HOWTO -- linux cable modem router server firewall

= About

These are some notes describing how I set up our apartment network on a cable modem. Here's what we started with:

- Debian GNU/Linux unstable (2002-09-16), kernel 2.4.18 with devfs and auto module loading
- running on an Athlon 700 with 128M RAM
- 2 ethernet cards
- SVEC 8-port ethernet hub
- RoadRunner cable modem and service
- a bunch of CAT5 cable
- 3 laptops (one Debian, one Win ME, one Win 2K)

Our goals:

- DHCP for all machines plugged into the hub
- NAT for those machines
- a secure firewall
- www, anonymous ftp, ssh, and smtp services available publicly

= Cable Modem Installation

First, you'll probably need to use a Windows machine to configure the RoadRunner modem with the required information. I actually don't know anything about this step because the cable guy did it for us. Anyway, assume you have a properly working modem.

Then we had to run cable from the only cable outlet in the living room into my room. We got two 50-foot white cables, a splitter, and a box of 100 nails with plastic cable hooks for about $30 at Home Depot. Radio Shack was more expensive. At home, we used one 50-foot length to circuit the living room, ending behind the TV where the splitter went. One branch got the other cable, which runs down the hallway to my room. You should exercise caution in where you put in the nails, because they won't hold well if they're just in drywall.

Then I had to install the second ethernet card. I already had the first working, but even if I didn't it's a simple matter: find out which kernel driver is needed, recompile the kernel if necessary, and if you're using modules put the driver into /etc/modules. The order you load the drivers determines which card becomes eth0 and which eth1, so watch out: everything below assumes eth0 faces the cable modem and eth1 faces the hub, and if the two get swapped, the firewall rules end up protecting the wrong side.

Getting the cable modem to work with one box is as simple as turning on DHCP.
I'm using the 'ifupdown' package, so I added the following to /etc/network/interfaces:

    # cable modem
    iface eth0 inet dhcp

Then I ran:

    ifup eth0

That was easy, wasn't it? At this point my machine is working and I could stop here, but my roommates won't like that.

= LAN part 1

I plugged the hub into the second ethernet card (eth1). I ran cable from the hub to all the places where we want laptops. I wish we had wireless, but we're poor. So, that takes care of the physical side.

The way a router/firewall works in principle is that it connects two networks, one on each ethernet card, with each other. In doing so, it is free to do all kinds of filtering and whatnot. That's why we needed two ethernet cards: if we plugged the cable modem into the hub with everything else, its traffic would get all mixed in with the local network traffic, there'd be no way to filter it or do NAT, and every laptop on the hub would be sitting directly on the cable company's network.

Since our local network is, well, local, we get to make up our own IP addresses. There are three ranges reserved for this (from the IP-Masquerade HOWTO; they are the private ranges defined in RFC 1918):

    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255

I picked the first because it's easy to remember. A friend of mine has his private networks on 10.1, 10.2, and 10.3. If someday we want to VPN these together to create our own big private network, the addresses can't collide, so he and I agreed that I would get 10.4. My house network then becomes 10.4.1.0, and my computer (the "master" of the network) 10.4.1.1. If someone else in the apartment wanted to join in, we might put them on 10.4.2.0... you get the idea. This is all arbitrary -- all that matters is that you agree on one scheme and there are no conflicts within the private network.
Anyway, to implement my system all I had to do was go back to /etc/network/interfaces and add:

    # local network
    iface eth1 inet static
        address 10.4.1.1
        netmask 255.255.255.0
        network 10.4.1.0
        broadcast 10.4.1.255

(The network address of a /24 is the .0 address; .255 is the broadcast address, and ifupdown wants them in those two separate fields.)

Now we could do something similar for each other computer in the network, assigning them static addresses of 10.4.1.2, etc. But then you have to remember which is which, and not give the same IP to two computers, and so on -- so why not use a technology which will handle this for you: DHCP.

= LAN part 2: DHCP

First, I installed the 'dhcp' package. Then, with a bit of help from Jeff, I put the following in /etc/dhcpd.conf:

    option domain-name "sixfingeredman.net";
    max-lease-time 86400;
    default-lease-time 86400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.4.1.255;
    option routers 10.4.1.1;
    option netbios-name-servers 10.4.1.1;
    # roadrunner dns
    option domain-name-servers 24.93.35.62, 24.93.35.63, 24.93.35.33;

    subnet 10.4.1.0 netmask 255.255.255.0 {
        range 10.4.1.100 10.4.1.200;
    }

'domain-name' is totally optional -- it just means that, if I have something mapped via DNS to foo.sixfingeredman.net, all the computers in the LAN can refer to it as simply foo. The middle options are all determined from how I configured my eth1 (netbios is for WINS). The domain-name-servers came from looking at /etc/resolv.conf, which is automatically set by my DHCP client. So really I'd like the addresses here also dynamically set, but since they almost never change it's safe to hardcode them. Finally, the last bit says that computers on the LAN get addresses from 100-200.

One thing worth checking is that dhcpd only listens on eth1 (on Debian this is the INTERFACES setting in /etc/default/dhcp). Otherwise the same server will happily answer DHCP requests that arrive on eth0, handing out 10.4.1.x addresses on the cable company's network.

Now I turn on DHCP for each laptop, plug it in, reboot the Windows boxes, and they're on! Well, they're on the private network anyway. They can talk to each other, and they can talk to my eth1, but they can't talk to my eth0 and therefore can't reach the cable modem and the internet.

= NAT

Time for NAT. Jeff sent me this tutorial: http://www.networknewz.com/2002/0424.html, which was very helpful.
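Before getting into NAT, one loose end from the DHCP section: the domain-name-servers line is hardcoded there, although the addresses really come from the /etc/resolv.conf that the cable modem's DHCP client writes. The script below is an added example, not from the original page, that generates that line from a resolv.conf-style file and splices it into a dhcpd.conf. The file paths are arguments so it can be pointed at /etc/resolv.conf and /etc/dhcpd.conf on a real box; the sample resolv.conf it builds for itself is constructed here, using the RoadRunner addresses quoted above.

```shell
#!/bin/sh
# Added example (not the page's own): keep dhcpd.conf's domain-name-servers
# option in step with the resolvers the cable modem's DHCP client gave us.

# Print "option domain-name-servers a, b, c;" built from the nameserver lines
# of the resolv.conf-style file given as $1. Fails if there are none, so a
# broken resolv.conf never turns into an empty option in dhcpd.conf.
dns_option_from_resolv() {
    awk '
        $1 == "nameserver" { ns[n++] = $2 }
        END {
            if (n == 0) exit 1
            printf "option domain-name-servers "
            for (i = 0; i < n; i++) printf "%s%s", (i ? ", " : ""), ns[i]
            print ";"
        }' "$1"
}

# Print dhcpd.conf ($1) with its domain-name-servers line replaced by one
# generated from resolv.conf ($2). Nothing is written in place: redirect the
# output to a new file and swap it in once you have looked at it.
update_dhcpd_dns() {
    line=$(dns_option_from_resolv "$2") || return 1
    awk -v new="$line" '
        /^[ \t]*option[ \t]+domain-name-servers/ { print new; next }
        { print }' "$1"
}

# Constructed sample resolv.conf (the RoadRunner resolvers from the page);
# prints the path of a temporary file holding it.
sample_resolv() {
    f=$(mktemp)
    printf 'search sixfingeredman.net\nnameserver 24.93.35.62\nnameserver 24.93.35.63\nnameserver 24.93.35.33\n' > "$f"
    echo "$f"
}

# Typical use on the router itself (as root):
#   update_dhcpd_dns /etc/dhcpd.conf /etc/resolv.conf > /etc/dhcpd.conf.new
#   mv /etc/dhcpd.conf.new /etc/dhcpd.conf && /etc/init.d/dhcp restart
```

Run from the DHCP client's hook (or from cron) this keeps the LAN working if the cable company ever does renumber its resolvers.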
The first thing you have to do is turn on all the right kernel options. In 2.4.18, go into Networking Options, turn on Network Packet Filtering, then go into IP: Netfilter Configuration and turn on everything (you don't need it all, but it doesn't hurt; in particular you want connection tracking and the FTP helper, or FTP from the LAN won't work through NAT). I'm assuming you've got TCP/IP and everything turned on.

Then you can use the script from that tutorial. I put it in /usr/local/sbin/nat-enable:

    #!/bin/bash
    # Let the kernel route packets between the two cards.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Start from a clean slate: drop all rules and user chains in the filter
    # and nat tables.  The built-in chains keep their default policy, ACCEPT,
    # so after this nothing at all is being filtered.
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain

    # Set up IP FORWARDing and Masquerading: rewrite the source address of
    # everything leaving via the cable modem (eth0) to eth0's own address,
    # and forward whatever comes in from the LAN (eth1).
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables --append FORWARD --in-interface eth1 -j ACCEPT

Then:

    sudo nat-enable

If you've got all the right modules, this should go without errors. Go to one of your other boxes and try to access the net. It should work.

Be clear about what this script is and isn't: it is NAT, not a firewall. With every policy still at ACCEPT the FORWARD rule is redundant, the box itself accepts any connection from the cable side, and anything the cable side sends toward a 10.4.1.x address gets forwarded into the LAN. That is what the Firewall section below is for.

Then I discovered the 'ipmasq' package, which does the same thing, but more automatically and probably more securely. You want it to initialize "after network services are started", to be sure that your machine has its DHCP address.

= SAMBA

I'll mention this briefly -- the first thing is to make sure all your machines are on the same workgroup. We agreed on "THENEST". Then it seems to be a matter of trial and error -- I still haven't figured out how to get anonymous access to work from a Windows box, and for a while there seemed to be some problem with nmbd which meant that "gwen" didn't work but "10.4.1.1" did. This seemed to resolve itself after restarting the service and the firewall a few times. Strange.

= Firewall

I tried a few different firewall tools and really liked KDE's Guarddog (http://www.simonzone.com/software/guarddog/). This has a clear and easy-to-use zone metaphor which still allows you to create rules of arbitrary complexity. The tutorial which comes with Guarddog is very good, but I'll hit the high points:

1. Create a zone for the LAN.
For me it was "10.4.1.0/24". Connect it both to local and internet.
2. Go through the services and enable the connections you want. From the Internet you want to get WWW, FTP, SSH, ICQ, SMTP, POP3, and probably a bunch of other stuff. They tell you not to select everything, but it really can't hurt unless you're super-paranoid about spyware -- these are all outgoing connections.
3. For services from local and LAN you should be more careful. I opened SSH, FTP, WWW, and SMTP from local to everyone. I opened SMB over TCP and Windows Networking just to the LAN. From the LAN I opened nothing to the internet and only SMB and Windows Networking to me.
4. I told it I was getting DHCP info from eth0 and giving it on eth1.
5. Because some web servers use weird ports (83, 8080, 8083), I created these as user-defined services and opened them from the internet.

Now that's about as air-tight as can be! I love this program. So, you quit, apply changes, and that's it. Ship-shape and Bristol fashion!
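For anyone who would rather see the rules than click through a GUI, here is the nat-enable script from the NAT section rewritten as a default-deny iptables script that also expresses the policy described in this Firewall section: the public services reachable from anywhere, the LAN masqueraded out and allowed Windows networking to this box, and everything else from the cable side dropped. This is an added example, not the page's own script and not what Guarddog generates. It assumes eth0/eth1 and 10.4.1.0/24 as above, that connection tracking and the ip_conntrack_ftp helper are available (which the "turn on everything" kernel config gives you), and a port list of its own; it is stricter than the Guarddog setup in that outbound traffic from the router itself is the only thing left wide open.

```shell
#!/bin/sh
# Added example, not the page's script or Guarddog's output: NAT plus a
# default-deny firewall for the two-card router described on this page.
# Interface names, LAN range and port list are assumptions; edit to taste.
WAN=${WAN:-eth0}                          # cable modem side
LAN=${LAN:-eth1}                          # hub side
LAN_NET=${LAN_NET:-10.4.1.0/24}
PUBLIC_TCP=${PUBLIC_TCP:-"21 22 25 80"}   # ftp ssh smtp www: open to everyone

# Each rule is printed, not executed, so the whole set can be reviewed first.
rule() { echo "iptables $*"; }

firewall_rules() {
    # Clean slate, then default deny for anything arriving at or passing through the box.
    rule --flush
    rule --table nat --flush
    rule --delete-chain
    rule --table nat --delete-chain
    rule --policy INPUT DROP
    rule --policy FORWARD DROP
    rule --policy OUTPUT ACCEPT
    # Traffic to this box.
    rule --append INPUT --in-interface lo -j ACCEPT
    rule --append INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
    rule --append INPUT --in-interface "$WAN" --source "$LAN_NET" -j DROP   # LAN addresses never arrive from outside
    rule --append INPUT --in-interface "$WAN" --protocol udp --source-port 67 --destination-port 68 -j ACCEPT   # our lease from the cable company
    rule --append INPUT --in-interface "$LAN" --protocol udp --destination-port 67 -j ACCEPT   # DHCP requests from the laptops
    rule --append INPUT --in-interface "$LAN" --protocol udp --destination-port 137:139 -j ACCEPT   # Windows networking, LAN only
    rule --append INPUT --in-interface "$LAN" --protocol tcp --destination-port 137:139 --match state --state NEW -j ACCEPT
    rule --append INPUT --in-interface "$LAN" --protocol tcp --destination-port 445 --match state --state NEW -j ACCEPT   # SMB over TCP, LAN only
    for port in $PUBLIC_TCP; do   # the public services, from any interface
        rule --append INPUT --protocol tcp --destination-port "$port" --match state --state NEW -j ACCEPT
    done
    # Traffic through this box: LAN out to the cable side, replies back in, nothing else.
    rule --append FORWARD --in-interface "$WAN" --source "$LAN_NET" -j DROP
    rule --append FORWARD --match state --state ESTABLISHED,RELATED -j ACCEPT
    rule --append FORWARD --in-interface "$LAN" --out-interface "$WAN" --source "$LAN_NET" -j ACCEPT
    rule --table nat --append POSTROUTING --out-interface "$WAN" --source "$LAN_NET" -j MASQUERADE
}

# Load the rules, keeping forwarding off until they are all in place (the
# original script enabled forwarding first, with the chains still at ACCEPT).
apply_firewall() {
    modprobe ip_conntrack_ftp 2>/dev/null || true   # FTP data connections then count as RELATED
    echo 0 > /proc/sys/net/ipv4/ip_forward
    firewall_rules | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Self-check: number of FORWARD rules that would let the cable side open a new
# connection into the LAN. For this policy it must be 0.
wan_to_lan_accepts() {
    firewall_rules | grep -c -- "--append FORWARD --in-interface $WAN.* -j ACCEPT" || true
}

case "${1:-}" in
    apply) apply_firewall ;;
    show)  firewall_rules ;;
esac
```

Run it as `firewall show` to read the rule set, and `sudo firewall apply` to load it; `iptables -L -v -n` afterwards shows the counters, which is the quickest way to see whether the drop rules are actually catching anything from the cable side.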