RIMBoy's Tech Support @Home Firewall Config How-to 2/12/99

5. Who you are, your @Home configuration

Ok, you have the cable modem, the cable modem is connected to your WIN/MAC system, and you want to connect the other six computers in your closet to the net. Or better yet, you don't want to leave your Win box with valuable client information exposed to the net (Have file sharing set up? Did you have to sign a waiver? There is a reason for that). Have no fear, Linux to the rescue.

WAIT. Before you unplug everything, you need to get some configuration information.

First and foremost, are you using the account @Home provides for email? I highly recommend setting your account up for Netmail services. It will not only allow you to access your email from behind the firewall, it will also allow you to receive email from anywhere on the net. This faq will also provide some other Linux based solutions for email.

To configure your account for Netmail, follow these steps (they are based on the Java based browser @Home uses to display their content):

1. At the bottom, click on Member's Services.
2. Click on Email Services.
3. Click on Netmail, and then click on Netmail in the scrolling window.
4. Enter your Username and Password.
5. Click on Enable Netmail, located further down the screen.

Notes: Your email address will remain the same. For configuration purposes, the POP3 server to give your mail client is netmail.home.com. Your outgoing email configuration will be answered later in this faq.

Need to know information

In order to answer some questions during your Linux install, it will now be necessary to gather some information.

1. Click on Account Management.
2. Click on Home Networking.
3. Click on Network Address, and then click on Network Address in the scrolling window.
4. Enter your Username and Password.
5. Click on View Address.
6. Click "here" for network address details.
7. Print (preferred) or copy down all of the information listed. This information will be crucial during your Linux install.
8. Keep this information handy, as you may need it later should you add other services or have to do some reconfiguration of your Linux system.

6. Setting up ethernet IRQ's and IO's

Now comes the fun part, setting the IRQs and I/O addresses for your ethernet cards. Although not difficult, you should have a good grasp of what devices are using what on your system. Please note, Plug and Play (Pray?) configuration is not well supported by Linux; you are well advised to configure your cards manually. It will save you many headaches.

Some software will recognize both of the cards installed together, others might only recognize one. Long story short: install one card, set its configuration, SHUT OFF THE COMPUTER, remove it, install the other, and repeat. Once both cards are configured, install them both. Write down the configuration of both cards on a piece of paper. Better yet, attach a label with the IRQ and IO you have assigned to the exposed section of each card. Decide which one you want connected to the hub and which one is connected to the cable modem. Write these connections down. (Nothing like trying to read around the back of your system with very little light.)

Some suggestions:
IRQ 5 / IO 0x220 is often used by SoundBlaster cards; keep this in mind if you have one.
IRQ 10 / IO 0x300 is often the default used by ethernet cards.
IRQ 3 and 4 are used by serial ports.
IRQ 6 is the floppy disk controller.
IRQ 7 is the printer port.

7. Setting up and installing the distro

Installing the distro should be pretty straightforward, provided you purchased one or have the instruction manual (or have a good friend helping you out). You should consider whether you want to have FTP server access set up, and be able to send and receive e-mail from the system that is your Linux firewall. If so, make sure that wu-ftp (or equivalent) is checked to be installed, and that sendmail (or equivalent) is checked also.
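For the IRQ and I/O planning in section 6, here is a small check you can run on the Linux box before you jumper the second card. It is an added example and not part of the original how-to; the two sample texts are constructed to look like the 2.0-era /proc/interrupts and /proc/ioports (they are not captured from any real machine), and the function names, the 32-port NE2000 window and the "check_card" interface are this example's own choices. Pass the real files to check a live system.

```shell
#!/bin/sh
# Added example for the IRQ / I/O planning in section 6; it is not part of
# the original how-to. It checks a planned IRQ and I/O base for an ISA
# ethernet card against what the kernel already reports in /proc/interrupts
# and /proc/ioports, so the conflict is found before the card is jumpered.
# The two sample texts are constructed (they are not from any real machine);
# pass the real files to check a live box:
#     check_card 10 0x300 /proc/interrupts /proc/ioports

# Constructed sample of /proc/interrupts (2.0-era layout: "irq: count  name").
SAMPLE_INTERRUPTS='           CPU0
  0:     172311   timer
  1:       2934   keyboard
  2:          0   cascade
  5:        120   soundblaster
  6:         12   floppy
  7:          0   lp
 10:       9981   NE2000
 14:      40122   ide0'

# Constructed sample of /proc/ioports ("start-end : owner", hex without 0x).
SAMPLE_IOPORTS='0000-001f : dma1
0020-003f : pic1
0220-022f : soundblaster
0300-031f : NE2000
03f8-03ff : serial(auto)'

# irq_in_use IRQ TEXT -> status 0 if IRQ already has a line in TEXT.
irq_in_use() {
    printf '%s\n' "$2" | grep -q "^ *$1:"
}

# io_owner BASE TEXT -> prints the owner of the first range overlapping
# BASE..BASE+0x1f (an NE2000 uses 32 ports); status 1 if the range is free.
io_owner() {
    lo=$(( $1 ))            # shell arithmetic accepts the 0x prefix
    hi=$(( lo + 0x1f ))
    printf '%s\n' "$2" | {
        while IFS=' :-' read start end owner; do
            s=$(( 0x$start )); e=$(( 0x$end ))
            if [ "$s" -le "$hi" ] && [ "$e" -ge "$lo" ]; then
                printf '%s\n' "$owner"
                exit 0
            fi
        done
        exit 1
    }
}

# check_card IRQ BASE [INTERRUPTS_FILE IOPORTS_FILE] -> status 0 if both free.
check_card() {
    irq=$1; io=$2
    if [ -n "${3:-}" ]; then itext=$(cat "$3"); else itext=$SAMPLE_INTERRUPTS; fi
    if [ -n "${4:-}" ]; then ptext=$(cat "$4"); else ptext=$SAMPLE_IOPORTS; fi
    rc=0
    if irq_in_use "$irq" "$itext"; then
        echo "IRQ $irq is already claimed"; rc=1
    fi
    if owner=$(io_owner "$io" "$ptext"); then
        echo "I/O $io overlaps a range owned by $owner"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "IRQ $irq / I/O $io look free"
    return "$rc"
}
```

With the sample data, "check_card 5 0x220" reports the SoundBlaster conflict the suggestions above warn about, "check_card 10 0x300" reports the card that is already running, and "check_card 11 0x340" comes back free. Run it once with the first card installed, then again with the second card's planned values, and you know before rebooting whether the two will fight.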
Furthermore, when it asks later in the install what services you want started, be sure sendmail is checked. Likewise, be sure that you are installing e-mail clients for your system. I personally use Pine; you may prefer Elm, or another program. Or, you can configure your WIN/MAC system to get email off of your Linux firewall. Keep in mind that whatever you run on the firewall itself (wu-ftpd, sendmail) is listening on the cable side as well, so install only the servers you actually need.

He who hath experienced it, shall speaketh with truth: If you do not want to run the ftp server (wu-ftpd), be sure to at least check off ftp. It is the ftp client for Linux. If you do not check it off, you will NOT be able to download files onto your system.

You will need to get a Domain Name if you want to send and receive e-mail from your Linux system.

If you are configuring the system as text only (my 486sx 20 w 8meg ram could not handle the Xserver / windows packages), make sure that you are not installing X stuff. Basically, anything with an X in front of it is X software. If you do check something that relies on anything X, go ahead and satisfy that DEPENDENCY. It will not hurt, it will just take a few extra k's on that HD.

Look for any packages / programs that support the firewall setup. These include IP_masq, rwall,

The distro (RedHat) will ask if you would like to set up networking. Answer yes and proceed. It will ask you questions about your network card.

8. Recognizing the ethernet card

To get things going, we are only going to make sure one of the network cards starts running. Remember all of that ethernet config stuff you wrote down? This is where you will be putting it to use. In RedHat, you can specify autoprobe, or specify manual parameters. Go ahead and do the manual parameters; you have the answers to its questions. Be sure that the parameters you give it are for the ether card connected to the cable modem. It will ask for IO, enter the address (e.g. 0x300). Then IRQ, enter it (e.g. 10). Skip the additional parameters and proceed. Remember the @Home configuration information you wrote down? This is where you will put that info to use.

Answer the questions: IP address, Gateway, etc. The primary Name Server is the DNS given to you by @Home (e.g. 24.2.7.33), along with the secondary DNS (e.g. 24.2.7.34). For the tertiary, you can specify another nameserver; I myself have configured 161.45.1.2, the nameserver at MTSU. Follow the rest of the instructions... put that old dot matrix printer back into use as a text only line printer, assign yourself a root password, and reboot. Welcome to Linux... You're about to go where your computer has never gone before...

9. Recognizing both of the ethernet cards

AHH yes. Now the fun. Hopefully you have remembered all of the Unix commands you have forgotten, or have had a crash course into the beast. First and foremost, it is time to get both of the ethercards running. This is accomplished by changing the config file called conf.modules (modules.conf on some distributions). To get there, type:

    cd /etc

If you have installed the Pine e-mail program, use pico; if not, use vi:

    pico conf.modules
    vi conf.modules

Ok, you see the configuration of the card that is connected to @Home. It should be eth0. Now you will need to change this file to recognize the second ethercard. For instance, this is my setup:

    alias eth0 ne
    alias eth1 ne
    options ne io=0x220,0x300

where the ethercard at 0x220 is eth0 and the one at 0x300 is eth1; 0x220 is connected to @Home, 0x300 is connected to the hub. You can copy this configuration and it should work OK, provided you have ISA NE2000 cards. Matter of fact, this is about the best way to get ISA NE2000 cards to work. The order of the addresses on the options line decides which card becomes eth0, so check it against the labels you stuck on the cards; the ne driver also accepts an irq= list in the same order if its interrupt probe picks the wrong one.

To exit pico, type Ctrl-X, answer Y if you want to save, and you will then be at the prompt. To exit vi, press Esc, type :wq and press Enter, and you will be at the prompt.

You can go ahead and follow the rest of this faq as far as setup goes, or you can reboot your system now (as root or via su: shutdown -r now). This will ensure that everything comes up properly on reboot, should you ever have to do another shutdown (such as a few months down the road).

10. Setting up the masq / firewall

Now that we have the ethercards happening, it is time to get that firewall action happening that you have been waiting for so long. There are many different ways to get this working, but the quickest, dirtiest way to get up and running was a suggestion by John Boswell of NLUG. Add this script to your rc.local file, which is found in /etc/rc.d/:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    # setup IP masq
    echo "masquerading 192.168.1.0/24"
    /sbin/depmod -a
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio
    /sbin/ipfwadm -F -p deny
    /sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
    /sbin/ifconfig eth1 192.168.1.1 netmask 255.255.255.0 up
    /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 dev eth1

(modprobe takes the module name without the .o suffix, and route wants the netmask and the device so the LAN route is pinned to the hub side card.) More or less, this will allow ftp connections through the firewall (from WIN/MAC to outside servers), Real Audio to stream through, and will masquerade your WIN/MAC/DOS systems behind the firewall's @Home address. One caveat: "ipfwadm -F -p deny" only governs packets the kernel forwards on behalf of the LAN. Anything listening on the Linux box itself (wu-ftpd, sendmail) is still reachable from the cable segment unless you also add rules to the input chain (ipfwadm -I).

Now it is time to get your systems behind the firewall up and running. If you have not done so, go ahead and reboot your system now. Issue the command shutdown -r now from the command line. Linux will now start shutting down services, and will then reboot. Once you have rebooted, log in as root or su, and type ifconfig (Enter). This should give you all of the specifics of your network configuration, and will indicate whether your cards are initialized correctly.

11. Configuration of your Win / Mac / DOS boxes

The following information comes from:
http://sunsite.unc.edu/LDP/HOWTO/mini/IP-Masquerade-3.html
It contains other information regarding IP Masquerade setup that may be of interest. For simplicity's sake, I have included only Win95, Win3.x, DOS, and Mac TCP configurations. The site contains OS/2, Novell, Mac w/ Open Transport, etc. configurations.

Assigning Private Network IP Addresses

Since all the OTHER machines do not have officially assigned addresses, there must be a right way to allocate addresses to those machines.
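Before moving on to the client boxes, one more word on the rc.local script from section 10. The script below is an added example, not John Boswell's script or anything from the IP Masquerade HOWTO: it generates the same masquerading setup as a reviewable list of commands and adds the input-chain rules the quick version leaves out, since "-F -p deny" says nothing about packets aimed at the firewall itself. It assumes eth0 faces the cable modem, eth1 faces the hub, the LAN is 192.168.1.0/24 with the Linux box at .1, and that you really do run sendmail (port 25) and wu-ftpd (port 21); the "fw_rules" / "rule_count" names and the print-or-apply switch are this example's own.

```shell
#!/bin/sh
# Added example (not the page's rc.local script): build the ipfwadm rule set
# for the two-card box above and harden it with input-chain rules, because
# "ipfwadm -F -p deny" only governs packets the kernel FORWARDS; packets
# addressed to the firewall itself (wu-ftpd, sendmail, whatever else you
# installed) go through the input chain, which is wide open by default.
# Assumptions: eth0 faces the cable modem, eth1 faces the hub, the LAN is
# 192.168.1.0/24 with the Linux box at .1.  "fw_rules" prints the commands
# so you can review them; "fw_rules apply" runs them (root, 2.0 kernel with
# ipfwadm; a 2.2 kernel expresses the same policy with ipchains).

EXT_IF=eth0
INT_IF=eth1
LAN=192.168.1.0/24
GW=192.168.1.1
MODULES="ip_masq_ftp ip_masq_raudio"

fw_rules() {
    mode=${1:-print}
    # emit COMMAND...: print the command line, or run it in apply mode.
    emit() { if [ "$mode" = apply ]; then eval "$*"; else printf '%s\n' "$*"; fi; }

    emit /sbin/ifconfig $INT_IF $GW netmask 255.255.255.0 up
    emit /sbin/route add -net ${LAN%/*} netmask 255.255.255.0 dev $INT_IF
    emit /sbin/depmod -a
    for m in $MODULES; do emit /sbin/modprobe $m; done

    # Flush every chain, then default-deny; anything not listed is dropped.
    for chain in -I -O -F; do
        emit /sbin/ipfwadm $chain -f
        emit /sbin/ipfwadm $chain -p deny
    done

    # Input chain: loopback and the LAN on the inside card are trusted.
    emit /sbin/ipfwadm -I -a accept -W lo
    emit /sbin/ipfwadm -I -a accept -W $INT_IF -S $LAN
    # Anti-spoofing: private addresses must never arrive on the cable side
    # (-o logs the hit to the kernel log so you can see who is probing).
    for net in $LAN 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        emit /sbin/ipfwadm -I -a deny -o -W $EXT_IF -S $net
    done
    # Replies to connections we opened: TCP with ACK set (-k), DNS answers, ICMP.
    emit /sbin/ipfwadm -I -a accept -W $EXT_IF -P tcp -k
    emit /sbin/ipfwadm -I -a accept -W $EXT_IF -P udp -S 0.0.0.0/0 53
    emit /sbin/ipfwadm -I -a accept -W $EXT_IF -P icmp
    # Services you chose to expose on the cable side; delete what you do not run.
    emit /sbin/ipfwadm -I -a accept -W $EXT_IF -P tcp -D 0.0.0.0/0 25
    emit /sbin/ipfwadm -I -a accept -W $EXT_IF -P tcp -D 0.0.0.0/0 21

    # Output chain: the firewall may send anything.
    emit /sbin/ipfwadm -O -a accept

    # Forward chain: masquerade the LAN out to anywhere, nothing else.
    emit /sbin/ipfwadm -F -a masquerade -S $LAN -D 0.0.0.0/0
    emit 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Number of ipfwadm commands in the plan; a quick sanity check after edits.
rule_count() { fw_rules | grep -c '^/sbin/ipfwadm'; }
```

Run "fw_rules" first and read the list; the only lines that should mention eth0 with "accept" are the ACK, DNS and ICMP replies plus the ports you deliberately serve. When it looks right, "fw_rules apply" from rc.local does the work, and "ipfwadm -I -l" afterwards lets you confirm the input chain is no longer empty.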
From IP Masquerade FAQ: There is an RFC (#1597) on which IP addresses are to be used on a non-connected network. There are 3 blocks of numbers set aside specifically for this purpose. One which I use is 255 Class-C subnets at 192.168.1.n to 192.168.255.n.

From RFC 1597, Section 3: Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private networks:

    10.0.0.0    - 10.255.255.255
    172.16.0.0  - 172.31.255.255
    192.168.0.0 - 192.168.255.255

We will refer to the first block as "24-bit block", the second as "20-bit block", and to the third as "16-bit block". Note that the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and third block is a set of 255 contiguous class C network numbers.

So, if you're using a class C network, you should name your machines 192.168.1.1, 192.168.1.2, 192.168.1.3, ..., 192.168.1.x. 192.168.1.1 is usually the gateway machine, which is your Linux host connecting to the Internet. Notice that 192.168.1.0 and 192.168.1.255 are the Network and Broadcast address respectively, which are reserved. Avoid using these addresses on your machines.

Configuring the OTHER machines

Besides setting the appropriate IP address for each machine, you should also set the appropriate gateway. In general, it is rather straightforward. You simply enter the address of your Linux host (usually 192.168.1.1) as the gateway address. For the Domain Name Service, you can add in any DNS available. The most apparent one should be the one that your Linux host is using. You can optionally add any domain search suffix as well. After you have reconfigured those IP addresses, remember to restart the appropriate services or reboot your systems.

The following configuration instructions assume that you are using a Class C network with 192.168.1.1 as your Linux host's address. Please note that 192.168.1.0 and 192.168.1.255 are reserved.

Configuring Windows for Workgroups 3.11 (these are the HOWTO's Windows 3.x steps for the Microsoft TCP/IP-32 3.11b stack; on Windows 95 the same IP address, subnet mask, gateway and DNS values go under Control Panel / Network / TCP/IP Properties)

1. If you haven't installed your network card and adapter driver, do so now.
2. Install the TCP/IP 32b package if you don't have it already.
3. In 'Main'/'Windows Setup'/'Network Setup', click on 'Drivers'.
4. Highlight 'Microsoft TCP/IP-32 3.11b' in the 'Network Drivers' section, click 'Setup'.
5. Set IP Address to 192.168.1.x (1 < x < 255), then set Subnet Mask to 255.255.255.0 and Default Gateway to 192.168.1.1.
6. Do not enable 'Automatic DHCP Configuration' or put anything in those 'WINS Server' input areas unless you're in a Windows NT domain and you know what you're doing.
7. Click 'DNS', fill in the appropriate information mentioned in STEP 6 of section 3.3.1 of the HOWTO, then click 'OK' when you're done with it.
8. Click 'Advanced', check 'Enable DNS for Windows Name Resolution' and 'Enable LMHOSTS lookup' if you're using a lookup host file, similar to the one mentioned in STEP 10 of section 3.3.1 of the HOWTO.
9. Click 'OK' on all dialog boxes and restart the system.
10. Ping the Linux box to test the network connection: 'File/Run', type: ping 192.168.1.1 (This is only a LAN connection test; you can't ping the outside world yet.)

Configuring DOS using the NCSA Telnet package

1. If you haven't installed your network card, do so now.
2. Load the appropriate packet driver. For an NE2000 card, issue nwpd 0x60 10 0x300, with your network card set to IRQ 10 and hardware address 0x300.
3. Make a new directory, and then unpack the NCSA Telnet package: pkunzip tel2308b.zip
4. Use a text editor to open the config.tel file.
5. Set myip=192.168.1.x (1 < x < 255), and netmask=255.255.255.0
6. In this example, you should set hardware=packet, interrupt=10, ioaddr=60
7. You should have at least one individual machine specification set as the gateway, i.e. the Linux host:

       name=default
       host=yourlinuxhostname
       hostip=192.168.1.1
       gateway=1

8. Have another specification for a domain name service:

       name=dns.domain.com ; hostip=123.123.123.123; nameserver=1

   Note: substitute the appropriate information about the DNS that your Linux host uses.
9. Save your config.tel file.
10. Telnet to the Linux box to test the network connection: telnet 192.168.1.1

Configuring MacOS Based System Running MacTCP

1. If you haven't installed the appropriate driver software for your Ethernet adapter, now would be a very good time to do so.
2. Open the MacTCP control panel. Select the appropriate network driver (Ethernet, NOT EtherTalk) and click on the 'More...' button.
3. Under 'Obtain Address:', click 'Manually'.
4. Under 'IP Address:', select class C from the popup menu. Ignore the rest of this section of the dialog box.
5. Fill in the appropriate information under 'Domain Name Server Information:'.
6. Under 'Gateway Address:', enter 192.168.1.1
7. Click 'OK' to save the settings. In the main window of the MacTCP control panel, enter the IP address of your Mac (192.168.1.x, 1 < x < 255) in the 'IP Address:' box.
8. Close the MacTCP control panel. If a dialog box pops up notifying you to do so, restart the system.
9. You may optionally ping the Linux box to test the network connection. If you have the freeware program MacTCP Watcher, click on the 'Ping' button, and enter the address of your Linux box (192.168.1.1) in the dialog box that pops up. (This is only a LAN connection test; you can't ping the outside world yet.)
10. You can optionally create a Hosts file in your System Folder so that you can use the hostnames of the machines on your LAN. The file should already exist in your System Folder, and should contain some (commented-out) sample entries which you can modify according to your needs.
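The address rules in section 11 (stay inside 192.168.1.0/24, never use .0 or .255, no duplicates, the gateway at .1) are easy to get wrong while walking from box to box with a pencil. The script below is an added example, not from this how-to or the HOWTO it quotes: it checks a planned machine list on the Linux box and prints the matching hosts-file lines for the ones that pass. The class C LAN and the gateway address are the ones used above; the machine list is constructed for illustration and deliberately includes two mistakes (the broadcast address, and an address on the wrong network), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the how-to or the HOWTO it quotes: check the private
# address plan for the hub side (section 11) before you type it into each
# Windows / DOS / Mac box, and print the matching hosts-file lines.
# Assumes the class C LAN 192.168.1.0/24 with the Linux host at .1; the
# machine list is constructed for illustration and includes two mistakes
# (the broadcast address and an address on the wrong network).

LAN_NET=192.168.1.0
LAN_MASK=255.255.255.0

# Constructed plan: "name address" per line.
PLAN='linux    192.168.1.1
win95    192.168.1.2
dosbox   192.168.1.3
mac      192.168.1.255
closet6  192.168.2.7'

# ip2int A.B.C.D -> the address as a 32-bit integer; status 1 if malformed.
# Runs in a subshell so the IFS change does not leak into the caller.
ip2int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# addr_status ADDRESS -> ok | network | broadcast | outside | malformed
addr_status() {
    a=$(ip2int "$1") || { echo malformed; return 1; }
    net=$(ip2int "$LAN_NET"); mask=$(ip2int "$LAN_MASK")
    bcast=$(( net | (mask ^ 0xFFFFFFFF) ))       # host bits all set
    if [ $(( a & mask )) -ne "$net" ]; then echo outside;   return 1; fi
    if [ "$a" -eq "$net" ];            then echo network;   return 1; fi
    if [ "$a" -eq "$bcast" ];          then echo broadcast; return 1; fi
    echo ok
}

# check_plan: prints "address<TAB>name" for every good entry, reports bad or
# duplicate entries on stderr, status 1 if anything was wrong.
check_plan() {
    printf '%s\n' "$PLAN" | {
        rc=0; seen=" "
        while read name addr; do
            [ -n "$name" ] || continue
            if ! st=$(addr_status "$addr"); then
                echo "$name $addr: $st" >&2; rc=1; continue
            fi
            case $seen in *" $addr "*)
                echo "$name $addr: duplicate" >&2; rc=1; continue;;
            esac
            seen="$seen$addr "
            printf '%s\t%s\n' "$addr" "$name"
        done
        exit "$rc"
    }
}
```

With the constructed list, "check_plan" prints the three good entries in hosts(5) form (append them to /etc/hosts on the Linux box, or copy them into the Mac Hosts file or a Windows LMHOSTS file) and complains about "mac 192.168.1.255: broadcast" and "closet6 192.168.2.7: outside". Fix the plan until it exits 0, then configure the clients from it.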