    fi
fi
exit
Thank you
Russell
> I get service through USWest and I believe that I have a Cisco
> 675 DSL modem. I'm interested in what you develop for a setup on this...
>
> Thanks,
> Ryan
- application/x-sh attachment: dhspublic.sh
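The following is an added example, not Russell's attached script and not anything from Cisco or dhs.org. It automates the two checks his message describes: reading the Cisco 675's WAN address out of the forwarded syslog lines and deciding whether the dyn.dhs.org record needs updating, and reading the sh nat table to see what is exposed on the WAN side before adding another PAT entry (the message notes that one outside port can only be forwarded to one inside host). The syslog lines are constructed; the exact wording of the CBOS IPCP message is an assumption, since the original script only tells us the line contains "IPCP". The sh nat rows are the ones quoted in the message. The DHS update URL is deliberately not reproduced here.

```shell
#!/bin/sh
# Added example (not the original poster's dhspublic.sh).

# Constructed syslog lines, as they might land in /var/log/messages after
# "set syslog remote". The IPCP message wording is an assumption.
SAMPLE_LOG='Oct  6 21:03:11 cisco675 wan0-0 IPCP: address negotiated 216.160.111.159
Oct  6 21:03:12 cisco675 HELLO, this is cool.
Oct  7 02:14:55 cisco675 wan0-0 IPCP: address negotiated 216.160.112.7'

# The PAT rows from the "sh nat" output quoted in the message.
SAMPLE_NAT='10.0.0.30: 222 216.160.111.159: 222 0 0x2041 ***
10.0.0.10: 25 216.160.111.159: 25 0 0x2041 ***
10.0.0.10: 22 216.160.111.159: 22 0 0x2041 ***'

# last_ipcp_address LOG DAY: the last dotted quad on a line for DAY ("Oct  7")
# that mentions IPCP. Matching the address with a regex instead of counting
# fields (cut -f26) survives changes in the message wording.
last_ipcp_address() {
    printf '%s\n' "$1" | grep "^$2 " | grep IPCP \
        | sed -n 's/.*[^0-9.]\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*/\1/p' \
        | tail -n 1
}

# update_action CURRENT_IP DNS_IP: what the hourly cron job should do.
update_action() {
    if [ -z "$1" ]; then
        echo noaddr        # nothing logged: never push an empty address
    elif [ "$1" = "$2" ]; then
        echo keep          # record already correct
    else
        echo update
    fi
}

# dns_address HOST SERVER: resolve HOST against SERVER the way the original
# script does. awk splits on blanks, so old ("Address:  x") and new
# ("Address: x") nslookup output both work. Not called in the demo below.
dns_address() {
    nslookup "$1" "$2" 2>/dev/null | awk '/^Address/ { a = $2 } END { print a }'
}

# exposed_ports NAT: one "outside_port -> inside_host:port" line per PAT entry,
# i.e. what the WAN side is currently forwarding into the LAN.
exposed_ports() {
    printf '%s\n' "$1" | awk 'NF >= 4 { sub(/:$/, "", $1); print $4 " -> " $1 ":" $2 }'
}

# outside_port_free NAT PORT: succeeds if no existing entry already forwards
# PORT, since the 675 can map one outside port to only one inside host.
outside_port_free() {
    ! printf '%s\n' "$1" | awk -v p="$2" '$4 == p { found = 1 } END { exit !found }'
}

# Stand-alone demo on the constructed data (no network is touched here).
current=$(last_ipcp_address "$SAMPLE_LOG" "Oct  7")
echo "router address: $current"
echo "action against a stale record of 216.160.111.159: $(update_action "$current" 216.160.111.159)"
exposed_ports "$SAMPLE_NAT"
outside_port_free "$SAMPLE_NAT" 22 || echo "port 22 is already forwarded; pick another (the poster used 222)"
```

To use this for real, replace the two sample strings with the contents of the syslog file and the output of sh nat, feed the result of dns_address into update_action, and only build and send the DHS update request when the answer is "update".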