584 lines
29 KiB
HTML
584 lines
29 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
|
|
<TITLE>Red Hat Linux 6.X as an Internet Gateway for a Home Network: Configuring Networking</TITLE>
|
|
<LINK HREF="Home-Network-mini-HOWTO-4.html" REL=next>
|
|
<LINK HREF="Home-Network-mini-HOWTO-2.html" REL=previous>
|
|
<LINK HREF="Home-Network-mini-HOWTO.html#toc3" REL=contents>
|
|
</HEAD>
|
|
<BODY>
|
|
<A HREF="Home-Network-mini-HOWTO-4.html">Next</A>
|
|
<A HREF="Home-Network-mini-HOWTO-2.html">Previous</A>
|
|
<A HREF="Home-Network-mini-HOWTO.html#toc3">Contents</A>
|
|
<HR>
|
|
<H2><A NAME="s3">3. Configuring Networking</A> </H2>
|
|
|
|
<P>OK, by now you have installed Linux on your gateway computer. You may have
|
|
even configured one of your networking cards, and set up connectivity to the
|
|
Internet. However, we are going to start from scratch and pretend that nothing
|
|
is configured at all.
|
|
<P>Log in as <CODE>root</CODE>. All the instructions given in this document assume you
|
|
are logged in as root.
|
|
<P>The Linux kernel refers to your two ethernet cards as <CODE>eth0</CODE> and <CODE>eth1</CODE>, so
|
|
that is how I'll be referring to them from now on too. The trouble is, which
|
|
one is which? Here's a "simple" way of figuring out, guaranteed to
|
|
work at least 50% of the time: lay your computer on the desk with the
|
|
motherboard horizontal and the back panel facing you (as you would if you were
|
|
going to open it and do some work on it). The leftmost card is <CODE>eth0</CODE> -- you
|
|
might want to label it with some masking tape. Now, write down on a piece of
|
|
paper the make and model of both <CODE>eth0</CODE> and <CODE>eth1</CODE>.
|
|
<P>OK, let's see if <CODE>eth0</CODE> and <CODE>eth1</CODE> are recognized automatically by the kernel.
|
|
Type <CODE>ifconfig eth0</CODE> and <CODE>ifconfig eth1</CODE>. In both cases, if the kernel is recognizing
|
|
your card, you should see something like this (bearing in mind that the numbers
|
|
and whatnot will be different):
|
|
<P>
|
|
<PRE>
|
|
eth0 Link encap: Ethernet HWaddr 00:60:67:4A:02:0A
|
|
inet addr:0.0.0.0 Bcast:0.0.0.0 Mask:255.255.255.255
|
|
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
|
RX packets:466 errors:0 dropped:0 overruns:0 frame:0
|
|
TX packets:448 errors:0 dropped:0 overruns:0 carrier:0
|
|
collisions:85 txqueuelen:100
|
|
Interrupt:10 Base address:0xe400
|
|
|
|
</PRE>
|
|
<P>If the kernel is not recognizing your network card you will see something
|
|
like this:
|
|
<P>
|
|
<PRE>
|
|
eth0: error fetching interface information: Device not found.
|
|
|
|
</PRE>
|
|
<H2><A NAME="ss3.1">3.1 Configuring a Network Driver</A>
|
|
</H2>
|
|
|
|
<P>If both of your cards were found, skip to the next section. Otherwise,
|
|
read this section.
|
|
<P>OK, so one or both of your cards are not recognized by the kernel. This
|
|
is not a problem, really. What we're going to have to do is tell the kernel
|
|
more explicitly how to find your cards. There are lots of twists and turns
|
|
here, and I'm not going to cover all of them. Remember, when the going gets
|
|
tough, the tough turn to the
|
|
<A HREF="http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO.html">Ethernet HOWTO</A>. Here's some summary advice:
|
|
<P>
|
|
<UL>
|
|
<LI><EM>You have a PCI network card.</EM> You are probably sitting pretty, assuming
|
|
it is not so new and cutting edge that no drivers exist. You can often find
|
|
out a great deal about your network cards (and other things) by reading through
|
|
<CODE>/proc/pci</CODE> and noting down makes and models. </LI>
|
|
<LI><EM>You have an ISA network card.</EM> It is possible you will have to know the
|
|
IO base address and the IRQ the card is operating on. You have manuals, right?
|
|
Right? If not, this would be a good time to surf to the manufacturer's web
|
|
site and see if they have any online references. Or if you have an old DOS
|
|
configuration diskette, boot to DOS and see if there is a setup program which
|
|
will read and set the address and IRQ. </LI>
|
|
<LI><EM>You have an ISA Plug'n'Play card.</EM> You'll have to learn how to configure
|
|
it first -- read the
|
|
<A HREF="http://www.linuxdoc.org/HOWTO/Plug-and-Play-HOWTO.html">Plug'n'Play HOWTO</A>. Fortunately, oncee you've configured your card you will
|
|
know exactly what the IO base and IRQ are. </LI>
|
|
</UL>
|
|
<P>Now, since you know what the make and model of <CODE>eth0</CODE> and <CODE>eth1</CODE> are you can
|
|
go to the
|
|
<A HREF="http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO-5.html">compatibility page</A> of the
|
|
<A HREF="http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO.html">Ethernet HOWTO</A> and look up your card. Take note of the recommended driver,
|
|
and any information about special options your card may require. Write it down.
|
|
<P>It's time to edit a configuration file! The file we will be editing is
|
|
<CODE>/etc/conf.modules</CODE>. Open this file up in the text editor of your choice. Because
|
|
there are so many possibilities and combinations of things which can go in
|
|
this file, I'm going to give my own gateway as an example. I have a PCI 10/100Mb
|
|
card based on the VIA Rhine chip, and a plain-jane 10Mb NE2000 ISA clone. I
|
|
use the 100Mb card for the internal network and the 10Mb card for the external
|
|
connection. My <CODE>/etc/conf.modules</CODE> file looks like this:
|
|
<P>
|
|
<PRE>
|
|
alias parport_lowlevel parport_pc
|
|
alias eth0 ne
|
|
options ne io=0x300 irq=10
|
|
alias eth1 via-rhine
|
|
|
|
</PRE>
|
|
<P>My <CODE>conf.modules</CODE> file is laid out as follows:
|
|
<P>
|
|
<UL>
|
|
<LI>The first line is there to configure my parallel port for printing. You
|
|
probably have a similar line. Leave it alone. </LI>
|
|
<LI>The second line (<CODE>alias eth0 ne</CODE>) tells the kernel to use the ne driver for
|
|
the <CODE>eth0</CODE> device. </LI>
|
|
<LI>The third line (<CODE>options ne io=0x300 irq=10</CODE>) tells the ne driver at which
|
|
io address and irq interrupt it will find the ISA card at. If you have ISA
|
|
cards you will probably have to use this kind of directive, just replace the
|
|
driver, io and irq directives with the correct information for your card. </LI>
|
|
<LI>The fourth line (<CODE>alias eth1 via-rhine</CODE>) tells the kernel to use the via-rhine
|
|
driver for <CODE>eth1</CODE>. Because my <CODE>eth1</CODE> card is a PCI card, I do not need to provide
|
|
io or irq information: the PCI subsystem configures the device automatically.</LI>
|
|
</UL>
|
|
<P>You will want to ensure that you have alias entries in <CODE>conf.modules</CODE> for
|
|
both your cards, and correct options lines for all your ISA cards. You may
|
|
already have lines in <CODE>conf.modules</CODE> for any ethernet cards you configured during
|
|
installation.
|
|
<P>When you have finished editing <CODE>conf.modules</CODE>, try <CODE>ifconfig eth0</CODE> and <CODE>ifconfig
|
|
eth1</CODE> again. You may have to apply some trial and error if you are messing with
|
|
IO addresses and IRQs without a manufacturers manual.
|
|
<H3>Two Identical Network Cards </H3>
|
|
|
|
<P>So, you were really really smart, bought two identical network cards for
|
|
your Linux gateway, and now you cannot get them to work together? Do not worry,
|
|
getting them to coexist is just a matter of using the correct syntax in <CODE>/etc/conf.modules</CODE>.
|
|
For this example, the addresses and IRQ numbers are made up, and I will assume
|
|
that you have bought a matched pair of NE2000 clones (a common choice). Your
|
|
<CODE>/etc/conf.modules</CODE> file should look like this:
|
|
<P>
|
|
<PRE>
|
|
alias eth0 ne
|
|
alias eth1 ne
|
|
options ne io=0x330,0x360 irq=7,9
|
|
|
|
</PRE>
|
|
<P>The addressing options are all given on the same line, and the first number
|
|
for each addressing type is for <CODE>eth0</CODE>, the second number for <CODE>eth1</CODE>.
|
|
<H2><A NAME="ss3.2">3.2 Configuring the Inside Network</A>
|
|
</H2>
|
|
|
|
<P>The "inside network" is the network which all your home/office
|
|
machines will talk on. The "outside network" is the big scary internet
|
|
on the other side of the Linux box. By and large, the inside network will be
|
|
completely insulated from the outside network by the Linux box, which will
|
|
operate as a medium strength firewall.
|
|
<H3>The Network Device </H3>
|
|
|
|
<P>Now that your drivers are working and you can see both <CODE>eth0</CODE> and <CODE>eth1</CODE> in
|
|
<CODE>ifconfig</CODE> it is time to set up the internal home network. I am assuming that
|
|
you are going to put your internal network on <CODE>eth1</CODE> and your external device
|
|
on <CODE>eth0</CODE>.
|
|
<P>Your internal network is going to be a private network and will therefor
|
|
be on a special network reserved for internal networking: <CODE>192.168.1.0</CODE>. This
|
|
is a "private Class C network", in case you want to impress your
|
|
friends.
|
|
<P>First we need to make sure networking is turned on. Edit the file <CODE>/etc/sysconfig/network</CODE>
|
|
and make sure the following lines exist:
|
|
<P>
|
|
<PRE>
|
|
NETWORKING=yes
|
|
FORWARD_IPV4=yes
|
|
|
|
</PRE>
|
|
<P>The first line tells Linux that we want the network devices brought up
|
|
at boot time. The second line tells Linux to enable IP forwarding. This is
|
|
required when we start configuring masquerading in Section 4.
|
|
<P><EM>Redhat 6.2 Note:</EM> In order to properly support IP forwarding and masquerading,
|
|
Red Hat 6.2 requires changes to the <CODE>/etc/sysctl.conf</CODE> file. Make sure the following
|
|
lines exist and are set to the correct values:
|
|
<P>
|
|
<PRE>
|
|
net.ipv4.ip_forward = 1
|
|
net.ipv4.ip_always_defrag = 1
|
|
|
|
</PRE>
|
|
<P>All the network interface settings for Red Hat and Red Hat derivatives
|
|
are contained in files in the <CODE>/etc/sysconfig/network-scripts</CODE> directory. Enter
|
|
that directory, and create a new file <CODE>ifcfg-eth1</CODE>. Put the following into the
|
|
<CODE>ifcfg-eth1</CODE> file:
|
|
<P>
|
|
<PRE>
|
|
DEVICE=eth1
|
|
IPADDR=192.168.1.1
|
|
ONBOOT=yes
|
|
|
|
</PRE>
|
|
<P>This code tells the networking scripts to configure eth1 at boot time and
|
|
to give it a particular IP address. Activate your network with the new settings
|
|
with the following command: <CODE>/etc/rc.d/init.d/network restart</CODE>
|
|
<H3>The DHCP Server </H3>
|
|
|
|
<P>A DHCP server will automatically configure devices on your internal home
|
|
network with IP addresses. This is very useful for people with laptops: they
|
|
can simply plug their machines in and be immediately properly configured. If
|
|
you do not want a DHCP server on your internal network, just skip to the next
|
|
section.
|
|
<P>First you need to be sure you have the DHCP server installed. Mount your
|
|
Linux CD and install the <CODE>dhcp</CODE> RPM. Now edit the <CODE>/etc/dhcpd.conf</CODE> file and put
|
|
the following (and only the following) in it:
|
|
<P>
|
|
<PRE>
|
|
subnet 192.168.1.0 netmask 255.255.255.0 {
|
|
range 192.168.1.2 192.168.1.60;
|
|
default-lease-time 86400;
|
|
max-lease-time 86400;
|
|
option routers 192.168.1.1;
|
|
option ip-forwarding off;
|
|
option broadcast-address 192.168.1.255;
|
|
option subnet-mask 255.255.255.0;
|
|
}
|
|
|
|
</PRE>
|
|
<P>If you are going to set up your Linux box as a caching domain name server,
|
|
insert the following option:
|
|
<P>
|
|
<PRE>
|
|
option domain-name-servers 192.168.1.1;
|
|
|
|
</PRE>
|
|
<P>If you know your outside DNS addresses and you are <EM>not</EM> going to use the
|
|
Linux box for DNS, insert the following option, where x.x.x.x and y.y.y.y are
|
|
IP numbers of the DNS servers:
|
|
<P>
|
|
<PRE>
|
|
option domain-name-servers x.x.x.x, y.y.y.y;
|
|
|
|
</PRE>
|
|
<P>If you are going to run Samba file sharing on the Linux box for your Windows
|
|
computers, add the following options to use the Linux box as the default WINS
|
|
and browsing server:
|
|
<P>
|
|
<PRE>
|
|
option netbios-name-servers 192.168.1.1;
|
|
option netbios-dd-server 192.168.1.1;
|
|
option netbios-node-type 8;
|
|
option netbios-scope "";
|
|
|
|
</PRE>
|
|
<P>Configuring Samba and WINS is well beyond the scope of this document. If
|
|
you need some pointers, start with the
|
|
<A HREF="http://www.linuxdoc.org/HOWTO/SMB-HOWTO.html">SMB HOWTO</A> and go on from there.
|
|
<P>There are still a few more steps. Next, edit the <CODE>/etc/rc.d/init.d/dhcpd</CODE>
|
|
file and look for the following line:
|
|
<P>
|
|
<PRE>
|
|
/sbin/route add -host 255.255.255.255 dev eth1
|
|
|
|
</PRE>
|
|
<P>Windows DHCP clients require a particular broadcast address in DHCP responses,
|
|
and this command forces the Linux TCP/IP stack to produce it. If you cannot
|
|
find that line in the file, <EM>add it</EM>. If you <EM>do</EM> find a line like that one, make
|
|
sure that the device it references is <CODE>eth1</CODE>.
|
|
<P>The next step is to alter the <CODE>/etc/rc.d/init.d/dhcpd</CODE> file to use <CODE>eth1</CODE> as
|
|
the default device. Replace the line:
|
|
<P>
|
|
<PRE>
|
|
daemon /usr/sbin/dhcpd
|
|
|
|
</PRE>
|
|
<P>With:
|
|
<P>
|
|
<PRE>
|
|
daemon /usr/sbin/dhcpd eth1
|
|
|
|
</PRE>
|
|
<P>OK, now we are ready to start up DHCP. First start the DHCP server with
|
|
the command: <CODE>/etc/rc.d/init.d/dhcpd start</CODE>.
|
|
<P>Finally, we have to make sure that the DHCP server will start at re-boot
|
|
time. Some RPM packages of the DHCP server do not include directives to ensure
|
|
the server starts every time, so we'll make sure it gets started by invoking
|
|
the command <CODE>chkconfig dhcpd on</CODE>.
|
|
<P>This command causes RedHat to add the dhcp startup script to the various
|
|
runlevel directories under <CODE>/etc/rc.d</CODE>. In runlevels 3 and 5 (multiuser console
|
|
and multiuser X) the DHCP server is started. In runlevels 0, 1 and 6 (shutdown,
|
|
single user and reboot) the DHCP server is stopped.
|
|
<H3>The Client Computers </H3>
|
|
|
|
<P>If you have set DHCP up, configuring your client computers is very easy:
|
|
just enable DHCP configuration. For Windows computers, this involves opening
|
|
the "Control Panel" and then the "Networking" option. Find
|
|
the "TCP/IP" protocol and opt to "Configure" it. Check
|
|
the box that says to "Configure TCP/IP address automatically", apply
|
|
your changes, and reboot.
|
|
<P>Before you reboot, you might want to type the following command: <CODE>tail -f
|
|
/var/log/messages</CODE>. This will watch the Linux system log continuously. If all
|
|
goes well, when you reboot your Windows computer, you will see it request an
|
|
IP address and see the DHCP server respond. Control-C exits the <CODE>tail -f</CODE> command.
|
|
<P>If you have not set up DHCP, configuration is still fairly easy. Again,
|
|
open the "Networking" option from the "Control Panel",
|
|
and choose to configure the TCP/IP protocol. You can assign your client computers
|
|
any address in the 192.168.1.0 network except 192.168.1.0 (the network address),
|
|
192.168.1.255 (the broadcast address) or 192.168.1.1 (your Linux server). Never
|
|
give two computers the same IP address. Set the "Gateway" address to 192.168.1.1,
|
|
so that outgoing traffic is routed through your Linux gateway.
|
|
<P>The
|
|
<A HREF="http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html">IP Masquerading HOWTO</A> has very detailed information on client configuration in the
|
|
<A HREF="http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-4.html">Configuration Section</A>.
|
|
<P>In general, to configure a client computer, either enable DHCP configuration,
|
|
or manually assign it an address in the 192.168.1.X network with a gateway
|
|
of 192.168.1.1. Let the DNS server be either 192.168.1.1 if you are running
|
|
a caching DNS server (see below) or point the DNS at the addresses assigned
|
|
by your network provider.
|
|
<H3>The DNS Server </H3>
|
|
|
|
<P>Setting up your Linux box as a caching DNS server will (slightly) improve
|
|
your netsurfing speed, because commonly used DNS addresses will get cached
|
|
inside your network and not have to be retrieved from the outside.
|
|
<P>If you are interesting in doing full blown DNS, there is a great deal of
|
|
complexity to be learned. There is a
|
|
<A HREF="http://www.linuxdoc.org/HOWTO/DNS-HOWTO.html">DNS HOWTO</A> available, and the book
|
|
<A HREF="http://www.oreilly.com/catalog/dns3">DNS and BIND</A> is a good (and
|
|
very comprehensive) paper reference.
|
|
<P>In order for your client machines to take advantage of the caching server,
|
|
they must be configured to use the Linux gateway as their primary DNS server.
|
|
The DHCP directives given in section 3.2.2 are one way to accomplish this.
|
|
If you are configuring your client computers by hand, you can change the DNS
|
|
configurations in the same control tabs you used to set the IP address of the
|
|
machine.
|
|
<P>To install the DNS server, first install the <CODE>bind</CODE> RPM, then install the
|
|
<CODE>caching-nameserver</CODE> RPM. At this point, you are almost ready.
|
|
<P>As installed, the caching server will work fine, but if you know the IP
|
|
addresses of the internet providers DNS servers you can improve performance
|
|
slightly by editing the <CODE>/etc/named.conf</CODE> file and adding the following line
|
|
after the <CODE>directory</CODE> line (where x.x.x.x and y.y.y.y are the primary and secondary
|
|
DNS servers):
|
|
<P>
|
|
<PRE>
|
|
forwarders { x.x.x.x; y.y.y.y; };
|
|
|
|
</PRE>
|
|
<P>This change makes your DNS server first query the ISPs DNS servers before
|
|
traversing the internet in search of a given address. The ISPs servers often
|
|
have a rich cache of DNS information and can provide a much faster answer than
|
|
your server could.
|
|
<P>The <CODE>named</CODE> daemon has had some security problems over the past 12 months,
|
|
so it is very important that you have the latest version running, and make
|
|
some changes to the default settings to enhance security.
|
|
<P>
|
|
<OL>
|
|
<LI>Check your version of <CODE>bind</CODE> and make sure it is at least 8.2.2. Go to the
|
|
<A HREF="ftp://updates.redhat.com">Red Hat Updates</A> or
|
|
<A HREF="ftp://ftp.linux-mandrake.com/pub/updates">Mandrake Updates</A> sites to check for the latest version.</LI>
|
|
<LI>Restrict access to your name server to just the local network by adding
|
|
the line <CODE>allow-query { 192.168.1/24; 127.0.0.1/32; };</CODE> to the <CODE>/etc/named.conf</CODE>
|
|
file after the <CODE>forwarders</CODE> line.</LI>
|
|
<LI>Avoid running your name server as <CODE>root</CODE>. If your server is running as root,
|
|
an exploit of the server will grant the exploiter root privledges. If you run
|
|
the server as a powerless user, like <CODE>nobody</CODE>, you can lower the risk of a name
|
|
server exploit. To run your name server as <CODE>nobody</CODE>, edit the <CODE>/etc/rc.d/init.d/named</CODE>
|
|
file and change the line <CODE>daemon named</CODE> to <CODE>daemon named -u nobody -g nobody</CODE>.</LI>
|
|
</OL>
|
|
<P>Make sure your DNS server will start at boot time: <CODE>chkconfig named on</CODE>.
|
|
Again, this ensures that the server will start in the usual runlevels (3 and
|
|
5) at boot time.
|
|
<P>OK, now you can start your DNS server: <CODE>/etc/rc.d/init.d/named start</CODE>
|
|
<H3>Testing the Inside Network </H3>
|
|
|
|
<P>Until we configure the outside network, the DNS service will not work (since
|
|
it has to communicate with other DNS servers on the internet), but we can test
|
|
out the basic internal connectivity with the <CODE>ping</CODE> program.
|
|
<P>On one of your client computers, open up a terminal (MSDOS) window, and
|
|
type <CODE>ping 192.168.1.1</CODE>. This will send out packets to your Linux computer at
|
|
regular intervals, and your Linux computer will reflect the packets back. If
|
|
things are working right, you should see a set of packet return times.
|
|
<H2><A NAME="ss3.3">3.3 Configuring the Outside Network</A>
|
|
</H2>
|
|
|
|
<P>Now we're ready to configure the outside network. Sometimes this will be
|
|
difficult, depending on how well your internet provider supports Linux. If
|
|
you have difficulty, there is an
|
|
<A HREF="http://www.linuxdoc.org/HOWTO/mini/ADSL.html">ADSL mini-HOWTO</A> which covers ADSL issues in some detail.
|
|
If I can find a Cable Modem HOWTO, I will link to it also.
|
|
<P>The main problem with most outside connections is <EM>getting an IP address</EM>.
|
|
Some internet providers hand out static IP addresses to cable or ADSL subscribers,
|
|
and in that case configuration is easy. However, most providers have now moved
|
|
to dynamic configuration via (you guessed it) DHCP. This means that your Linux
|
|
computer will likely be a DHCP <EM>server</EM> on your <CODE>eth1</CODE> interface, and a DHCP <EM>client</EM>
|
|
on your <CODE>eth0</CODE> interface.
|
|
<P>Additionally, many providers have taken to providing their services in
|
|
specialized non-standard ways which assume their customers will be using Windows.
|
|
Some of those cases will be discussed at the end of section 3.3.2.
|
|
<H3>With a Static IP </H3>
|
|
|
|
<P>If your internet provider has assigned you a static IP address, you are
|
|
sitting pretty. First, create a new interface configuration file, <CODE>/etc/sysconfig/network-scripts/ifcfg-eth0</CODE>
|
|
and put the following in it:
|
|
<P>
|
|
<PRE>
|
|
DEVICE=eth0
|
|
IPADDR=x.x.x.x
|
|
NETMASK=y.y.y.y
|
|
ONBOOT=yes
|
|
|
|
</PRE>
|
|
<P>Just fill in x.x.x.x and y.y.y.y with the values given by your internet
|
|
provider. Now edit the <CODE>/etc/resolv.conf</CODE> file and enter the following information:
|
|
<P>
|
|
<PRE>
|
|
search provider_domain_here
|
|
nameserver n.n.n.n
|
|
nameserver m.m.m.m
|
|
|
|
</PRE>
|
|
<P>The provider_domain should be supplied by your internet provider. Also
|
|
enter the primary and secondary DNS servers in the n.n.n.n and m.m.m.m lines.
|
|
If you have set up the Linux box as a DNS server, you can add a line before
|
|
the other nameserver entries: <CODE>nameserver 127.0.0.1</CODE>. This will make your Linux
|
|
server use the caching server before asking the outside servers for DNS information.
|
|
<H3>With DHCP </H3>
|
|
|
|
<P>If your internet provider uses DHCP configuration, you need to create a
|
|
new interface configuration file, <CODE>/etc/sysconfig/network-scripts/ifcfg-eth0</CODE>and put the following in it:
|
|
<P>
|
|
<PRE>
|
|
DEVICE=eth0
|
|
BOOTPROTO=dhcp
|
|
ONBOOT=yes
|
|
|
|
</PRE>
|
|
<P>Now make sure that the dhcpcd client daemon is installed on your system.
|
|
Go to your Linux CD and install the <CODE>dhcpcd</CODE> RPM package.
|
|
<P>It's time to test your new network configuration. Just use the command
|
|
<CODE>/etc/rc.d/init.d/network restart</CODE>. Now test your outside connection with ping.
|
|
Ping a computer on the internet, like <CODE>www.yahoo.com</CODE> and see if anything comes
|
|
back.
|
|
<H3>Quirks and Anomalies </H3>
|
|
|
|
<P>Your situation may differ from the very simple situations described above.
|
|
Here are some short remarks on the various difficulties and links to more authoritative
|
|
resources and addressing them. Thanks to John Mellor for supplying the links
|
|
and impetus for adding this section.
|
|
<H3>PPP Over Ethernet (PPPoE) </H3>
|
|
|
|
<P>Several ADSL providers (Bell Atlantic, for example) are now insisting that
|
|
their new customers connect to the service using the "PPP over Ethernet"
|
|
protocol (PPPoE). To this end, they provide a Windows client program: not very
|
|
useful for Linux users. Fortunately, PPPoE is a simple protocol and several
|
|
efforts are underway to support it under Linux.
|
|
<P>
|
|
<UL>
|
|
<LI>The
|
|
<A HREF="http://www.roaringpenguin.com/pppoe.html">Roaring Penguin PPPoE Client</A> comes highly recommended by reader Kerr First.</LI>
|
|
<LI>
|
|
<A HREF="http://www.panix.com/~dfoster/prog/linux/pppoe.html">PPPoE on Linux for Bell Sympatico</A></LI>
|
|
<LI>PPPoE on Linux for Sympatico (
|
|
<A HREF="http://www.carricksolutions.com/pppoe.htm">General Info</A>) (
|
|
<A HREF="http://www.carricksolutions.com/linuxpppoe.htm">Linux Info</A>)</LI>
|
|
</UL>
|
|
<H3>Stupid DHCP Tricks </H3>
|
|
|
|
<P>One of the favorite tricks network providers play is to tie your service
|
|
to a unique hostname, or even a unique network interface card. This is presumably
|
|
to keep you from plugging multiple computers into your ethernet port using
|
|
a hub (of course, by using Linux and Masquerading you're getting the same effect
|
|
with better security and the cable company has no way of knowing!).
|
|
<P>If the provider has given you a hostname and insisted that you set your
|
|
Windows box with that name in order you use their service, then you'll have
|
|
to make sure that your Linux box sends in that hostname when requesting an
|
|
address from the DHCP server.
|
|
<P>The Red Hat DHCP client is called when you set the BOOTPROTO to dhcp in
|
|
the interface configuration file, but it is called without reference to a hostname.
|
|
To call the program with a hostname, in Red Hat 6.1, edit the <CODE>/etc/sysconfig/network</CODE>
|
|
file, and change the line:
|
|
<P><CODE>HOSTNAME=</CODE>
|
|
<P>To read this:
|
|
<P><CODE>HOSTNAME=your_isp_assigned_name</CODE>
|
|
<P>This may not work in some of the Red Hat variants. If it does not work,
|
|
check the <CODE>/sbin/ifup</CODE> script and see if the call to dhcpcd and pump include
|
|
a -h $HOSTNAME switch. If they do not, add them, so the calls look like
|
|
<CODE>/sbin/dhcpcd -i $DEVICE -h $HOSTNAME</CODE> and <CODE>/sbin/pump -i $DEVICE
|
|
-h $HOSTNAME</CODE>.
|
|
<H3>Road Runner </H3>
|
|
|
|
<P>The Road Runner cable service has a special login process which must be
|
|
run before the server can be used. Fortunately, a detailed
|
|
<A HREF="http://usmcug.usm.maine.edu/~kpesce/rr">Linux Road Runner HOWTO</A> is available.
|
|
<H3>Looking at the Network Entries </H3>
|
|
|
|
<P>Now you can admire your work. Type <CODE>ifconfig</CODE> to see all your configured
|
|
devices. On my gateway computer, it looks like this:
|
|
<P>
|
|
<PRE>
|
|
eth0 Link encap:Ethernet HWaddr 00:60:67:4A:02:0A
|
|
inet addr:24.65.182.43 Bcast:24.65.182.255 Mask:255.255.255.0
|
|
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
|
RX packets:487167 errors:0 dropped:0 overruns:0 frame:0
|
|
TX packets:467064 errors:0 dropped:0 overruns:0 carrier:0
|
|
collisions:89 txqueuelen:100
|
|
Interrupt:10 Base address:0xe400
|
|
eth1 Link encap:Ethernet HWaddr 00:80:C8:D3:30:2C
|
|
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
|
|
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
|
RX packets:284112 errors:0 dropped:0 overruns:0 frame:1
|
|
TX packets:311533 errors:0 dropped:0 overruns:0 carrier:0
|
|
collisions:37938 txqueuelen:100
|
|
Interrupt:5 Base address:0xe800
|
|
lo Link encap:Local Loopback
|
|
inet addr:127.0.0.1 Mask:255.0.0.0
|
|
UP LOOPBACK RUNNING MTU:3924 Metric:1
|
|
RX packets:12598 errors:0 dropped:0 overruns:0 frame:0
|
|
TX packets:12598 errors:0 dropped:0 overruns:0 carrier:0
|
|
collisions:0 txqueuelen:0
|
|
|
|
</PRE>
|
|
<P>Note that the <CODE>eth0</CODE> interface has a fancy outside IP address, and the <CODE>eth1</CODE>
|
|
address has a private internal address.
|
|
<P>You can look at the network routes by typing the <CODE>route</CODE> command. On my gateway
|
|
computer it looks like this:
|
|
<P>
|
|
<PRE>
|
|
Kernel IP routing table
|
|
Destination Gateway Genmask Flags Metric Ref Use Iface
|
|
255.255.255.255 * 255.255.255.255 UH 0 0 0 eth1
|
|
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
|
|
24.65.182.0 * 255.255.255.0 U 0 0 0 eth0
|
|
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
|
|
default 24.65.182.1 0.0.0.0 UG 0 0 0 eth0
|
|
|
|
</PRE>
|
|
<P>Here we can see the outside network is set up, the inside network is set
|
|
up, the local device is set up, the special 255.255.255.255 broadcast address
|
|
is set up, and the default route is set up to point to the internet providers
|
|
gateway. Perfect!
|
|
<P>Now you have the outside, and the inside. All the remains is to open the
|
|
door between the two. First though, we have to make sure no monsters can get
|
|
in from the outside.
|
|
<H2><A NAME="ss3.4">3.4 Security</A>
|
|
</H2>
|
|
|
|
<P>One of the drawbacks of being permanently connected to the internet via
|
|
ADSL or cable is that your computer is exposed to potential security threats
|
|
24 hours a day, 7 days a week. Using Linux as a gateway reduces the risks,
|
|
because it hides all your other computers: as far as the rest of the internet
|
|
is concerned, only your Linux box is available for connections. This means
|
|
that your network is only as secure as your Linux box, so at this point I'll
|
|
give a few basic tips to make your box more secure.
|
|
<P>First, you need to shut out all the bad guys. To do this, edit the file
|
|
<CODE>/etc/hosts.deny</CODE> and make sure it looks just like this:
|
|
<P>
|
|
<PRE>
|
|
#
|
|
# hosts.deny This file describes the names of the hosts which are
|
|
# *not* allowed to use the local INET services, as decided
|
|
# by the '/usr/sbin/tcpd' server.
|
|
#
|
|
# The portmap line is redundant, but it is left to remind you that
|
|
# the new secure portmap uses hosts.deny and hosts.allow. In particular
|
|
# you should know that NFS uses portmap!
|
|
ALL: ALL
|
|
|
|
</PRE>
|
|
<P>This tells the "TCP wrappers" -- which control 95% of
|
|
incoming connections -- to deny all connections from all hosts. That's a pretty
|
|
good rule! But, it will also keep you from connecting to your Linux box from
|
|
inside your home network, which is annoying, so we will make one exception.
|
|
Edit the file <CODE>/etc/hosts.allow</CODE> and make sure it looks just like this:
|
|
<P>
|
|
<PRE>
|
|
#
|
|
# hosts.allow This file describes the names of the hosts which are
|
|
# allowed to use the local INET services, as decided
|
|
# by the '/usr/sbin/tcpd' server.
|
|
#
|
|
ALL: 127.0.0.1
|
|
ALL: 192.168.1.
|
|
|
|
</PRE>
|
|
<P>This tells the "TCP wrappers" that they can allow connections
|
|
to all services from the local device (127.0.0.1) and from your home network
|
|
(192.168.1.).
|
|
<P>You have now locked the monsters outside, with a strong padlock. If you
|
|
want to put up bars and alarm systems, you will have to be alot more sophisticated.
|
|
The
|
|
<A HREF="http://www.linuxdoc.org/HOWTO/Security-HOWTO.html">Security HOWTO</A> is a good place to start if you want to learn more about securing your
|
|
Linux box.
|
|
<HR>
|
|
<A HREF="Home-Network-mini-HOWTO-4.html">Next</A>
|
|
<A HREF="Home-Network-mini-HOWTO-2.html">Previous</A>
|
|
<A HREF="Home-Network-mini-HOWTO.html#toc3">Contents</A>
|
|
</BODY>
|
|
</HTML>
|