Using Linux To Share An Optus Cable Modem; Pt.1 - SILICON CHIP, November 2002
Articles in this series:
  • Using Linux To Share An Optus Cable Modem; Pt.1 (November 2002)
  • Using Linux To Share An Optus Cable Modem; Pt.2 (December 2002)
  • Using Linux To Share An Optus Cable Modem; Pt.3 (January 2003)
  • Using Linux To Share An Optus Cable Modem; Pt.4 (February 2003)

COMPUTERS: Linux & Cable Modems

Using Linux to Share an Optus Cable Modem Internet Connection

Pt.1: Getting the Cable Modem Working

A Linux box connected to a cable modem is ideal for sharing an Internet connection between PCs on a small local area network (LAN). It’s generally faster than using Windows’ Internet Connection Sharing and you don’t need fancy hardware to run Linux. And it’s easy to set up.

By JOHN BAGSTER

This article describes my adventures with an Optus@Home cable modem and RedHat 7.0 Linux, but the principles are similar for Bigpond Advance and for other variations of Linux.

You do not need to be a rocket scientist to get a cable modem going with Linux but you do need to be comfortable with installing Linux and basic things like typing files, editing them, creating folders (directories) and shutting down, etc.

You don’t need fancy hardware for a Linux gateway and just about any old PC (Pentium 133MHz or better) will do the job. So if you have an old PC that’s gathering dust because you haven’t the heart to throw it out, it can be resurrected and pressed into service. If you don’t have one, scrounge it – there are lots of old machines “out there”. It only has to have 64MB of RAM and a 1GB hard drive, although you might be able to get away with 32MB of RAM and a 540MB hard drive at a pinch.

To make scrounging even easier, you don’t even need a monitor or a keyboard once you have it all set up. Nor are CD-ROM and floppy disk drives necessary once Linux is installed. You will need to have all these items for installation and setting up though – perhaps temporarily borrowed from another machine.

You also need two network cards – one to connect to the cable modem and the other to connect to your network hub. Speed isn’t an issue here and 10MB cards, even ISA types if you can get them going with Linux, will do the job. However, PCI plug and play network cards are easier to get going, as Linux is very good at detecting these.

Installing Linux

How many of the Linux packages do you need to install for a gateway and firewall? Not many actually and in fact, the less you install, the better. That’s because the less stuff you have installed, the harder it will be for someone to hack in and wreak havoc.

For example, you don’t normally require any web, ftp or email servers, nor do you require any games. In fact, you don’t even need the GUI (graphical user interface) – either Gnome or KDE. All you require is basic networking, the DHCP client (ie, dhcpcd – not to be confused with dhcpd), named (part of bind) and the DHCP server (ie, dhcpd). Both named and dhcpd will make life easier but are not essential. And that is all you really need. My installation took up about 500MB and I think I installed too much!

By the way, if you have an existing Linux PC you could configure that as a gateway and firewall, but for security reasons I would advise against it. Leave it alone and set up a separate Linux PC just as a gateway and firewall.

Note that the following article is specific to RedHat Linux. The procedure should be similar for other distributions although some file names may be different or the files may be installed in different folders.

To set up the system, you must be logged in as root so be very careful! User root can do just about anything and a wrong command can totally destroy a Linux installation.

During installation, Linux will identify your two network (ethernet) cards as eth0 and eth1. We’ll assume here that eth0 is connected to your internal (Windows PC) network (ie, to the hub) and that eth1 is connected to the cable modem. However, it doesn’t matter if they are the other way around – just swap them in this article.

Fig.1: you can test the network card in a Linux box by entering the command ifconfig eth0 at a terminal window. Additional network cards can be tested in the same manner; eg, ifconfig eth1.

When setting up, the card for the internal network is given a fixed IP address, while the external network card (ie, the card that connects to the cable modem) is assigned a dynamic IP. I used a fixed IP of 192.168.0.2 and the PC was named “firewall” but you can change these to suit yourself.

When installing Linux, it’s just a matter of making sure that “Configure with DHCP” is not set for eth0. You then feed in the IP address (192.168.0.2), subnet mask (255.255.255.0), the network address (192.168.0.0), and the broadcast address (192.168.0.255). Don’t worry about the primary, secondary and tertiary DNS addresses or the gateway address.

Conversely, “Configure with DHCP” must be set to “on” for eth1, as the cable modem supplies the IP address. Set both cards to “Activate on boot” and select the option to boot in text mode (choose graphical only if you decide to install the GUI).

Don’t worry if you get the networking information wrong or are not sure what to enter during installation, as you can check and fix it later. I have done about half a dozen Linux installations and have finished up with the same number of incorrect network configurations (usually I forget about the second network card and it isn’t enabled by default)!

Once setup is complete, check that dhcpcd has been installed (you will not get a cable modem going without it). It will more than likely be in the /sbin directory and there should be an /etc/dhcpcd directory as well.

Now check on named and dhcpd. These will probably both be in the /usr/sbin directory, and will also have scripts of the same name in the /etc/rc.d/init.d directory. If any of these are missing you can install the appropriate rpm (Red Hat Package Manager file) and any of its dependents. RedHat 7.0 has dhcpcd in the dhcpcd rpm, named in the bind rpm and dhcpd in the dhcp rpm.

Checking the network cards

RedHat 7.0 is very good at finding network cards so the installation should have found both without any trouble – especially if they are both PCI types. Note, however, that earlier versions (eg, 6.2) weren’t very good at finding a second card.

If one of the network cards hasn’t been detected (or you think it hasn’t), take a look at /etc/modules.conf. It should look something like this:

    alias eth0 tulip
    alias eth1 pcnet32
    alias parport_lowlevel parport_pc
    alias usb-controller usb-uhci

What you are looking for here are entries for both eth0 and eth1 (note: the driver modules will probably be different on your PC). If they are both there, then both network cards have been found. If not, try shutting down and restarting, especially if only eth0 is there. The second card may then be detected on restart.

If it isn’t, then you will either have to work out which module(s) are required and manually load them or try a different type of card. There’s plenty of information on this in the “Ethernet-HowTo”.

In the above example, “tulip” and “pcnet32” are the modules that are loaded for the particular network cards. They are the equivalent of device drivers in Windows. Unfortunately, they are usually not much help in identifying which card is which. In my case, eth0 is a PCI Netgear type, while eth1 is an on-board AMD type – so “tulip” and “pcnet32” by themselves don’t help with identification!

If your two cards are different and you don’t know which is which, then (provided they are PCI cards) you can type

    cat /proc/pci|more

in a console window. This will identify the cards and list their IRQ assignments. If you then type

    cat /proc/interrupts

the IRQs will tell you which is eth0 and which is eth1.

Fig.2: you can test the local network by pinging the IP address of each of the Windows PCs in turn – eg, ping 192.168.0.2 -c 1 -w 1. The “-c” switch sets the number of pings, while the “-w” switch sets the timeout.

If you can’t get Linux to find the second card you can edit /etc/modules.conf and add the line for the second card yourself. The “Ethernet-HowTo” lists the driver modules for a range of ethernet cards. If you don’t know what module to use, use two identical ethernet cards and insert a line for eth1 that uses the same module as eth0.

Checking network setup

Once both network cards are recognised, you can check the network configuration. At this stage, you do NOT want the PC connected to the cable modem.

If you are feeling lucky you can use Linuxconf to check the network configuration and hope that it works. Linuxconf never works for me so I prefer to check the appropriate files manually.

First, there must be a configuration file for each network card. If they don’t exist, you will have to create them using a text editor (eg, vi). One or both of these files may be missing, depending on what you did during the installation. They are: /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/sysconfig/network-scripts/ifcfg-eth1 respectively.

Assuming that eth0 is connected to your internal network, its file should look like this:

    DEVICE=eth0
    BOOTPROTO=static
    BROADCAST=192.168.0.255
    IPADDR=192.168.0.2
    NETMASK=255.255.255.0
    NETWORK=192.168.0.0
    ONBOOT=yes

The order of the lines is not important but note that all text on the lefthand side of the “=” symbols must be in upper case. Conversely, the letters on the righthand side must be in lower case, as shown. In addition, all text on the righthand side can be in quotes (but this isn’t necessary).

The BOOTPROTO=static line tells Linux that this network card has fixed network parameters. This line can be left out as this is the default anyway. The ONBOOT=yes line tells Linux you want the network card to be configured when networking is started (ie, when the PC is started).
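
An added example, not part of the original article: a shell check that the NETWORK and BROADCAST lines of a static ifcfg file agree with its IPADDR and NETMASK, so a mistyped address is caught before networking is restarted. The function names are this example's own; the embedded sample is the ifcfg-eth0 file shown above.

```shell
#!/bin/sh
# Added example: consistency check for a static ifcfg file.
# Function names are this example's own, not part of RedHat's scripts.

# ip_to_int A.B.C.D -> prints the address as one integer; fails if malformed.
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0[0-9]*) return 1 ;; esac   # reject leading zeros
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> prints N as a dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ifcfg_get FILE KEY -> value of the last KEY= line, quotes removed.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

# The article's ifcfg-eth0, used as the sample input.
article_eth0() {
    cat <<'EOF'
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.2
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
EOF
}

# check_static_ifcfg FILE -> prints each problem, returns the problem count.
check_static_ifcfg() {
    file=$1; problems=0
    ip=$(ip_to_int "$(ifcfg_get "$file" IPADDR)") ||
        { echo "IPADDR missing or malformed"; return 1; }
    mask=$(ip_to_int "$(ifcfg_get "$file" NETMASK)") ||
        { echo "NETMASK missing or malformed"; return 1; }
    inv=$(( ~$mask & 4294967295 ))            # host bits of the mask
    if [ $(( $inv & ($inv + 1) )) -ne 0 ]; then
        echo "NETMASK is not a contiguous run of 1 bits"
        problems=$((problems + 1))
    fi
    want_net=$(int_to_ip $(( $ip & $mask )))
    want_bcast=$(int_to_ip $(( ($ip & $mask) | $inv )))
    net=$(ifcfg_get "$file" NETWORK)
    bcast=$(ifcfg_get "$file" BROADCAST)
    if [ -n "$net" ] && [ "$net" != "$want_net" ]; then
        echo "NETWORK=$net but IPADDR/NETMASK imply $want_net"
        problems=$((problems + 1))
    fi
    if [ -n "$bcast" ] && [ "$bcast" != "$want_bcast" ]; then
        echo "BROADCAST=$bcast but IPADDR/NETMASK imply $want_bcast"
        problems=$((problems + 1))
    fi
    # An omitted BOOTPROTO means static, per the article; "none" is also static.
    case "$(ifcfg_get "$file" BOOTPROTO)" in
        ""|static|none) ;;
        *) echo "BOOTPROTO is not static although IPADDR is set"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Check the file named on the command line, else the article's sample.
if [ $# -gt 0 ]; then
    check_static_ifcfg "$1"
else
    tmp=$(mktemp)
    article_eth0 > "$tmp"
    if check_static_ifcfg "$tmp"; then echo "article sample: consistent"; fi
    rm -f "$tmp"
fi
```

On the gateway itself, pass /etc/sysconfig/network-scripts/ifcfg-eth0 as the argument.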

The /etc/sysconfig/network-scripts/ifcfg-eth1 file should look like this:

    DEVICE=eth1
    BOOTPROTO=dhcp
    DHCP_HOSTNAME="ab1234567-z"
    ONBOOT=yes

The rules governing the order, case, quotes, etc, are the same as for eth0.

The text in quotes on the DHCP_HOSTNAME line is the name that Optus has assigned you. If you currently have a Windows PC connected to your cable modem, you can discover this name by right-clicking Network Neighborhood (or My Network Places), selecting Properties from the drop-down menu and then clicking on the Identification tab. As far as I know, this name is no longer required but it can’t hurt to include it.

The BOOTPROTO=dhcp line tells Linux that the configuration addresses for this network card will be assigned to it – in this case by the ISP. This is why this file does not have any IP addresses, etc included. It is the equivalent of selecting “Assign An IP Address Automatically” in the TCP/IP Properties dialog box of Network Neighbourhood on a Windows PC.

When RedHat Linux sees the BOOTPROTO=dhcp line, it attempts to run the /sbin/pump program to do the work. If this program starts without an error then well and good. Alternatively, if it fails, then /sbin/dhcpcd is run.

The problem with this is that /sbin/pump does not work properly with cable modems! However, the /sbin/dhcpcd program does work, so the /sbin/pump program has to be stopped from starting in the first place. The easiest way of doing this is to change the permissions of /sbin/pump to 644.

How do you do that? Easy – just type

    chmod 644 /sbin/pump

(eg, in a terminal window) and press <Enter>. This will change its file permissions from -rwxr-xr-x to -rw-r--r-- which means that it cannot be executed as a program.

You will now see a pump protection error message when the Linux networking starts but this doesn’t matter. The important thing is that pump cannot run and hence dhcpcd will instead. You could be a bit more drastic and delete /sbin/pump if you wanted to, of course.

IP forwarding

At this stage, Linux still isn’t going to talk to the Internet because the Internet does not use internal network addresses such as 192.168.0.x. There is a way around this, though.

Linux has the ability to forward Internet addresses from your internal network to an external network (this is where the “gateway” part comes in). However, this is disabled by default so we have to enable it.

RedHat Linux has a file called /etc/sysctl.conf and you need to edit this to enable IP forwarding. The default file looks like this:

    # Disables packet forwarding
    net.ipv4.ip_forward = 0
    # Enables source route verification
    net.ipv4.conf.all.rp_filter = 1
    # Disables automatic defragmentation (needed for
    # masquerading, LVS)
    net.ipv4.ip_always_defrag = 0
    # Disables the magic-sysrq key
    kernel.sysrq = 0

You will have to edit this file and also add some extra lines so that it looks like this:

    # Enables packet forwarding
    net.ipv4.ip_forward = 1
    # Enables source route verification
    net.ipv4.conf.all.rp_filter = 1
    # Enables automatic defragmentation (needed for
    # masquerading, LVS)
    net.ipv4.ip_always_defrag = 1
    # Disables the magic-sysrq key
    kernel.sysrq = 0
    # Extra lines added:
    # Enables dynamic-ip address hacking in IP MASQ
    # (needed for dhcp)
    net.ipv4.ip_dynaddr=1
    # The following enables the LooseUDP patch which
    # some Internet-based games require
    # If you are trying to get an Internet game to work and
    # you have set it up to the best of your ability without
    # it working, include this option. Leave it commented
    # out unless required.
    # net.ipv4.ip_masq_udp_dloose=1

I have not used the last line in my file. Apparently it can cause security problems, so don’t remove the “#” (which comments the line out) unless you have to. My son plays lots of Internet games and so far it has not been necessary to include it.

If you are using a different Linux distribution, this file may not exist.
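
An added example, not from the original article: a shell audit of a sysctl.conf-style file against the gateway settings listed above, which also flags the LooseUDP line if it has been uncommented. The function names are this example's own, and the embedded file is the default one shown above.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file for the gateway settings
# described in the article. Function names are this example's own.

# sysctl_value FILE KEY -> effective value of KEY: comment lines are
# ignored, spaces around "=" are allowed and the last assignment wins.
# Prints nothing when KEY is not set.
sysctl_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                 # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# The default RedHat file as printed in the article, used as sample input.
default_sysctl() {
    cat <<'EOF'
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Disables automatic defragmentation (needed for
# masquerading, LVS)
net.ipv4.ip_always_defrag = 0
# Disables the magic-sysrq key
kernel.sysrq = 0
EOF
}

# audit_gateway_sysctl FILE -> prints findings, returns how many there are.
audit_gateway_sysctl() {
    file=$1; findings=0
    # Keys the article's edited file sets to 1.
    for key in net.ipv4.ip_forward net.ipv4.conf.all.rp_filter \
               net.ipv4.ip_always_defrag net.ipv4.ip_dynaddr; do
        val=$(sysctl_value "$file" "$key")
        if [ "$val" != "1" ]; then
            echo "FAIL $key is '${val:-unset}', expected 1"
            findings=$((findings + 1))
        fi
    done
    # The article leaves this line commented out unless a game needs it.
    if [ "$(sysctl_value "$file" net.ipv4.ip_masq_udp_dloose)" = "1" ]; then
        echo "WARN net.ipv4.ip_masq_udp_dloose is enabled"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit the file named on the command line, else the embedded default file.
if [ $# -gt 0 ]; then
    audit_gateway_sysctl "$1"
else
    tmp=$(mktemp)
    default_sysctl > "$tmp"
    audit_gateway_sysctl "$tmp" || echo "findings in the default file: $?"
    rm -f "$tmp"
fi
```

On the gateway, pass /etc/sysctl.conf as the argument; a return status of 0 means every expected key is set and the LooseUDP line is still commented out.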

On a distribution without /etc/sysctl.conf, IP forwarding can be enabled by creating your own script file as follows and including it somewhere in the system start-up:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "1" > /proc/sys/net/ipv4/ip_always_defrag
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # if you require it:
    #echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose

If you wish, these lines could be added to the end of the /etc/rc.d/rc.local file, since this file is executed each time the computer boots.

That said, editing sysctl.conf is the preferred method of enabling IP forwarding in RedHat Linux, as ip_forward and ip_always_defrag are both set to 0 when you shut down the network. If you have enabled these by editing sysctl.conf, then they will be set to 1 again when you restart the network. However, if you use a separate start-up script, then this would also have to be run after restarting the network.

Testing the network setup

If you know which network card is eth0 and which is eth1 then you can skip this section.

At this stage, eth0 should be configured but eth1 won’t be because the cable modem hasn’t been connected to it (which means that the DHCP parameters cannot be retrieved).

Now type

    /sbin/ifconfig eth0

and check that eth0 is there with its correct IP address, etc – see Fig.1. If not, configure it by typing

    /sbin/ifup eth0

This done, type /sbin/ifconfig again to see if it is there. If it isn’t, go back and check /etc/sysconfig/network-scripts/ifcfg-eth0 and also /etc/modules.conf. You could also type

    cat /proc/interrupts

to make sure the eth0 card shows up in that. If it doesn’t, then you have a hardware problem or Linux does not know about the particular card you are using.

Once eth0 is showing up in ifconfig, install network cards into your Windows PCs and assign them fixed IP addresses; eg, 192.168.0.2, 192.168.0.3, etc – see Fig.3 (this is just temporary – we’ll show you how to dynamically assign IP addresses by setting up DHCP on the Linux box next month).

You can then test whether or not the network is working by attempting to ping the Windows boxes from your Linux box; ie:

    ping 192.168.0.x -c 1 -w 1

where “x” is the number assigned to an individual Windows PC. If the network is working, you should get a response similar to that shown in Fig.2. If you cannot ping your Windows PCs, check the cabling, IP addresses, etc.

Testing the modem

Once you have identified the network cards in your Linux box, you can test your cable modem.

A word of caution here: at this stage, your Linux PC has no firewall and is very vulnerable to nasty people on the Internet who like to search out and destroy things.
An unprotected Linux PC is an answer to their prayers because it is capable of doing so many things; eg, a Linux PC can operate as a server, depending on what you have installed.

When you do plug in the cable modem, leave it plugged in just long enough to test it. You should only need to have it connected for a minute at the most.

OK, you can now connect your modem to eth1 by transferring the cable over from your Windows PC. If you need to use a different cable, it must be a straight through type (ie, the type you would use to connect a PC to a hub or switch) – do not use a crossover cable.

The next part is very important! You must now switch off the power to your cable modem and then switch it back on again after all its indicator LEDs go out. You can do this by either switching it off at the power point and then back on or by unplugging the power cable from the back of the modem and then plugging it back in again. Note that simply switching the modem off via the switch on the front of it is not good enough (I wasted days trying to get it to work because of this).

The reason that the power must be removed briefly is that every network card has what is called a MAC (Media Access Control) address which should be unique. The cable modem remembers this address and will refuse to work if it changes! Removing the power causes the modem to lose its memory and it will load the address again when power is reapplied. Of course, the address will now be different because it is connected to a new network card.

The next step is to restart the network on your Linux PC by typing:

    /etc/rc.d/init.d/network restart

If you are enabling IP forwarding via a start-up script (rather than via sysctl.conf), you will have to run that script as well. Alternatively, you can reboot the PC.

You should see a message that /sbin/pump failed to start, which is correct. If the command takes a minute or so and times out, try removing and reapplying power to the cable modem again.
Now try typing /sbin/ifup eth1 again. If it still doesn’t work, then start looking for hardware problems.

For example, you could try swapping the eth0 and eth1 configuration files and plug the modem into the eth0 card if you know that eth0 works. Don’t forget to remove the power to the modem and reapply it again. After restarting the network (/etc/rc.d/init.d/network restart), check that eth0 “sees” your modem (/sbin/ifup eth0).

Once the cable modem has been recognised, try pinging an Internet site. You should get a response. Hit <Ctrl>-C to stop a Linux box from pinging.

Bigpond wrinkles

If you are using Bigpond, there is one more thing you must do to get full Internet access. We’ll get to that shortly. However, you can test that the connection is working properly by typing:

    ftp dce-server

If it is working, you should get an ftp login prompt. Hit <Ctrl>-C to exit from this prompt.

Testing the Optus connection

You can test the Optus connection by typing:

    cat /etc/resolv.conf

The response should look something like this:

    domain qld.optushome.com.au
    nameserver 203.2.75.132
    nameserver 198.142.0.51
    search qld.optushome.com.au

The addresses may be different and the “qld” may be “nsw” or “vic” or whatever (depending on your state) but it should look something like the above. Fairly obviously, the domains, etc, will be different for a Bigpond connection.

Shut it down

Now that you have proved that the cable modem works with your Linux PC you should shut down the eth1 network. Do this by typing ifdown eth1, then unplug the modem and reconnect it to your Windows PC. Don’t forget to remove and reapply the power to the modem again so that it picks up the network card MAC address for the Windows PC!

Getting Bigpond going

If you are using Optus@Home, that is all you have to do to get the cable modem talking to Linux. However, if you are using Bigpond Advance, you also need to download a utility called bpalogin (use a search engine to find suitable download sites) and install it.

Once it’s installed, edit /etc/bpalogin.conf and insert your username and password as follows:

    debuglevel 1
    username myusername
    password mypassword

You now place bpalogin in your system startup so that it starts after eth1. The command to start it is:

    /path/bpalogin -c /etc/bpalogin.conf

where /path is the directory bpalogin resides in (probably /usr/bin or /usr/sbin).

By the way, I haven’t used Bigpond Advance and hence have not installed or configured bpalogin. Apparently, it has a startup script supplied that you can use. I also assume that bpalogin runs as user root.

For security, since /etc/bpalogin.conf contains your account and password, you should protect it so that only root can read it:

    chmod 400 /etc/bpalogin.conf
    chown root /etc/bpalogin.conf
    chgrp root /etc/bpalogin.conf

Check out http://www.luv.asn.au/overheads/broadbandhowto/x54.html for more information on configuring Bigpond Advance. For more information on bpalogin, go to http://www.linuxathome.net/bpalogin.php

Now you can relax with the knowledge that it is all going to work!

Pt.2 next month will describe how to set up a name server and a DHCP server on your Linux box – this will make it really easy to configure your Windows PCs. Pt.3 will show you how to set up a secure firewall, while Pt.4 will have information on firewall logging and using the Linux box without a keyboard, monitor or mouse. There’s even information on how to shut Linux down in an orderly fashion just by pressing the power switch – provided you have an ATX power supply, that is!

Itching To Go? – Modify The Silicon Chip Firewall

If you’re really itching to start using your Linux box, you can use a slightly modified version of the firewall found in the June 2001 issue of SILICON CHIP. This involves removing the following lines from the firewall as these are for a dialup modem, not a network card and cable modem:

    # Set telnet, www, smtp, pop3 and FTP for minimum delay
    /sbin/ipchains -A output -p tcp -d $ANY 80 -t 0x01 0x10
    /sbin/ipchains -A output -p tcp -d $ANY 22 -t 0x01 0x10
    /sbin/ipchains -A output -p tcp -d $ANY 23 -t 0x01 0x10
    /sbin/ipchains -A output -p tcp -d $ANY 21 -t 0x01 0x10
    /sbin/ipchains -A output -p tcp -d $ANY 110 -t 0x01 0x10
    /sbin/ipchains -A output -p tcp -d $ANY 25 -t 0x01 0x10
    # Set ftp-data for maximum throughput
    /sbin/ipchains -A output -p tcp -d $ANY 20 -t 0x01 0x08

You also need to change all references to ppp0 in the firewall to either eth1 or eth0 (depending on the card that’s connected to your cable modem). In addition, if you have edited sysctl.conf to enable IP forwarding, etc, you can also remove the relevant lines from the start of the firewall (although it won’t matter if you don’t).

Finally, because named isn’t running (yet), you will have to manually configure your Windows PCs with the nameserver IP addresses found in /etc/resolv.conf. This simply involves adding those IP addresses into the DNS search list of the TCP/IP properties dialog box of each Windows PC. You also have to enter the gateway address (ie, 192.168.0.1) into each Windows PC. Fig.4 & Fig.5 show how this is done.

Further detailed information on manually configuring your Windows PCs can be found on pages 19-20 of the May 2001 issue of SILICON CHIP.

Fig.3: each Windows machine is given a unique IP address while the subnet mask is always the same; ie, 255.255.255.0.

Fig.4: the IP address of the Linux gateway (192.168.0.1) must be entered in the Gateway dialog box. Do this for all Windows PCs.

Fig.5: the IP addresses of the nameservers must also be entered. You get these numbers from the resolv.conf file on the Linux box.

Iptables Is Taking Over From Ipchains

RedHat Linux 7.0 and later versions include an updated replacement for ipchains called iptables, although ipchains is still installed (and RedHat still defaults to the ipchains script in /etc/rc.d/init.d). What if you want to run iptables instead?

Fortunately, you don’t have to understand iptables to create your own firewall. Many Linux distributions now include graphical firewall configuration utilities, or you can use a third-party configuration utility; eg, Firestarter (note: Firestarter works with both iptables and ipchains).

Alternatively, you could download and modify an iptables firewall from the net to suit your own requirements. Two possible starting points are:

    www.spodzone.org.uk/packages/secure/iptables.sh
    www.amber.co.uk/files/iptablesrc

Don’t forget to change any references to ppp0 (which is for a dial-up modem) to eth1 (or eth0) if using a cable modem.

Finally, you should turn off all unwanted services on your Linux box. Refer to the Linux articles in the May, June, August & September 2001 issues of SILICON CHIP for details on improving security.