I made the same choices as you. mapping-scheme is incorrectly documented. I cannot remember what was wrong, but attached is an
example mapping-scheme script...
A system-wide fw script does the global setup for the firewall. Then, as each interface is added, fw-iface adds rules for it (called from interfaces), so one can have both copper and wireless interfaces up.
Hope it helps, but YMMV.
sime wrote:
I would like to know how linux laptop users are managing multiple interfaces (eth and wifi).
I use ethernet with DHCP regardless of location. Wireless: one location WEP, the other location WPA.
By choice none of my interfaces are initialised on boot. I prefer to bring them up using ifup(8).
Below is essentially my /etc/network/interfaces file:

auto lo
iface lo inet loopback

iface eth0 inet dhcp    # Wireless
    hostname tempest
    wireless-essid blah
    wireless-nick blah
    wireless-key blah

iface eth1 inet dhcp    # Ethernet
After managing to get WPA to work, I started hacking around in interfaces(5) but got nowhere. Now if I action `ifup eth0` with the eth1 line commented out I get:
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8
If the ethernet cable is plugged in, it will get the DHCPACK:
DHCPACK from 192.168.1.1 bound to 192.168.1.117 -- renewal in 43200 seconds.
Why is eth1 making a DHCPREQUEST? Further, it would be great if someone could show how the mapping works, as I am getting no results. Additionally, if you are using any other packages for managing multiple interfaces, please let me know!
-sime
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback

iface eth0 inet dhcp
    up /etc/network/fw-iface

mapping eth1
    script /usr/local/sbin/mapping-scheme

iface HOME inet dhcp
    wireless-essid home
    wireless-mode Managed
    wireless-key wep4home
    up /etc/network/fw-iface

iface RELATIVES inet dhcp
    wireless-essid relatives
    wireless-mode Managed
    wireless-key wep4relatives
    up /etc/network/fw-iface

iface WORK inet dhcp
    wireless-essid work
    wireless-mode Managed
    wireless-key wep4work
    up /etc/network/fw-iface

iface AWAY inet dhcp
    up /etc/network/fw-iface
#!/bin/sh
# mapping-scheme -- run by ifupdown for the "mapping eth1" stanza; prints the
# logical interface to bring up (HOME, RELATIVES, WORK or AWAY).
# ifupdown passes the physical interface name as $1; eth1 is the fallback.
IFACE_NAME="${1:-eth1}"

# ESSIDs visible right now, one per line, quotes stripped. Kept in a variable
# instead of a predictable file under /tmp.
ESSIDS="`iwlist $IFACE_NAME scanning | awk -F: '/ESSID/ { print $2;};' | sed 's/"//g'`"

if echo "$ESSIDS" | grep -q home; then
    echo HOME
    exit
fi
if echo "$ESSIDS" | grep -q relatives; then
    echo RELATIVES
    exit
fi
if echo "$ESSIDS" | grep -q work; then
    echo WORK
    exit
fi
echo AWAY
exit
#!/bin/sh
# fw -- global rules (independent of interfaces.)
UNIVERSE="0.0.0.0/0"

# Reset: open policies, flush everything (including the nat table)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
# Only flush the custom chain if it exists from a previous run
if iptables -n -L drop-and-log-it >/dev/null 2>&1; then
    iptables -F drop-and-log-it
fi
iptables -F
# Delete all user-specified chains
iptables -X
# Reset all iptables counters
iptables -Z

# "fw stop" leaves the firewall open and exits here
if [ "$1" = stop ]; then
    exit
fi

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -N drop-and-log-it
# fixme: drop-and-log-it was too verbose...
#iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j DROP

# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Stuff we are worried about.
echo "Rejecting all connections to 137:139"
iptables -N NETBIOS
iptables -A INPUT -p udp --sport 137:139 -j NETBIOS
iptables -A NETBIOS -j LOG --log-prefix "IPTABLES NETBIOS: "
iptables -A NETBIOS -j DROP

echo "Enabling SYN-FLOODING PROTECTION"
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 3/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

echo "Making sure NEW tcp connections are SYN packets"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

echo "NO Logging fragments caught"
#iptables -N fragments
#iptables -A INPUT -f -j fragments
#iptables -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:"
#iptables -A fragments -j DROP

# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
#!/bin/sh
# fw-iface -- per-interface rules, run from the "up" lines in
# /etc/network/interfaces. ifupdown exports the interface name as $IFACE;
# eth1 is the fallback when run by hand.
#env
#EXTIF="ppp0"
EXTIF="${IFACE:-eth1}"
# First inet address of $EXTIF from ifconfig output, written as a /24
EXTIP="`ifconfig $EXTIF | awk /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`/24"
UNIVERSE="0.0.0.0/0"

# Allow any related traffic coming back to the MASQ server in
echo "incoming traffic on established connections are ok"
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# DHCP is UDP only; server replies come from port 67 to the client's port 68
echo "incoming DHCP ok"
iptables -A INPUT -i $EXTIF -p udp --sport 67 --dport 68 -j ACCEPT

echo "incoming DNS ok"
iptables -A INPUT -i $EXTIF -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp --sport 53 -j ACCEPT

# anything else outgoing on remote interface is valid
echo "outbound ok"
iptables -A OUTPUT -s $EXTIP -d $UNIVERSE -j ACCEPT

# Catch all rule(s), all other traffic is denied and logged.
echo "block everything else"
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
#iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
#Peter... not sure about this one.
#iptables -A FORWARD -j drop-and-log-it
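An added example, not the poster's mapping-scheme script and not part of the original mail, showing how the ifupdown mapping hook works: ifupdown runs the script with the physical interface as its argument, feeds the stanza's "map" lines on stdin, and reads the chosen logical interface from stdout. The ESSID-to-scheme table is taken from those map lines (assumed here to arrive as "ESSID SCHEME" pairs, e.g. `map home HOME`), and the ESSID is matched as a whole line rather than by substring, so a network called "homeless-cafe" does not select HOME. The scan output and map table below are constructed sample data; the function names are this example's own.

```shell
#!/bin/sh
# Added example: the ifupdown mapping-script contract with exact ESSID matching.
# Usage as a mapping script:   mapping-scheme <physical-iface>   (map lines on stdin)
# With no argument it only defines the functions and runs the demo below.

# Constructed iwlist-style scan output (not from a real scan).
SAMPLE_SCAN='          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"homeless-cafe"
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"work"'

# Constructed map table, one "ESSID SCHEME" pair per line, as assumed to be
# delivered on stdin from lines such as "map home HOME" in the mapping stanza.
SAMPLE_MAP='home HOME
relatives RELATIVES
work WORK'

# Print the ESSIDs found in iwlist-style output, one per line, quotes stripped.
essids_from_scan() {
    sed -n 's/.*ESSID:"\([^"]*\)".*/\1/p'
}

# choose_scheme SCAN_ESSIDS MAP_TABLE FALLBACK
# Walks the map table in order and prints the scheme of the first ESSID that
# appears as a whole line in SCAN_ESSIDS (-x: whole line, -F: no regex).
# Prints FALLBACK when nothing matches.
choose_scheme() {
    scan="$1"; table="$2"; fallback="$3"
    result=$(printf '%s\n' "$table" | while read -r essid scheme; do
        [ -n "$essid" ] || continue
        if printf '%s\n' "$scan" | grep -qxF -- "$essid"; then
            printf '%s\n' "$scheme"
            break
        fi
    done)
    if [ -n "$result" ]; then
        printf '%s\n' "$result"
    else
        printf '%s\n' "$fallback"
    fi
}

if [ $# -gt 0 ]; then
    # Live mode: the map table comes from ifupdown on stdin, the ESSIDs from
    # a real scan of the physical interface given as $1 (needs root and iwlist).
    table=$(cat)
    scan=$(iwlist "$1" scanning 2>/dev/null | essids_from_scan)
    choose_scheme "$scan" "$table" AWAY
else
    # Demo on the constructed data: substring matching would have picked HOME
    # because of "homeless-cafe"; exact matching picks WORK.
    demo_scan=$(printf '%s\n' "$SAMPLE_SCAN" | essids_from_scan)
    choose_scheme "$demo_scan" "$SAMPLE_MAP" AWAY
fi
```

The same function can be dropped into the poster's layout by pointing the `script` line of the `mapping eth1` stanza at it and adding one `map` line per logical interface; the AWAY fallback keeps the interface coming up with plain DHCP when none of the known networks is in range.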