Then you must hang up the modem using your terminal program again:

    # route del default
    # route del cowslip
    # ifconfig sl0 down
    # kill -HUP 516

Note that the 516 should be replaced with the process id (as shown in the output of ps ax) of the slattach command controlling the slip device you wish to take down.

Dealing with Private IP Networks

You will remember from Chapter 5, Configuring TCP/IP Networking, that the Virtual Brewery has an Ethernet-based IP network using unregistered network numbers that are reserved for internal use only. Packets to or from one of these networks are not routed on the Internet; if we were to have vlager dial into cowslip and act as a router for the Virtual Brewery network, hosts within the Brewery's network could not talk to real Internet hosts directly because their packets would be dropped silently by the first major router.

To work around this dilemma, we will configure vlager to act as a kind of launch pad for accessing Internet services. To the outside world, it will present itself as a normal SLIP-connected Internet host with a registered IP address (probably assigned by the network provider running cowslip). Anyone logged in to vlager can use text-based programs like ftp, telnet, or even lynx to make use of the Internet. Anyone on the Virtual Brewery LAN can therefore telnet and log in to vlager and use the programs there. For some applications, there may be solutions that avoid logging in to vlager. For WWW users, for example, we could run a so-called proxy server on vlager, which would relay all requests from your users to their respective servers.

Having to log in to vlager to make use of the Internet is a little clumsy. But apart from eliminating the paperwork (and cost) of registering an IP network, it has the added benefit of going along well with a firewall setup. Firewalls are dedicated hosts used to provide limited Internet access to users on your local network without exposing the internal hosts to network attacks from the outside world. Simple firewall configuration is covered in more detail in Chapter 9, TCP/IP Firewall. In Chapter 11, IP Masquerade and Network Address Translation, we'll discuss a Linux feature called "IP masquerade" that provides a powerful alternative to proxy servers.

Assume that the Brewery has been assigned the IP address 192.168.5.74 for SLIP access. All you have to do to realize the setup discussed above is to enter this address into your /etc/hosts file, naming it vlager-slip. The procedure for bringing up the SLIP link itself remains unchanged.

Using dip

Now that was rather simple. Nevertheless, you might want to automate the steps previously described. It would be much better to have a simple command that performs all the steps necessary to open the serial device, cause the modem to dial the provider, log in, enable the SLIP line discipline, and configure the network interface. This is what the dip command is for.

dip means Dialup IP. It was written by Fred van Kempen and has been patched very heavily by a number of people. Today there is one strain that is used by almost everyone: Version dip337p-uri, which is included with most modern Linux distributions, or is available from the metalab.unc.edu FTP archive.

dip provides an interpreter for a simple scripting language that can handle the modem for you, convert the line to SLIP mode, and configure the interfaces. The script language is powerful enough to suit most configurations.

To be able to configure the SLIP interface, dip requires root privilege. It would now be tempting to make dip setuid to root so that all users can dial up some SLIP server without having to give them root access. This is very dangerous, though, because setting up bogus interfaces and default routes with dip may disrupt routing on your network. Even worse, this action would give your users power to connect to any SLIP server and launch dangerous attacks on your network. If you want to allow your users to fire up a SLIP connection, write small wrapper programs for each prospective SLIP server and have these wrappers invoke dip with the specific script that establishes the connection. Carefully written wrapper programs can then safely be made setuid to root. An alternative, more flexible approach is to give trusted users root access to dip using a program like sudo
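A sketch of what "carefully written" means for such a wrapper, as an added example that is not part of the original text: it accepts no arguments, passes dip a fixed environment, and refuses to run unless both dip and the one permitted script are root-owned regular files that nobody else can write. The paths DIP_PATH and SCRIPT_PATH and the helper file_is_trusted are assumptions made for illustration.

```c
/* Added example: setuid-root wrapper that runs dip with one fixed script. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define DIP_PATH    "/usr/sbin/dip"         /* assumed install location */
#define SCRIPT_PATH "/etc/dip/cowslip.dip"  /* assumed script location  */

/* Return 0 only if path is a regular file (not a symlink) owned by `owner`
 * and not writable by group or others; otherwise -1. A script that a user
 * can replace would hand that user everything dip can do as root. */
int file_is_trusted(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;       /* lstat: never follow links */
    if (!S_ISREG(st.st_mode)) return -1;
    if (st.st_uid != owner) return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Nothing is inherited from the caller: fixed argv, fixed environment. */
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    static char *const dip_argv[]  = { "dip", SCRIPT_PATH, NULL };

    (void)argv;
    if (argc != 1) {                  /* users may not choose script or options */
        fprintf(stderr, "this wrapper takes no arguments\n");
        return 2;
    }
    if (file_is_trusted(DIP_PATH, 0) != 0 || file_is_trusted(SCRIPT_PATH, 0) != 0) {
        fprintf(stderr, "refusing to run: dip or its script is not root-only\n");
        return 1;
    }
    umask(077);
    execve(DIP_PATH, dip_argv, clean_env);  /* absolute path, no PATH search */
    perror("execve");
    return 1;
}
```

The directories holding dip and the script must also be writable only by root, since the ownership check and the execve are separate steps.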
