Silicon Chip, June 2001
Using Linux To Share An Internet Connection; Pt.2
Last month, we looked at connecting a small local area network to
a Linux box, intended for use as a gateway so that all the machines
could share an Internet connection. This month, we are going to
connect the Linux box to the Internet, configure it for demand
dialling and set up a firewall.
By GREG SWAIN
There’s a lot to think about when setting up an Internet
gateway for a small LAN. One thing that you definitely
don’t want it to do is hold the line open indefinitely if you
forget that you’re connected – and maybe run up a big bill
with your ISP (Internet Service Provider) in the process!
Similarly, you don’t want it repeatedly dialling out,
connecting and disconnecting, if there is something wrong
at your ISP’s end. This could be a real problem if you run
a program that automatically triggers dial-outs according
to a preset schedule – eg, an email server that regularly
connects to send and retrieve email.
A 20-cent local call mightn’t sound like much but
several thousand calls made at 1-minute intervals over a
long-weekend will give you a real pain in the wallet. Do
the sums – ouch!
This Linux gateway overcomes the above problems by
automatically disconnecting after a preset “idle” time (ie,
when there has been no Internet traffic) and by limiting
the number of unsuccessful connection attempts. You can
adjust both the idle time and the number of connection
attempts to your liking.
Another important thing to be considered is security.
There are plenty of bad guys out there on the Internet, just
waiting to hack their way in and wreak all kinds of havoc.
We’ll tackle that problem as well.
Actually, we’re going to cover a fair bit of ground this
month to get the gateway working. First, we’re going to set
up the modem, then we’re going to get pppd (the point-to-point
protocol daemon that drives the dial-up link) working. After that, we’re going
to cover demand dialling, IP masquerading, IP forwarding
and firewalling.
Fig.14: the “modemtool” utility is used to create the link
between your modem and the file /dev/modem by selecting
the relevant serial port.
What is IP masquerading?
“IP masquerading” might sound intimidating but the
concept is really very simple. Our problem is that we want
to give all the client machines on our network simultaneous
Internet access. But how do we do that when each client
has a different IP address – especially when 192.168.0.x
addresses are private addresses that are never routed on the Internet?
The answer is to use IP masquerading. This “hides” the
real IP packet addresses coming from the clients, so that it
appears that everything is coming from a single machine; ie,
the Linux box. This is done by translating local IP packet
addresses into a valid Internet IP number before relaying
the packets out onto the Internet.
Conversely, IP masquerading translates any incoming
packets into local addresses, so that they can be correctly
forwarded to the client machines.
Where does the valid Internet IP number come from?
Answer – it’s dynamically assigned by your ISP to the
PPP adapter in the Linux box each time it dials out and
connects. This means that your Linux box has two IP
numbers while ever it is connected to the Internet – a valid
IP address bound to the PPP adapter and a static IP (ie,
192.168.0.2) bound to the network card (eth0).
It’s the IP number assigned to the ppp adapter when you
connect that your ISP recognises (not the IP numbers of
the individual clients). Basically, IP masquerading works
transparently in the background, translating IP addresses
back and forth between the dynamically assigned Internet
IP number and the IP addresses of the clients. It’s really
all something of a masquerade – hence the name “IP
Masquerading”.
IP Masquerading is carried out in Linux using a program
called “ipchains” (older distributions of Linux used “ipfwadm”,
and the 2.4-series kernels in the newest distributions use “iptables”,
although they also provide an ipchains compatibility module so the
scripts in this article still work). This program is also used for building a firewall,
so the rules are often bundled together in a single script
file. More on this later.
By the way, IP masquerading is a form of Network Address
Translation (NAT) – the same technique as used by Microsoft’s
Internet Connection Sharing (ICS) utility.
Fig.15: if you’re using KDE, you can connect to the Internet
using the graphical Kppp utility. Unfortunately, you can’t
use Kppp for demand dialling.
You need this info
Before getting down to the nitty-gritty, you’ll need to
have all your ISP account information. This includes: your
username and password, the dial-in telephone number,
the IP numbers for the ISP’s nameservers or Domain Name
Servers (DNS), and whether your ISP uses PAP (password
authentication protocol) or CHAP (challenge handshake authentication protocol) when logging on.
Most ISPs use PAP authentication but don’t sweat it if
you don’t know which method your ISP uses – it’s easy
to cover both bases.
You will also need the name of the proxy server (if used
by your ISP) and the names of the mail and news servers. These names are required when setting up Internet
Explorer (or Netscape) and any email programs on the
client computers.
Modem configuration
OK, now that the network is running and you have all
the account details, let’s hook the Linux box up to the net.
First, we have to tell Linux which COM port the modem is
connected to.
In Linux, the four COM ports are designated /dev/ttyS0
to /dev/ttyS3 and these correspond to serial ports COM1
- COM4 respectively under Windows. This means that if
your modem is connected to COM2 under Windows, it’s
on ttyS1 under Linux.
What we have to do is create a link between the relevant
serial port and /dev/modem. In Red Hat, this can be done
using a utility called “modemtool”.
To run it, type modemtool in a terminal window and
select the port that your modem is connected to, as shown
in Fig.14.
Connecting with kppp
By far the easiest way of connecting to the net if you
are running KDE is to use the graphical Kppp connection
program. Alternatively, for Gnome users, there’s the Red
Hat PPP tool (also known as “rp3”). PPP stands for “Point-to-Point Protocol” and is the standard for dial-up connections to
the Internet. The real work is done by a daemon called “pppd”, which
drives the modem (via the chat program), negotiates the link with
the ISP and maintains it; Kppp and rp3 are just graphical front ends to pppd.
Fig.16: clicking the setup button in Kppp (see Fig.15)
brings up this dialog box so that you can initially set up
all the information for your ISP account.
To launch Kppp, click K -> Internet -> Kppp, then click
Setup -> New to set up a new account. You’ll need to
enter all the details of your ISP, including the phone
number, nameserver (DNS) addresses, your log-in name
(or username) and password – see Figs.15 & 16.
You will also need to choose which serial port the modem is connected to and whether you’re using PAP or a
login script.
When you’ve filled in all the details, click the Connect
button and check that Kppp dials out and makes the connection. You can then set up Netscape Navigator, which
is installed by default, to browse the web and send and
receive email.
Setting up Netscape Navigator simply involves specifying any proxy servers, as required by your ISP, and setting
up your email (and news) accounts. You get to the settings
dialog boxes in Netscape by clicking Edit -> Preferences.
And while we’re talking about proxy servers, here’s a
worthwhile tip. On several occasions, I’ve found that when
you attempt to enter proxy server settings into Navigator,
it returns an error message saying that the proxy server is
unknown. The trick is to log onto the Internet first – then
when you click OK to save the proxy setup, Netscape can
actually find your ISP’s proxy server and will accept the
settings. Aaaaaaarghhh!!!
Connecting without Kppp
Unfortunately, being able to connect to the net using
Kppp doesn’t count if you want demand dialling. Instead,
you have to first edit a few script files so that you can bring
up the link (ie, make the modem dial out and connect) by
typing pppd at a terminal window.
Once that’s working, you then modify one of the script
files so that pppd runs in the background and dials out
only on demand.
By the way, it’s best to do all your editing under Linux. Don’t try to create the files on a Windows box and
copy them across: Windows ends each line with a carriage return
plus line feed, whereas Linux uses a line feed alone, so every line
would carry a stray carriage-return character that pppd and chat treat
as part of the option or string. You can edit your files using
the Advanced Text Editor (just click the pencil icon on
the task bar).
The files that we have to edit are as follows:
(1) /etc/resolv.conf
(2) /etc/ppp/chat-script
(3) /etc/ppp/options
(4) /etc/ppp/pap-secrets
(5) /etc/ppp/chap-secrets
Before starting, make sure you’re logged in as root and
that X-Windows is running. You should also make sure
that the Linux kernel includes PPP support. To check
this, type lsmod at a terminal window and check that
ppp appears in the list of loaded modules. If it doesn’t, type modprobe ppp
to load PPP support. (If PPP support was compiled into the kernel
rather than built as a module, it won’t show up in lsmod but pppd
will work anyway; the quickest test is simply to run pppd as described below.)
OK, let’s roll up our sleeves and get started. The first
step is to add your ISP’s nameserver addresses to the /etc/
resolv.conf file. Your file should look like this:
Script 1: /etc/resolv.conf
domain [your ISP’s domain name]
nameserver 192.168.54.26
nameserver 192.168.54.37
We’ve used fictitious IP addresses here – you must use
the actual IP addresses of your ISP’s nameservers. Replace
[your ISP’s domain name] with the correct name – eg,
connect.com.au (be sure to leave out the square brackets
here and for any other examples below).
Nameservers play a vital role when it comes to navigating the Internet. Basically, their job is to translate names
into their corresponding IP numbers. This means, for
example, that you can go to the SILICON CHIP website by
typing in www.siliconchip.com.au instead of entering in
the IP address: 203.43.52.165.
OK, so pppd now knows where to do name lookups.
We now need to create a dialling script, so that it knows
which phone number to dial and what to do if errors are
encountered. Assuming your ISP uses PAP (or CHAP)
authentication, create a file called /etc/ppp/chat-script
and put this into it:
Script 2: /etc/ppp/chat-script
TIMEOUT 5
ABORT "BUSY"
ABORT "NO CARRIER"
ABORT "NO DIALTONE"
ABORT "ERROR"
ABORT "NO ANSWER"
TIMEOUT 40
"" ATDT[dialup number]
CONNECT ""
Replace [dialup number] in the script with your ISP’s
phone number (without the brackets).
The script is a list of expect-send pairs processed by the chat
program. TIMEOUT 5 tells chat to wait at most 5 seconds for each
string it expects. The ABORT lines list the modem’s Hayes result
codes (BUSY, NO CARRIER and so on); if chat sees any of them it
gives up immediately and pppd treats the attempt as failed.
TIMEOUT 40 then allows 40 seconds for the modem to dial, connect
and go through the handshaking routine. The line "" ATDT[dialup number]
expects nothing and sends the dial command, while CONNECT "" waits
for the modem’s CONNECT response and sends nothing further, handing
the line over to pppd for the PPP negotiation. You can increase the
timeout values if necessary.
Some modems may require an initialisation string (look
in the manual). If so, you can place
"" +++[initialisation string]
before the dial-out command line (ie, the line with your
ISP’s phone number).
If your ISP requires a log-on script (ie, it prompts for a username
and password before starting PPP, rather than using PAP or CHAP), you will have to add
the following two lines right at the end of the chat-script
file (note: replace [username] and [password] with your
own username and password):
ogin: [username]
ord: [password]
The partial strings match both “login:” and “Login:”, and both
“password:” and “Password:”. Because the password then sits in
plain text in the chat script, make that file readable by root
only (permission mode 600).
Next, we need to place some commands into the /etc/
ppp/options file so that pppd can control the connection.
Open this file with a text editor and make it look like this:
Script 3: /etc/ppp/options
connect "/usr/sbin/chat -v -f /etc/ppp/chat-script"
/dev/ttyS1 115200
modem
crtscts
lock
noauth
defaultroute
noipdefault
user [username]
idle 600
The first line tells pppd to run chat with the chat-script file to make the
connection (the -v flag makes chat log everything it sends and receives
via syslog, which is invaluable when a dial-out fails). The second line
defines the serial port that the modem is connected to (ttyS1 is COM2)
and the speed (use 115200 for 56Kb modems and 38400 for 33.3Kb modems).
“modem” tells pppd to use the modem control lines, so that it drops DTR
to hang up and treats loss of carrier as the end of the link; “crtscts”
turns on hardware (RTS/CTS) flow control; “lock” creates a lock file
to prevent other programs from accessing the port; and “noauth”
prevents pppd from asking the ISP host to authenticate
itself (most won’t, and the link would fail).
“defaultroute” adds a default route through the link once it is up,
so all non-local traffic is sent to the ISP, and “noipdefault” tells pppd
to accept the IP numbers assigned to the Linux box by your ISP
rather than guessing an address from the hostname. “user [username]”
names the entry to look up in the secrets files – replace
[username] with your real username.
Finally, “idle 600” tells pppd to hang up after 10 minutes of
inactivity. You can set the “idle” timeout to any value you
like but anything less than 10 minutes can give unwanted
hang-ups during periods of inactivity.
Authentication
During the log-on process, pppd sends your username
and password to the ISP so that the connection can be
authenticated. This is done by reading either the /etc/ppp/
pap-secrets file (for PAP authentication) or the /etc/ppp/
chap-secrets file (for CHAP authentication). In fact, it’s
common practice to define your username and password
in both files, so that you don’t have to worry about which
of the two authentication protocols is used.
You need to add just one line to both the /etc/ppp/
pap-secrets and /etc/ppp/chap-secrets files as follows:
Script 4: /etc/ppp/pap-secrets & chap-secrets
# Secrets for authentication using PAP (CHAP)
[username] * [password]
Once again, replace [username] and [password] as
required (eg, bsmith * red789). The three fields are the client
name, the server name (* means any server) and the secret.
Both files hold your password in plain text, so they must be
readable by root only (permission mode 600, set with chmod);
pppd warns at startup if a secrets file can be read by other users.
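As an added check (example code written for this edit, not part of the Silicon Chip article or its downloadable scripts), the following shell script looks for the two mistakes just described: Windows line endings in any of the five files, and password-bearing files that other users can read. It assumes the file names used above and takes a directory argument so you can try it on a scratch copy first; the demonstration at the bottom builds such a copy with constructed contents and placeholder values (bsmith, red789, a made-up phone number), and a fix_ppp_dir function repairs what check_ppp_dir reports.

```shell
#!/bin/sh
# Pre-flight check for the pppd files described above.  Added example: not
# part of the Silicon Chip article.  The file names are the article's; the
# functions take a directory argument so they can be run on a scratch copy
# (as in the demonstration at the bottom) or on /etc/ppp itself.

PPP_FILES="options chat-script pap-secrets chap-secrets"   # all the files edited above
SECRET_FILES="chat-script pap-secrets chap-secrets"        # the ones that can hold the password

# check_ppp_dir DIR
# Prints "MISSING file", "CRLF file" or "PERMS file (mode)" for each problem
# found and returns 1 if there were any, 0 if the directory is clean.
check_ppp_dir() {
    dir=$1
    status=0
    cr=$(printf '\r')
    for name in $PPP_FILES; do
        f=$dir/$name
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            status=1
        elif grep -q "$cr" "$f"; then
            # A carriage return means the file was saved with CR LF (Windows)
            # line endings; pppd and chat would see the CR as part of each line.
            echo "CRLF $f"
            status=1
        fi
    done
    for name in $SECRET_FILES; do
        f=$dir/$name
        [ -f "$f" ] || continue
        mode=$(ls -l "$f" | cut -c2-10)           # e.g. rw-r--r--
        case $mode in
            ???------) ;;                          # no group or other access: fine
            *) echo "PERMS $f ($mode)"; status=1 ;;
        esac
    done
    return $status
}

# fix_ppp_dir DIR
# Strips carriage returns from all the files and makes the password-bearing
# ones readable and writable by their owner (root) only.
fix_ppp_dir() {
    dir=$1
    for name in $PPP_FILES; do
        f=$dir/$name
        [ -f "$f" ] || continue
        tr -d '\015' < "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    done
    for name in $SECRET_FILES; do
        if [ -f "$dir/$name" ]; then chmod 600 "$dir/$name"; fi
    done
}

# make_demo_dir
# Builds a scratch copy of the files with constructed contents (Script 2 and
# Script 4 above with placeholder values): chat-script saved with CR LF
# endings and pap-secrets left world-readable.  Prints the directory name.
make_demo_dir() {
    d=$(mktemp -d)
    cr=$(printf '\r')
    printf 'connect "/usr/sbin/chat -v -f /etc/ppp/chat-script"\n/dev/ttyS1 115200\nmodem\ncrtscts\nlock\nnoauth\n' > "$d/options"
    printf 'TIMEOUT 5%s\nABORT "BUSY"%s\n"" ATDT5551234%s\nCONNECT ""%s\n' "$cr" "$cr" "$cr" "$cr" > "$d/chat-script"
    printf '# Secrets for authentication using PAP\nbsmith * red789\n' > "$d/pap-secrets"
    printf '# Secrets for authentication using CHAP\nbsmith * red789\n' > "$d/chap-secrets"
    chmod 600 "$d/options" "$d/chat-script" "$d/chap-secrets"
    chmod 644 "$d/pap-secrets"
    echo "$d"
}

# Demonstration on the scratch copy (nothing under /etc is touched).
demo=$(make_demo_dir)
check_ppp_dir "$demo" || echo "problems found in $demo, fixing"
fix_ppp_dir "$demo"
check_ppp_dir "$demo" && echo "$demo is clean"
rm -rf "$demo"
```

Run it as root with check_ppp_dir /etc/ppp before the first dial-out; the permission test deliberately ignores the owner bits, since /etc/ppp files are root-owned anyway, and only complains when group or other users can read them.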
Testing the connection
OK, let’s see if all this works. Pretend that you’re using
a Windows box, reboot, log on as root, go to a terminal
screen and type: /usr/sbin/pppd
Your modem should immediately dial out and connect
to your ISP. Assuming it works, try pinging an address
on the Internet (eg, ping www.siliconchip.com.au). Don’t
leave the connection up for too long or someone may hack
their way into your unprotected machine. We’ll build a
firewall shortly.
To disconnect, enter this command: killall pppd
Starting X Windows Automatically
If you didn’t choose the graphical login option during
installation and subsequently change your mind, you can
make the system boot straight into X Windows by editing
the file /etc/inittab with a text editor. Look for the first uncommented line which reads id:3:initdefault: and change
the 3 (multiuser) to a 5 (graphical).
Conversely, change the 5 to a 3 if your system boots
straight into X Windows and you want it to boot to the text-mode multiuser level.
Dial on demand
Now that you can connect by typing pppd at a terminal window, let’s make it dial on demand. The easiest
way to do this is to use the “demand” option that’s now
included with ppp (since version 2.3.7). Red Hat 6.2 or
later includes this option but users of older Linux versions
may have to upgrade.
All you have to do is add a few lines to the /etc/ppp/
options file so that it now looks like this:
Modified Script 3: /etc/ppp/options
debug
connect "/usr/sbin/chat -v -f /etc/ppp/chat-script"
/dev/ttyS1 115200
modem
crtscts
lock
noauth
defaultroute
noipdefault
user [username]
192.168.5.254:192.168.5.1
ipcp-accept-remote
ipcp-accept-local
demand
maxfail 4
idle 600
holdoff 5
It’s the “demand” statement that tells pppd to dial only
on demand (funny, that!). Now, when you type /usr/sbin/
pppd in a terminal window, the modem no longer dials
out immediately. Instead, pppd runs in the background
and activates the dialler only when Internet access is
requested. The “debug” option (it takes no argument) makes pppd
record the link negotiation via syslog, which is invaluable when
a connection fails; remove it once everything is working.
The two IP addresses specified in the /etc/ppp/options file
(local:remote, chosen outside the LAN’s 192.168.0.x range) are
placeholders: pppd needs them to bring the ppp0 interface and
the default route up before the first call is made, and they are
replaced by the real addresses assigned during the log-on procedure
(one for either end of the link). The two “ipcp-accept” lines ensure
that pppd accepts the new IP addresses instead of insisting on the placeholders.
The “maxfail 4” statement sets the number of consecutive unsuccessful
connection attempts to four. This prevents the unit
from continuously dialling out if there is a problem and
running up that big phone bill we talked about earlier.
If the maxfail value is reached, pppd exits and has to be
restarted manually on the Linux box to activate demand
dialling again.
As before, the “idle 600” statement disconnects the link
after 600 seconds (10 minutes) of inactivity, while the
“holdoff 5” line makes pppd wait for five seconds before
trying to re-establish a link after it disconnects (this does
not apply to idle disconnects).
You might like to initially set the idle period to a low
value (eg, 60), so that it’s easy to check that the line does
indeed disconnect after the set period of inactivity. Once
you’ve established that it works OK, you can go back and
increase the value to 600.
By the way, you don’t have to restart pppd after a
timeout disconnect. Instead, pppd continues to run in
the background, waiting for the next dialling request –
which is just what we want. You do, however, have to
restart pppd if you issue a disconnect command from a
terminal window.
Normally, in an office setup, you’ll simply let the
connection time out so that you don’t have to continually
restart pppd. It’s also a nuisance to have to manually restart pppd each time the machine boots; far better to have
it start automatically each time the machine boots. We do
that by adding the /usr/sbin/pppd command to the /etc/
rc.d/rc.local file as described later.
Script 5: /etc/rc.d/rc.firewall
#!/bin/sh
# Firewall & Masquerading Script
ANY=0.0.0.0/0
# Flush all existing rules
/sbin/ipchains -F input
/sbin/ipchains -F forward
/sbin/ipchains -F output
# Set default policy to deny everything
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -P output DENY
# Enable IP forwarding and defragging protection
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable IP masquerading timeouts
/sbin/ipchains -M -S 7200 10 180
# Block samba housekeeping traffic (NetBIOS ports 137-139) from triggering pppd autodial.
# These must come BEFORE the MASQ rule: ipchains stops at the first rule that matches.
/sbin/ipchains -A forward -s $ANY 137:139 -p tcp -j DENY
/sbin/ipchains -A forward -s $ANY 137:139 -p udp -j DENY
/sbin/ipchains -A forward -d $ANY 137:139 -p tcp -j DENY
/sbin/ipchains -A forward -d $ANY 137:139 -p udp -j DENY
# Enable IP masquerading for the local 192.168.0.x network (packets leaving via ppp0 only)
/sbin/ipchains -A forward -s 192.168.0.0/24 -i ppp0 -j MASQ
# Accept all packets on the loopback interface
/sbin/ipchains -A input -p all -i lo -j ACCEPT
/sbin/ipchains -A output -p all -i lo -j ACCEPT
# Allow all traffic on the local network
/sbin/ipchains -A input -p all -i eth0 -j ACCEPT
/sbin/ipchains -A output -p all -i eth0 -j ACCEPT
# Set up rules for Internet (ppp0) traffic
# Log and drop packets arriving from the Internet with a forged local or loopback source address
/sbin/ipchains -A input -s 192.168.0.0/24 -i ppp0 -l -j DENY
/sbin/ipchains -A input -s 127.0.0.0/8 -i ppp0 -l -j DENY
# Set telnet, ssh, www, smtp, pop3 and FTP for minimum delay, and ftp-data for maximum throughput.
# These rules have no target, so the packet carries on down the chain; they must precede
# rule (1) below, which accepts (and so stops processing) every outgoing TCP packet
/sbin/ipchains -A output -p tcp -d $ANY 80 -t 0x01 0x10
/sbin/ipchains -A output -p tcp -d $ANY 22 -t 0x01 0x10
/sbin/ipchains -A output -p tcp -d $ANY 23 -t 0x01 0x10
/sbin/ipchains -A output -p tcp -d $ANY 21 -t 0x01 0x10
/sbin/ipchains -A output -p tcp -d $ANY 110 -t 0x01 0x10
/sbin/ipchains -A output -p tcp -d $ANY 25 -t 0x01 0x10
/sbin/ipchains -A output -p tcp -d $ANY 20 -t 0x01 0x08
# (1) Allow all TCP packets out
/sbin/ipchains -A output -p tcp -d $ANY -i ppp0 -j ACCEPT
# (2) Accept return packets (anything that is not a new-connection SYN)
/sbin/ipchains -A input -p tcp -s $ANY -i ppp0 ! -y -j ACCEPT
# (3) Accept incoming ftp-data connections (for outgoing active ftp)
/sbin/ipchains -A input -p tcp -s $ANY ftp-data -d $ANY 1024:65535 -i ppp0 -y -j ACCEPT
# (4) Allow UDP packets out (necessary for DNS lookups)
/sbin/ipchains -A output -p udp -s $ANY -d $ANY -i ppp0 -j ACCEPT
# (5) Accept UDP replies: DNS answers (source port 53) to the Linux box's own lookups, and
# anything addressed to the masquerading port range 61000-65096, which is where replies to
# the clients' masqueraded UDP traffic arrive.  Do not simply accept all UDP from the Internet
/sbin/ipchains -A input -p udp -s $ANY 53 -d $ANY 1024:65535 -i ppp0 -j ACCEPT
/sbin/ipchains -A input -p udp -s $ANY -d $ANY 61000:65096 -i ppp0 -j ACCEPT
# (6) Reject (rather than silently drop) incoming ident/auth requests, so remote mail and
# IRC servers that probe port 113 get an immediate answer instead of waiting for a timeout
/sbin/ipchains -A input -p tcp -d $ANY auth -i ppp0 -j REJECT
# Allow outgoing and incoming ping
/sbin/ipchains -A output -p icmp -s $ANY -d $ANY -i ppp0 -j ACCEPT
/sbin/ipchains -A input -p icmp -s $ANY -d $ANY -i ppp0 -j ACCEPT
# Support masquerading of FTP file transfers, IRC, RealAudio, etc; uncomment lines to load required modules
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
# /sbin/modprobe ip_masq_irc
# /sbin/modprobe ip_masq_cuseeme
# /sbin/modprobe ip_masq_quake 26000,27000,27910,27960
# /sbin/modprobe ip_masq_vdolive
# Log everything else to syslog and drop the packet
/sbin/ipchains -A input -l -j DENY
/sbin/ipchains -A output -s $ANY -d $ANY -l -j DENY
You can test all this by restarting pppd and then pinging
the IP address of your ISP’s primary nameserver (from the
Linux box). For example, if your ISP’s primary nameserver
is at 192.168.54.26, type: ping 192.168.54.26
Alternatively, you can try pinging a named web address;
eg: ping www.yahoo.com
The modem should dial out after a brief pause and you
should get a response after the connection has been made.
Enter <Ctrl> C to stop the pinging and killall pppd to make
the modem disconnect.
IP masquerading & building the firewall
There is no gateway yet – you can dial out from your
Linux box but there’s still no Internet access for the
Windows machines. We’re going to fix that problem
right now by turning IP forwarding on and enabling IP
Masquerading.
IP forwarding is normally disabled by default. There
are several ways of turning it on but this method works
with any 2.2 or later kernel. All you have to do is add the
following line to a startup script:
echo "1" > /proc/sys/net/ipv4/ip_forward
In our case, we’ve included this line in a script file
called /etc/rc.d/rc.firewall. The command to turn on IP
masquerading is also included in this file, along with all
the firewall rules. The file is shown in Script 5.
Don’t leave out the “#!/bin/sh” line at the start of
rc.firewall – it tells the kernel to run the rest of the file with
the /bin/sh shell interpreter. Save the script and make it
executable by issuing the following command at a terminal
prompt to change the file’s permissions:
chmod 700 /etc/rc.d/rc.firewall
This command makes rc.firewall readable, writable and
executable by its owner (root) and inaccessible to everyone else.
Download From Our Website
The following script files are available
for download from the SILICON CHIP
website at www.siliconchip.com.au:
• /etc/ppp/chat-script
• /etc/ppp/options
• /etc/rc.d/rc.firewall
How the firewall works
There are two approaches to building a firewall: (1) start
by allowing everything in and then blocking what we don’t
want; or (2) start by blocking everything and then allowing
in what we do want.
The firewall listed here adopts the latter approach. Basi
cally, it’s designed to allow only outgoing connections
so that you can browse the web, send and receive email
and retrieve ftp files, etc. Conversely, it blocks incoming
connections to prevent a hacker from using your Linux
box as a server or for some other purpose.
If you do want to use the Linux box as a server (eg, as
an ftp or web server), it’s simply a matter of adding a few
additional rules to the firewall script.
The firewall begins by flushing all the existing rule
tables, then sets the default policy to deny all incoming,
outgoing and forwarded IP packets. The first echo command then turns on IP forwarding, while the next line
turns on IP defragging, so that fragmented packets are reassembled
before the rules see them (this enhances security; the ip_always_defrag
file exists only on 2.2-series kernels, and on a 2.4 kernel the
harmless “No such file” error from that line can be ignored). The third
echo command is recommended if you receive a dynamic
IP address from your ISP – delete this line if you have a
permanent Internet connection with a fixed IP address.
Next, the script sets the masquerading timeouts and
enables IP masquerading for the 192.168.0.x network. Note that
ipchains works through each chain in order and stops at the first
rule that matches, so anything that is to be denied for traffic from the LAN
(such as the Samba rules discussed below) has to appear before the MASQ
rule in the forward chain. The
following four rules then tell ipchains to allow all internal
packets on the loopback (lo) interface and the local network
(eth0), before setting up the rules for Internet traffic (ie,
the ppp0 interface).
There are six numbered rules here. Rule 1 allows all outgoing TCP
packets to go out to the Internet, while rule 2 allows the
return packets (but only the return packets) back in: the “! -y” test
matches TCP packets that are not a bare SYN, ie, packets belonging to a
connection that already exists, so nobody outside can open a new
connection to the Linux box. The
next rule accepts incoming ftp-data connections (from source port 20
to an unprivileged port) and is necessary for
active ftp connections – you can increase security by
commenting this line out (or deleting it) if you use passive
mode ftp only.
Rules 4 & 5 are necessary for DNS (udp) lookups. Because ipchains
keeps no record of which UDP packets went out, rule 5 can only describe
what replies look like; keep it as narrow as you can (answers from port 53,
and packets addressed to the masquerading port range 61000-65096, which is
where replies to the clients’ traffic arrive) rather than accepting all UDP
from the Internet, which would expose any UDP service running on the Linux box.
Rule 6 rejects incoming ident (“auth”, TCP port 113) requests from
external sources to the ppp0 interface; REJECT rather than DENY sends
an error back, so remote mail and IRC servers that query ident before
accepting a connection don’t sit waiting for a timeout.
Fig.17: typing route -n in a terminal window
brings up the routing table. This figure shows
what the routing table looks like when the Linux
box is connected to the Internet.
The next two rules are necessary to allow outgoing and
incoming ping (icmp) requests – comment these rules out
if you don’t need this facility. The Samba “housekeeping” rules
stop the Windows machines’ NetBIOS traffic (ports 137-139)
from unnecessarily triggering autodial; they belong in the forward
chain ahead of the MASQ rule, because ipchains stops at the first
matching rule and the MASQ rule matches every packet from the LAN.
You can leave these lines in place even if you don’t have Samba set up on the
Linux box for file and printer sharing – it’s the clients’ traffic they are there for.
After that, the firewall loads the specialised masquerading modules required
for protocols that carry addresses inside the data or open extra connections,
such as FTP, IRC, RealAudio, Quake and CuSeeme. It then sets the type-of-service
bits for minimum delay on interactive services (telnet, ssh, www, smtp, pop3
and the ftp control connection) and for maximum throughput on ftp data.
These TOS rules have no -j target, so a packet carries on down the chain
after matching one; that is why they must come before the rule that accepts all
outgoing TCP on ppp0 – placed after it, they would never be reached. Finally,
everything not matched by an earlier rule is logged to syslog and dropped.
This firewall should be quite effective at blocking out
any nasties (no guarantees though). If you want something
fancier or want to set up your Linux box as a server, take
a look at the “IP Masquerading Howto”, the “Ipchains
Howto” and the “Security Howto”.
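To see what the final “log and deny” rules are actually catching, here is an added example (written for this edit, not part of the article) that summarises ipchains log lines from syslog. The message format is ipchains’ own; the sample log lines, the host name “gateway”, the documentation addresses 203.0.113.x and 198.51.100.2 (standing in for the address the ISP assigned to ppp0) and the rule number are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Silicon Chip article): summarise what the
# firewall's closing "log and deny" rules report.  ipchains writes one kernel
# message per logged packet, which syslog files under /var/log/messages on
# Red Hat, in the form
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] (#rule)
# The sample lines below are constructed for this demonstration; only the
# message format comes from ipchains.

# denied_records LOGFILE
# Reduces every TCP or UDP packet denied on the ppp0 input chain to one line
# "proto source-address destination-port".  ICMP entries are skipped because
# their "port" fields are really the ICMP type and code.
denied_records() {
    awk '
    {
        k = 0
        for (i = 2; i <= NF; i++)
            if ($(i - 1) == "Packet" && $i == "log:") { k = i; break }
        if (k == 0) next                                   # not an ipchains line
        if ($(k + 1) != "input" || $(k + 2) != "DENY" || $(k + 3) != "ppp0") next
        if ($(k + 4) == "PROTO=6") proto = "tcp"
        else if ($(k + 4) == "PROTO=17") proto = "udp"
        else next
        split($(k + 5), src, ":")
        split($(k + 6), dst, ":")
        print proto, src[1], dst[2]
    }' "$1"
}

# denied_summary LOGFILE
# Counts identical (proto, source, destination port) triples, busiest first,
# so repeated probes of one port from one host stand out.
denied_summary() {
    denied_records "$1" | sort | uniq -c |
        awk '{ print $1, $2, $3, $4 }' |
        sort -k1,1nr -k2,2 -k3,3 -k4,4n
}

# scan_sources LOGFILE MINPORTS
# Lists source addresses that were denied on MINPORTS or more distinct
# destination ports, a crude port-scan indicator.  Output: "address count".
scan_sources() {
    denied_records "$1" | awk '{ print $2, $3 }' | sort -u |
        awk -v min="$2" '{ n[$1]++ } END { for (a in n) if (n[a] >= min) print a, n[a] }' |
        sort
}

# make_demo_log
# Writes the constructed sample messages to a temporary file and prints its
# name.  203.0.113.x are outside hosts; 198.51.100.2 stands for the address
# the ISP handed to ppp0; "gateway" is the Linux box's host name.
make_demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun 12 10:23:45 gateway kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4321 198.51.100.2:23 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#14)
Jun 12 10:23:46 gateway kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4322 198.51.100.2:23 L=60 S=0x00 I=12346 F=0x4000 T=64 SYN (#14)
Jun 12 10:23:47 gateway kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4323 198.51.100.2:21 L=60 S=0x00 I=12347 F=0x4000 T=64 SYN (#14)
Jun 12 10:23:50 gateway kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.9:1029 198.51.100.2:137 L=78 S=0x00 I=2201 F=0x0000 T=113 (#14)
Jun 12 10:23:52 gateway kernel: Packet log: input DENY ppp0 PROTO=1 203.0.113.20:8 198.51.100.2:0 L=84 S=0x00 I=31 F=0x0000 T=52 (#14)
Jun 12 10:23:55 gateway pppd[311]: local  IP address 198.51.100.2
Jun 12 10:24:01 gateway kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4324 198.51.100.2:23 L=60 S=0x00 I=12350 F=0x4000 T=64 SYN (#14)
EOF
    echo "$f"
}

# Demonstration (on the real gateway: denied_summary /var/log/messages).
log=$(make_demo_log)
denied_summary "$log"
scan_sources "$log" 2
rm -f "$log"
```

On the sample, denied_summary reports three telnet (port 23) attempts and one ftp (port 21) attempt from 203.0.113.7 plus one NetBIOS (UDP 137) probe from 203.0.113.9, and scan_sources with a threshold of 2 names 203.0.113.7 as the host that touched more than one port. Output and forward chain entries are ignored deliberately: a denied output packet means something on the Linux box itself is misconfigured and deserves separate attention.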
Making it happen automatically
Want it all to happen automatically at boot-up? That’s
easy – just add the following lines to the end of the /etc/
rc.d/rc.local file:
# Enable IP masquerading and firewall
/etc/rc.d/rc.firewall
logger Firewall up
# Start pppd for demand dialling
/usr/sbin/pppd
logger Demand dialling started
The rc.local file is executed at the end of each boot, so the
firewall, IP masquerading and IP forwarding are all in place before
pppd starts and the link can never come up unprotected.
Now reboot your Linux box and log on as root – you
should now have a working gateway. You can test it by
launching a web browser on one of your Windows boxes,
typing in an address and hitting <Enter>. The modem
should dial out after a brief delay and connect.
Note that your browser will invariably time out while
the modem dials and connects – that’s normal with this
type of setup. Give it time to connect, then reload the address and try again – everything will then work normally.
In fact, once you’re online, it will seem as though your
Windows box is directly connected to the Internet. The
Linux gateway will be completely transparent.
By the way, you can restart the firewall at any time while
logged on as root by typing /etc/rc.d/rc.firewall (this can
be handy for testing). You can also check the ipchains
rules by typing /sbin/ipchains -L in a terminal window
– see Fig.18. Switch off the modem if
you run this command while offline,
otherwise it will attempt to do a reverse
DNS lookup on every address in the listing and trigger a dial-out. If the
modem is off, the chain input policy
rules will scroll quickly through, then
nothing more will be shown until the
reverse DNS lookup attempt times out. The simpler
alternative is /sbin/ipchains -L -n: the -n flag prints addresses
and ports as numbers and does no lookups at all.
Typing route -n in a terminal window brings up the routing table – see
Fig.17.
Fig.18: you can inspect the ipchains rules by entering the command /sbin/ipchains -L in a terminal window but switch the modem off first to stop
unwanted dial-outs. These are the rules for the firewall listed in Script 5.
Coming next month
OK, that’s enough for now. Next
month, we’ll show you how to run pppd
as a user, as it’s not a good idea to be
logged on as root. We’ll also show you
how to log the connection and describe
how to make it all easy to drive.
When it’s all done, you’ll be able
to start pppd or hang up the modem
by clicking a couple of icons on the
desktop or by typing a couple of simple
command lines.