Pre-Intro: I haven't looked closely at this in some time, and it's getting dated. I'll be doing a rewrite soon, but until then look before you leap! Lots of references and links point to the old version that I'm using, which is something like two major revisions behind the curve. You'll still find this helpful, but it's not perfect.
Intro: I wanted a simple way to connect several PC's to the internet using a single fulltime connection. I couldn't get RedHat to install on the Compaq 486 I planned to use, and found LRP while looking for RH fixes. It is a far better solution, and actually quite simple if you take the time to read the documentation. It is hoped that this document helps a few others in similar situations.
These are instructions for installing and configuring a masquerading network firewall with LRP. In my example I cover a static IP internet connection. DHCP on LRP also works just fine, and will be covered in the next revision of this document.
These instructions assume that you have an existing connection to the internet and are running MS-DOS or Win95/98/NT on another PC. (If your other PC is *nix, man dd and you'll be fine.) We will refer to the box that is going to be the router as the RPC or Router PC, and the other machine as the Windows box.
Revision History:
10/9/99 -- shamelessly copied and modified Gary J.'s
CABLE-MODEM HOWTO. Still not much xDSL specific stuff in it.
10/13/99 -- fixed FTP forwarding commands.
10/16/99 -- added package stuff and some xDSL info.
10/18/99 -- fixed telnet ipfwadm command.
11/23/99 -- added how to make modules.lrp
09/01/00 -- removed modmaker advice
09/06/00 -- added link to Jeff Newmiller's more extensive module descriptions
xDSL Provider Information
If your provider gave you a static IP address and netmask, a gateway, and a couple of DNS servers, you probably can skip to section 1. If you heard anything about PPPoE or PPPoA, I can explain what they are here but I don't know anything about getting them to work in LRP yet. If you have an internal PCI xDSL card, again I know the theory but not the implementation. Please write me with details and I'll include it.
DSL has been a lab technology for over 10 years, until the cable companies jumped into the telco's pond with both feet. I'm going to keep the details skimpy here, if you want major information about xDSL you can start reading here:
This document will assume that you've been given a bridge by your DSL provider. If you are getting service from Southwestern Bell, Pacific Bell, Nevada Bell, Bell Atlantic, or Ameritech then you have an Alcatel 1000 ADSL bridge. (Circuit service, regardless of your ISP.) Your bridge can operate in one of two ways: It can use RFC1483 coding on its 10Base-TX port, or it can use RFC1577 coding on its ATM-25 port.
RFC1483: [Transport Layer][IP][IEEE 802.3][AAL-5][ADSL]
RFC1577: [Transport Layer][IP][AAL-5][ADSL]
I believe that Ameritech is the only US provider offering an ATM-25 based service -- if you're using it, please let me know as I have no idea how to get LRP to talk to an ATM-25 NIC. It must be possible and is probably easy.
If you're using RFC1483, life is easy on the end-user side. (It gets very ugly on the host side, but that's not your problem right now.) All you need to do is build a dual Ethernet router, which is what this document explains.
1. Set up hardware on the Router PC
Install 2 NIC's and at least 8MB of RAM in an old PC (386/SX or better). While you have the case open, write down the MAC address of the cards (typically something like 0b03a10c0001 or 0b:03:a1:0c:00:01) usually written on the card or a chip. This information will come in handy later. If you are using ISA network cards, write down the irq and memory settings for the cards that you have installed. ISA ethernet cards need to be set to non-conflicting irq and memory settings, and PnP must be disabled. If you don't have the settings or need to disable PnP, you will need to boot the PC using a DOS floppy and run the configuration tool on the disk that came with the network card. You don't even need a hard drive installed in this PC as everything in LRP is installed from the floppy disk. This is a great way to recycle all those useless PC's you've got lying around. For example, I used an old 486-33 with 12MB and two cheap NE2000 clone network cards - total investment, one evening of helping a relative upgrade, plus $10 for a second NIC.
2. Obtain the latest version of LRP
Using your windows machine download the "idiot image" from ftp://ftp.linuxrouter.org/linux-router/dists/stable/ or a mirror. This file is an extremely basic LRP installation (basic meaning no modules). Be careful when downloading the file using Netscape. The file may be corrupted if it does not download as a binary file. Try right-clicking and choosing "save as." MS Internet Explorer usually properly detects binaries. Currently the latest stable version is 2.9.4, which uses the Linux 2.0.36 kernel. There is a project underway to move LRP into a 2.2.x kernel, which would mean ipchains instead of ipfwadm. This project is named Kilimanjaro, check http://lrp.c0wz.com for details.
Open a command prompt and rename the file in MS-DOS 8.3 naming convention. For instance: RENAME IDIOT-~1.IMG IDIOT.IMG
3. Download rawrite2.exe from the ftp site.
You will need rawrite to write the "idiot image" to the boot floppy. This can be found at ftp://ftp.linuxrouter.org/linux-router/utils/ or a mirror.
4. Create the boot floppy
Using your windows box: Format a 1.44 floppy disk as a blank, (it does not need to be formatted as bootable, as rawriting the image file will take care of that). Don't use the /q quick switch, as that will not catch errors that will prevent rawrite from working.
Assuming that the "idiot Image" that you downloaded was saved as IDIOT.IMG, place a blank, 1.44MB formatted floppy in the A: drive. Type in:
RAWRITE IDIOT.IMG A: [press enter]
You might not be able to see anything on the floppy from your DOS prompt after rawrite is finished. This is normal, don't worry!
5. Boot the floppy for the first time.
Insert the boot floppy into the Router PC and boot. If the boot fails simply try a different floppy disk and downloading a fresh copy of the "idiot image". On some PC's you may need to change some BIOS settings so that the machine boots from the floppy and not the harddrive. Some systems may complain that they can't find the keyboard or hard disk, because you took them off. This could be a problem if you plan to run the box headless, so check to see if the PC can boot and start seeking an OS when configured as you plan to run it. Also, some useful information is sent to the screen and nowhere else during boot, so don't remove the monitor until you're sure everything works like you want it to.
Floppy drives are inexpensive and not the most accurately aligned devices in the world. LRP can be very sensitive to imperfect floppy drives, especially when using large-format disks. If you just can't get the PC to boot no matter how many floppies you try, try changing floppy drives in one or both machines.
Once the PC has booted and you get the login: prompt, take the floppy out and turn the PC off again. Now it's time to use your windows machine to put the appropriate modules for your ethernet cards on the boot disk.
6. Insert the floppy back into the Windows PC. You should now be able to see the contents of the floppy disk.
7. Obtain the appropriate modules needed for your NIC's. The idiot image of LRP comes with NO NIC support so you have to create a new modules.lrp.
7.1 From www.linuxrouter.org or a mirror, download 2.0.36pre15-1.tar.gz or similar. This file contains binaries of an LRP kernel and modules. LRP is based on Debian, if you care, and you can download the kernel patches used to make it from www.linuxrouter.org as well. More importantly, it is glibc 2.0, so if you're going to use a glibc 2.1 system (such as RH6.0) to patch and compile a new LRP, then you'll need to do some extra work to link on the proper libraries. The 2.0.36pre15-1 tar.gz file contains different "kinds" of modules in different subdirectories, but when they are copied to LRP 2.9.4 they ALL go into the same subdirectory "/lib/modules". If you put your module in /lib/modules/net/ or something, it won't start. Also of interest: the .lrp files are just tar'ed and gzip'ed at level 9.
7.2 Next, you need to get into the tar.gz file and copy out the modules you need. On Windows, you can use WinZip 7.0 (clumsy, but effective) or Windows Commander; there may be others. On Linux, simply tar -xzvf the file or use mc. Copy all the modules that you'll need to a MS-DOS formatted floppy, which we'll call the modules floppy.
7.3 Boot your router with the idiot image you made in step 5. Log in as root (no password) and quit from the lrcfg configuration utility. Next, replace the idiot image floppy with the modules floppy and type:
mount -t msdos /dev/fd0 /mnt
cp /mnt/*.o /lib/modules
umount /mnt
lrcfg
7.4 Now you should be back in the lrcfg configuration utility. Press 3, 2, 1 to get to /etc/modules, and edit appropriately. CTRL-W to save, CTRL-C to exit, Q twice to get back to the main menu. Back up the modules package, reboot the system, and watch to make sure that all modules are installed properly. If you can't catch what's going by, press SHIFT-PGUP to see what happened.
The modules and what they do:
(Note: Jeff Newmiller has a more complete page at http://www.dcn.davis.ca.us/~jdnewmil/lrp/modulenotes.html.)
You'll only need one of these filesystem modules if you plan to mount a filesystem from your LRP. If you're not running an FTP or HTTP server, these are probably not for you. The MS-DOS filesystem used on the floppy boot media was compiled into the kernel -- if you build your own kernel, don't forget that :-)
IPv4 modules are pretty self-explanatory -- most people will only need the masq modules, unless your LRP will be terminating a VPN tunnel or running a server with IP-based virtual hosting.
Again, self-explanatory. If you plan to use a modem (inbound or outbound) or log in via serial cable, don't forget the serial module.
If you don't know what it is then you probably don't need it! You don't want to just select everything because it won't all fit on the floppy (or two floppies, for that matter). Let modmaker generate the modules.lrp file, and download it (again windows users may find this easier using IE). Don't forget to download a new kernel as well or nothing will work. If you have a system with a co-processor (i.e. a Pentium, 486dx, 386dx) then you can download the kernel without co-processor support. SX owners need to download the one with co-processor support. If in doubt, download the one with co-processor support and get a kernel that's about 12k bigger than necessary.
8. Copy the new "module.lrp" and "linux"(the kernel) files to the boot floppy. You will notice that these files already exist on the boot floppy, and you can overwrite them.
9. Reboot the router with the updated floppy disk.
If your boot fails, you probably forgot to download the new files as binaries, or have the wrong co-processor kernel. After the PC boots you will notice a message telling you to configure your NIC's.
10. Log onto the router.
Type "root" at the login: prompt. No password is required for this system since no remote access is allowed and should not really be allowed in the future as well. Once logged in you will see the LRP configuration menu. Almost everything you need to do, you can do from here.
11. Make any "cosmetic" changes you like to the system. More experienced users may comment out the menu program from /root/.profile to get a clean login, but that's up to you. Be careful not to mess with anything you don't understand.
If you decide to use an unregistered domain name internally, make sure it really is unregistered or else your LRP login banner will pick up the name of the machine that really owns the domain name you chose. That can be disconcerting.
12. Set up the NIC's in the RPC
This is done most easily from the menu. If the menu is not displayed type "lrcfg" to bring it up. Select "3) Package Settings" from the menu. Then select "1) modules" and then "1) modules.." again. This will bring up the "ae" editor which is not that bad since it is small but has features friendly to windows people. You can also get ae by typing the name of your favorite editor, it's probably been aliased already. Under the 8390 line you need to specify the device settings for your NIC's. I used two ne2000 cards so my settings looked like this: ne io=0x300,0x340 irq=5,10 That's all we have to do with this file. Press CTRL W to save and CTRL C to exit. Press 'q' twice to get you back to the main menu.
13. Set up the IP's of the NIC's.
This is also done from the menu. Press "1) Network Settings" from the menu and then press "1) IP's .." This edits a script that gets run at boot time. See the note that says "All network and routing settings are placed in this file"?
You really only have to do a few things here. I suggest using "eth1" as your "trusted" interface and "eth0" for the internet interface. This is the way that all the documentation shows things and the way that people's examples on the mail list will be probably be configured. Or you can have it the other way if you want. This example assumes fixed IP addresses supplied by your ISP. DHCP client also works, and that will be covered in another version of this document. For now, see the mail archives at www.linuxrouter.org.
Note: 13.1 and 13.2 are required only for fixed IP addresses supplied by your ISP. (If you will be using DHCP, forge ahead and configure everything but eth0. When you get to section 21, install the dhcpcd.lrp package.)
13.1 Un-comment the "Gateway" item and set this to the Gateway IP supplied by your ISP.
13.2 Un-comment the IF0 interface and edit the IP's for eth0 to match the IP info supplied by your ISP. Be really careful with the Network, Broadcast, and Subnet Mask entries. You might want to check with your ISP to make sure you don't put anything here that might cause problems later -- if you want to figure out how it's done, here's a good place to start: http://www.ccci.com/tools/subcalc/f1.html. Also, get a copy of Buck Graham's _IP Addressing_ book.
13.3 Un-comment the IF1 interface and edit the IP's for eth1 to match your internal "trusted" network. The ones already there are RFC 1918 reserved addresses, so the defaults provide you with a subnet that is suitable for NAT. If you have a registered subnet and don't want NAT, you'll need to edit the config files appropriately.
13.4 Look down the file until you find the section called "IP Masquerade" (aka NAT). Un-comment the first line here. This allows traffic from IF1 (eth1) to be forwarded. THIS IS IMPORTANT! If you don't do this, your system will not forward traffic and you will be left wondering why it doesn't seem to work.
13.5 Save this file and exit the editor (CTRL W CTRL C).
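The Network, Broadcast, and Subnet Mask entries in 13.2 and 13.3 all follow from the address and netmask, and the gateway in 13.1 has to sit inside the eth0 subnet. The following is an added example, not part of this document or of LRP: it derives those values with Python's ipaddress module, warns about the usual mistakes (address equal to the network or broadcast address, gateway outside the subnet), and renders them in the layout of the network.conf shown at the end of this document. The addresses in the demonstration (203.0.113.10/29 for the ISP side, 192.168.2.1/24 for the trusted side) are constructed.

```python
import ipaddress


def lrp_interface_values(ip, netmask, gateway=None):
    """Derive the IFn_*/NETn_* values that network.conf needs for one
    interface from an address and dotted netmask, and flag the usual
    mistakes. Returns (values, warnings)."""
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    net = iface.network
    values = {
        "IPADDR": str(iface.ip),
        "NETMASK": str(net.netmask),
        "BROADCAST": str(net.broadcast_address),
        "NETADDR": str(net.network_address),
        "PREFIX": net.prefixlen,
    }
    warnings = []
    if net.prefixlen < 31:  # /31 and /32 have no separate network/broadcast host
        if iface.ip == net.network_address:
            warnings.append(f"{ip} is the network address of {net}, not a usable host")
        if iface.ip == net.broadcast_address:
            warnings.append(f"{ip} is the broadcast address of {net}, not a usable host")
    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net:
            warnings.append(f"gateway {gateway} is not inside {net}; the default route would be unreachable")
        elif gw == iface.ip:
            warnings.append(f"gateway {gateway} is this interface's own address")
    return values, warnings


def network_conf_lines(n, values, masq):
    """Render the IFn_ and NETn_ lines in the layout of the 2.9.4 network.conf
    at the end of this document (IP spoof protection left on)."""
    return [
        f"IF{n}_IFNAME=eth{n}",
        f"IF{n}_IPADDR={values['IPADDR']}",
        f"IF{n}_NETMASK={values['NETMASK']}",
        f"IF{n}_BROADCAST={values['BROADCAST']}",
        f"IF{n}_IP_SPOOF=YES",
        f"NET{n}_NETADDR={values['NETADDR']}",
        f"NET{n}_NETMASK={values['NETMASK']}",
        f"NET{n}_GATEWAY_IF=$IF{n}_IFNAME",
        f"NET{n}_GATEWAY_IP=default",
        f"NET{n}_IPMASQ={'YES' if masq else 'NO'}",
    ]


if __name__ == "__main__":
    # Constructed sample: 203.0.113.10/29 stands in for the ISP-assigned
    # address, 192.168.2.1/24 for the trusted side (as in the client example).
    for n, (ip, mask, gw, masq) in enumerate([
        ("203.0.113.10", "255.255.255.248", "203.0.113.9", False),
        ("192.168.2.1", "255.255.255.0", None, True),
    ]):
        values, warnings = lrp_interface_values(ip, mask, gw)
        print("\n".join(network_conf_lines(n, values, masq)))
        for w in warnings:
            print("# WARNING:", w)
```

Run it with the address, netmask and gateway your ISP gave you and paste the printed lines into the IF0/NET0 section; the trusted side (IF1/NET1) needs no gateway argument because it has no default route of its own.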
14. Write the changes to the floppy. From the lrcfg menu select "b" for backup and write everything except logs to the floppy. Actually you only need to write "etc" and "modules" but I always feel better writing everything, just in case.
15. Reboot the machine.
Watch to see if the PC loads the network cards correctly. Login as root and quit from the menu to the command line.
Type:
ifconfig -a
to see the interfaces.
Type:
route -n
to see the route table.
Type:
dmesg
or
dmesg | less
to look at the boot up messages.
If you see errors in either ifconfig -a or dmesg, check the mailing list archive for people with similar problems or mail them to the list at linux-router@linuxrouter.org. Using the MAC addresses that you wrote down earlier and the output of these two commands you can figure out which card is interface 0 and interface 1. You might want to use a marker to write eth0 and eth1 on the backs of the cards, too.
16. This is also a convenient time to change the root password. Type: passwd root and set the password to something a bit more secure! Root is the only account on this machine. By default, root also has no ability to log in via telnet. This is good news when you think about the external interface, but annoying when you think about the internal interface. To allow telnet access, edit inetd.conf to allow telnet and edit securetty to allow ttyP0 and ttyP1. Always allow more than 1 tty, especially if your router won't be physically accessible! If your connection is terminated unexpectedly, the tty stays live, and you won't be able to log in unless you're at the machine with a keyboard and a monitor. However, if you are going to allow telnet access, be careful with ipfwadm, and verify that you can't telnet into your router from the Internet. Consider using a serial link or SSH instead. More on that in the packages section.
17. Configure your client PC's and your networking equipment to use the IP address you specified for eth1 as the default gateway. Of course, make sure the client's IP is on the same subnet as eth1 or nothing will work at all. Make sure you have the DNS entries on the client set to the ones provided by your ISP.
17.1 example: I have 2 client machines on the hub:
machine 1:
IP: 192.168.2.2
Netmask: 255.255.255.0
Gateway: 192.168.2.1
Name Server: (the one supplied by your ISP, or the router if it's running a caching DNS)
Machine 2:
IP: 192.168.2.3
Netmask: 255.255.255.0
Gateway: 192.168.2.1
Name Server: (the one supplied by your ISP)
18. You should now be able to ping both the trusted interface (eth1) and the external interface (eth0) from the client. You should also be able to ping the ISP's Gateway address. Once you have done this everything should work just great!
19. Configure ipfwadm.
IMHO, the ipfw suite of tools isn't very intuitive compared to Cisco IOS or the newer ipchains. If you would rather use ipchains, have a look at the Kilimanjaro release of LRP at http://lrp.c0wz.com. In the meantime, you can get the ipfwadm FAQ at:
http://www.fwtk.org/ipfwadm/faq/ipfwadm-faq.html
You might also have luck with the auto-configurator at:
http://linux-firewall-tools.com/linux/firewall/index.html
20. If your Linux router still does not work, check the mailing list archive (http://www.linuxrouter.org/listarch/linux-router/) for people with similar problems or mail them to the list at linux-router@linuxrouter.org. Is this your first Linux experience? You may appreciate some more links:
http://cesdis.gsfc.nasa.gov/linux/misc/multicard.html
http://metalab.unc.edu/pub/Linux/docs/HOWTO/Ethernet-HOWTO
http://metalab.unc.edu/pub/Linux/docs/HOWTO/NET-3-HOWTO
http://metalab.unc.edu/pub/Linux/docs/HOWTO/Firewall-HOWTO
21. Load some packages.
At this point, you should have about 1.1 MB used. That leaves 340 KB for packages! You could also superformat your floppy, boot from larger removable media, or use a msdos formatted hard drive for more storage. There are LRP packages for nearly any service that you might want to run on a Linux box: some of them are important to have, some of them seem to exist "because it was there." Any FTP mirror will have a selection, but the best place to look is Koon Wong's LRP site at:
http://wpkgate.kc.com.my.cpwright.com/lrp/
Some recommendations:
And many more for the low low price of your time! There are also web servers, FTP servers, NFS clients/servers, SAMBA clients/servers, SNMP daemons, databases, an X server, protocol modules for IPX and AppleTalk... LRP is useful for any service that needs to be secure and easily restored. Imagine building an image that read-only mounts its data files from elsewhere, then runs a database and web server for serving that data up to Internet users. Burn the image to an El Torito CD-ROM and drop the box into the DMZ. Problems? Hackers? Simply hit the reset button.
Here's how to install a package:
21.1 Download it and copy it to your floppy.
21.2 Edit syslinux.cfg and add the package name to the end of the LRP list (after root etc modules). **Note, some editors will insert \n characters into the file, which will cause your boot to fail. Turn off word wrap!**
21.3 Boot. Watch the messages on your screen. If the package name comes up, you're fine. If it comes up followed by a signal, you have a problem:
(cpt!) = corrupt. Download the package again and start over.
(nf!) = not found. Check your typing. Try a 'tar -xzvf' on the package and make sure there's something in it. Try adding a fake package name after your new package, sometimes syslinux barfs on the last package.
21.4 Login and configure your new package, then back everything up.
21.5 Reboot. If it still works, make a backup of your floppy and enjoy.
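The two things that go wrong in this procedure, a package list wrapped by the editor and a package name with no matching file on the floppy, can both be caught before rebooting. The following is an added example, not part of this document or of LRP: it assumes the package list is a comma-separated LRP= parameter on the kernel line of syslinux.cfg (the exact layout of that line is an assumption), appends a package on the same line, and reports a wrapped list or an entry whose .lrp file is missing. The syslinux.cfg text and the floppy file list are constructed.

```python
import re

# Constructed list of files on the boot floppy, not taken from a real disk.
FLOPPY_FILES = {"ldlinux.sys", "syslinux.cfg", "linux", "root.lrp",
                "etc.lrp", "modules.lrp", "weblet.lrp"}

# Constructed syslinux.cfg in the assumed shape: a comma-separated LRP=
# parameter on the kernel line. An editor with word wrap on has broken the
# list across two lines, which is the failure the text warns about.
WRAPPED_CFG = """display syslinux.dpy
timeout 300
prompt 1
default linux initrd=root.lrp init=/linuxrc rw root=/dev/ram0 LRP=root,etc,modules,
weblet
"""
# The same file with the list intact on one line.
FIXED_CFG = WRAPPED_CFG.replace(",\nweblet\n", ",weblet\n")

# Words that may legitimately start a syslinux.cfg line (assumed subset).
KEYWORDS = ("display", "timeout", "prompt", "default", "label", "kernel",
            "append", "say", "serial", "implicit")


def lrp_packages(cfg_text):
    """Return (line_index, [packages]) for the LRP= parameter, or (None, [])."""
    for i, line in enumerate(cfg_text.splitlines()):
        m = re.search(r"\bLRP=(\S*)", line)
        if m:
            return i, m.group(1).split(",")
    return None, []


def check_syslinux_cfg(cfg_text, floppy_files):
    """List the problems that would stop the boot or produce (nf!)."""
    lines = cfg_text.splitlines()
    idx, packages = lrp_packages(cfg_text)
    if idx is None:
        return ["no LRP= parameter found"]
    problems = []
    if "" in packages:
        problems.append("empty entry in LRP list (stray or trailing comma)")
    if idx + 1 < len(lines):
        nxt = lines[idx + 1].strip()
        if nxt and not nxt.lower().startswith(KEYWORDS):
            problems.append(f"line {idx + 2} ({nxt!r}) is not a syslinux keyword: "
                            "the LRP list was probably wrapped")
    for pkg in packages:
        if pkg and f"{pkg}.lrp" not in floppy_files:
            problems.append(f"{pkg}.lrp is listed but not on the floppy "
                            "(boot would report (nf!))")
    return problems


def add_package(cfg_text, name):
    """Append a package to the LRP list on the same line, as step 21.2 asks."""
    return re.sub(r"\bLRP=(\S*)",
                  lambda m: f"LRP={m.group(1).rstrip(',')},{name}",
                  cfg_text, count=1)


if __name__ == "__main__":
    print("wrapped:", check_syslinux_cfg(WRAPPED_CFG, FLOPPY_FILES))
    print("fixed:  ", check_syslinux_cfg(FIXED_CFG, FLOPPY_FILES))
    with_dhcpcd = add_package(FIXED_CFG, "dhcpcd")
    print("dhcpcd: ", check_syslinux_cfg(with_dhcpcd, FLOPPY_FILES))
```

Copy syslinux.cfg off the floppy, run the check against a listing of the floppy's files, and only reboot the router once it reports nothing; the (cpt!) case has to be caught by re-downloading, since a corrupt archive still has a file on the disk.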
Working 2.9.4 Configs: !!!Please note, I haven't had time to study ipfwadm and make sure that my access lists are optimal, effective, or sane. At any rate, what works for me probably won't for you. Please do not assume that this config file protects you from anything or forwards any service properly, without verifying it yourself.
########################################################################
# Auto configuration bypass (Say NO to use this file)
########################################################################
DIRECT_SETTINGS_ONLY=NO
########################################################################
# Default Settings
########################################################################
VERBOSE=YES
MAX_LOOP=6
IPFWDING_KERNEL=YES
IPFWDING_FW=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=YES
########################################################################
# Interfaces
########################################################################
IF0_IFNAME=eth0
IF0_IPADDR= the ip your isp gave you
IF0_NETMASK= the netmask your isp gave you
IF0_BROADCAST= the broadcast your isp gave you
IF0_IP_SPOOF=YES
IF1_IFNAME=eth1
IF1_IPADDR=192.168.1.254
IF1_NETMASK=255.255.255.0
IF1_BROADCAST=192.168.1.255
IF1_IP_SPOOF=YES
########################################################################
# Hosts
########################################################################
#
########################################################################
# Networks
########################################################################
NET0_NETADDR= the network that your isp-facing interface (IF0) is on
NET0_NETMASK= that network's netmask
NET0_GATEWAY_IF=$IF0_IFNAME
NET0_GATEWAY_IP=default
NET0_IPMASQ=NO #(because your isp has registered addresses)
NET0_IPMASQ_IF=default
NET1_NETADDR=192.168.1.0
NET1_NETMASK=255.255.255.0
NET1_GATEWAY_IF=$IF1_IFNAME
NET1_GATEWAY_IP=default
NET1_IPMASQ=YES #(because you don't have registered addresses)
NET1_IPMASQ_IF=$IF1_IFNAME
########################################################################
# Gateways (Default Routes)
########################################################################
GW0_IPADDR= the default gateway that your isp gave you
GW0_IFNAME=$IF0_IFNAME
GW0_METRIC=1
########################################################################
# Hostname
# Requires: CONFIG_HOSTNAME=YES
########################################################################
HOSTNAME=myrouter
########################################################################
# Hosts file (Static domainname entries)
# Requires: CONFIG_HOSTSFILE=YES
########################################################################
# IP FQDN hostname alias1 alias2..
# Make sure that your internal network name is either registered
# to you or unused -- otherwise the canonical name of the registered name
# will be appended to your LRP's name.
HOSTS0=$IF0_IPADDR foobar.isp.net foobar
HOSTS1=$IF1_IPADDR $HOSTNAME.private.org HOSTNAME.private.org myrouter
########################################################################
# Domain Search Order and Name Servers
# Requires: CONFIG_DNS=YES
########################################################################
DOMAINS="isp.net private.org"
DNS0= your isp's 1st dns
DNS1= your isp's 2nd dns
DNS2= your isp's 3rd dns
########################################################################
# Direct Network Settings
########################################################################
# Extensive firewall rules
# By default, deny all forwarding
ipfwadm -F -p deny
# Flush all rules
echo "Flushing rules..."
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -A -f
ipfwadm -F -a masq -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
# Avoid MS NetBIOS over IP passing out of LAN
echo "Denying Microsoft NetBIOS..."
ipfwadm -F -a deny -P tcp -S 0/0 137:139
ipfwadm -F -a deny -P udp -S 0/0 137:139
# Forward Quake connections to an IP Masq'ed machine
echo "Enabling Quake..."
ipautofw -A -r tcp 26000 26999 -h 192.168.1.1
ipautofw -A -r udp 26000 26999 -h 192.168.1.1
# Forward RealAudio behind IP Masq (requires ip_masq_raudio.o module)
echo "Enabling RealAudio..."
ipautofw -A -r udp 6970 7170 -c tcp 7070
# Forward FTP to an IP Masq'ed machine
# This is a pretty risky thing to do -- if you do this, keep an eye on
# /var/log/secure and watch them find you. It's a little uncomfortable...
echo "Enabling FTP... gulp!"
ipfwadm -F -a accept -m -P tcp -S 192.168.1.1 20 -D 0.0.0.0/0 1024:65535
ipfwadm -F -a accept -m -P tcp -S 0.0.0.0/0 1024:65535 -D 192.168.1.1 21
ipportfw -A -t 'your-registered-address'/21 -R 192.168.1.1/21
# Forward SSH to an IP Masq'ed machine
echo "Enabling SSH..."
ipfwadm -F -a accept -m -P tcp -S 192.168.1.1 22 -D 0.0.0.0/0 1024:65535
ipfwadm -F -a accept -m -P tcp -S 0.0.0.0/0 1024:65535 -D 192.168.1.1 22
ipportfw -A -t 'your-registered-address'/22 -R 192.168.1.1/22
# Block telnet to outside interface
echo "Blocking telnet..."
ipfwadm -I -i deny -S 0.0.0.0/0 -D 'your-registered-address' 23 -P tcp
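ipfwadm walks the forwarding chain from the top and the first matching rule decides what happens to a packet, so a deny rule appended after a broad masq rule only ever sees traffic the masq rule did not already claim. That is exactly the kind of "is this access list effective" question the note above leaves open, and it can be checked mechanically. The following is an added example, not part of this document or of LRP: it parses the ipfwadm -F lines of a script, and for each rule reports any earlier, overlapping rule of the opposite kind (permit versus deny) that preempts it. The rule set it runs on is constructed from the config above, with 203.0.113.5 as a placeholder for 'your-registered-address'; the policy, flush, ipautofw, ipportfw and -I lines are not forwarding rules and are skipped.

```python
import ipaddress
import shlex

ANY = ipaddress.ip_network("0.0.0.0/0")
PERMIT = {"accept", "masq", "masquerade"}

# Constructed forwarding rules in the shape of the config above; 203.0.113.5
# stands in for 'your-registered-address'.
SAMPLE_RULES = """
ipfwadm -F -p deny
ipfwadm -F -f
ipfwadm -F -a masq -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
ipfwadm -F -a deny -P tcp -S 0/0 137:139
ipfwadm -F -a deny -P udp -S 0/0 137:139
ipfwadm -F -a accept -m -P tcp -S 192.168.1.1 20 -D 0.0.0.0/0 1024:65535
ipfwadm -F -a accept -m -P tcp -S 0.0.0.0/0 1024:65535 -D 192.168.1.1 21
ipfwadm -I -i deny -S 0.0.0.0/0 -D 203.0.113.5 23 -P tcp
"""


def _net(token):
    # ipfwadm accepts "0/0" for everything and a bare host address for /32.
    addr, _, mask = token.partition("/")
    if addr == "0":
        addr = "0.0.0.0"
    return ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)


def _ports(tokens):
    # Port tokens follow the address: "21", "137:139", "1024:65535".
    ranges = []
    for t in tokens:
        lo, _, hi = t.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges or None  # None means "any port"


def parse_forward_rule(line):
    """Parse one 'ipfwadm -F -a ...' rule; return None for anything else."""
    argv = shlex.split(line)
    if argv[:2] != ["ipfwadm", "-F"] or "-a" not in argv:
        return None
    rule = {"action": None, "proto": "all", "src": ANY, "sports": None,
            "dst": ANY, "dports": None, "iface": None}
    i = 2
    while i < len(argv):
        opt = argv[i]
        if opt == "-a":
            rule["action"] = argv[i + 1]
            i += 2
        elif opt == "-P":
            rule["proto"] = argv[i + 1].lower()
            i += 2
        elif opt in ("-S", "-D"):
            j = i + 2
            while j < len(argv) and not argv[j].startswith("-"):
                j += 1  # swallow the port tokens that follow the address
            rule["src" if opt == "-S" else "dst"] = _net(argv[i + 1])
            rule["sports" if opt == "-S" else "dports"] = _ports(argv[i + 2:j])
            i = j
        elif opt == "-W":
            rule["iface"] = argv[i + 1]
            i += 2
        else:
            i += 1  # flags such as -m or -k take no argument we care about
    return rule


def _ranges_overlap(a, b):
    if a is None or b is None:
        return True
    return any(lo1 <= hi2 and lo2 <= hi1 for lo1, hi1 in a for lo2, hi2 in b)


def rules_overlap(a, b):
    """True if some packet could match both rules."""
    return ((a["proto"] == "all" or b["proto"] == "all" or a["proto"] == b["proto"])
            and a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"])
            and _ranges_overlap(a["sports"], b["sports"])
            and _ranges_overlap(a["dports"], b["dports"])
            and (a["iface"] is None or b["iface"] is None or a["iface"] == b["iface"]))


def find_preempted(script_text):
    """Return (later_rule_no, earlier_rule_no) pairs, numbered among the
    -F -a rules from 1, where the earlier rule of the opposite kind matches
    first for some of the later rule's traffic."""
    rules = [r for r in (parse_forward_rule(l.strip()) for l in script_text.splitlines()) if r]
    findings = []
    for i, later in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if (earlier["action"] in PERMIT) != (later["action"] in PERMIT) \
                    and rules_overlap(earlier, later):
                findings.append((i + 1, j + 1))
    return findings


if __name__ == "__main__":
    for later, earlier in find_preempted(SAMPLE_RULES):
        print(f"rule {later} is preempted by rule {earlier} for their overlapping traffic")
```

On the sample it reports that both NetBIOS deny rules (rules 2 and 3) are preempted by the masq rule (rule 1): a LAN host sending from ports 137-139 out of eth0 is masqueraded before the deny rules are consulted. The usual fix is to place specific deny rules ahead of the broad masq rule; the FTP accept rules are not flagged because they and the masq rule both permit.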
Last modified: Oct 24, 2008 2:28 pm.