Words in CAPS are defined under the Definitions section
This how-to / faq is intended to aid in the configuration of a Linux system with @Home service. Furthermore, the purpose of the how-to / faq is to provide instructions regarding configuration of the Linux system as a DUAL-HOMED Firewall, providing internet connectivity to one or more WIN/DOS/MAC/*nix systems setup behind the firewall. This how-to / faq assumes you are using PC hardware for the firewall.
Note that the dual-homed firewall setup differs from the screened-host model. After some discussion on the NLUG list, the conclusion was made that the dual-homed firewall approach is the only way an @Home user should set up their firewall. Although the screened-host is a valid model for a firewall configuration, the screened-host setup relies on a router as part of the configuration. The cable modem provided by @Home does not meet the definition of a router as required by the screened-host model. Furthermore, because of the screened-host setup, systems that are supposed to be protected by the screened-host could cause bandwidth problems for other users, and in return, prompt a response from @Home.
By default, @Home provides one IP ADDRESS to its users. An additional IP can be purchased on a monthly basis. However, with a dual-homed firewall configuration this will not be necessary. Furthermore, please read over your @Home agreement before embarking on this mission. Please know where you stand. Unlike other ISPs or Cable Modem Services, @Home is relatively friendly to its users having Linux systems, but please do not abuse their policies. This means, do NOT run an internet site that receives enough hits to start BANDWIDTH problems for your area. You have been warned.
Furthermore, please be advised that your Linux system is exposed to the net. Unless you take precautions to shut down unnecessary SERVICES, your system is open to attack. Do not be afraid; your Win system is just as vulnerable, if not more so, depending on what you are running. Security is covered in another faq... the link will be here shortly.
If you are reading this faq and are considering @Home cable modem service, please follow these suggestions:
This how-to / faq was put together by Sean Jewett. I will attempt to answer any questions; however, I had to ask a lot of the questions you are now receiving the answers to. If I cannot answer your question, a Linux User Group (LUG) will be your best bet for answers. In the Nashville area, NLUG is very active in supporting Linux. You may also want to hit some of the other various how-to's available. A list of how-to's and other relevant links is given towards the end.
Why would you want to put another computer in between your cable modem and computer? Why would you want to set up a Linux system? Why would you want to learn Unix / Linux? Why do these questions keep appearing?
The fact of the matter is, although the internet is a great utopia, it is not without its problems. Even if the US could stop the crackers, there would still be ones across the world trying to exploit your system. The fact of the matter is an @Home cable modem provides you with not only a fast connection, but one that is available for anyone on the Internet to see. @Home gives your system an IP ADDRESS (your street address on the web, if you will), and that is the basis of what a cracker needs to begin their attack.
Windows 3.x, Win95, Win98, and even WinNT (depending on service pack) are vulnerable to what is known as the "ping of death". In a nutshell, this will bring your system to its knees in a matter of seconds. Upon receiving a ping of death attack you will be forced to reboot your system, which, if the cracker is nice enough, will allow you to stay on the internet for another couple of seconds. At this point you will be completely fed up with your cable modem service. However, the solution is to use Linux as a means of preventing such attacks.
What Linux offers is packages with a proven track record (Unix was around long before DOS was even thought of), and offers the greatest development team ever assembled: the world. Furthermore, current trends have seen support from Corel and IBM, not to mention all of the companies that have and are being spawned via Linux. From the trends, basic knowledge of Unix will be a major key to using computers in the future (if it has not happened already). In a nutshell, you have nothing to lose except time and possible knowledge gained. For more gospel of Linux, hit some of the links listed at the end.
The buzzword... The frequent topic of discussion... the source of flame wars is: "What distribution (DISTRO) should I run?", "Which is the best distribution?" Sadly I won't give you the answer here, just what I know. We have many people in NLUG that are running many of the distributions available. They include Slackware, RedHat, Debian, Linux PPC, MkLinux, and SuSE. With the exception of MkLinux and Linux PPC (both for MAC), any of these distributions should suit your needs for the firewall.
If you consider yourself a power user, one that knows a lot about Unix, you might consider Slackware. For entry level users, Debian, RedHat, and SuSE may fit the bill quite well. Investigate each distro thoroughly, and evaluate what you are wanting them to do. Furthermore, consider if you will want to run them on other systems. E.G. you want an old 486 to run as your firewall, but have a Pentium that you also want to run Linux on. In this case, you may want to configure the 486 without any of the XWindows servers, whereas on the Pentium you can. This can be done. It just varies by distro.
Furthermore, look at what the distro offers. Debian offers a lot, however its dselect program is criticized for the girth of software available for it to install (a new user-friendly installer is supposed to be on the way). SuSE offers its own, which is supposed to be nice. RedHat has RPM, a package manager. In a nutshell, you download the package of the program you want, and execute RPM to install / upgrade the package. It will tell you if you need to upgrade any of the other packages in order to run the new package, or it will install / upgrade it if all DEPENDENCIES are satisfied. Both Debian and SuSE distros offer compatibility with RPM in so much as being able to download RPMs and use them on a Debian / SuSE system. Please keep in mind that you will have to satisfy any dependencies for any RPM, regardless of the distro.
SuSE and RedHat offer the most when commercially purchased. SuSE spans 5 cd-roms, with just about anything and everything you could ever want to install. Furthermore, its manual is supposed to be one of the most complete offered for any Linux distro. RedHat offers a lot, and its latest release, 5.2, marks a major milestone in terms of packaging, development and having a friendly manual. For users just starting out with Linux, I would suggest (and the only time I have EVER suggested one of these books) Unix for Dummies. It should be available at any bookstore that carries "for Dummies" books. It gives specifics, and picks up a lot where the RedHat manual leaves off.
Finally, this faq gives specifics regarding MODULES. Some Linux users use them (like me), others swear them off like the plague. This faq will give specifics in configuration with modules.
To get your Linux firewall up and running, consider this a minimum (because it just about is!):
Ok, you have the cable modem, the cable modem connected to your WIN/MAC system, and you want to connect the other six computers in your closet to the net. Or better yet, you don't want to leave your Win box with valuable client information exposed to the net (Have file sharing setup? Did you have to sign a waiver? There is a reason for that). Have no fear, Linux to the rescue.
WAIT. Before you unplug everything, you need to get some configuration information. First and foremost, are you using the account @Home provides for email? I highly recommend setting your account for netmail services. It will not only allow you to access your email from behind the firewall, it will also allow you to receive email from anywhere on the net. This faq will also provide some other Linux based solutions for email. To configure your account for Netmail, follow the following steps:
The following instructions are based on the Java-based browser @Home uses to display their content.
Notes: Your email address will remain the same. For configuration purposes, your pop3 mail client is netmail.home.com. Your outgoing email configuration will be answered later in this faq.
In order to answer some questions during your Linux install, it will now be necessary to gather some information.
Now comes the fun part, setting the IRQs and IOs for your ethernet cards. Although not difficult, you should have a good grasp as to what devices are using what on your system. Please note, Plug and Play (Pray?) configuration is not well supported by Linux; it is well advised that you configure your cards manually. It will save you many headaches.
Some software will recognize both of the cards installed together, others might only recognize one. Long story short: install one card, set its configuration, SHUT OFF THE COMPUTER, remove it, install the other, and repeat (lather, rinse). Once both cards are configured, install them together.
Write down the configuration of both cards on a piece of paper. Better yet, attach a label with the IRQ's and IO's you have assigned to the exposed section of the card.
Decide which one you want connected to the hub and which one is connected to the cable modem. Write these connections down. (Nothing like trying to read around back of your system with very little light.)
IRQ 5 IO 0x220 is often used with SoundBlaster Cards, keep this in mind if you have one.
IRQ 10 0x300 is often the default used by ethernet cards.
IRQ 3 and 4 are used by serial devices
IRQ 6 is the floppy disk
IRQ 7 is the printer
Installing the distro should be pretty straightforward, provided you purchased one or have the instruction manual (or have a good friend helping you out).
You should consider if you want to be able to have FTP server access set up, and be able to send and receive e-mail from the system that is your Linux firewall. If so, make sure that wu-ftp (or equivalent) is checked to be installed, and that sendmail (or equivalent) is checked also. Furthermore, when it asks later in the install what services you want started, be sure sendmail is checked. Likewise, be sure that you are installing e-mail clients for your system. I personally use Pine; you may prefer Elm, or another program. Or, you can configure your WIN/MAC system to get email off of your Linux firewall.
He who hath experienced it, shall speaketh with truth: If you do not want to run the ftp server (wu-ftpd), be sure to at least check off ftp. It is the ftp client for Linux. If you do not check it off, you will NOT be able to download files onto your system.
You will need to get a Domain Name if you want to send and receive e-mail from your Linux system.
If you are configuring the system as text only (my 486sx 20 w 8meg ram could not handle the Xserver / windows packages), make sure that you are not installing X stuff. Basically, anything with an X in front of it is X software. If you do check something that relies on anything X, go ahead and satisfy that DEPENDENCY. It will not hurt, it will just take a few extra k's on that HD.
Look for any packages / programs that support the firewall setup. These include IP_masq, rwall,
The distro (RedHat) will ask if you would like to setup networking. Answer yes and proceed. It will ask you questions about your network card.
To get things going, we are only going to make sure one of the network cards starts running. Remember all of that ethernet config stuff you wrote down? This is where you will be putting it to use.
In RedHat, you can specify autoprobe, or specify manual parameters. Go ahead and do the manual parameters, you have answers to its questions. Be sure that the parameters you give it are for the Ether card connected to the cable modem.
It will ask for IO, enter the address (ie 0x300). Then IRQ, enter it (ie 10). Skip the additional parameters and proceed.
Remember the @Home configuration information you wrote down? This is where you will put that info to use. Answer the questions, IP address, Gateway, etc. The primary Name Server is your DNS given by @home (ie 24.2.7.33), along with secondary DNS (ie 24.2.7.34).
For the tertiary, you can specify another nameserver. I myself have configured 161.45.1.2 the nameserver at MTSU.
Follow the rest of the instructions... put that old dot matrix printer back into use as a text only line printer, assign yourself a root password, and reboot. Welcome to Linux... You're about to go where your computer has never gone before...
AHH yes. Now the fun. Hopefully you have remembered all of the Unix commands you have forgotten, or have had a crash course into the beast.
First and foremost, it is time to get both of the ethercards running. This is accomplished by changing the config file called conf.modules (or modules.conf). To get there type:
cd /etc
If you have installed the Pine e-mail program, use pico; if not, use vi:
pico conf.modules
vi conf.modules
Ok, you see the configuration of the card that is connected to @Home. It should be eth0. Now you will need to change this file to recognize the second ethercard. For instance, this is my setup:
alias eth0 ne
alias eth1 ne
options ne io=0x220,0x300
Where ethercard 0x220 is eth0, 0x300 is eth1. 0x220 is connected to @Home, 0x300 is connected to the hub.
You can copy this above configuration and it should work OK, provided you have ISA NE2000 cards. Matter of fact, this is about the best way to get ISA NE2000 cards to work.
To exit PICO, type (ctrl)-x, answer Y if wanting to save, and you will then be at the prompt.
To exit VI, press (esc), then type :wq (write and quit) and press ENTER, and you will be at the prompt.
You can go ahead and follow the rest of this faq as far as setup goes, or you can go ahead and reboot your system (as root or su, shutdown -r now). This will ensure that everything is operating properly upon reboot should you ever have to do another shutdown (such as a few months down the road).
Now that we have the ethercards happening, it is time to get that firewall action happening that you have been waiting for so long.
Please Note: Any distro based on Kernel 2.2.x (such as RH6.0) will use IPChains. IPChains is the replacement for ipfwadm that is used in 2.0.x kernels. Chains supports some new features that ipfwadm does not support. If you are going to use the following rules, please add -wrapper after ipfwadm, i.e. run them as:
ipfwadm-wrapper
Currently someone is writing up a chains how-to for @Home, and there are websites available that will convert ipfwadm rules to IPChains rules.
Also note: The stock 2.2.x kernel shipped with RH6.0 and other distributions needs to be upgraded. The bug fix is directly related to having a system on the net, so it is imperative that the upgrade be applied before placing your system on the net. You have been warned. Check your favorite distribution site for details.
There are many different ways to get this working, but the quickest, dirtiest way to get up and running was a suggestion by John Boswell of NLUG. You will need to add this script to your rc.local file, which is found in /etc/rc.d/:
# turn on IP forwarding between the two ethercards
echo "1" > /proc/sys/net/ipv4/ip_forward
#setup IP masq
echo "masquerading 192.168.1.0/24"
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ip_masq_raudio.o
# forward nothing by default...
/sbin/ipfwadm -F -p deny
# ...except packets from the private LAN, which are masqueraded to anywhere
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
# bring up the card connected to the hub and route the LAN through it
/sbin/ifconfig eth1 192.168.1.1 netmask 255.255.255.0
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 dev eth1
More or less, this will allow ftp connections thru the firewall (from WIN/MAC to outside servers), Real Audio to stream through, and will allow IP forwarding to your WIN/MAC/DOS systems. Now it is time to get your systems behind the firewall up and running.
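As an added example (not a script from the FAQ, from NLUG, or from the ipchains project), here is a small translator that rewrites the ipfwadm rules above into the ipchains syntax a 2.2.x kernel needs, and checks the one property that matters for a masquerading firewall: the forward chain is set to deny before the masquerade rule is appended. The flag mappings (-F to forward, -p to -P, -a m to -j MASQ, -S/-D/-P/-W to -s/-d/-p/-i) are the documented ipfwadm/ipchains equivalents; any other option is rejected rather than guessed, so a rule the translator does not understand can never come out weaker than it went in.

```python
import shlex

# ipfwadm names the chain with a flag; ipchains names it as a word.
CHAINS = {"-I": "input", "-O": "output", "-F": "forward"}
# ipfwadm policy/action words (lower-case) -> ipchains targets (upper-case).
TARGETS = {"accept": "ACCEPT", "deny": "DENY", "reject": "REJECT",
           "m": "MASQ", "masquerade": "MASQ"}
# Match options that only change their spelling between the two tools.
MATCHES = {"-S": "-s", "-D": "-d", "-P": "-p", "-W": "-i"}

# The two ipfwadm lines of the rc.local fragment above, as they appear in the FAQ.
FAQ_RULES = """/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0"""


def convert_rule(line):
    """Return the ipchains command equivalent to one ipfwadm command line.

    Raises ValueError on any option this translator does not know, so an
    unknown rule is never silently turned into a different one.
    """
    argv = shlex.split(line)
    if not argv or not argv[0].endswith("ipfwadm"):
        raise ValueError("not an ipfwadm command: %r" % line)
    prefix = argv[0][:-len("ipfwadm")]        # keeps a leading "/sbin/" if present
    chain = policy = action = None
    matches = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in CHAINS:
            chain = CHAINS[arg]
            i += 1
            continue
        if arg not in ("-p", "-a") and arg not in MATCHES:
            raise ValueError("unsupported ipfwadm option %r in %r" % (arg, line))
        if i + 1 >= len(argv):
            raise ValueError("option %s needs an argument in %r" % (arg, line))
        value = argv[i + 1]
        if arg in ("-p", "-a"):               # -p sets the policy, -a appends a rule
            if value.lower() not in TARGETS:
                raise ValueError("unknown target %r in %r" % (value, line))
            if arg == "-p":
                policy = TARGETS[value.lower()]
            else:
                action = TARGETS[value.lower()]
        else:
            matches += [MATCHES[arg], value]
        i += 2
    if chain is None:
        raise ValueError("no chain (-I/-O/-F) in %r" % line)
    if policy is not None:
        return "%sipchains -P %s %s" % (prefix, chain, policy)
    if action is not None:
        return " ".join([prefix + "ipchains", "-A", chain] + matches + ["-j", action])
    raise ValueError("rule neither sets a policy nor appends: %r" % line)


def convert_script(text):
    """Convert the ipfwadm lines of a script; every other line passes through unchanged."""
    out = []
    for line in text.splitlines():
        words = line.split()
        if words and words[0].endswith("ipfwadm"):
            out.append(convert_rule(line))
        else:
            out.append(line)
    return out


def forward_denied_before_masq(lines):
    """True if the forward chain's policy is DENY before any MASQ rule is appended,
    i.e. the firewall forwards nothing except what it is explicitly told to masquerade."""
    denied = False
    for line in lines:
        if "-P forward DENY" in line:
            denied = True
        if "-j MASQ" in line and not denied:
            return False
    return True


if __name__ == "__main__":
    converted = convert_script(FAQ_RULES)
    print("\n".join(converted))
    print("forward policy denied before masquerading:", forward_denied_before_masq(converted))
```

Run it over the rc.local fragment and the two rules come out as `/sbin/ipchains -P forward DENY` followed by `/sbin/ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ`; swap the two lines and the check fails, which is exactly the mistake to look for when hand-converting a longer rule set.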
If you have not done so, go ahead and reboot your system now. Issue the command shutdown -r now from the command line. Linux will now start shutting down services, and will then reboot.
Once you have rebooted, log in as root or su, and type ifconfig (enter). This should give you all of the specifics of your network configurations, and will indicate if your cards are initiated correctly.
The IP Masquerade mini-HOWTO is at:
http://sunsite.unc.edu/LDP/HOWTO/mini/IP-Masquerade-3.html
It contains other information regarding IP Masquerade setup that may be of interest. For simplicity's sake, I have included only Win95, Win3.x, DOS, and Mac TCP configurations. The site contains OS/2, Novell, Mac w/ Open Transport, etc. configurations.
Since all OTHER machines do not have officially assigned addresses, there must be a right way to allocate addresses to those machines.
From IP Masquerade FAQ:
There is an RFC (#1597) on which IP addresses are to be used on a non-connected network. There are 3 blocks of numbers set aside specifically for this purpose. One which I use is 255 Class-C subnets at 192.168.1.n to 192.168.255.n .
From RFC 1597:
Section 3: Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private networks:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
We will refer to the first block as "24-bit block", the second as "20-bit block", and to the third as "16-bit" block. Note that the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and third block is a set of 255 contiguous class C network numbers.
So, if you're using a class C network, you should name your machines as
192.168.1.1, 192.168.1.2, 192.168.1.3, ..., 192.168.1.x
192.168.1.1 is usually the gateway machine, which is your Linux host connecting to the Internet. Notice that 192.168.1.0 and 192.168.1.255 are the Network and Broadcast address respectively, which are reserved. Avoid using these addresses on your machines.
Besides setting the appropriate IP address for each machine, you should also set the appropriate gateway. In general, it is rather straight forward. You simply enter the address of your Linux host (usually 192.168.1.1) as the gateway address.
For the Domain Name Service, you can add in any DNS available. The most apparent one should be the one that your Linux is using. You can optionally add any domain search suffix as well.
After you have reconfigured those IP addresses, remember to restart the appropriate services or reboot your systems.
The following configuration instructions assume that you are using a Class C network with 192.168.1.1 as your Linux host's address. Please note that 192.168.1.0 and 192.168.1.255 are reserved.
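The addressing rules above (RFC 1597 private blocks, 192.168.1.1 as the gateway, .0 and .255 reserved) are easy to get wrong on a machine at a time; as an added example that is not from the FAQ or the IP Masquerade HOWTO, the following script derives the per-host numbers from the LAN prefix, classifies any address you are about to type into a WIN/MAC/DOS box, and sanity-checks the -S argument of the masquerade rule so that only the private LAN is ever masqueraded. It uses only Python's standard ipaddress module; the LAN prefix 192.168.1.0/24 is the FAQ's own assumption.

```python
import ipaddress

# The three blocks RFC 1597 section 3 reserves for private networks.
PRIVATE_BLOCKS = [ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
                  ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
                  ipaddress.ip_network("192.168.0.0/16")]   # 192.168.0.0 - 192.168.255.255

# The class C used throughout this FAQ for the machines behind the firewall.
LAN = "192.168.1.0/24"


def is_private(addr):
    """True if addr lies in one of the RFC 1597 blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in block for block in PRIVATE_BLOCKS)


def lan_plan(lan=LAN):
    """Derive the numbers a host behind the firewall needs from the LAN prefix."""
    net = ipaddress.ip_network(lan)
    hosts = list(net.hosts())           # usable addresses; network and broadcast are excluded
    return {
        "netmask": str(net.netmask),
        "gateway": str(hosts[0]),       # the Linux host is conventionally the first address
        "first_host": str(hosts[1]),
        "last_host": str(hosts[-1]),
        "reserved": [str(net.network_address), str(net.broadcast_address)],
    }


def classify_host_address(addr, lan=LAN):
    """Say what role an address can play on the LAN behind the firewall."""
    a = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(lan)
    if not is_private(addr):
        return "public"        # an Internet address; never hand this to an inside machine
    if a not in net:
        return "outside-lan"   # private, but not on this class C; the gateway would not route it
    if a == net.network_address:
        return "network"       # reserved
    if a == net.broadcast_address:
        return "broadcast"     # reserved
    if a == net.network_address + 1:
        return "gateway"
    return "host"


def check_masq_source(source, lan=LAN):
    """Sanity-check the -S argument of the masquerade rule.

    Returns a list of problems; an empty list means the rule masquerades exactly
    the private LAN and nothing else.
    """
    src = ipaddress.ip_network(source, strict=False)
    net = ipaddress.ip_network(lan)
    problems = []
    if not any(src.subnet_of(block) for block in PRIVATE_BLOCKS):
        problems.append("%s is not RFC 1597 private address space" % src)
    if not src.subnet_of(net):
        problems.append("%s is wider than, or outside, the LAN %s" % (src, net))
    return problems


if __name__ == "__main__":
    print(lan_plan())
    for addr in ("192.168.1.0", "192.168.1.1", "192.168.1.37", "192.168.1.255", "24.2.7.33"):
        print(addr, classify_host_address(addr))
    print(check_masq_source("192.168.1.0/24"))   # [] : the FAQ's rule is fine
    print(check_masq_source("0.0.0.0/0"))        # a rule like this would masquerade anything forwarded
```

The masq-source check is the one worth keeping around: a -S of 0.0.0.0/0 or of a public range turns the box into an open relay for whoever can route packets through it, and the check flags both cases before the rule reaches rc.local.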
Ping the Linux box to test the network connection:
'File/Run', type: ping 192.168.1.1
(... ping the outside world yet.)
DOS: load a packet driver for your network card, e.g. nwpd 0x60 10 0x300, with your network card set to IRQ 10 and hardware address at 0x300. Unpack the telnet package:
pkunzip tel2308b.zip
Edit the config.tel file and set:
myip=192.168.1.x (1 < x < 255), and
netmask=255.255.255.0
hardware=packet, interrupt=10, ioaddr=60
The gateway entry is your Linux host:
name=default
host=yourlinuxhostname
hostip=192.168.1.1
gateway=1
The name server entry:
name=dns.domain.com ; hostip=123.123.123.123; nameserver=1
Note: substitute the appropriate information about the DNS that your Linux host uses.
Save the config.tel file, then test the connection:
telnet 192.168.1.1
Mac: edit the Hosts file in your System Folder so that you can use the hostnames of the machines on your LAN. The file should already exist in your System Folder, and should contain some (commented-out) sample entries which you can modify according to your needs.
For those that remember ml.org, dhs.org is now available in replacement for ml.org. Stop on by and get yourself a *.dhs.org name for your box... send and receive email!
In other words, just a reminder about security. Please remember that anyone and everyone can and will try to connect and crack your Linux system. It is just the nature of the net. If you are having problems with an @Home user, you can email abuse@home.net and let them know of the problem. Furthermore, you can let other ISPs (the one the abuser is coming from) know of your problems... They are usually more than willing to help out. Last but not least, there will be an @Home Linux firewall security faq I will be putting up sometime soon to help out new people.
Furthermore, review your logs every so often. They are kept in:
/var/log
The main ones you should be concerned about are messages and secure. These files can be opened either with vi or pico.
Here are some sites that either contain information taken from this faq, or have information that may be useful (in a somewhat orderly fashion):
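Reading messages and secure by eye works until the firewall has been on the net for a month. As an added example that is not part of the FAQ, here is a small summarizer for the two kinds of lines worth watching on this kind of box: the "connect from" / "refused connect from" lines the tcp_wrappers-protected services (in.telnetd, in.ftpd) write to secure, and the "FAILED LOGIN ... FROM ... FOR ..." lines login writes to messages. The sample log is constructed for the example (the outside addresses are from the documentation ranges, not real hosts), and the LAN prefix is the FAQ's 192.168.1.0/24; anything that did not come from that LAN is reported, worst offender first.

```python
import re
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in the classic syslog layout. They are invented for
# this example; 198.51.100.7 and 192.0.2.44 are documentation addresses.
SAMPLE_LOG = """\
Mar  9 22:14:01 firewall in.telnetd[811]: connect from 192.168.1.10
Mar  9 22:14:40 firewall login: LOGIN ON ttyp0 BY sean FROM 192.168.1.10
Mar  9 23:02:17 firewall in.telnetd[902]: connect from 198.51.100.7
Mar  9 23:02:21 firewall login: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Mar  9 23:02:25 firewall login: FAILED LOGIN 2 FROM 198.51.100.7 FOR root, Authentication failure
Mar  9 23:05:08 firewall in.ftpd[915]: refused connect from 198.51.100.7
Mar  9 23:30:55 firewall in.telnetd[960]: connect from 192.0.2.44
"""

# "Mar  9 23:02:17 HOST PROGRAM[PID]: MESSAGE"; the [PID] part is optional.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^(?P<refused>refused )?connect from (?P<src>\S+)$")
FAILED_RE = re.compile(r"^FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\S+),")


def parse_line(line):
    """Turn one syslog line into an event dict, or None if it is not one we track."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    c = CONNECT_RE.match(msg)
    if c:
        kind = "refused" if c.group("refused") else "connects"
        return {"ts": m.group("ts"), "prog": m.group("prog"), "kind": kind,
                "src": c.group("src"), "user": None}
    f = FAILED_RE.match(msg)
    if f:
        return {"ts": m.group("ts"), "prog": m.group("prog"), "kind": "failed_logins",
                "src": f.group("src"), "user": f.group("user")}
    return None


def is_outside_lan(src):
    """True unless src is an address on the LAN. tcp_wrappers may log a hostname
    instead of an address; a name cannot be placed on the LAN, so it counts as outside."""
    try:
        return ipaddress.ip_address(src) not in LAN
    except ValueError:
        return True


def summarize(text):
    """Count connects, refused connects and failed logins per source address."""
    report = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        entry = report.setdefault(ev["src"], {
            "connects": 0, "refused": 0, "failed_logins": 0,
            "users": set(), "outside_lan": is_outside_lan(ev["src"])})
        entry[ev["kind"]] += 1
        if ev["user"]:
            entry["users"].add(ev["user"])
    return report


def outside_sources(report):
    """Sources beyond the LAN that touched the firewall, most suspicious first."""
    outside = [src for src, e in report.items() if e["outside_lan"]]
    return sorted(outside, reverse=True,
                  key=lambda s: (report[s]["failed_logins"], report[s]["refused"], report[s]["connects"]))


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for src in outside_sources(rep):
        e = rep[src]
        print("%-16s connects=%d refused=%d failed_logins=%d users=%s"
              % (src, e["connects"], e["refused"], e["failed_logins"], sorted(e["users"])))
```

Feed it the real files with something like `summarize(open("/var/log/secure").read())`; two failed root logins plus a refused ftp connect from the same outside address, as in the sample, is the pattern that justifies the abuse@home.net mail mentioned above.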
WIN/DOS/MAC: Short for Windows (95 or 3.x), DOS (5.0 or later) and Macintosh.
PC: Personal Computer, in this case, IBM or clones (386, 486, Pentium) based architecture.
IP ADDRESS: Your assigned numerical address on the net. Each @Home user has their own unique address, usually in the form of 24.x.x.x
RPM: Short for RedHat Package Management. A utility for upgrading or installing software on a Linux system. The program lets you know if you need other software to run the program you want to install, or if anything else needs to be upgraded. Executed by rpm -Uvh package.name for upgrades, or rpm -ivh package.name for installs.
BANDWIDTH: How much space you are taking to offer or receive a specific service. Downloading a 10 meg file will take more bandwidth than sending an email. With an @Home connection, you are basically on a local area network... The more users, the slower the response.
SERVICES: What your Linux system offers. E.G. Web Server, FTP Server, E-Mail Server, Gopher (never used much anymore), Real Audio, etc.
NLUG: Nashville Linux Users Group. www.nlug.org
DISTRO: Short for Distribution
DEPENDENCIES: A term used by RedHat and RPM. In short, one program depends on another program in order to run.
MODULES: A point of contention amongst Linux users, Modules offers a way to load drivers for a device or devices, without having to compile the Kernel (OS) to recognize them. You do suffer a performance hit using modules, however unless you are running a major server / site, it is probably to your advantage to use modules.
DNS: Domain Name Server. Its job is to convert domain names (such as rimboy.ml.org) into an IP Address.
ISP: Internet Service Provider. @Home is considered an ISP.
Questions, comments, contact Sean Jewett @ sean@rimboy.com