ITEM: CK3507L
PPP demand interfaces for static IP addresses on AIX 4.2
env:
AIX 4.2.0.0
7012-32H
description:
You are having difficulties limiting PPP access to
certain ttys. You were using Morningstar software at
AIX 3.2.5, which accomplished that. He is trying to
find a way around the dynamic IP addressing for
clients that call in. He is at a university and
fears becoming a free ISP for the community,
so needs to restrict access.
Peter just upgraded from 3.2.5 to 4.2.0 and at 3.2.5 he had
Morningstar PPP for AIX, which gave him the ability to associate
a certain IP address with a particular tty - you login to tty##
and start PPP and you are assigned by the PPP server a static IP
the server associates with that tty... This way he could have a
pool of modems and restrict it so that callers could only start
up PPP on certain ttys... Any way to accomplish this under AIX
4.2's PPP?
ACT:
1) You can't restrict PPP from being started on a certain tty. Suggest
writing a script that checks the output of the `tty` command and
only starts pppattachd server if you are on a certain tty.
2) To assign out a static IP address to a PPP caller, use demand
interfaces to assign it a static IP.
We began by installing latest PPP maintenance: bos.net.ppp at the
4.2.0.8 level
To setup an AIX machine as a PPP demand server I did the
following:
smit ppp
Link control
Add link control
0 client
0 server
1 demand (my system only has one modem on it)
PPP interfaces
Add a demand interface
Local IP: My server IP for the connection
Starting remote IP: The IP address I want to assign out
for THIS demand interface
stop and then restart PPP.
Now netstat -in will show that the ppp interface created above (pp0
in my case) has an IP address, and if I do an ifconfig pp0 I see
that, in addition, it has the remote IP address it's going to
assign out.
I created a user called "ppp" and then in that user's .profile
I put the following:
export PPP_DEMAND_NET=0
exec /usr/sbin/pppattachd demand
So, when someone calls up my system and logs in as "ppp" they
will always be given the same IP address: the client is assigned
the remote IP address of the pp# interface, where # is the value
in PPP_DEMAND_NET. As another example, if I set
PPP_DEMAND_NET=5 then the caller would be assigned the IP address
seen in ifconfig pp5.
Wrote a small sample script to restrict which tty's PPP could
be started from:
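#!/bin/ksh
# Allow PPP only on the approved tty; ## stands for the tty and interface numbers.
if [ "`tty`" = "/dev/tty##" ]
then
    # Must be exported so that pppattachd sees it
    export PPP_DEMAND_NET=##
    exec /usr/sbin/pppattachd demand
else
    echo "You can't run PPP from `tty`"
fi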
Instead of putting the above into .profile you created a script
called "ppplogin" which users run to start PPP. Your script was
something like this:
#!/bin/ksh
PPP_DEMAND_NET=0
exec /usr/sbin/pppattachd demand
We did a kill -30 on the PID of pppcontrold to put PPP into detailed
debugging mode. With that on, the server logs the following to syslog
when someone dials in and runs the script above:
Feb 11 13:27:40 /usr/sbin/pppcontrold[11484]: 0838-301 DEBUG TURNED ON
Feb 11 13:29:04 pppattachd[10770]: 0838-005 Invalid arguments specified
Suspected that this may have something to do with starting a new
shell - you're execing pppattachd, but not from the lowest level
(login) shell.
After much testing this version of ppplogin script fails:
PPP_DEMAND_NET=0
exec /usr/sbin/pppattachd demand
This works flawlessly:
export PPP_DEMAND_NET=0
exec /usr/sbin/pppattachd demand
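The tty check and the exported PPP_DEMAND_NET can be combined in a single ppplogin. The following is an added example, not part of the original item; the tty-to-interface table, the function names and the logger calls are assumptions.

```shell
#!/bin/ksh
# ppplogin: start PPP only from approved ttys, each tied to one demand interface.
# Constructed allowlist: tty device -> N of the ppN demand interface whose
# "Starting remote IP" (set in smit ppp) is handed to the caller on that line.
demand_net_for_tty() {
    case "$1" in
        /dev/tty0) echo 0 ;;
        /dev/tty1) echo 1 ;;
        *) return 1 ;;      # includes "not a tty" and every unlisted device
    esac
}

ppplogin() {
    line="$1"
    if net=$(demand_net_for_tty "$line"); then
        # Exported on purpose: the unexported form failed on this page with
        # "0838-005 Invalid arguments specified".
        export PPP_DEMAND_NET="$net"
        logger -p auth.info "ppplogin: $LOGNAME on $line -> pp$net"
        exec /usr/sbin/pppattachd demand
    fi
    # Record refused attempts so unexpected lines show up in syslog.
    logger -p auth.notice "ppplogin: refused PPP for $LOGNAME on $line"
    echo "You can't run PPP from $line" >&2
    return 1
}

# Run only when installed under the name ppplogin (keeps the functions sourceable).
case "$0" in
    *ppplogin) ppplogin "$(tty)" ;;
esac
```

Each listed tty needs a matching demand interface defined in smit ppp, and the link control demand count must cover them.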
Now the PC dialing in using Trumpet Winsock can ping the RS/6000 and
vice-versa. Since you have the PPP IP addresses on a separate subnet
(good!) there is no need to do pseudo proxy arp to get the RS/6000 to
pick up packets destined for the PC's IP. Just added a route into
your router's routing table making the RS/6000's ethernet interface the
gateway to the PPP subnet.
Now in order to get AIX to forward packets between its IP interfaces
(the pp# and en# interface in this case):
no -o ipforwarding=1
and added routes to your router so that it knew to forward
packets to the RS/6000's ethernet interface as the gateway
to the PPP subnet. To make this change take effect on each
reboot, you can add the above no command to /etc/rc.net
Though you have done this correctly by putting the PPP IPs on a
separate subnet, just as an FYI: if the PPP interfaces and the en0 interface
had IP addresses on the same subnet, you could get the
RS/6000's ethernet interface to pick up packets destined for the PPP
client's IP address with:
arp -s ether \ \ perm
Dated: February 1997 Category: N/A
This HTML file was generated 99/06/24~13:30:17