Daniel Kahlin: Connect Your LAN to the Internet using Linux Saturday, 20 April 2024, 04:55 (Stockholm)
 
Index  Music  Software  Articles  Links  
    Main  

Connect Your LAN to the Internet using PPP Dial-Up and Linux

Version 0.0.1 beta © 1999 Mikael Ejner, <mikael.ejner at linux dot nu>

Introduction

This document will tell you how to connect your small (or big) home network to the Internet using the one IP address dynamically assigned by your ISP. The method described may also by used for company LANs, and with minor modifications it could be applied to any network connection, such as ISDN, ADSL or any kind of permanent connection. This document will not provide the detail on how to configure your Ethernet adapters or your PPP connection, but will provide useful pointers to information on how to do that. Having followed the instructions in this document, you will finally have complete Internet access for all computers connected to your LAN, be it a Macintosh, Unix workstation, PC with Windows NT/98/95/3.11, Linux, SCO, FreeBSD, Solaris... etc, without having to modify any browser settings or anything like that. The gateway machine could be referred to as a transparent firewall, using Network Address Translation (NAT). One flavour of NAT is IP masquerading, which is used here. You will be able to bring your modem connection up and down from any client on the LAN that you think should have permission to do this. You will optionally have easy printer access, and a mail forwarding function for outgoing mail. Without any additional effort you will have an FTP-server and a web server. The software is free (with free source code), and the hardware need not be expensive. Techiques used in this solution include IP masquerading, firewalling, routing and a specialised client-server application to remotely (within the LAN) establish the modem connection on explicit demand. The platform for the gateway server is Red Hat Linux 5.2. Finally, a note for the faint at heart: No, you need NOT to recompile your kernel. If you are very new to Linux, gather some knowledge at the Linux official website www.linux.org before continuing with this. At the end of this document you find links to information, documentation and software referred to in this document.

Notably, the monetary cost for this installation is very low, provided that you already have the following (or equal):

  • A LAN with private IP addresses such as 10.x.x.x or 192.168.x.x.
  • A modem.
  • A dial-up Internet connection with a dynamically assigned IP address.
  • A strong desire to be able to reach the Internet from any machine on the LAN, not only from the one connected to the modem.

Disclaimer and Copyright

Permission to use, copy and distribute this document for non-commerical purposes is hereby granted, provided that the author's and/or editor's name and this notice appear in all copies and/or supporting documents and that this document is not modified. This document is distributed WITHOUT ANY WARRANTY, either expressed or implied. While every effort has been taken to ensure the accuracy of the information documented herein, the author and/or editor and/or maintainer assumes NO RESPONSIBILITY for errors, or for damages inflicted as a result of using the information documented herein.

Preparing for Installation

For the purpose of this document, let's assume that we have a small Ethernet LAN with one 10-Mbps hub, one laser printer, one 56k-modem and a bunch of computers.

We assume that the network has a basic functionality and, if no DNS or NIS services are available, that all hosts have all other hosts with IP addresses in their /etc/hosts.

The gateway (-router) and firewall (printer server, file server, intranet server, ...) in this network does not have very high performance requirements. Any machine fulfilling these requirements will be sufficient:

  • At least a 386DX processor. 486DX33 recommended.
  • At least 8 MB RAM. 16 MB recommended.
  • Ethernet adapter, 10 Mbps or better, supported by Linux (any NE2000 compatible will do)
  • A reasonably modern serial port, capable of at least 115200bps, UART16550A or better. UART8250 will NOT be enough.
  • Hard drive, 250 Mb or more. 500 Mb or more recommended.
  • 1.44 Mb Floppy drive.
  • A parallell port, if you want the machine to be a parallell port printer server.
  • A good thing is if the machine is able to boot without keyboard and monitor, if you want to hide it somewhere. Some machines have BIOS options this, some have not. Machines which refuse to boot without keyboards (e.g. Compaq Prolinea with PS/2) will have to be equipped with some fake keyboard plug (a couple of resistors for example). Send me a mail if you believe you have a solution. 

A monitor, mouse or keyboard is not necessary, you can borrow that from any other machine on the LAN for the installation procedure. If you have another machine with a CDROM (most likely you have that) you do not need a CD-ROM drive for this machine. The other machine could be a Unix machine winth NFS or a Windows machine.  To administer the gateway server when it is up and running you simply telnet och rlogin to it. If you have some kind of Unix box or an X-server for MS Windows or Macintosh, you will be able to use the graphical configuration tools such as control-panel (and comanche for apache). There are also web-based tools for some of the server applications, which you may use if you choose to install the web-server (Apache) when installing Red Hat.

Supplementary documents

The information supplied in this document merely presents an explanation on how to combine different techologies to form a system as described. Further information can be obtained in the documents listed below. Note that many of the documents describe how to configure a kernel with support for extra options. That is NOT necessary for achieveing the functionality described in this document, as long as you use Red Hat 5.2 or later, or any other Linux distribution with kernel version 2.0.36 or later.

  • Linux-FAQ
  • Ethernet-HOWTO
  • PPP-HOWTO
  • IP-masquerading Mini-HOWTO
  • Firewall-HOWTO
  • SMB-HOWTO
  • The manual page for ipfwadm.
  • Documentation and manual pages for pppd, Masqdialserver and its clients, samba, lpd, apache and ftpd.

I recommend that you read at least the IP-masquerading Mini-HOWTO and the man-page for ipfwadm (the IP Firewall administration tool). The HOWTO documents are included on the Red Hat distribution CDs.

Installing the software

Once you have gathered and assembled your hardware, it's time to collect the necessary software. This is the software you will need:

  • Linux; Red Hat 5.2. Other distributions could work just as well, but this is the one I use and refer to in this document. Make sure you use a modern distribution with kernel version 2.0.36 or later. The 2.2.x kernel uses a different firewall tool, so that part of this document is kernel version specific. Most of the software needed for the gateway server is included in this distribution.
  • Masqdialer Server, a client-server application that enable clients to activate the modem-connection on the gateway server.
  • Masqdialer Clients. Binaries and source are available for all major operating systems. Masqdialserver and links to appropriate clients are available at the web site in the "Links to..." section at the end of this document.

Installing Red Hat Linux 5.2

If your low-budget machine lacks a CD-ROM, you may borrow one from a machine on the LAN, or you may choose to do an FTP installation, a feature available in Red Hat Linux. You must then create an additional installation diskette (use your other Linux box for this), and when the installation program asks for the FTP URL for the installation server, you insert your Red Hat CD into your other Linux box, mount the CD-ROM, and supply the IP address of the Linux box as the FTP server URL. If you have not installed anonymous FTP on your other Linux box, you must also supply a username and password. If you haven't installed FTP at all on your other Linux box, now is a good time to do it. Just type
rpm -i /mnt/cdrom/RedHat/RPMS/ftp-0.10-3.rpm
and press ENTER. Now you have an FTP server, ready to use.

Now you may continue with your installation, during which you will be asked to supply a number of things. Some options are important for this kind of server. These are the choises I recommend you to du when prompted:

  • Choose "Custom installation".
  • Choose a name and an IP address (preferrably 10.0.0.254 for a class A network, or 192.168.x.254 for a class C network).
  • Do NOT supply a default gateway (There should only be exactly one, and that should be dynamically supplied by your PPP-connection).
  • Choose "IP forwarding".

These are the packages/applications you should choose to install:

  • ftp (and anonymous ftp, if you like)
  • network-tools
  • apache (web server, optional)
  • lpd (printer server, optional)
  • samba (choose this if you choose lpd)
  • jed (an emacs-like light-weight editor, if you know emacs you know this one)
  • sendmail (mail server, optional)
  • PPP.

Configuring a PPP dial-up connection

To configure a PPP connection, you may use Red Hat's netcfg. You must have a functional PPP-configuration for Masqdialer Server to be able to operate. If you use a modem, ISDN or even a leased line is not important for the rest of the document. Do not proceed with this unless you have an operational PPP dial-up (or equal) connection

Configuring IP masquerading

Prepare your clients by adding your ISP's DNS information in the appropriate place. In Linux, you add the following lines in your /etc/resolv.conf :

nameserver 195.53.105.124
nameserver 195.53.102.18

...for the primary and secondary DNS, respectively. Note that the numbers above are just an example. You may have more entries.

In Windows NT 4, you go Start->Settings>Control Panel->Network.->Protocols->TCP/IP->Properties->DNS and enter your numbers.

Now back to the gateway server. If you did not choose "IP forwarding" during the installation of Red Hat, you can do it now; start linuxconf and choose Config -> Networking -> Client tasks -> Routing and gateways -> Defaults. The "Default gateway" field should be empty and the "Enable routing" checkbox should be checked. Save and exit linuxconf.

For IP masquerading to work correctly for application protocols other than telnet and HTTP, you must first load the modules that the IP masquerading function uses. Add the following to your /etc/rc.d/rc.local :

/sbin/modprobe -v ip_masq_ftp      # Load module for FTP
/sbin/modprobe -v ip_masq_raudio   # Load module for Real Audio     
/sbin/modprobe -v ip_masq_irc      # Load module for IRC
/sbin/modprobe -v ip_masq_quake    # Load module for QUAKE
/sbin/modprobe -v ip_masq_cuseeme  # Load module for CUSEEME
/sbin/modprobe -v ip_masq_vdolive  # Load module for Voodoo Live

After that, you must set up the forwarding rules for IP masquerading. Add the following to your /etc/rc.d/rc.local :

# Default forwarding policy: deny
ipfwadm -F -p deny
# Add forwaring rule: Masquerade IP packets coming from our LAN.
ipfwadm -F -a m -S 10.0.0.0/8 -D 0.0.0.0/0

If you have a LAN with class C addresses, such as 192.168.100.x, you should instead have

ipfwadm -F -a m -S 192.168.100.0/24 -D 0.0.0.0/0

The number 24 is the netmask. It represents the number of binary '1's, counting from the left, that should be bitwise AND-ed with the IP address to obtain the network address. Consequently, 8 is for a class A network, 16 for a class B network and 24 for a class C network. For an exact match, i.e. a single host address, the number should be 32 (equivalent of 255.255.255.255), and for any adress the number should be 0.

If you du not want to reboot you may enter the above commands by hand at the command prompt as root. If everything works out well you should now be able to connect to your ISP (using /etc/sysconfig/network-scripts/ifup ppp0 if you used netcfg to configure your connection) and surf the web, transfer files, irc, play quake etc happily from all of your machines connected to the LAN. You may even use ping and tranceroute from the clients to servers on the Internet to verify the ICMP masquerading/forwarding works correctly.

Installing the Masqdialer Server

After installing Red Hat, you should install Masqdialserver (also known as mserver or c-mserver). Masqdialserver is able to handle multiple PPP accounts, and you may configure different access rights for different LAN users. Follow the instructions to install the software. There are RPMs available for download.

Configuring additional firewall functions

The default configuration of the firewall system is to accept all traffic wherever it is going, which may not always be what you want. As we already have a firewall installed in the box, we may add additional security to the system with much effort. Using ipfwadm, we could add the following to the /etc/rc.d/rc.local:

source /etc/rc.d/rc.firewall

...and in the /etc/rc.firewall:

# Default policy for incoming packets: deny
ipfwadm -I -p deny
# Allow everything from the LAN
ipfwadm -I -a accept -S 10.0.0.1/8 -D 0.0.0.0/0
# Open up ephemeral ports for traffic from the Internet
ipfwadm -I -P tcp -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 1025:65535
ipfwadm -I -P udp -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 1025:65535
# Open up for ICMP from the Internet (such as replies from ping)
ipfwadm -I -P icmp -a accept -S 0.0.0.0/0 -D 0.0.0.0/0

If you have an FTP server on your gateway machine that you want access to from the Internet (which is generally not recommended, as it introduces a security hole into your system),  you may also add the following:

# Open up for the FTP server:
ipfwadm -I -P tcp -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 21

Note that the destination IP address is left empty (0.0.0.0) because it will be dynamically assigned to your PPP interface when you connect. If you have a statically assigned public IP address instead, you should have that as your destination address in the above command.

If you have a telnet server on your gateway machine that you want access to, you add a line similar to the above, except for the destination port number, which should be 23 instead. These numbers correspond to the services listed in /etc/services, the so-called well known assigned port numbers. The ipfwadm command also supports service names instead of port numbers, i.e. ftp instead of 21, telnet instead of 23 etc.

Installing the printer server software

This section explains how set up a printer server, assuming that you have a local parallell or serial printer supported by Red Hat.

If you chose "lpd" when you installed Red Hat, the software is already installed. To configure the printer, use Red Hat's printtool. Configure your printer as a local printer, with options and settings that matches your printer. Make sure that you are able print a postscript test page before you continue.

When you have a functioning local printer, you should then add a file to your printer server:

/etc/hosts.lpd

In this file you specify which computers on your LAN should be able to use the printer. That is all you need to do in the server if you only have Unix clients on your LAN. To add the printer to your Unix clients in the network, install it as a "remote" printer. In Red Hat you would do this:

  1. Make sure you have lpd running on the client.
  2. Start the control-panel and choose the printtool.
  3. Choose "add printer". Your printer is a remote Unix printer using lpd.
  4. Choose the printer model you have from the list and set whatever options that matches your printer.
  5. For names and paths, you should leave the defaults. The remote queue name should be "lp".
  6. Try to print a postscript test page.

If you can't print, do an lpq to see what happened to printout.

If you want windows-based machines to be able to print, you must install the Samba package (included in Red Hat). The next section lists the steps you should perform after installing Samba.

Create a Samba guest user

When windows machines request services from your server, the processes that the requests generates are executed by this user. You must first create this user account with the following properties:

Login name     = samba
Full name      = Samba User     # For example
Group          = samba           # Default
Home directory = /home/samba    # Default
shell          = /bin/false
Password       = <no password>

To do this, you may use any user account tool, such the command line interfaces (useradd, adduser) or the graphical interface in Red Hat (available in the control-panel). You may also use linuxconf to do this. Linuxconf is either text-based or GTK-based (graphical) depending on where and you start it.

There is one problem about this, however, as the directory /home/samba is already created with user and group ownership "root". That was done when samba was installed. This is what you should do, step by step, if you are using linuxconf:

  1. Edit the file /etc/shells and add the line
    /bin/false
    at the end. The command does nothing and always returns with exit status 1, failure (and yes, there is a corresponding /bin/true).
  2. Start linuxconf and add the Samba User with the properties mentioned above, except that the home directory should be /home/bogus.
  3. Linuxconf may complain about having no password, so enter some bogus password.
  4. Exit linuxconf.
  5. Do chown samba /home/samba && chgrp samba /home/samba to make Samba User own the samba home directory (Note that this can only be done after the Samba User is created).
  6. Start linuxconf and change the properties for Samba User so that the home directory is /home/samba.
  7. Exit linuxconf.
  8. Edit the file /etc/passwd, go to the line starting with samba and remove the encrypted password (located between the first two colons). Replace the encrypted password with a star (*).

Modify your /etc/smb.conf

To allow the Samba User to operate on behalf of the windows machines, you should change the following lines in your /etc/smb.conf:

workgroup = WORKGROUP (or whatever your NT/95/98 machines have as workgroup)
null passwords = yes  (not needed)
guest account = samba

The settings for sharing printers are already set in this samba distribution.

When you have edit the file and saved your changes, restart samba with samba restart.

To configure your clients on the LAN, you may have to install drivers for your printer locally. In Windows NT 4, you choose "Start menu" -> "Settings" -> "Control Panel" -> "Printers" -> "Add printer" -> "Network Printer". If everything works, you should be able to see your printer server in the list. Double-click on it, and you should see the printer, "lp". Click OK. You will then be asked if this should be the default printer, and you may be prompted to choose a printer driver from a list.

When your printer is "installed" in Windows, you should try to print from some graphical application.

Other services you get for free

The system you have set up includes software for numerous additional services that you may want to use later. Some of these require no effort at all and are already activated (such as FTP and anonymous FTP). Some services are running with basic functionality, but require more configuration for advanced functions (The Apache Web Server). Other services not yet configured are Windows and Unix home directory servers using Samba and NFS, and name services for Windows and IP using Samba (WINS, PDC) and DNS. These functions gets more important as your network scales. Already with three or four machines, it's desirable to have a common home directory and login to avoid inconsistency. Having your bookmark.html in several places is not very comfortable.

This document does not cover the configuration of these services, so the reader is encouraged to study the HOWTOs to gain knowledge in these areas.

Setting up your Mail Server

Using sendmail, you have the possibility to send your mails directly to the receiver's mail server, without having to rely on any external intermediate mail server.

Notes for Swedish readers

Ett NE2000-kompatibelt 10Mbps-nätverkskort kan man få för under 200 kronor idag (ISA). Ett PCI kort kan kosta 50 kronor till. Ett 100MBps-kort kan kosta mellan 400 och 1500 kronor. En hub kostar 400-700 kronor för 10Mbps och bortåt 1500 för 100Mbps. Hubbarna har i regel 4-8 portar. Twisted-pair-kablar kostar runt 50-120 kronor för 2-25 meter. Gör dig själv en tjänst och använd en hub istället för koaxialkabel. En 486:a med 16Mb RAM kan man säkert få gratis. Jag köpte min 466DX2-66 med 40 Mb RAM och 270 MD HD för 140 kr (med tangenbord). Kom ihåg att skärm, tangentbord, mus och cd-rom inte behövs om du kan låna dessa tillfälligt från en annan dator.

Om du har problem med koppla upp dig med PPP mot de svenska ISP:arna Telia, Tele2, Utfors, SBBS, Telenordia etc, så har Dala Linux Users Group (www.dalug.linux.nu) flera bra tips.

Links to information and software

© 1999 Mikael Ejner <mikael.ejner at linux dot nu>

  

These pages are being maintained by Daniel Kahlin <daniel at kahlin dot net>. [kahlin.net]