Linux, DHCP configuration and IP Masquerade
Anonymous Contributor

Just thought I'd post and thereby document my successful experience
setting up the @Home cable modem, DHCP configuration, and IP
Masquerade.

Let me start off by saying I have no opinion or comment on TCI/AT&T as
a company, cable as a technology or NT vs. Linux as an
internet-sharing server.  Except for this one opinion: That cable
really is nice and fast despite the fact that I'm in a high-usage area
(at least, 30 minutes away from Silicon Valley in an area that has had
a cable market for a long time, there should be lots of other users
around me).  I've never used DSL though, so I have no basis for
comparison of the 2 technologies.

Now that that's out of the way, here's what I did:

Network schematic:   (hint, view this in a fixed-width font :-)

[ NT 4.0 Workstation     ]
[ COPPER                 ]
[ 20.20.20.25 on the LAN ]                 Coax
      |                                      |
      | ---- 10BaseT LAN                     |
      |                                      |
      |      [ Redhat Linux 6         ]            {      }
     Hub-----[ HOMESERV               ]---CM======{Internet}
      |      [ 20.20.20.22 on the LAN ]            {      }
      |                                   |
      |                                   |
      |                               Cable Modem
[ Win98 Workstation      ]               
[ INGOT                  ]
[ 20.20.20.23 on the LAN ]

(Of course, HOMESERV isn't really named that, it's named the C######-#
hostname assigned by @home.  This is important, but I really don't
want to give away my server's hostname, and besides, HOMESERV is
easier to type.  :-)

For what it's worth, HOMESERV is only a P-120 with 64MB of RAM, and
even that's overkill from what I've heard, but I had it sitting around
not doing much.  The workstations are both mighty beasts, as is
necessary to run an MS operating system, so I sure wasn't going to use
one of them. :-)

BASIC NETWORK CONFIGURATION
---------------------------
HOMESERV has 2 NIC's, a 3c509 and a Netronix RTL8139. (I already had
extra network cards so I didn't need to get one from @home.  If you
need information on installing one of those, there's already a
thorough guide on the web.)  Note that, throughout this document, I
use eth0 to indicate the ethernet card attached to the LAN and eth1 to
indicate the ethernet card attached to the cable modem.  This is only
because eth0 was detected by Linux and eth1 required slightly more
setup, and they happened to be connected that way.  Your ethernet
cards could well be reversed.

  eth0 (3c509, attached to the LAN)
  ---------------------------------
Redhat 6 detected my 3com out of the box, so all I had to do was
assign a static LAN IP address to that one, in linuxconf.  I assigned
adaptor 1 (hasn't anyone noticed it's spelled "adapter??") the address
20.20.20.22, netmask 255.255.255.0, broadcast 20.20.20.255.

  eth1 (rtl8139, attached to the cable modem)
  -------------------------------------------
Redhat 6 comes with a driver for this card.  I first tried loading it
manually, with    insmod rtl8139   .  According to some of the
documentation I read, when you do an ifconfig using 2 ethernet cards,
you need to specify IO and IRQ's by using 
   ifconfig eth1,io=0x6000,irq=11...    (get this info from Windows if
possible).  I did that, and it worked, but it was superfluous.  When
the rtl8139 driver was installed, Linux knew eth1 was the second
network card, and knew therefore where to find it on the bus.  (This
may be more important if you have 2 of the same card, and Linux needs
a way to tell the difference between them, or if you have multiple ISA
NIC's.)

This next bit still kind of mystifies me.  I'm not sure how, but Linux
figured out that it had to load this driver at bootup.  Perhaps
kerneld?  I'm no loadable module guru.  All I know is when I set this
card up in linuxconf, and specified the driver, rtl8139.o got loaded
at boot time ever after.  More on this later.

The first thing I did was try my static IP, acquired (in Windows) by
going to the @home homepage at http://www.  (This works because name
resolution automatically attaches your city.region.home.com domain
name.  Note also that this is not, to my knowledge, reachable unless
you're actually using your cable modem.)  In the support section,
under network configuration, enter your @home user name/password, and
copy down all the information.  There, you should find your
"permanent" IP, your gateway (which should be of the form xx.xx.xx.1),
your nameservers (most likely xx.xx.xx.33 and xx.xx.xx.34), and your
domain (city.region.home.com).  This information is subject to
being changed occasionally, which is why you want dhcp, but I'm not
there yet.  (I've read that in some regions it changes every time you
connect, so you may have to skip the static section and go straight to
dhcp configuration.)

     Enter static IP info for eth1
     -----------------------------
Enter the information you got from the above-named web site as static
information in linuxconf (under basic host information).  It should be
pretty self-explanatory what goes where, but *** for hostname you will
want to enter the SHORT name of your host *** (Cxxxxxx-x rather than
Cxxxx-x.city.region.home.com).  Why?  DHCP likes it this way.  We're
getting there.

There is also a place to put the actual kernel module of your network
card, in my case rtl8139.  I THINK this is how it knows to load the
additional module for your network card at boot-time, but don't quote
me.

  DNS config
  ----------
You can, of course, manually edit /etc/resolv.conf, but I prefer to
use RH's bootup scripts if for no other reason than they put pretty
green and red OK's and FAILED's on the screen.  Makes me feel special.
Plus it gets logged that way, and logging is a Good Thing.  In
linuxconf (still), change your DNS info to what you got off the www
web site, and set the search-domain parameter to the
city.region.home.com thingy.

  Quick test
  ----------
At this point, you should be able to go to a command line and do
    insmod rtl8139
    ifconfig eth1 xx.xx.xx.xx netmask 255.255.255.0 broadcast xx.xx.xx.255
    route add default gw xx.xx.xx.1 dev eth1
and be able to see the Internet from your Linux box (not yet from
other boxes).  I use    ping www.yahoo.com    to test my Internet
connection.  If that doesn't work, try pinging the IP address of an
Internet site (I can never remember yahoo's).  Last but not least,
type    ifconfig   with no arguments.  You should see three devices:
lo, eth0, and eth1.  They should all have a line that specifies the IP
address.  Then type    route    and look for a line that says
"default" with a "*" and eth1 in it.  If you want, you can put those
three commands into /etc/rc.d/rc.local (or wherever your distro keeps
rc.local) and you're good to go with Cable modem, and you can skip
DHCP and go straight into IP masq'ing.  But if you're like me, you
want to do it 100% right, not 90% right, so read on.

MORE ADVANCED: DHCP
-------------------
What's DHCP?  Short answer: Dynamic Host Configuration Protocol.  A
server listens for broadcasts requesting IP info, and assigns the info
from a list and sends it back to the client, dhcpcd (DHCP Client
Daemon, as opposed to dhcpd, DHCP Daemon, which does the other end).
dhcpcd assigns the retrieved IP info to the adapter in question.
@Home uses this, I guess so they can change your IP address or
whatever if they need to.  Doesn't seem to happen very often where I
am.

There are 2 alternatives for DHCP configuration in Linux.  I've heard
not-so-great things about pump, and anyway it didn't work, but
unfortunately pump is what Redhat uses out-of-the-box for DHCP.  I
went with dhcpcd, and it was a snap, so that's what I recommend.
Supposedly there's a newer version of pump, and it might work better,
but here's how you use dhcpcd.

  Installing dhcpcd
  -----------------
NOTE: This section contains information on changing scripts which are
needed to boot up your system.  If this were an MS operating system,
you would almost certainly lose your ability to get customer support
by doing these things.  But it's not, so you're probably cool.

First, you can go online using the 3 commands in the Quick Test
section, and use gnorpm (or whatever RPM tool you like) to find the
most recent dhcpcd package.  Download it and install it.  I'm not
going to explain how you do this.

Then, go into linuxconf, basic host information and push the dhcp
button on Adaptor eth1.

This sets up eth1 to be dynamically configured by -- you guessed it --
pump.  This is where I got annoyed and got medieval on my init
scripts.  Not really, I just changed a couple of them: ifup and
ifdown.  First, back them up
    cp /sbin/ifup /sbin/ifup.redhat
    cp /sbin/ifdown /sbin/ifdown.redhat
Then, in the text editor of your choice, change 1 line in each.

[ifup]
In a section that begins 
    if [ -n "$PUMP" ]; then
look for the following line:
        if /sbin/pump -i $DEVICE ; then
Change it to:
        if /sbin/dhcpcd -h `hostname` $DEVICE ; then
Note, those are backquotes.  This is where it's important that you use
the short hostname in your basic network information.  @home looks up
your host info using your short hostname, Cxxxxxxx-x.  This command
executes the command 'hostname' which displays your hostname.  If your
hostname is long, then it gets passed to @home that way, which gets
confused.  There is a variable $HOSTNAME which I thought you could use
here, but you can't, because it isn't set yet at this point in the
boot process.

[ifdown]
This is just the reverse of what we did above, i.e. it shuts down
dhcpcd.
Change
       pump -r -i ${DEVICE}
to
       dhcpcd -h ${HOSTNAME} ${DEVICE} -k
Note that here we don't use `hostname`.  I think the way 'hostname'
works is, if there's a default route, it tries to look up your
hostname on the DNS, and displays it that way.  That's no good,
because then you get your long hostname.  Since at this point, we're
shutting down, hostname will do the DNS thang, whereas before, when we
were starting up, there was no default route and it always gives the
short hostname because that's all it has.  (You might also be able to
use `hostname -s` here, but my way works.)

  Quick test
  ----------
OK, now you're all set to use DHCP!  Try it:
    ifdown eth1
    ifup eth1
and you should be on the Internet.  There's also something strangely
satisfying about doing    dhcpcd -h HOMESERV eth1   and seeing "Your
Ip address is: .."

At reboot you should see 
Starting device eth0 [ OK ]
Starting device eth1 (medium-length pause) [ OK ].
It takes a few seconds to get a response from the DHCP server.


MOST ADVANCED: IP MASQUERADE
----------------------------
What's IP Masquerade (also called IP Forwarding)?  Some documentation
makes a distinction between IP Masquerade and NAT (Network Address
Translation) but I think this is sort of bogus.  The NAT they're
talking about is when you have, say, 2 externally-visible IP addresses
and 10 workstations and you want those workstations to share the 2
IP's, so a server switches back and forth 'twixt them.  NAT also
applies to 1 IP address though.  I think basically the way it works is
when a packet goes out, IP Masq assigns it a port and establishes its
own connection to the destination IP, and then shuffles packets back
and forth from the LAN to the external network using that port.  All
you need to know is: 1 internet connection (@home, in this case), 1
external IP address, n computers on your LAN using it.  Realistically,
more than 10 workstations is probably too many to put on a single
cable connection if they're all playing q3test, but half a dozen would
certainly be easy.  I have 2, occasionally 3 computers on my LAN
sharing the cable connection, and it's a happy camper (and so am I).

Right now you should be pretty stoked because you just got your 2
NIC's installed and your cable modem connecting to the Internet in
Linux.  If not, what the hell's wrong with you?  Go back and read it
again ;-).  Otherwise pat yourself on the back (have a beer, whatever)
and

  Get Documentation
  -----------------
IP Masquerading is a complex subject, not because it's hard to DO
(with RH6 it's a slam-dunk) but because it's hard to do securely.  Or
at least, there's a lotta rules and stuff.  You need to read all that
stuff and do it right, or be hackable.  But first, go to 
http://members.home.net/ipmasq/#resource and get 
IP Masquerade mini HOWTO v1.77(or better).  This "mini" HOWTO explains
it all more thoroughly than I ever could, even if I had the patience.
(I don't know how you can call an 85-page document "mini", but
whatever.  His facts are straight.)

I'm not really gonna tell you how to do this.  I'm just gonna tell you
to go to the Configuring IP Forwarding Policies section, and copy the
script in the Linux 2.2.x Kernels section verbatim into
/etc/rc.d/rc.firewall and you're ready to go with IP Masquerading.  Do
that, change the IP addresses to those on your LAN, run rc.firewall,
and IP Masquerading is all set up on HOMESERV (just not especially
secure).
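
For orientation, here is a minimal rule set of the kind that section
describes, written for this post's layout (eth1 on the cable modem,
20.20.20.0/24 on the LAN).  It is an added example, not the HOWTO's
script or the author's rc.firewall; it assumes ipchains on a 2.2.x
kernel, and masq_rules, EXTIF, LAN and APPLY are names made up here.

```shell
#!/bin/sh
# Added example: minimal ipchains masquerade rules for a Linux 2.2.x box.
# Defaults follow this post's layout; the names are assumptions.
EXTIF="${EXTIF:-eth1}"        # NIC attached to the cable modem
LAN="${LAN:-20.20.20.0/24}"   # LAN range used in the post; an RFC 1918
                              # range such as 192.168.0.0/24 is the usual
                              # choice for a masqueraded LAN

# Print the commands rather than running them, so the rule set can be
# reviewed (or diffed against the HOWTO's script) before it is applied.
masq_rules() {
    extif="$1"; lan="$2"
    # Only accept a plain interface name and a dotted-quad/prefix, since
    # both values end up inside commands that run as root.
    case "$extif" in
        *[!a-z0-9]*|"") echo "bad interface: $extif" >&2; return 1 ;;
    esac
    case "$lan" in
        *[!0-9./]*|"") echo "bad LAN spec: $lan" >&2; return 1 ;;
    esac
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
ipchains -F input
ipchains -F forward
ipchains -P forward DENY
ipchains -A input -i $extif -s $lan -j DENY -l
ipchains -A forward -i $extif -s $lan -j MASQ
EOF
}
# What the generated lines do:
#   ip_forward  turns routing on; ip_dynaddr copes with the external
#               address changing under DHCP, as it can on eth1.
#   -P forward DENY      nothing is forwarded unless a rule allows it.
#   input ... DENY -l    drop and log packets that arrive from the cable
#                        side claiming a LAN source address (spoofing).
#   forward ... MASQ     masquerade only LAN traffic leaving via eth1.

# Apply only when asked to:  APPLY=1 sh rc.firewall   (as root)
if [ "${APPLY:-0}" = "1" ]; then
    masq_rules "$EXTIF" "$LAN" | sh
fi
```

Run without APPLY set, the script changes nothing; call masq_rules by
hand to see the exact commands it would run.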

  Configure Your Workstations
  ---------------------------
This is pretty easy.  I'm assuming your workstations are already
properly set up to be "visible" (ping-able) on the LAN.  In a Linux
workstation, which I don't happen to have, you should already know how
to set the default gateway, (hint: route), so set it to HOMESERV's LAN
IP, 20.20.20.22.  Set your nameservers to the xx.xx.xx.33 xx.xx.xx.34
nameservers you got from @home's www page.

(Win9x) On INGOT, go to Network Properties, then Properties on the
TCP/IP protocol assigned to your network card (which will be the only
place it says "TCP/IP" unless you still have a modem or some archaic
technology like that using up an adapter slot) and 
-In Gateway, add a new gateway as 20.20.20.22.
-In DNS, select the Enable DNS radio button, add 2 DNS servers as
 above, set any hostname you want (it won't be externally visible 
 anyway), and put in your city.region.home.com domain.

(WinNT) On COPPER, go to network properties, go to protocols,
properties for TCP/IP, 
-In IP address, pick your ethernet card in the Adapter list box, set 
 the Default gateway to 20.20.20.22.
-In DNS, do everything you did for INGOT except the radio button.

  Quick Test
  ----------
From COPPER, point a browser to www.redhat.com (I would hate to
advertise the same portal site twice in the same post without getting
some scratch for it).  If you got there, you're masq'ed up.

  For bonus points
  ----------------
Post a followup to this message explaining how to set up a DNS server
on your Linux masq server, and how to enable a Bay Networks VPN Client
to traverse the ip masq.


Credit?
-------

Don't really care.  I'm posting this as much for myself as for you, so
if I ever need this info again, I know it's archived somewhere on the
net.  You can copy all this verbatim into a manual and sell it for all
I care.  I'm already married so I don't need to have a contributor
credit in a Linux manual to get chicks ;-).