LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Home-Network-mini-HOWTO-3.html

584 lines
29 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Red Hat Linux 6.X as an Internet Gateway for a Home Network: Configuring Networking</TITLE>
<LINK HREF="Home-Network-mini-HOWTO-4.html" REL=next>
<LINK HREF="Home-Network-mini-HOWTO-2.html" REL=previous>
<LINK HREF="Home-Network-mini-HOWTO.html#toc3" REL=contents>
</HEAD>
<BODY>
<A HREF="Home-Network-mini-HOWTO-4.html">Next</A>
<A HREF="Home-Network-mini-HOWTO-2.html">Previous</A>
<A HREF="Home-Network-mini-HOWTO.html#toc3">Contents</A>
<HR>
<H2><A NAME="s3">3. Configuring Networking</A> </H2>
<P>OK, by now you have installed Linux on your gateway computer. You may have
even configured one of your networking cards, and set up connectivity to the
Internet. However, we are going to start from scratch and pretend that nothing
is configured at all.
<P>Log in as <CODE>root</CODE>. All the instructions given in this document assume you
are logged in as root.
<P>The Linux kernel refers to your two ethernet cards as <CODE>eth0</CODE> and <CODE>eth1</CODE>, so
that is how I'll be referring to them from now on too. The trouble is, which
one is which? Here's a &quot;simple&quot; way of figuring out, guaranteed to
work at least 50% of the time: lay your computer on the desk with the
motherboard horizontal and the back panel facing you (as you would if you were
going to open it and do some work on it). The leftmost card is <CODE>eth0</CODE> -- you
might want to label it with some masking tape. Now, write down on a piece of
paper the make and model of both <CODE>eth0</CODE> and <CODE>eth1</CODE>.
<P>OK, let's see if <CODE>eth0</CODE> and <CODE>eth1</CODE> are recognized automatically by the kernel.
Type <CODE>ifconfig eth0</CODE> and <CODE>ifconfig eth1</CODE>. In both cases, if the kernel is recognizing
your card, you should see something like this (bearing in mind that the numbers
and whatnot will be different):
<P>
<PRE>
eth0 Link encap: Ethernet HWaddr 00:60:67:4A:02:0A
inet addr:0.0.0.0 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:466 errors:0 dropped:0 overruns:0 frame:0
TX packets:448 errors:0 dropped:0 overruns:0 carrier:0
collisions:85 txqueuelen:100
Interrupt:10 Base address:0xe400
</PRE>
<P>If the kernel is not recognizing your network card you will see something
like this:
<P>
<PRE>
eth0: error fetching interface information: Device not found.
</PRE>
<H2><A NAME="ss3.1">3.1 Configuring a Network Driver</A>
</H2>
<P>If both of your cards were found, skip to the next section. Otherwise,
read this section.
<P>OK, so one or both of your cards are not recognized by the kernel. This
is not a problem, really. What we're going to have to do is tell the kernel
more explicitly how to find your cards. There are lots of twists and turns
here, and I'm not going to cover all of them. Remember, when the going gets
tough, the tough turn to the
<A HREF="http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO.html">Ethernet HOWTO</A>. Here's some summary advice:
<P>
<UL>
<LI><EM>You have a PCI network card.</EM> You are probably sitting pretty, assuming
it is not so new and cutting edge that no drivers exist. You can often find
out a great deal about your network cards (and other things) by reading through
<CODE>/proc/pci</CODE> and noting down makes and models. </LI>
<LI><EM>You have an ISA network card.</EM> It is possible you will have to know the
IO base address and the IRQ the card is operating on. You have manuals, right?
Right? If not, this would be a good time to surf to the manufacturer's web
site and see if they have any online references. Or if you have an old DOS
configuration diskette, boot to DOS and see if there is a setup program which
will read and set the address and IRQ. </LI>
<LI><EM>You have an ISA Plug'n'Play card.</EM> You'll have to learn how to configure
it first -- read the
<A HREF="http://www.linuxdoc.org/HOWTO/Plug-and-Play-HOWTO.html">Plug'n'Play HOWTO</A>. Fortunately, oncee you've configured your card you will
know exactly what the IO base and IRQ are. </LI>
</UL>
<P>Now, since you know what the make and model of <CODE>eth0</CODE> and <CODE>eth1</CODE> are you can
go to the
<A HREF="http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO-5.html">compatibility page</A> of the
<A HREF="http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO.html">Ethernet HOWTO</A> and look up your card. Take note of the recommended driver,
and any information about special options your card may require. Write it down.
<P>It's time to edit a configuration file! The file we will be editing is
<CODE>/etc/conf.modules</CODE>. Open this file up in the text editor of your choice. Because
there are so many possibilities and combinations of things which can go in
this file, I'm going to give my own gateway as an example. I have a PCI 10/100Mb
card based on the VIA Rhine chip, and a plain-jane 10Mb NE2000 ISA clone. I
use the 100Mb card for the internal network and the 10Mb card for the external
connection. My <CODE>/etc/conf.modules</CODE> file looks like this:
<P>
<PRE>
alias parport_lowlevel parport_pc
alias eth0 ne
options ne io=0x300 irq=10
alias eth1 via-rhine
</PRE>
<P>My <CODE>conf.modules</CODE> file is laid out as follows:
<P>
<UL>
<LI>The first line is there to configure my parallel port for printing. You
probably have a similar line. Leave it alone. </LI>
<LI>The second line (<CODE>alias eth0 ne</CODE>) tells the kernel to use the ne driver for
the <CODE>eth0</CODE> device. </LI>
<LI>The third line (<CODE>options ne io=0x300 irq=10</CODE>) tells the ne driver at which
io address and irq interrupt it will find the ISA card at. If you have ISA
cards you will probably have to use this kind of directive, just replace the
driver, io and irq directives with the correct information for your card. </LI>
<LI>The fourth line (<CODE>alias eth1 via-rhine</CODE>) tells the kernel to use the via-rhine
driver for <CODE>eth1</CODE>. Because my <CODE>eth1</CODE> card is a PCI card, I do not need to provide
io or irq information: the PCI subsystem configures the device automatically.</LI>
</UL>
<P>You will want to ensure that you have alias entries in <CODE>conf.modules</CODE> for
both your cards, and correct options lines for all your ISA cards. You may
already have lines in <CODE>conf.modules</CODE> for any ethernet cards you configured during
installation.
<P>When you have finished editing <CODE>conf.modules</CODE>, try <CODE>ifconfig eth0</CODE> and <CODE>ifconfig
eth1</CODE> again. You may have to apply some trial and error if you are messing with
IO addresses and IRQs without a manufacturers manual.
<H3>Two Identical Network Cards </H3>
<P>So, you were really really smart, bought two identical network cards for
your Linux gateway, and now you cannot get them to work together? Do not worry,
getting them to coexist is just a matter of using the correct syntax in <CODE>/etc/conf.modules</CODE>.
For this example, the addresses and IRQ numbers are made up, and I will assume
that you have bought a matched pair of NE2000 clones (a common choice). Your
<CODE>/etc/conf.modules</CODE> file should look like this:
<P>
<PRE>
alias eth0 ne
alias eth1 ne
options ne io=0x330,0x360 irq=7,9
</PRE>
<P>The addressing options are all given on the same line, and the first number
for each addressing type is for <CODE>eth0</CODE>, the second number for <CODE>eth1</CODE>.
<H2><A NAME="ss3.2">3.2 Configuring the Inside Network</A>
</H2>
<P>The &quot;inside network&quot; is the network which all your home/office
machines will talk on. The &quot;outside network&quot; is the big scary internet
on the other side of the Linux box. By and large, the inside network will be
completely insulated from the outside network by the Linux box, which will
operate as a medium strength firewall.
<H3>The Network Device </H3>
<P>Now that your drivers are working and you can see both <CODE>eth0</CODE> and <CODE>eth1</CODE> in
<CODE>ifconfig</CODE> it is time to set up the internal home network. I am assuming that
you are going to put your internal network on <CODE>eth1</CODE> and your external device
on <CODE>eth0</CODE>.
<P>Your internal network is going to be a private network and will therefor
be on a special network reserved for internal networking: <CODE>192.168.1.0</CODE>. This
is a &quot;private Class C network&quot;, in case you want to impress your
friends.
<P>First we need to make sure networking is turned on. Edit the file <CODE>/etc/sysconfig/network</CODE>
and make sure the following lines exist:
<P>
<PRE>
NETWORKING=yes
FORWARD_IPV4=yes
</PRE>
<P>The first line tells Linux that we want the network devices brought up
at boot time. The second line tells Linux to enable IP forwarding. This is
required when we start configuring masquerading in Section 4.
<P><EM>Redhat 6.2 Note:</EM> In order to properly support IP forwarding and masquerading,
Red Hat 6.2 requires changes to the <CODE>/etc/sysctl.conf</CODE> file. Make sure the following
lines exist and are set to the correct values:
<P>
<PRE>
net.ipv4.ip_forward = 1
net.ipv4.ip_always_defrag = 1
</PRE>
<P>All the network interface settings for Red Hat and Red Hat derivatives
are contained in files in the <CODE>/etc/sysconfig/network-scripts</CODE> directory. Enter
that directory, and create a new file <CODE>ifcfg-eth1</CODE>. Put the following into the
<CODE>ifcfg-eth1</CODE> file:
<P>
<PRE>
DEVICE=eth1
IPADDR=192.168.1.1
ONBOOT=yes
</PRE>
<P>This code tells the networking scripts to configure eth1 at boot time and
to give it a particular IP address. Activate your network with the new settings
with the following command: <CODE>/etc/rc.d/init.d/network restart</CODE>
<H3>The DHCP Server </H3>
<P>A DHCP server will automatically configure devices on your internal home
network with IP addresses. This is very useful for people with laptops: they
can simply plug their machines in and be immediately properly configured. If
you do not want a DHCP server on your internal network, just skip to the next
section.
<P>First you need to be sure you have the DHCP server installed. Mount your
Linux CD and install the <CODE>dhcp</CODE> RPM. Now edit the <CODE>/etc/dhcpd.conf</CODE> file and put
the following (and only the following) in it:
<P>
<PRE>
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.60;
default-lease-time 86400;
max-lease-time 86400;
option routers 192.168.1.1;
option ip-forwarding off;
option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;
}
</PRE>
<P>If you are going to set up your Linux box as a caching domain name server,
insert the following option:
<P>
<PRE>
option domain-name-servers 192.168.1.1;
</PRE>
<P>If you know your outside DNS addresses and you are <EM>not</EM> going to use the
Linux box for DNS, insert the following option, where x.x.x.x and y.y.y.y are
IP numbers of the DNS servers:
<P>
<PRE>
option domain-name-servers x.x.x.x, y.y.y.y;
</PRE>
<P>If you are going to run Samba file sharing on the Linux box for your Windows
computers, add the following options to use the Linux box as the default WINS
and browsing server:
<P>
<PRE>
option netbios-name-servers 192.168.1.1;
option netbios-dd-server 192.168.1.1;
option netbios-node-type 8;
option netbios-scope &quot;&quot;;
</PRE>
<P>Configuring Samba and WINS is well beyond the scope of this document. If
you need some pointers, start with the
<A HREF="http://www.linuxdoc.org/HOWTO/SMB-HOWTO.html">SMB HOWTO</A> and go on from there.
<P>There are still a few more steps. Next, edit the <CODE>/etc/rc.d/init.d/dhcpd</CODE>
file and look for the following line:
<P>
<PRE>
/sbin/route add -host 255.255.255.255 dev eth1
</PRE>
<P>Windows DHCP clients require a particular broadcast address in DHCP responses,
and this command forces the Linux TCP/IP stack to produce it. If you cannot
find that line in the file, <EM>add it</EM>. If you <EM>do</EM> find a line like that one, make
sure that the device it references is <CODE>eth1</CODE>.
<P>The next step is to alter the <CODE>/etc/rc.d/init.d/dhcpd</CODE> file to use <CODE>eth1</CODE> as
the default device. Replace the line:
<P>
<PRE>
daemon /usr/sbin/dhcpd
</PRE>
<P>With:
<P>
<PRE>
daemon /usr/sbin/dhcpd eth1
</PRE>
<P>OK, now we are ready to start up DHCP. First start the DHCP server with
the command: <CODE>/etc/rc.d/init.d/dhcpd start</CODE>.
<P>Finally, we have to make sure that the DHCP server will start at re-boot
time. Some RPM packages of the DHCP server do not include directives to ensure
the server starts every time, so we'll make sure it gets started by invoking
the command <CODE>chkconfig dhcpd on</CODE>.
<P>This command causes RedHat to add the dhcp startup script to the various
runlevel directories under <CODE>/etc/rc.d</CODE>. In runlevels 3 and 5 (multiuser console
and multiuser X) the DHCP server is started. In runlevels 0, 1 and 6 (shutdown,
single user and reboot) the DHCP server is stopped.
<H3>The Client Computers </H3>
<P>If you have set DHCP up, configuring your client computers is very easy:
just enable DHCP configuration. For Windows computers, this involves opening
the &quot;Control Panel&quot; and then the &quot;Networking&quot; option. Find
the &quot;TCP/IP&quot; protocol and opt to &quot;Configure&quot; it. Check
the box that says to &quot;Configure TCP/IP address automatically&quot;, apply
your changes, and reboot.
<P>Before you reboot, you might want to type the following command: <CODE>tail -f
/var/log/messages</CODE>. This will watch the Linux system log continuously. If all
goes well, when you reboot your Windows computer, you will see it request an
IP address and see the DHCP server respond. Control-C exits the <CODE>tail -f</CODE> command.
<P>If you have not set up DHCP, configuration is still fairly easy. Again,
open the &quot;Networking&quot; option from the &quot;Control Panel&quot;,
and choose to configure the TCP/IP protocol. You can assign your client computers
any address in the 192.168.1.0 network except 192.168.1.0 (the network address),
192.168.1.255 (the broadcast address) or 192.168.1.1 (your Linux server). Never
give two computers the same IP address. Set the "Gateway" address to 192.168.1.1,
so that outgoing traffic is routed through your Linux gateway.
<P>The
<A HREF="http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html">IP Masquerading HOWTO</A> has very detailed information on client configuration in the
<A HREF="http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-4.html">Configuration Section</A>.
<P>In general, to configure a client computer, either enable DHCP configuration,
or manually assign it an address in the 192.168.1.X network with a gateway
of 192.168.1.1. Let the DNS server be either 192.168.1.1 if you are running
a caching DNS server (see below) or point the DNS at the addresses assigned
by your network provider.
<H3>The DNS Server </H3>
<P>Setting up your Linux box as a caching DNS server will (slightly) improve
your netsurfing speed, because commonly used DNS addresses will get cached
inside your network and not have to be retrieved from the outside.
<P>If you are interesting in doing full blown DNS, there is a great deal of
complexity to be learned. There is a
<A HREF="http://www.linuxdoc.org/HOWTO/DNS-HOWTO.html">DNS HOWTO</A> available, and the book
<A HREF="http://www.oreilly.com/catalog/dns3">DNS and BIND</A> is a good (and
very comprehensive) paper reference.
<P>In order for your client machines to take advantage of the caching server,
they must be configured to use the Linux gateway as their primary DNS server.
The DHCP directives given in section 3.2.2 are one way to accomplish this.
If you are configuring your client computers by hand, you can change the DNS
configurations in the same control tabs you used to set the IP address of the
machine.
<P>To install the DNS server, first install the <CODE>bind</CODE> RPM, then install the
<CODE>caching-nameserver</CODE> RPM. At this point, you are almost ready.
<P>As installed, the caching server will work fine, but if you know the IP
addresses of the internet providers DNS servers you can improve performance
slightly by editing the <CODE>/etc/named.conf</CODE> file and adding the following line
after the <CODE>directory</CODE> line (where x.x.x.x and y.y.y.y are the primary and secondary
DNS servers):
<P>
<PRE>
forwarders { x.x.x.x; y.y.y.y; };
</PRE>
<P>This change makes your DNS server first query the ISPs DNS servers before
traversing the internet in search of a given address. The ISPs servers often
have a rich cache of DNS information and can provide a much faster answer than
your server could.
<P>The <CODE>named</CODE> daemon has had some security problems over the past 12 months,
so it is very important that you have the latest version running, and make
some changes to the default settings to enhance security.
<P>
<OL>
<LI>Check your version of <CODE>bind</CODE> and make sure it is at least 8.2.2. Go to the
<A HREF="ftp://updates.redhat.com">Red Hat Updates</A> or
<A HREF="ftp://ftp.linux-mandrake.com/pub/updates">Mandrake Updates</A> sites to check for the latest version.</LI>
<LI>Restrict access to your name server to just the local network by adding
the line <CODE>allow-query { 192.168.1/24; 127.0.0.1/32; };</CODE> to the <CODE>/etc/named.conf</CODE>
file after the <CODE>forwarders</CODE> line.</LI>
<LI>Avoid running your name server as <CODE>root</CODE>. If your server is running as root,
an exploit of the server will grant the exploiter root privledges. If you run
the server as a powerless user, like <CODE>nobody</CODE>, you can lower the risk of a name
server exploit. To run your name server as <CODE>nobody</CODE>, edit the <CODE>/etc/rc.d/init.d/named</CODE>
file and change the line <CODE>daemon named</CODE> to <CODE>daemon named -u nobody -g nobody</CODE>.</LI>
</OL>
<P>Make sure your DNS server will start at boot time: <CODE>chkconfig named on</CODE>.
Again, this ensures that the server will start in the usual runlevels (3 and
5) at boot time.
<P>OK, now you can start your DNS server: <CODE>/etc/rc.d/init.d/named start</CODE>
<H3>Testing the Inside Network </H3>
<P>Until we configure the outside network, the DNS service will not work (since
it has to communicate with other DNS servers on the internet), but we can test
out the basic internal connectivity with the <CODE>ping</CODE> program.
<P>On one of your client computers, open up a terminal (MSDOS) window, and
type <CODE>ping 192.168.1.1</CODE>. This will send out packets to your Linux computer at
regular intervals, and your Linux computer will reflect the packets back. If
things are working right, you should see a set of packet return times.
<H2><A NAME="ss3.3">3.3 Configuring the Outside Network</A>
</H2>
<P>Now we're ready to configure the outside network. Sometimes this will be
difficult, depending on how well your internet provider supports Linux. If
you have difficulty, there is an
<A HREF="http://www.linuxdoc.org/HOWTO/mini/ADSL.html">ADSL mini-HOWTO</A> which covers ADSL issues in some detail.
If I can find a Cable Modem HOWTO, I will link to it also.
<P>The main problem with most outside connections is <EM>getting an IP address</EM>.
Some internet providers hand out static IP addresses to cable or ADSL subscribers,
and in that case configuration is easy. However, most providers have now moved
to dynamic configuration via (you guessed it) DHCP. This means that your Linux
computer will likely be a DHCP <EM>server</EM> on your <CODE>eth1</CODE> interface, and a DHCP <EM>client</EM>
on your <CODE>eth0</CODE> interface.
<P>Additionally, many providers have taken to providing their services in
specialized non-standard ways which assume their customers will be using Windows.
Some of those cases will be discussed at the end of section 3.3.2.
<H3>With a Static IP </H3>
<P>If your internet provider has assigned you a static IP address, you are
sitting pretty. First, create a new interface configuration file, <CODE>/etc/sysconfig/network-scripts/ifcfg-eth0</CODE>
and put the following in it:
<P>
<PRE>
DEVICE=eth0
IPADDR=x.x.x.x
NETMASK=y.y.y.y
ONBOOT=yes
</PRE>
<P>Just fill in x.x.x.x and y.y.y.y with the values given by your internet
provider. Now edit the <CODE>/etc/resolv.conf</CODE> file and enter the following information:
<P>
<PRE>
search provider_domain_here
nameserver n.n.n.n
nameserver m.m.m.m
</PRE>
<P>The provider_domain should be supplied by your internet provider. Also
enter the primary and secondary DNS servers in the n.n.n.n and m.m.m.m lines.
If you have set up the Linux box as a DNS server, you can add a line before
the other nameserver entries: <CODE>nameserver 127.0.0.1</CODE>. This will make your Linux
server use the caching server before asking the outside servers for DNS information.
<H3>With DHCP </H3>
<P>If your internet provider uses DHCP configuration, you need to create a
new interface configuration file, <CODE>/etc/sysconfig/network-scripts/ifcfg-eth0</CODE>and put the following in it:
<P>
<PRE>
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
</PRE>
<P>Now make sure that the dhcpcd client daemon is installed on your system.
Go to your Linux CD and install the <CODE>dhcpcd</CODE> RPM package.
<P>It's time to test your new network configuration. Just use the command
<CODE>/etc/rc.d/init.d/network restart</CODE>. Now test your outside connection with ping.
Ping a computer on the internet, like <CODE>www.yahoo.com</CODE> and see if anything comes
back.
<H3>Quirks and Anomalies </H3>
<P>Your situation may differ from the very simple situations described above.
Here are some short remarks on the various difficulties and links to more authoritative
resources and addressing them. Thanks to John Mellor for supplying the links
and impetus for adding this section.
<H3>PPP Over Ethernet (PPPoE) </H3>
<P>Several ADSL providers (Bell Atlantic, for example) are now insisting that
their new customers connect to the service using the &quot;PPP over Ethernet&quot;
protocol (PPPoE). To this end, they provide a Windows client program: not very
useful for Linux users. Fortunately, PPPoE is a simple protocol and several
efforts are underway to support it under Linux.
<P>
<UL>
<LI>The
<A HREF="http://www.roaringpenguin.com/pppoe.html">Roaring Penguin PPPoE Client</A> comes highly recommended by reader Kerr First.</LI>
<LI>
<A HREF="http://www.panix.com/~dfoster/prog/linux/pppoe.html">PPPoE on Linux for Bell Sympatico</A></LI>
<LI>PPPoE on Linux for Sympatico (
<A HREF="http://www.carricksolutions.com/pppoe.htm">General Info</A>) (
<A HREF="http://www.carricksolutions.com/linuxpppoe.htm">Linux Info</A>)</LI>
</UL>
<H3>Stupid DHCP Tricks </H3>
<P>One of the favorite tricks network providers play is to tie your service
to a unique hostname, or even a unique network interface card. This is presumably
to keep you from plugging multiple computers into your ethernet port using
a hub (of course, by using Linux and Masquerading you're getting the same effect
with better security and the cable company has no way of knowing!).
<P>If the provider has given you a hostname and insisted that you set your
Windows box with that name in order you use their service, then you'll have
to make sure that your Linux box sends in that hostname when requesting an
address from the DHCP server.
<P>The Red Hat DHCP client is called when you set the BOOTPROTO to dhcp in
the interface configuration file, but it is called without reference to a hostname.
To call the program with a hostname, in Red Hat 6.1, edit the <CODE>/etc/sysconfig/network</CODE>
file, and change the line:
<P><CODE>HOSTNAME=</CODE>
<P>To read this:
<P><CODE>HOSTNAME=your_isp_assigned_name</CODE>
<P>This may not work in some of the Red Hat variants. If it does not work,
check the <CODE>/sbin/ifup</CODE> script and see if the call to dhcpcd and pump include
a -h $HOSTNAME switch. If they do not, add them, so the calls look like
<CODE>/sbin/dhcpcd -i $DEVICE -h $HOSTNAME</CODE> and <CODE>/sbin/pump -i $DEVICE
-h $HOSTNAME</CODE>.
<H3>Road Runner </H3>
<P>The Road Runner cable service has a special login process which must be
run before the server can be used. Fortunately, a detailed
<A HREF="http://usmcug.usm.maine.edu/~kpesce/rr">Linux Road Runner HOWTO</A> is available.
<H3>Looking at the Network Entries </H3>
<P>Now you can admire your work. Type <CODE>ifconfig</CODE> to see all your configured
devices. On my gateway computer, it looks like this:
<P>
<PRE>
eth0 Link encap:Ethernet HWaddr 00:60:67:4A:02:0A
inet addr:24.65.182.43 Bcast:24.65.182.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:487167 errors:0 dropped:0 overruns:0 frame:0
TX packets:467064 errors:0 dropped:0 overruns:0 carrier:0
collisions:89 txqueuelen:100
Interrupt:10 Base address:0xe400
eth1 Link encap:Ethernet HWaddr 00:80:C8:D3:30:2C
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:284112 errors:0 dropped:0 overruns:0 frame:1
TX packets:311533 errors:0 dropped:0 overruns:0 carrier:0
collisions:37938 txqueuelen:100
Interrupt:5 Base address:0xe800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:12598 errors:0 dropped:0 overruns:0 frame:0
TX packets:12598 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
</PRE>
<P>Note that the <CODE>eth0</CODE> interface has a fancy outside IP address, and the <CODE>eth1</CODE>
address has a private internal address.
<P>You can look at the network routes by typing the <CODE>route</CODE> command. On my gateway
computer it looks like this:
<P>
<PRE>
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
255.255.255.255 * 255.255.255.255 UH 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
24.65.182.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 24.65.182.1 0.0.0.0 UG 0 0 0 eth0
</PRE>
<P>Here we can see the outside network is set up, the inside network is set
up, the local device is set up, the special 255.255.255.255 broadcast address
is set up, and the default route is set up to point to the internet providers
gateway. Perfect!
<P>Now you have the outside, and the inside. All the remains is to open the
door between the two. First though, we have to make sure no monsters can get
in from the outside.
<H2><A NAME="ss3.4">3.4 Security</A>
</H2>
<P>One of the drawbacks of being permanently connected to the internet via
ADSL or cable is that your computer is exposed to potential security threats
24 hours a day, 7 days a week. Using Linux as a gateway reduces the risks,
because it hides all your other computers: as far as the rest of the internet
is concerned, only your Linux box is available for connections. This means
that your network is only as secure as your Linux box, so at this point I'll
give a few basic tips to make your box more secure.
<P>First, you need to shut out all the bad guys. To do this, edit the file
<CODE>/etc/hosts.deny</CODE> and make sure it looks just like this:
<P>
<PRE>
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL: ALL
</PRE>
<P>This tells the &quot;TCP wrappers&quot; -- which control 95% of
incoming connections -- to deny all connections from all hosts. That's a pretty
good rule! But, it will also keep you from connecting to your Linux box from
inside your home network, which is annoying, so we will make one exception.
Edit the file <CODE>/etc/hosts.allow</CODE> and make sure it looks just like this:
<P>
<PRE>
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL: 127.0.0.1
ALL: 192.168.1.
</PRE>
<P>This tells the &quot;TCP wrappers&quot; that they can allow connections
to all services from the local device (127.0.0.1) and from your home network
(192.168.1.).
<P>You have now locked the monsters outside, with a strong padlock. If you
want to put up bars and alarm systems, you will have to be alot more sophisticated.
The
<A HREF="http://www.linuxdoc.org/HOWTO/Security-HOWTO.html">Security HOWTO</A> is a good place to start if you want to learn more about securing your
Linux box.
<HR>
<A HREF="Home-Network-mini-HOWTO-4.html">Next</A>
<A HREF="Home-Network-mini-HOWTO-2.html">Previous</A>
<A HREF="Home-Network-mini-HOWTO.html#toc3">Contents</A>
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink