
Re: managing ethernet and wireless interfaces

I made the same choices as you. mapping-scheme is incorrectly documented. I cannot remember what was wrong, but attached is an example mapping-scheme script...

A system-wide fw script does the global setup for the firewall. Then, as each interface is added, fw-iface adds rules for it (called from interfaces), so one can have both copper and wireless interfaces up.

Hope it helps, but ymmv.

sime wrote:

I would like to know how linux laptop users are managing multiple interfaces (eth and wifi).

I use ethernet with DHCP regardless of location. Wireless one location WEP, other location WPA.

By choice none of my interfaces are initialised on boot. I prefer to bring them up using ifup(8).

Below is essentially my /etc/network/interfaces file:
auto lo
iface lo inet loopback

iface eth0 inet dhcp        # Wireless
        hostname tempest
        wireless-essid blah
        wireless-nick blah
        wireless-key blah

iface eth1 inet dhcp        # Ethernet

After managing to get WPA to work, I started hacking around in interfaces(5) but got nowhere. Now if I action `ifup eth0` with the eth1 line commented out I get:
DHCPREQUEST on eth1 to port 67
DHCPDISCOVER on eth0 to port 67 interval 8

If the ethernet cable is plugged in, it will get the DHCPACK:
bound to -- renewal in 43200 seconds.

Why is eth1 making a DHCPREQUEST? Further, it would be great if someone could show how the mapping works, as I am getting no results. Additionally, if you are using any other packages for managing multiple interfaces, please let me know!


# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback

iface eth0 inet dhcp
	up /etc/network/fw-iface

mapping eth1 
	script /usr/local/sbin/mapping-scheme

iface HOME inet dhcp
	wireless-essid home
	wireless-mode  Managed
	wireless-key   wep4home
	up /etc/network/fw-iface

iface RELATIVES inet dhcp
	wireless-essid relatives
	wireless-mode  Managed
	wireless-key   wep4relatives
	up /etc/network/fw-iface

iface WORK inet dhcp
	wireless-essid work
	wireless-mode  Managed
	wireless-key   wep4work
	up /etc/network/fw-iface

iface AWAY inet dhcp
	up /etc/network/fw-iface

#!/bin/sh
# /usr/local/sbin/mapping-scheme: ifupdown mapping script for eth1 (see the
# "mapping eth1" stanza above).  ifupdown runs it with the physical interface
# as $1; whatever it prints on stdout is the logical interface brought up.
# Note: /tmp/iwlist is a fixed path in a world-writable directory written as
# root; a private file (mktemp, or something under /run) would be safer.

iwlist eth1 scanning | awk -F: '/ESSID/ { print $2;};' | sed 's/"//g' >/tmp/iwlist

ESSIDS="`cat /tmp/iwlist`"    # collected but not used below

# Plain grep matches substrings, so any ESSID merely containing "home" (or
# "relatives", "work") selects that stanza and its key.  The posted copy lacked
# the elif/else/fi; this chain is the intended "first match wins" logic.
if [ "`grep home /tmp/iwlist`" ]; then
  echo HOME
elif [ "`grep relatives /tmp/iwlist`" ]; then
  echo RELATIVES
elif [ "`grep work /tmp/iwlist`" ]; then
  echo WORK
else
  echo AWAY
fi

#!/bin/sh
# fw: system-wide firewall setup (global rules).  Per-interface rules are added
# later by /etc/network/fw-iface from the "up" lines in /etc/network/interfaces.
# The posted fragment never sets UNIVERSE; "any address" is assumed here, as in
# the IP Masquerade HOWTO rc.firewall scripts this layout follows.
UNIVERSE="0.0.0.0/0"

# global rules (independent of interfaces.)

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
if [ -n "`iptables -L | grep drop-and-log-it`" ]; then
     iptables -F drop-and-log-it
fi
iptables -F
# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z

# "fw stop" only needs the teardown above (policies ACCEPT, chains flushed).
# The exit and closing fi are missing from the posted fragment and assumed here.
if [ "$1" = stop ]; then
    exit 0
fi

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -N drop-and-log-it
#fixme drop-and-log-it was too verbose...
#iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j DROP
# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Stuff we are worried about.
# (the rule matches on *source* port 137:139, i.e. NetBIOS traffic sent from
# those ports, despite what the message says)
echo "Rejecting all connections to 137:139"
iptables -N NETBIOS
iptables -A INPUT -p udp --sport 137:139 -j NETBIOS
iptables -A NETBIOS -j LOG --log-prefix "IPTABLES NETBIOS: "
iptables -A NETBIOS -j DROP

# Rate-limit new TCP connection attempts; anything over the limit is dropped.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 3/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

echo "Making sure NEW tcp connections are SYN packets"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

echo "NO Logging fragments caught"
#iptables -N fragments
#iptables -A INPUT -f -j fragments
#iptables -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:"
#iptables -A fragments -j DROP

# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT



#!/bin/sh
# /etc/network/fw-iface: per-interface rules, run from the "up" lines in
# /etc/network/interfaces.  ifupdown exports the interface being brought up as
# $IFACE; the posted fragment never sets EXTIF or UNIVERSE, so both are assumed.
EXTIF="$IFACE"
UNIVERSE="0.0.0.0/0"

# Address of $EXTIF, taken from the "inet addr:x.x.x.x" line of (net-tools)
# ifconfig output, with /24 appended: EXTIP is the local network, not just the
# single address.
EXTIP="`ifconfig $EXTIF | awk /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`/24"

# Allow any related traffic coming back to the MASQ server in
echo "incoming traffic on established connections are ok"
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "incoming DHCP ok"
# DHCP runs over UDP, and server replies arrive from port 67 to the client's
# port 68; the posted rules had the two ports the other way round (and a TCP
# rule that can never match).
iptables -A INPUT -i $EXTIF -p udp --sport 67 --dport 68 -j ACCEPT

echo "incoming DNS ok"
# These accept any packet whose source port is 53, whatever it carries; replies
# to our own queries are already covered by the ESTABLISHED,RELATED rule above.
iptables -A INPUT -i $EXTIF -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp --sport 53 -j ACCEPT

# anything else outgoing on remote interface is valid
echo "outbound ok"
# No OUTPUT rule survives in the posted fragment; without one the OUTPUT DROP
# policy set by fw blocks all outbound traffic on $EXTIF.  Rule assumed from
# the comment above:
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

# Catch all rule(s), all other traffic is denied and logged.
echo "block everything else"
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
#iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
#Peter... not sure about this one.
#iptables -A FORWARD -j drop-and-log-it
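The mapping-scheme script above greps for a substring of each ESSID, so any network whose name merely contains "home" is treated as the home network and brought up with that stanza's key. Below is an added example, not code from the original post, of the same kind of ifupdown mapping script written to match ESSIDs exactly and to take its ESSID-to-stanza table from "map" lines the way interfaces(5) describes, instead of hard-coding the names. The stanza quoted in the comments, the sample iwlist output (including its MAC addresses) and the map table are constructed for the demonstration; a real run takes the interface from $1 and the map lines from stdin, as ifupdown supplies them.

```shell
#!/bin/sh
# Added example, not from the original post: an ifupdown "mapping" script that
# selects the logical interface by *exact* ESSID match.  ifupdown runs the
# script with the physical interface as $1 and feeds it the stanza's "map"
# lines on stdin; the name printed on stdout is the logical interface used.
#
# Assumed stanza for /etc/network/interfaces (constructed; the post hard-codes
# the names in the script instead of using "map" lines):
#   mapping eth1
#       script /usr/local/sbin/mapping-scheme
#       map home HOME
#       map relatives RELATIVES
#       map work WORK
#       map * AWAY

# Print the ESSIDs found in "iwlist <iface> scanning" output (read on stdin),
# one per line, without the surrounding quotes.
essids_from_scan() {
    sed -n 's/^.*ESSID:"\([^"]*\)".*$/\1/p'
}

# choose_scheme SCAN_TEXT MAP_TEXT: print the logical interface for the first
# "map" entry whose ESSID is present in the scan, or the "*" fallback if one
# is given.  Matching is fixed-string and whole-line (grep -xF), so "home"
# does not match "homeless" and a scanned ESSID is never treated as a pattern.
choose_scheme() {
    scan=$1
    maps=$2
    seen=$(printf '%s\n' "$scan" | essids_from_scan)
    while read -r pattern logical; do
        [ -z "$pattern" ] && continue
        if [ "$pattern" = '*' ]; then
            echo "$logical"
            return 0
        fi
        if printf '%s\n' "$seen" | grep -qxF -- "$pattern"; then
            echo "$logical"
            return 0
        fi
    done <<EOF
$maps
EOF
    return 1    # nothing matched and no "*" fallback: ifupdown gets no name
}

# Constructed sample scan output (abridged iwlist format) and map lines for the
# demonstration below; real runs take them from iwlist and stdin.
SAMPLE_SCAN='eth1      Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"homeless"
                    Mode:Master
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"work"
                    Mode:Master'
HOME_SCAN='eth1      Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"home"
                    Mode:Master'
SAMPLE_MAP='home HOME
relatives RELATIVES
work WORK
* AWAY'

if [ $# -gt 0 ]; then
    # Invoked by ifupdown: scan the physical interface given as $1 and read
    # the "map" lines from stdin.
    choose_scheme "$(iwlist "$1" scanning 2>/dev/null)" "$(cat)"
else
    # Stand-alone demonstration: the substring grep in the posted script would
    # pick HOME for the "homeless" network; exact matching picks WORK.
    choose_scheme "$SAMPLE_SCAN" "$SAMPLE_MAP"
fi
```

Run without arguments it prints WORK for the constructed scan; installed as the mapping script it is called by ifup with the interface name and the map lines, and an ESSID only ever has to equal a map entry, never merely contain it. Whichever stanza is chosen, the selection is still based on a broadcast name that any access point can advertise, so the per-stanza key, not the ESSID, is what actually authenticates the network.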
