Subject: Re: [suse-security] network options
From: Russell Evans (revans e-z.net)
Date: Fri Oct 06 2000 - 23:41:46 CDT
Cleaned up the grammar, I hope. I hate it when I sound like an idiot.
The Cisco 675 will do PAT, port address translation, as well as NAT,
network address translation. You want to do a "set nat entry add" on
the 675 to open a port on the DHCP addressed WAN port. This port will
be forwarded to the specified computer's IP address and port. The full
command you want to use is "set nat entry add inside_ipaddress port".
The inside_ipaddress port is the computer's IP address / port you wish
opened.
The full command for port forwarding is "set nat entry add
inside_ipaddress port outside_ipaddress port protocol". By leaving the
outside address unspecified, the Cisco 675 will open a port on any
address you receive on the WAN port via DHCP. If you specify the
address then it will break if you are ever assigned a new one.
To assign a name to your box I would suggest www.dhs.org. Sign up for
a dyn.dhs.org host and then apply the DHCP address that the Cisco 675
has on its wan0-0 port. Use the command "sh nat" on the Cisco to get the
DHCP address you received.
cbos#sh nat
NAT is currently enabled
Inside Global Address set to 216.160.111.159
Inside Local      Inside Global           Timer  Flags   Protocol
10.0.0.30: 222    216.160.111.159: 222    0      0x2041  ***
10.0.0.10: 25     216.160.111.159: 25     0      0x2041  ***
10.0.0.10: 22     216.160.111.159: 22     0      0x2041  ***
You can see that I have two computers. I have PAT pointing connections
for ssh (22), SMTP (25), and port 222, which is ssh running on the
second host. You can only point one port on the WAN interface to one
computer / port, so to ssh into the second computer required another port
to be opened and the sshd daemon on that host to listen on port
222. I used 222 because it is easy for me to remember:
ssh myhost.dyn.dhs.org 222
There were a few times when I wanted access to my computers when
away, where service had been interrupted and I had received a new DHCP
address. Of course, being away from the systems, I had no way of knowing
what the address assigned was, and myhost.dyn.dhs.org was not pointing
to the new address. I had no way to know what to connect to and was
locked out. To fix this, I used a script and set up the Cisco 675 to log
its syslog to one of my machines. The Cisco commands are
cbos#set syslog
SET SYSLOG requires one of the following arguments
disabled Turn off Syslog
enabled Turn on Syslog
port Set Syslog Port Number
remote Set Remote IP Address
test Test Syslog server
So enable it and use "set syslog remote ipaddress" to point the logging
to your computer. Using YaST, it is very easy to set up syslog to accept
traffic from other hosts. System Administration/Change configuration/
look for SYSLOGD_PARAMS and add -r to the options. Now do as root
"/sbin/init.d/syslog restart", and then on the Cisco use the command
cbos#set syslog test HELLO, this is cool.
To test that this works, use, as root, on the host with syslogd
accepting input from the 675, the command "grep HELLO,
/var/log/messages".
Now every time the Cisco picks up a new address it will log this fact
to the syslog daemon on your computer. The script will search for the
IP address logged in /var/log/messages and if it does not match the
current DNS setting at dhs.org it will change them to match.
Set up the attached file with the appropriate settings for your dhs.org
account. Then set up a cron job as root to run the script every hour
or so. It has to be root because only root has access to
/var/log/messages. When run, the script will test the current DNS
settings of your dyn.dhs.org host on the dhs.org DNS server; if the
current IP address of the Cisco matches, then logger logs this fact to
syslog. If the IP address isn't the same, the script updates your
settings and logs whether it was successful or not.
Thank you
Russell
> I get service through USWest and I believe that I have a Cisco
> 675 DSL modem. I'm interested in what you develop for a setup on this...
>
> Thanks,
> Ryan
- application/x-sh attachment: dhspublic.sh
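As an added example (this is not the dhspublic.sh attachment from the post), here is the core of the check the post describes: pull the most recent WAN address the 675 logged into /var/log/messages and compare it with what DNS currently publishes for the dyn.dhs.org name. The exact wording of the 675's syslog line, the use of host(1) for the lookup and the "dhsupdate" logger tag are assumptions; the dhs.org update call itself is not shown because its interface is not on the page.

```shell
#!/bin/sh
# Added example, not the script attached to the original message.
# Assumption: the 675 logs its new lease as "wan0-0 DHCP lease acquired,
# address <ip>"; that wording is constructed here, not taken from the page.

# Constructed sample of /var/log/messages content (not real log data).
SAMPLE_LOG='Oct  6 22:01:12 gw cbos: wan0-0 DHCP lease acquired, address 216.160.111.159
Oct  6 22:01:13 myhost sshd[412]: Accepted publickey for revans from 10.0.0.30
Oct  6 23:10:44 gw cbos: wan0-0 DHCP lease acquired, address 216.160.113.7'

# Print the most recent WAN address the 675 logged; log text comes on stdin.
latest_wan_ip() {
    grep 'cbos: wan0-0 DHCP lease acquired' |
        sed -n 's/.*address \([0-9][0-9.]*\)$/\1/p' |
        tail -n 1
}

# Decide whether the dyn.dhs.org record must change.
# $1 = address the 675 logged, $2 = address currently published in DNS.
# Returns 0 (true) when an update is needed, 1 when they already match
# or when no address was found in the log.
needs_update() {
    [ -n "$1" ] && [ "$1" != "$2" ]
}

# Resolve the published address of the dynamic host (assumed tool: host(1)).
dns_address() {
    host "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# Hourly cron entry point: compare the logged address with DNS and report.
main() {
    logged=$(latest_wan_ip < /var/log/messages)
    current=$(dns_address myhost.dyn.dhs.org)
    if needs_update "$logged" "$current"; then
        logger -t dhsupdate "WAN address is now $logged, DNS has ${current:-none}: update required"
        # dhs.org update request would go here; its interface is not on the page.
    else
        logger -t dhsupdate "DNS already points at ${logged:-unknown}, nothing to do"
    fi
}

# Only run the live check when invoked as "sh script.sh run" (e.g. from cron).
if [ "${1-}" = run ]; then main; fi
```

Run it as root with the "run" argument from cron; the parsing and comparison functions can be exercised on SAMPLE_LOG without touching the real log.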