Connect Your LAN to the Internet using PPP Dial-Up and Linux
Version 0.0.1 beta © 1999 Mikael Ejner, <mikael.ejnerlinuxnu>
Introduction
This document will tell you how to connect your small (or big) home network to the
Internet using the one IP address dynamically assigned by your ISP. The method described
may also by used for company LANs, and with minor modifications it could be applied to any
network connection, such as ISDN, ADSL or any kind of permanent connection. This document
will not provide the detail on how to configure your Ethernet adapters or your PPP
connection, but will provide useful pointers to information on how to do that. Having
followed the instructions in this document, you will finally have complete Internet access
for all computers connected to your LAN, be it a Macintosh, Unix workstation, PC with
Windows NT/98/95/3.11, Linux, SCO, FreeBSD, Solaris... etc, without having to modify any
browser settings or anything like that. The gateway machine could be referred to as a
transparent firewall, using Network Address Translation (NAT). One flavour of NAT is IP
masquerading, which is used here. You will be able to bring your modem
connection up and down from any client on the LAN that you think should have permission to
do this. You will optionally have easy printer access, and a mail forwarding
function for outgoing mail. Without any additional effort you will have an FTP-server and
a web server. The software is free (with free source code), and the hardware need not be
expensive. Techiques used in this solution include IP masquerading, firewalling, routing
and a specialised client-server application to remotely (within the LAN) establish the
modem connection on explicit demand. The platform for the gateway server is Red Hat Linux
5.2. Finally, a note for the faint at heart: No, you need NOT to recompile
your kernel. If you are very new to Linux, gather some knowledge at the
Linux official website www.linux.org before continuing
with this. At the end of this document you find links to information, documentation and
software referred to in this document.
Notably, the monetary cost for this installation is very low, provided that you already
have the following (or equal):
- A LAN with private IP addresses such as 10.x.x.x or 192.168.x.x.
- A modem.
- A dial-up Internet connection with a dynamically assigned IP address.
- A strong desire to be able to reach the Internet from any machine on the LAN, not only
from the one connected to the modem.
Disclaimer and Copyright
Permission to use, copy and distribute this document for non-commerical purposes is
hereby granted, provided that the author's and/or editor's name and this notice appear in
all copies and/or supporting documents and that this document is not modified. This
document is distributed WITHOUT ANY WARRANTY, either expressed or implied. While every
effort has been taken to ensure the accuracy of the information documented herein, the
author and/or editor and/or maintainer assumes NO RESPONSIBILITY for errors, or for
damages inflicted as a result of using the information documented herein.
Preparing for Installation
For the purpose of this document, let's assume that we have a small Ethernet LAN with
one 10-Mbps hub, one laser printer, one 56k-modem and a bunch of computers.
We assume that the network has a basic functionality and, if no DNS or NIS services are
available, that all hosts have all other hosts with IP addresses in their /etc/hosts.
The gateway (-router) and firewall (printer server, file server, intranet server, ...)
in this network does not have very high performance requirements. Any machine fulfilling
these requirements will be sufficient:
- At least a 386DX processor. 486DX33 recommended.
- At least 8 MB RAM. 16 MB recommended.
- Ethernet adapter, 10 Mbps or better, supported by Linux (any NE2000 compatible will do)
- A reasonably modern serial port, capable of at least 115200bps, UART16550A or better.
UART8250 will NOT be enough.
- Hard drive, 250 Mb or more. 500 Mb or more recommended.
- 1.44 Mb Floppy drive.
- A parallell port, if you want the machine to be a parallell port printer server.
- A good thing is if the machine is able to boot without keyboard and monitor, if you want
to hide it somewhere. Some machines have BIOS options this, some have not. Machines which
refuse to boot without keyboards (e.g. Compaq Prolinea with PS/2) will have to be equipped
with some fake keyboard plug (a couple of resistors for example). Send me a mail if you
believe you have a solution.
A monitor, mouse or keyboard is not necessary, you can borrow that from any other
machine on the LAN for the installation procedure. If you have another machine with a
CDROM (most likely you have that) you do not need a CD-ROM drive for this machine. The
other machine could be a Unix machine winth NFS or a Windows machine. To administer
the gateway server when it is up and running you simply telnet och rlogin to it. If you
have some kind of Unix box or an X-server for MS Windows or Macintosh, you will be able to
use the graphical configuration tools such as control-panel (and comanche for apache).
There are also web-based tools for some of the server applications, which you may use if
you choose to install the web-server (Apache) when installing Red Hat.
Supplementary documents
The information supplied in this document merely presents an explanation on how to
combine different techologies to form a system as described. Further information can be
obtained in the documents listed below. Note that many of the documents describe how to
configure a kernel with support for extra options. That is NOT necessary for achieveing
the functionality described in this document, as long as you use Red Hat 5.2 or later, or
any other Linux distribution with kernel version 2.0.36 or later.
- Linux-FAQ
- Ethernet-HOWTO
- PPP-HOWTO
- IP-masquerading Mini-HOWTO
- Firewall-HOWTO
- SMB-HOWTO
- The manual page for ipfwadm.
- Documentation and manual pages for pppd, Masqdialserver and its clients, samba, lpd,
apache and ftpd.
I recommend that you read at least the IP-masquerading Mini-HOWTO and the man-page for
ipfwadm (the IP Firewall administration tool). The HOWTO documents are
included on the Red Hat distribution CDs.
Installing the software
Once you have gathered and assembled your hardware, it's time to collect the necessary
software. This is the software you will need:
- Linux; Red Hat 5.2. Other distributions could work just as well, but this is the one I
use and refer to in this document. Make sure you use a modern distribution with kernel
version 2.0.36 or later. The 2.2.x kernel uses a different firewall tool, so that part of
this document is kernel version specific. Most of the software needed for the gateway
server is included in this distribution.
- Masqdialer Server, a client-server application that enable clients to activate the
modem-connection on the gateway server.
- Masqdialer Clients. Binaries and source are available for all major operating systems.
Masqdialserver and links to appropriate clients are available at the web site in the
"Links to..." section at the end of this document.
Installing Red Hat Linux 5.2
If your low-budget machine lacks a CD-ROM, you may borrow one from a machine on the
LAN, or you may choose to do an FTP installation, a feature available in Red Hat Linux.
You must then create an additional installation diskette (use your other Linux box for
this), and when the installation program asks for the FTP URL for the installation server,
you insert your Red Hat CD into your other Linux box, mount the CD-ROM, and supply the IP
address of the Linux box as the FTP server URL. If you have not installed anonymous FTP on
your other Linux box, you must also supply a username and password. If you haven't
installed FTP at all on your other Linux box, now is a good time to do it. Just type
rpm -i /mnt/cdrom/RedHat/RPMS/ftp-0.10-3.rpm
and press ENTER. Now you have an FTP server, ready to use.
Now you may continue with your installation, during which you will be asked to supply a
number of things. Some options are important for this kind of server. These are the
choises I recommend you to du when prompted:
- Choose "Custom installation".
- Choose a name and an IP address (preferrably 10.0.0.254 for a class A network, or
192.168.x.254 for a class C network).
- Do NOT supply a default gateway (There should only be exactly one, and that should be
dynamically supplied by your PPP-connection).
- Choose "IP forwarding".
These are the packages/applications you should choose to install:
- ftp (and anonymous ftp, if you like)
- network-tools
- apache (web server, optional)
- lpd (printer server, optional)
- samba (choose this if you choose lpd)
- jed (an emacs-like light-weight editor, if you know emacs you know this one)
- sendmail (mail server, optional)
- PPP.
Configuring a PPP dial-up connection
To configure a PPP connection, you may use Red Hat's netcfg. You must have a functional
PPP-configuration for Masqdialer Server to be able to operate. If you use a modem, ISDN or
even a leased line is not important for the rest of the document. Do not proceed with this
unless you have an operational PPP dial-up (or equal) connection
Configuring IP masquerading
Prepare your clients by adding your ISP's DNS information in the appropriate place. In
Linux, you add the following lines in your /etc/resolv.conf :
nameserver 195.53.105.124
nameserver 195.53.102.18
...for the primary and secondary DNS, respectively. Note that the numbers above are
just an example. You may have more entries.
In Windows NT 4, you go Start->Settings>Control
Panel->Network.->Protocols->TCP/IP->Properties->DNS and enter your numbers.
Now back to the gateway server. If you did not choose "IP forwarding" during
the installation of Red Hat, you can do it now; start linuxconf and choose Config ->
Networking -> Client tasks -> Routing and gateways -> Defaults. The "Default
gateway" field should be empty and the "Enable routing" checkbox should be
checked. Save and exit linuxconf.
For IP masquerading to work correctly for application protocols other than telnet and
HTTP, you must first load the modules that the IP masquerading function uses. Add the
following to your /etc/rc.d/rc.local :
/sbin/modprobe -v ip_masq_ftp # Load
module for FTP
/sbin/modprobe -v ip_masq_raudio # Load module for Real Audio
/sbin/modprobe -v ip_masq_irc # Load module for IRC
/sbin/modprobe -v ip_masq_quake # Load module for QUAKE
/sbin/modprobe -v ip_masq_cuseeme # Load module for CUSEEME
/sbin/modprobe -v ip_masq_vdolive # Load module for Voodoo Live
After that, you must set up the forwarding rules for IP masquerading. Add the following
to your /etc/rc.d/rc.local :
# Default forwarding policy: deny
ipfwadm -F -p deny
# Add forwaring rule: Masquerade IP packets coming from our LAN.
ipfwadm -F -a m -S 10.0.0.0/8 -D 0.0.0.0/0
If you have a LAN with class C addresses, such as 192.168.100.x, you should instead
have
ipfwadm -F -a m -S 192.168.100.0/24 -D 0.0.0.0/0
The number 24 is the netmask. It represents the number of binary '1's, counting from
the left, that should be bitwise AND-ed with the IP address to obtain the network address.
Consequently, 8 is for a class A network, 16 for a class B network and 24 for a class C
network. For an exact match, i.e. a single host address, the number should be 32
(equivalent of 255.255.255.255), and for any adress the number should be 0.
If you du not want to reboot you may enter the above commands by hand at the command
prompt as root. If everything works out well you should now be able to connect to your ISP
(using /etc/sysconfig/network-scripts/ifup ppp0 if you used
netcfg to configure your connection) and surf the web, transfer files, irc, play quake etc
happily from all of your machines connected to the LAN. You may even use ping and
tranceroute from the clients to servers on the Internet to verify the ICMP
masquerading/forwarding works correctly.
Installing the Masqdialer Server
After installing Red Hat, you should install Masqdialserver (also known as mserver or
c-mserver). Masqdialserver is able to handle multiple PPP accounts, and you may configure
different access rights for different LAN users. Follow the instructions to install the
software. There are RPMs available for download.
Configuring additional firewall functions
The default configuration of the firewall system is to accept all traffic wherever it
is going, which may not always be what you want. As we already have a firewall installed
in the box, we may add additional security to the system with much effort. Using ipfwadm,
we could add the following to the /etc/rc.d/rc.local:
source /etc/rc.d/rc.firewall
...and in the /etc/rc.firewall:
# Default policy for incoming packets: deny
ipfwadm -I -p deny
# Allow everything from the LAN
ipfwadm -I -a accept -S 10.0.0.1/8 -D 0.0.0.0/0
# Open up ephemeral ports for traffic from the Internet
ipfwadm -I -P tcp -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 1025:65535
ipfwadm -I -P udp -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 1025:65535
# Open up for ICMP from the Internet (such as replies from ping)
ipfwadm -I -P icmp -a accept -S 0.0.0.0/0 -D 0.0.0.0/0
If you have an FTP server on your gateway machine that you want access to from the
Internet (which is generally not recommended, as it introduces a security hole into your
system), you may also add the following:
# Open up for the FTP server:
ipfwadm -I -P tcp -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 21
Note that the destination IP address is left empty (0.0.0.0) because it will be
dynamically assigned to your PPP interface when you connect. If you have a statically
assigned public IP address instead, you should have that as your destination address in
the above command.
If you have a telnet server on your gateway machine that you want access to, you add a
line similar to the above, except for the destination port number, which should be 23
instead. These numbers correspond to the services listed in /etc/services,
the so-called well known assigned port numbers. The ipfwadm command also supports
service names instead of port numbers, i.e. ftp instead of 21,
telnet instead of 23 etc.
Installing the printer server software
This section explains how set up a printer server, assuming that you have a local
parallell or serial printer supported by Red Hat.
If you chose "lpd" when you installed Red Hat, the software is already
installed. To configure the printer, use Red Hat's printtool.
Configure your printer as a local printer, with options and settings that matches your
printer. Make sure that you are able print a postscript test page before you continue.
When you have a functioning local printer, you should then add a file to your printer
server:
/etc/hosts.lpd
In this file you specify which computers on your LAN should be able to use the printer.
That is all you need to do in the server if you only have Unix clients on your LAN. To add
the printer to your Unix clients in the network, install it as a "remote"
printer. In Red Hat you would do this:
- Make sure you have lpd running on the client.
- Start the control-panel and choose the printtool.
- Choose "add printer". Your printer is a remote Unix printer using lpd.
- Choose the printer model you have from the list and set whatever options that matches
your printer.
- For names and paths, you should leave the defaults. The remote queue name should be
"lp".
- Try to print a postscript test page.
If you can't print, do an lpq to see what happened to printout.
If you want windows-based machines to be able to print, you must install the Samba
package (included in Red Hat). The next section lists the steps you should perform after
installing Samba.
Create a Samba guest user
When windows machines request services from your server, the processes that the
requests generates are executed by this user. You must first create this user account with
the following properties:
Login name = samba
Full name = Samba User # For example
Group = samba
# Default
Home directory = /home/samba # Default
shell = /bin/false
Password = <no password>
To do this, you may use any user account tool, such the command line interfaces
(useradd, adduser) or the graphical interface in Red Hat (available in the control-panel). You may also use linuxconf
to do this. Linuxconf is either text-based or GTK-based (graphical) depending on where and
you start it.
There is one problem about this, however, as the directory /home/samba is already
created with user and group ownership "root". That was done when samba was
installed. This is what you should do, step by step, if you are using linuxconf:
- Edit the file /etc/shells and add the line
/bin/false
at the end. The command does nothing and always returns with exit status 1, failure (and
yes, there is a corresponding /bin/true).
- Start linuxconf and add the Samba User with the properties mentioned above, except that
the home directory should be /home/bogus.
- Linuxconf may complain about having no password, so enter some bogus password.
- Exit linuxconf.
- Do chown samba /home/samba && chgrp samba /home/samba
to make Samba User own the samba home directory (Note that this can only be done after the
Samba User is created).
- Start linuxconf and change the properties for Samba User so that the home directory is /home/samba.
- Exit linuxconf.
- Edit the file /etc/passwd, go to the line starting with
samba and remove the encrypted password (located between the first two colons). Replace
the encrypted password with a star (*).
Modify your /etc/smb.conf
To allow the Samba User to operate on behalf of the windows machines, you should change
the following lines in your /etc/smb.conf:
workgroup = WORKGROUP (or whatever your NT/95/98 machines have as workgroup)
null passwords = yes (not needed)
guest account = samba
The settings for sharing printers are already set in this samba distribution.
When you have edit the file and saved your changes, restart samba with samba restart.
To configure your clients on the LAN, you may have to install drivers for your printer
locally. In Windows NT 4, you choose "Start menu" -> "Settings"
-> "Control Panel" -> "Printers" -> "Add printer"
-> "Network Printer". If everything works, you should be able to see your
printer server in the list. Double-click on it, and you should see the printer,
"lp". Click OK. You will then be asked if this should be the default printer,
and you may be prompted to choose a printer driver from a list.
When your printer is "installed" in Windows, you should try to print from
some graphical application.
Other services you get for free
The system you have set up includes software for numerous additional services that you
may want to use later. Some of these require no effort at all and are already activated
(such as FTP and anonymous FTP). Some services are running with basic functionality, but
require more configuration for advanced functions (The Apache Web Server). Other services
not yet configured are Windows and Unix home directory servers using Samba and NFS, and
name services for Windows and IP using Samba (WINS, PDC) and DNS. These functions gets
more important as your network scales. Already with three or four machines, it's desirable
to have a common home directory and login to avoid inconsistency. Having your
bookmark.html in several places is not very comfortable.
This document does not cover the configuration of these services, so the reader is
encouraged to study the HOWTOs to gain knowledge in these areas.
Setting up your Mail Server
Using sendmail, you have the possibility to send your mails directly to the receiver's
mail server, without having to rely on any external intermediate mail server.
Notes for Swedish readers
Ett NE2000-kompatibelt 10Mbps-nätverkskort kan man få för under 200 kronor idag
(ISA). Ett PCI kort kan kosta 50 kronor till. Ett 100MBps-kort kan kosta mellan 400 och
1500 kronor. En hub kostar 400-700 kronor för 10Mbps och bortåt 1500 för 100Mbps.
Hubbarna har i regel 4-8 portar. Twisted-pair-kablar kostar runt 50-120 kronor för 2-25
meter. Gör dig själv en tjänst och använd en hub istället för koaxialkabel. En 486:a
med 16Mb RAM kan man säkert få gratis. Jag köpte min 466DX2-66 med 40 Mb RAM och 270 MD
HD för 140 kr (med tangenbord). Kom ihåg att skärm, tangentbord, mus och cd-rom inte
behövs om du kan låna dessa tillfälligt från en annan dator.
Om du har problem med koppla upp dig med PPP mot de svenska ISP:arna Telia, Tele2,
Utfors, SBBS, Telenordia etc, så har Dala Linux Users Group (www.dalug.linux.nu) flera bra tips.
Links to information and software
© 1999 Mikael Ejner <mikael.ejnerlinuxnu>
|