Setting up a home network

Some notes on creating a home network on Rogers Wave with a Linux PC as a router/gateway and file and print server for Windows 95 clients. Written after many hours contending with "network unavailable" messages on Win95...

The method described uses IP masquerading for external access. All external Internet traffic is channelled through a single ip address (assigned by your ISP) and (if applicable) a single Ethernet card, whose MAC address may be cached in your cable modem. You should not use any external ip address not assigned to you by your ISP, or connect extra devices directly to the Cable Modem or its Ethernet segment.

Using this setup you can:

Sketch

Single Client Configuration

In this configuration, a PC running Linux has two Ethernet cards. One is connected to the Internet via a cable modem (depending on the modem, this cable may or may not have a twist). The other is connected to another PC running Windows 95 with a "twisted" 10BaseT cable. Using this configuration, one can:

These notes apply to RedHat Linux 4.2 and Windows 95 4.00.950B. Other versions may differ.

Components

The following software components are involved:

Setting up IP

This is relatively straightforward. Configure the PC with two Ethernet cards and create two entries in /etc/sysconfig/network-scripts/ such as "ifcfg-eth0", "ifcfg-eth1". eth0 should be set up as the external IP connection using the IP address, domain, etc. provided by the cable company. A PPP connection may be used instead. eth1 should be set up as the internal network connection. Since there is no normal route to the internal network, a private address range may be used, such as 192.168.1.0. I used 192.168.2.1, 192.168.2.2 for the internal network nodes. See RFC 1918 (Address Allocation for Private Internets). For example:
eth0      Link encap:10Mbps Ethernet  HWaddr 00:60:08:3E:59:3D
          inet addr:24.113.41.140  Bcast:24.113.41.255  Mask:255.255.252.0
eth1      Link encap:10Mbps Ethernet  HWaddr 00:60:08:3E:59:DC
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
You may wish to assign names to the internal nodes in Linux /etc/hosts and in Win95 C:\WINDOWS.000\HOSTS, and also in C:\WINDOWS.000\LMHOSTS (for SMB).

As per the HOWTO/NET-3-HOWTO, install ipfwadm and if necessary turn on IP masquerading and IP firewall in the kernel config and build a new kernel. Then use a command like

  ipfwadm -F -a m -S 192.168.2.0/24 -D 0.0.0.0/0
to enable IP masquerading. I placed this command in /etc/rc.d/rc2.d/S10network. You then need a static route to the internal network, such as
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  192.168.2.0     *               255.255.255.0   U     0      0        3 eth1
Newer Linux systems use "ipchains" instead of "ipfwadm". I now have:
/sbin/ipchains -A input -s 192.168.0.0/16 -j DENY -i eth0
/sbin/ipchains -A input -s 169.254.0.0/16 -j DENY -i eth0
/sbin/ipchains -A input -s ! 192.168.0.0/16 -j DENY -i eth1
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ 
in /etc/rc.d/rc.local
There may be better ways. This says: deny packets from 192.168 coming from outside, deny from 169.254, deny not from 192.168 from inside, and set up masquerading from 192.168.2.
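
The rule order described above can be checked on sample packets. This is an added example, not part of the original notes: a shell model of the five rules, assuming the input chain keeps its default ACCEPT policy and the output chain accepts everything; the sample packets are constructed.

```sh
# Added example: a model of the five ipchains rules above, not a packet filter.
# Assumptions: input keeps its default ACCEPT policy (the page sets a policy
# only for forward) and the output chain accepts everything.

# Dotted-quad IPv4 address -> integer (subshell body keeps IFS local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# in_cidr ADDR NET/LEN: succeed if ADDR lies inside the network.
in_cidr() (
    net=${2%/*}; len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & $mask )) -eq $(( $(ip2int "$net") & $mask )) ]
)

# input_verdict IFACE SRC: rules are tried in order, first match wins.
input_verdict() {
    if   [ "$1" = eth0 ] && in_cidr "$2" 192.168.0.0/16; then echo DENY
    elif [ "$1" = eth0 ] && in_cidr "$2" 169.254.0.0/16; then echo DENY
    elif [ "$1" = eth1 ] && ! in_cidr "$2" 192.168.0.0/16; then echo DENY
    else echo ACCEPT   # no rule matched: assumed default policy
    fi
}

# forward_verdict SRC: policy DENY plus one MASQ rule for 192.168.2.0/24.
forward_verdict() {
    if in_cidr "$1" 192.168.2.0/24; then echo MASQ; else echo DENY; fi
}

# transit_verdict IFACE SRC: a routed packet passes input, then forward.
transit_verdict() {
    if [ "$(input_verdict "$1" "$2")" = DENY ]; then echo DENY
    else forward_verdict "$2"
    fi
}

# Constructed sample packets: arrival interface and source address.
for pkt in "eth1 192.168.2.2" "eth1 192.168.3.9" "eth0 192.168.2.7" \
           "eth0 169.254.10.1" "eth0 10.0.0.5"; do
    set -- $pkt
    echo "$1 src=$2 input=$(input_verdict "$1" "$2") transit=$(transit_verdict "$1" "$2")"
done
```

The 10.0.0.5 packet on eth0 passes the input chain: the rules as listed drop only 192.168.0.0/16 and 169.254.0.0/16 sources arriving from outside, not the other RFC 1918 ranges.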

Optionally, enable the DNS server "named" with its associated configuration file "/etc/named.boot". The DNS servers given by your ISP may be listed as forwarders.

In Windows 95, you need to enable tcp/ip and configure it to use the Linux PC as a gateway, and optionally as a DNS. For example:

ScreenGrab: Network Configuration ScreenGrab: TCP/IP Properties: IP Address

The network card (NIC) driver, TCP/IP, client for Microsoft Networks and File sharing for Microsoft Networks are installed. The local IP address and mask are specified.

ScreenGrab: TCP/IP Properties: DNS ScreenGrab: Network Configuration: gateway

The local hostname is given (should match entries in "hosts" files on both PCs). If DNS is enabled on the Linux PC, it may be given as the primary nameserver. Additional nameservers may be given. The Linux PC should be given as the IP gateway for the Win95 PC.

ScreenGrab: TCP/IP Properties: Bindings ScreenGrab: Network Configuration: Identification

TCP/IP should be bound to the client for Microsoft Networks and file sharing for Microsoft Networks. The NetBIOS computer name for the Win95 PC should in most cases be set the same as its IP name on the local network.

At this point, TCP/IP should be operational. You should be able to ping Windows 95 from Linux, and Linux from Windows 95 ("ping" at MS/DOS prompt). You should be able to telnet from Windows 95 to Linux ("telnet" at MS/DOS prompt). You should also be able to ping and telnet from Windows 95 to the outside world.

Setting up SMB

The SMB service (Samba) on Linux runs two daemons, smbd and nmbd. Both are controlled by /etc/smb.conf, and generate logfiles in /var/log. nmbd is responsible for network announcements, which are broadcast at frequent intervals. Until an announcement is heard, Windows 95 says that the network is unavailable for browsing. To speed up this process, kill and restart nmbd, then select View --> Refresh in the Win95 Local Network browse list. While configuring the network, it is probably wise to run the daemons with debug level 2 (smbd -d 2 ; nmbd -d 2).

On the Linux PC, /etc/smb.conf must be set up. For a multihomed system as described here, a couple of extra lines must be added (see "man smb.conf"). These are "interfaces" and optionally "socket address", which declare additional interfaces and restrict SMB access. I used

   interfaces = 192.168.2.1/24
   socket address = 192.168.2.1
which match my "eth1" configuration. The socket address entry disables SMB on my external interface, eth0, thus preventing unauthorized access from outside, and making the "security = share" access mode less risky. You need to set "netbios name" to the name of the internal interface on the Linux PC, so that it is announced correctly. The workgroup name should match the workgroup name from the Win95 Network Identification dialog.

With "security = share", a "guest account" may be declared which will be used on Linux for Win95 accesses without a password. The account must exist in /etc/passwd, but need not have a valid Unix password. I used "nobody". This may be used for printing and accessing read-only files, for example. When setting up additional services ([CD-ROM], [tmp], etc.) unique names must be used; you cannot duplicate the [public] section.

If users give their Unix password, they may access their home directories. You may wish to set the create mode for the same access as the Unix umask value. If "security = user", a valid Unix password is required for all network access.
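
One way to check that smb.conf confines SMB to the internal interface as described above. This is an added example, not part of the original notes or of Samba; the workgroup, NetBIOS name and [public] share in the sample are constructed placeholders, and smb_global and smb_audit are hypothetical helper names.

```sh
# Added example, not from the original page: check that smb.conf pins SMB to
# the internal interface. Sample names and the [public] share are constructed.
SAMPLE_CONF='[global]
   workgroup = HOME
   netbios name = gateway
   interfaces = 192.168.2.1/24
   socket address = 192.168.2.1
   security = share
   guest account = nobody

[public]
   path = /home/public
   guest ok = yes'

# Print a [global] parameter from smb.conf text on stdin. Samba ignores case
# and whitespace in parameter names, so "Socket Address" matches too.
smb_global() {
    awk -v want="$1" '
        BEGIN { w = tolower(want); gsub(/[ \t]/, "", w) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sect = tolower($0); sub(/^[ \t]*\[[ \t]*/, "", sect)
                      sub(/[ \t]*\].*$/, "", sect); next }
        sect == "global" && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == w) print val
        }'
}

# smb_audit CONF_TEXT INTERNAL_IP: print findings; return 0 only when bound.
smb_audit() {
    rc=0
    sock=$(printf '%s\n' "$1" | smb_global "socket address")
    ifaces=$(printf '%s\n' "$1" | smb_global "interfaces")
    sec=$(printf '%s\n' "$1" | smb_global "security")
    if [ "$sock" != "$2" ]; then
        echo "WARN socket address is '${sock:-unset}', smbd not restricted to $2"
        [ "$sec" = share ] && echo "WARN security = share guest access is not confined to $2"
        rc=1
    fi
    case " $ifaces " in
        *" $2/"*) ;;
        *) echo "WARN interfaces does not list $2"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK SMB bound to $2, security = ${sec:-default}"
    return "$rc"
}

smb_audit "$SAMPLE_CONF" 192.168.2.1
```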

The program "smbclient" may be used to perform diagnosis on the SMB system. "smbclient -M" may be used to send messages to Win95; run "winpopup" on Win95 first.

Win98 and WinNT

Note that you may not be able to access Samba shares from Windows98 or WindowsNT-SP3, because Microsoft disabled sending clear text passwords over the network in those environments. A simple workaround, which turns clear text passwords back on for the client, is adding
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
"EnablePlainTextPassword"=dword:00000001
for Windows98 systems (reportedly) and
[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Rdr\Parameters\]
"EnablePlainTextPassword:REG_DWORD=1"
for NT SP3 systems. For more detail, consult ENCRYPTION.txt and WinNT.txt in the samba documentation (/usr/doc/samba).

Security Warning

Under Win95, passwords may be cached in memory and are accessible to remote administration tools such as Back Orifice. Passwords may also be stored in PWL files, which are less secure than Unix passwd files. Exercise care if untrusted users have access to a Win95 machine using smb.

smbfs

smbfs may be used to mount the Win95 filesystem on Linux. In Win95, right-click a folder then select "Share" to enable sharing. The smbmount command may then be used to mount the filesystem. You will probably need to use the "-c" option to set the clientname to the internal NetBIOS name, e.g.
  smbmount //daviel-w/C /daviel-w/C -c daviel-u -P xxxx -f 0644 -d 0755
  smbmount //daviel-w/D /daviel-w/D -c daviel-u -n -f 0644 -d 0755
(The first command mounts node \\daviel-w service C: (hard drive) with full access using a password; files have Unix permissions "-rw-r--r--", directories have Unix permissions "drwxr-xr-x". The second mounts node \\daviel-w service D: (CD-ROM) with no password, read-only.)

ScreenGrab: Network Neighborhood

When the Microsoft Network is configured, declared Linux resources should appear in the Network Neighborhood browse list when a user is logged on.

If desired, Squid may be configured on the Linux PC. In Netscape, the Linux PC may be declared as a proxy, or a proxy.pac file may be set up. This has the additional advantage of handling ftp callback, which otherwise requires special handling with IP masquerading.

Setting up multiple PCs

Using 10BaseT or 100BaseT Ethernet, you will need a hub (with 10Base2 Thinwire, you can daisy-chain PCs). You need non-twisted cables. See e.g. 3Com's Home Network page for some hub products.

Sketch

Resources:

Other ways of doing this

Andrew Daviel, Nov. 1997
Comments, corrections, etc. - please email me <advax@triumf.ca>