Basic Ethernet to Ethernet Router
This is probably the least complex IPRoute implementation. In this case, IPRoute was used to build an interface between two Ethernet LANs, one of which has a router accessing the Internet. The only functions needed here are filters to protect the integrity of the "downline" LAN. Filters are implemented to block calls to and from NetBEUI interfaces, to prohibit TELNET access to the router from "upline", and to prevent attempts to "spoof" the internal address of the "downline" LAN.
The materials used were:
- IPRoute v 1.18
- MSDOS
- a 1.44 floppy drive
- a 486dx4-100 PC with 4MB memory
- two Intel 10MB Ethernet cards
This router was tested in configurations using both the native packet drivers for the LAN cards and the ODI/ODIPKT combination. While the throughput and latency were unchanged with the different drivers, there were variations in the packet error results. This may be due to the native drivers.
AUTOEXEC.BAT
: Ethernet Card Packet Drivers
EXP16.COM 0x60 0x300
EXP16.COM 0x61 0x320
: now start the router
ipr router.ipr
Finally, the configuration file for IPRoute must reflect the desired routing information. This file simply assigns the two Ethernets, establishes the routes and defines the filters.
ROUTER.IPR
; 13:45 PM 3/20/98
; First ethernet interface is on the upline side
; Packet driver INT = 0x60
; Network address = mmm.nnn.ooo.1
; Second ethernet interface is on our side
; Packet driver INT = 0x61
; Network address = www.xxx.yyy.250
; Protocols:
; TCP = 6
; UDP = 17
; Start the console
command
ftpd
; Telnet Daemon - This goes in the top part of the
; script (startup section)
telnetd do_tel
user username password *:21
; Send logs to the local SysLog daemon
set log udp www.xxx.yyy.1
; Set up the upline and downline network interfaces
packet en0 0x60 mmm.nnn.ooo.1/24
packet en1 0x61 www.xxx.yyy.250/24
; -----------------------------------------------
; Route everything to the IP of the router
; that can reach the Internet.
route * en0 mmm.nnn.ooo.1
; Learn the routes on the downline interface
rip en1
; SECURITY
; Filter the NbT packets
; Port 137 uses UDP for NetBIOS setup
; These filters will block all NbT service
; requests into the box on the upline
filter en0 log drop in udp * *:137
; Filter attempts to Telnet to the router, on either
; interface, from the outside - log them
filter en0 log deny in tcp * mmm.nnn.ooo.1:23
filter en0 log deny in tcp * www.xxx.yyy.250:23
; filter any INCOMING packets with our address
; in the source to prevent spoofing
filter en0 log drop in * www.xxx.yyy.0/24 *
; Otherwise let everything else through
filter en0 permit in * * *
filter en0 permit out * * *
exit
; This will run for each incoming telnet connection.
do_tel:
on timeout drop_tel
send "\r\nlogin: "
set echo on
read 60 "\r\n" NAME
send "\r\nPassword:"
set echo off
read 60 "\r\n" PASS
authenticate NAME PASS *:21
log "$NAME logged in from $IPADDR:$PORT"
send "\r\n\n"
command
drop_tel:
exit
In this configuration we have found round trip latency in the router to be on the order of 2 ms.
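The en0 "in" filters from ROUTER.IPR can be checked offline before deployment. The following is an added example, not part of the original page or of IPRoute: it assumes the filters are evaluated in file order with the first match deciding, and it substitutes constructed documentation addresses (192.0.2.x for mmm.nnn.ooo.x, 198.51.100.x for www.xxx.yyy.x) for the page's masked ones.

```python
import ipaddress

# Constructed stand-ins for the page's masked mmm.nnn.ooo / www.xxx.yyy addresses.
ROUTER_UP, ROUTER_DOWN, DOWN_NET = "192.0.2.1", "198.51.100.250", "198.51.100.0/24"

# (action, proto, source, destination, dest port): the en0 "in" filters in file order.
EN0_IN = [
    ("drop",   "udp", "*",      "*",         137),
    ("deny",   "tcp", "*",      ROUTER_UP,   23),
    ("deny",   "tcp", "*",      ROUTER_DOWN, 23),
    ("drop",   "*",   DOWN_NET, "*",         None),
    ("permit", "*",   "*",      "*",         None),
]

def addr_match(pattern, addr):
    """True if pattern is '*', or addr equals the host / lies in the CIDR pattern."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def evaluate(rules, proto, src, dst, dport):
    """Return (action, rule index) of the first rule matching the packet (assumed order)."""
    for i, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules):
        if r_proto not in ("*", proto):
            continue
        if r_port is not None and r_port != dport:
            continue
        if addr_match(r_src, src) and addr_match(r_dst, dst):
            return action, i
    return "permit", None  # assumption: unmatched traffic is forwarded

# Constructed packets arriving on en0: (proto, source, destination, dest port).
SAMPLES = {
    "NbT name service 137/udp": ("udp", "192.0.2.77", "198.51.100.10", 137),
    "NbT datagram 138/udp":     ("udp", "192.0.2.77", "198.51.100.10", 138),
    "NbT session 139/tcp":      ("tcp", "192.0.2.77", "198.51.100.10", 139),
    "telnet to router (en0)":   ("tcp", "192.0.2.77", ROUTER_UP, 23),
    "telnet to router (en1)":   ("tcp", "192.0.2.77", ROUTER_DOWN, 23),
    "ftp to router (ftpd)":     ("tcp", "192.0.2.77", ROUTER_UP, 21),
    "downline source on en0":   ("tcp", "198.51.100.9", "198.51.100.10", 80),
}

def audit(rules=EN0_IN):
    """Map each sample packet to the action the rule list assigns it."""
    return {name: evaluate(rules, *pkt)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in audit().items():
        print(f"{action:7} {name}")
```

Under these assumptions the rule list stops 137/udp, Telnet to both router addresses and downline-sourced packets arriving on en0, while the other NetBIOS-over-TCP/IP ports (138/udp, 139/tcp) and the ftpd port fall through to the final permit. Extra filter lines ahead of that permit would be needed if those are meant to be closed from the upline side as well.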