From: Brian Boonstra <boonstb@cmg.FCNBD.COM>
Date: Wed, 25 Aug 99 14:45:23 -0500
To: Linux Router Project <linux-router@linuxrouter.org>
Subject: [LRP] Setup Guide & Tutorial (DSL or Cable modem), LRP 2.9.4

Hi Folks

The following guide is presented for the last time in email. In the
future, you can find it (slightly better formatted) on the web at
http://www.geocities.com/Athens/Ithaca/9660/lrphowto.html.

- Brian

=============================================================================

The instructions below should give you a reasonable installation INCAPABLE
of running significant services other than sshd. For example, if you want
to add a web server later, you'll have to figure it out.

Instructions:

(1) Make a floppy from the idiot image using dd, WinImage or rawrite.exe.

(2) Get a kernel and modules from http://www.linuxrouter.org/modmaker/ and
    put them on the floppy. Make sure you name the kernel "linux".

(3) Modify /etc/modules with arguments to your ethernet card(s). Mine says:

        ip_masq_ftp
        ip_masq_raudio
        ip_masq_quake
        8390
        ne io=0x240,0x380 irq=11,10

    Use whatever utility you must to turn off PNP on your ethernet cards
    and set the IO Addresses and IRQs manually.

(4) Modify your /etc/network.conf to look something like the first one
    below. I have extraneous comments in mine that you don't need.

(5) Set a root password with the command "passwd root".

(6) Backup.

Modifications to other files, like network_direct.conf, should not be
necessary.

If necessary: Installing DHCP

Many cable modem service providers require you to use DHCP -- they do not
provide you with a static IP. Basically, they don't want you running
services. Although it is often possible to "steal" whatever IP they first
assigned you by hardcoding it into your system, they might not like that.
DHCP is easy to install.

(7) Get "dhclient.lrp" from http://wpkgate.kc.com/lrp/dhclient.lrp or the
    USA mirror at http://wpkgate.kc.com.my.cpwright.com/lrp/dhclient.lrp

(8) Copy "dhclient.lrp" to the floppy.
(9) Put

        LRP=etc,log,local,modules,dhclient

    in the floppy's SYSLINUX.CFG file.

(10) Change the line in "/etc/init.d/dhclient" that reads

        ifs="eth0 eth1"

     to read

        ifs="eth0"

(11) Backup.

When you reboot, you should see messages from the dhclient program telling
you about its search for config information. If it gets none, it will
eventually time out, and the interface won't work.

Checking it out:

(12) Things should be working after a reboot. Try pinging
     gatekeeper.dec.com by IP address (you do not yet have DNS) and also
     pinging some internal addresses. Run "ifconfig" and "netstat -n" to
     see how your configuration looks.

Optional: Getting DNS and some static hosts.

It is often useful to have DNS lookup, and some static hosts, available to
your router. In particular, commands like "netstat" that try to look up the
name of a given IP will run much faster, because they avoid the aggravating
wait for DNS to time out. Also, you can then ping internal and external
hosts by name. Here's how you do it:

(13) Make your /etc/network.conf according to the second example below.
     Note that we still don't uncomment any "HOST" entries, but we do
     configure some "HOSTS" entries in order to get static information
     going.

(14) There is a bug in LRP 2.9.4 -- it is missing the file
     /etc/nsswitch.conf. Create it, and make sure it contains the
     following text:

        hosts: files dns

(15) Backup.

When you reboot, you should be able to ping external hosts, and any
internal hosts you specified, by name.

Optional: Removing unnecessary services for better security.

There is little reason to run most or all of the services that LRP runs by
default. Many of them are sort of unused legacy protocols (or so my wise
friend William tells me). However, be aware that if you want to run a web
or mail server, some of the following instructions are probably BAD advice.

(16) Turn most services off by commenting out (or removing) EVERY line in
     "/etc/inetd.conf".
     Ignore the warning at the top of the file that reads:

        Packages should modify this file by using update-inetd(8)

(17) Turn off the portmap service. This is done by commenting out (or
     removing) EVERY line in "/etc/init.d/netbase" that has the word
     "portmap" in it. You can do the same with all lines that have the
     word "inetd" in them, too.

(18) To save space, delete some unnecessary files. For example, you no
     longer need "/usr/sbin/in.telnetd" and "in.tftpd".

(19) Backup.

When you reboot, you should not see "inetd" or "portmap" in the results of
the command

        ps ax

If you have a port scanner like "nmap" on another box, and you use it
against your LRP box, you should not see any ports open.

Optional: Installing sshd.

It's very convenient to remotely access your router, and to copy files to
it without physically moving the floppy. Unfortunately, it is a security
risk to have your router allow telnet and ftp. But you can get the same
functionality in a secure way from "ssh" and its companion "scp".

(A) Get a copy of "sshd.lrp" for 2.9.4 from the archives. I got it from
    ftp://ftp.linuxrouter.org/linux-router/dists/2.9.4/packages/

(B) Copy "sshd.lrp" to the floppy.

(C) Put

        LRP=etc,log,local,modules,sshd

    in the floppy's SYSLINUX.CFG file.

(D) Make sshd start automatically. Do NOT uncomment the ssh line in
    "/etc/inetd.conf" -- we want this stand-alone because we don't want to
    wait for key regeneration every time we log in. Instead, edit
    "/etc/init.d/ssh" and make sure the line reading "exit 0" has been
    commented out or deleted.

(E) Make a host key according to the sshd.lrp help file.

(F) Allow root to login remotely. Append the lines

        ttyp0
        ttyp1

    to the file "/etc/securetty". This will give you two remote logins. If
    you want more, append similar lines.

(G) Create a "/root/.ssh/authorized_keys" file (note the dot in ".ssh").
    Append the contents of the "identity.pub" file from accounts on
    machines you want to get to the router from.
    This allows a highly secure RSA passphrase challenge login.

(H) Backup.

When you reboot, you should be able to ssh to the router, and scp files
onto the router, using either the root password or your passphrase. The
commands to experiment with look like:

        ssh -v -l root myrouter
        scp -v root@myrouter:/tmp/

Windows users, see the note below for ssh on Windows.

Optional: Installing ssh.

It is often useful to be able to ssh OUT of the router as well as to ssh IN
to the router. For example, I like to be able to get at my Debian Linux
machine from my mother's house. To do that, I first ssh to my router, and
then ssh from the router to my Debian box.

(A) Get a copy of ssh. I got mine from
    dists/2.9.4/addons/ssh_1226_1.2-2.tar.gz on the Linux Router ftp site.

(B) Copy ssh to "usr/local/bin".

(C) Backup. You should now be able to ssh to other machines.

(D) After you ssh to some common machines, backup again. This allows those
    machines to get into the "known_hosts" file so you can avoid warning
    messages.

Optional: Installing PortSentry

A port sentry can tell you when you are being portscanned. It can also be
configured to block the offending host, though (it is widely acknowledged)
this opens a really big security hole by allowing a Denial of Service
attack. I block the hosts because I am a private entity, but I would use
logging mode only for a commercial installation.

(A) Get "psentry.lrp" from http://wpkgate.kc.com.my.cpwright.com/lrp/ or
    http://wpkgate.kc.com.my/lrp

(B) Copy "psentry.lrp" to the floppy.

(C) Put

        LRP=etc,log,local,modules,psentry

    in the floppy's SYSLINUX.CFG file.

(D) Reboot. You should see "portsentry" in the results of the command

        ps ax

    If you portscan your router, you will notice that you get blocked and
    dropped. You'll have to reboot to fix that!

(E) Replace the lines

        BLOCK_UDP="1"
        BLOCK_TCP="1"

    in "/etc/portsentry.conf" with

        BLOCK_UDP="0"
        BLOCK_TCP="0"

    to turn off blocking.

(F) Watch "/var/psentry/portsentry.blocked" to see who gets blocked.
    I get a lot of machines blocked for mistakenly hitting my port 161.

Optional: Using an extra big floppy

Some LRP packages are really big. In particular, it is not quite possible
to have sshd, ssh, psentry, and dhcp all on a 1440K floppy. However,
according to the docs I have read, 1680K is 100% MSDOS compatible. It just
uses sectors that Microsoft reserved for undelete info and then never used.
Here is how I handled making one on my Linux box:

(A) Format the floppy with

        superformat /dev/fd0 sect=21 cyl=80

(B) Make it bootable

        sudo syslinux -s /dev/fd0

(C) Copy all the files from your normal distribution to it.

(D) Modify the SYSLINUX.CFG file on the floppy to read boot=/dev/fd0u1680.

(E) Make sure it boots and runs as expected.

(F) Copy the extra files you could not fit into 1440K onto the floppy.

(G) Make sure it boots and runs as expected.

If you want to do similar things in Windows, don't try to use rawrite. It
won't work. Instead, get the shareware program WinImage, which does very
well at dealing with large disks.

------------------------------------
------------ Notes -----------------
------------------------------------

Note 1: There are several decent implementations of ssh for Windows. I use
the excellent commercial program SecureCRT. But you can check out TeraTerm
Pro at http://hp.vector.co.jp/authors/VA002416/teraterm.html with its ssh
extension TTSSH at http://www.zip.com.au/~roca/ttssh.html. The scp program
for Windows is hard to find, but I finally managed to use the slightly
buggy one found at http://bmrc.berkeley.edu/people/chaffee/winntutil.html

Note 2: Files with the .lrp extension are made with tar and with gzip at
maximum compression. So you can view, modify, and (if you are careful)
resave them on a Unix system with commands like (with the package name in
place of <package>)

        zcat <package>.lrp | tar xvf -
        tar cvf - etc var | gzip -9 > <package>.lrp

and possibly using WinZip-type software on Windows systems by treating them
as files with a .tgz extension.
I do not know if WinZip can recreate the files -- it may be able to do a
normal gzip, but possibly not the maximum-compression "gzip -9". This trick
allows you to use a more familiar text editor than the one found with the
LRP distribution.

Note 3: Here is the way I organize things. I keep a subdirectory called
"LRP" in my home directory. In there, I have copied the files "etc.lrp",
"sshd.lrp", "modules.lrp", "local.lrp", and so on. I have also created
subdirectories of "~/LRP/" named "d-etc/", "d-local/", and so on. For
convenience, I also keep raw images of all my versions of LRP in
"~/LRP/Image.vN".

Let's say I want to work on my "/etc/network.conf". The following commands
will let me work on it, and ensure everything is in sync. Comments after
the "#" symbols:

        cd ~/LRP
        fdmount                                  # mount the floppy
        cp /floppy/etc.lrp etc.lrp               # stay in sync with floppy
        cd d-etc                                 # "/etc/network.conf" is part of etc.lrp
        rm -rf ~/LRP/d-etc/*                     # Be careful with rm -rf !!!
        zcat ../etc.lrp | tar xvf -
        cd etc
        vi network.conf                          # edit it here
        cd ~/LRP/d-etc
        tar cvf - * | gzip -9 > ~/LRP/etc.lrp    # recreate .lrp file
        cd ~/LRP
        cp etc.lrp /floppy/etc.lrp               # write the changes to the floppy
        fdumount                                 # unmount the floppy
        dd if=/dev/fd0 of=~/LRP/Image.v2

I find lines 3, 5 and 6 of this sequence necessary, because sometimes I
make changes on the LRP machine itself, and I certainly want to keep them!
If you NEVER make changes on the LRP box, you can skip these 3 steps.

Because of file permissions issues, when I make changes to a file in
"root.lrp" I usually do it right on the LRP box, and then backup, rather
than making the changes externally as above.

Note 4: If you know Unix, and want to see exactly what changes in
/etc/network.conf will do to the system, look in /etc/init.d/network.
That's how I eventually worked everything out.
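The Note 3 workflow above, wrapped in shell functions with a guard against the "rm -rf" mishap the comment warns about. This is an added example, not code from the original post or from the LRP project; it assumes the ~/LRP layout described above (overridable through LRP_WORK), and it builds its own throwaway etc.lrp to check that a pack/unpack cycle reproduces the files byte for byte.

```shell
# Scratch root: lrp_unpack only ever deletes directories under here, so a typo
# cannot turn "rm -rf d-etc/*" into a wipe of the wrong path (assumed: ~/LRP).
LRP_WORK=${LRP_WORK:-$HOME/LRP}

# lrp_members PKG: list the files inside a .lrp (a tar stream run through gzip)
lrp_members() {
    gzip -dc "$1" | tar tf -
}

# lrp_unpack PKG DIR: replace DIR with a fresh extraction of PKG
lrp_unpack() {
    pkg=$1 dir=$2
    [ -f "$pkg" ] || { echo "lrp_unpack: no such package: $pkg" >&2; return 1; }
    case $dir in
        "$LRP_WORK"/*) ;;
        *) echo "lrp_unpack: $dir is outside $LRP_WORK, refusing" >&2; return 1 ;;
    esac
    rm -rf "$dir" && mkdir -p "$dir" &&
        gzip -dc "$pkg" | (cd "$dir" && tar xf -)
}

# lrp_pack DIR PKG: rebuild PKG from DIR's top-level entries at gzip -9,
# the same way the distribution's own .lrp files are made
lrp_pack() {
    dir=$1 pkg=$2
    [ -d "$dir" ] || { echo "lrp_pack: no such directory: $dir" >&2; return 1; }
    (cd "$dir" && tar cf - *) | gzip -9 > "$pkg"
}

# lrp_roundtrip_ok: pack a constructed etc/network.conf into etc.lrp, unpack it
# again into a second directory, and print "ok" if the copies are identical.
# Sets LRP_WORK to a temporary directory so nothing outside it is touched.
lrp_roundtrip_ok() {
    LRP_WORK=$(mktemp -d) || return 1
    mkdir -p "$LRP_WORK/d-etc/etc"
    printf 'HOSTNAME=lobotomy\nCONFIG_DNS=YES\n' > "$LRP_WORK/d-etc/etc/network.conf"
    lrp_pack "$LRP_WORK/d-etc" "$LRP_WORK/etc.lrp" || return 1
    lrp_unpack "$LRP_WORK/etc.lrp" "$LRP_WORK/d-etc2" || return 1
    lrp_members "$LRP_WORK/etc.lrp" | grep -q '^etc/network.conf$' || return 1
    cmp -s "$LRP_WORK/d-etc/etc/network.conf" "$LRP_WORK/d-etc2/etc/network.conf" || return 1
    rm -rf "$LRP_WORK"
    echo ok
}

lrp_roundtrip_ok
```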
------------------------------------
------------ Files -----------------
------------------------------------

---------------- Begin first network.conf -----------------------

#############################################################################
# Auto configuration bypass (Say NO to use this file)
#############################################################################
DIRECT_SETTINGS_ONLY=NO

#############################################################################
# Default Settings
#############################################################################
VERBOSE=YES
MAX_LOOP=6

# Forward IP's
IPFWDING_KERNEL=YES
IPFWDING_FW=YES

# Set a hostname below...
CONFIG_HOSTNAME=YES

# The hosts and DNS are generally not needed...
# CONFIG_HOSTSFILE=NO
# CONFIG_DNS=NO

#############################################################################
# Interfaces
#############################################################################
IF0_IFNAME=eth0
IF0_IPADDR=24.136.15.51
IF0_NETMASK=255.255.0.0
IF0_BROADCAST=24.136.255.255
# Protect against spoofed IP's...
IF0_IP_SPOOF=YES

IF1_IFNAME=eth1
IF1_IPADDR=192.168.1.1
IF1_NETMASK=255.255.255.0
IF1_BROADCAST=192.168.1.255
# Protect against spoofed IP's...
IF1_IP_SPOOF=YES

#############################################################################
# Hosts
#############################################################################
# Don't need this stuff...
#HOST0_IPADDR=24.136.0.1
#HOST0_GATEWAY_IF=default
#HOST0_GATEWAY_IP=24.136.0.1
#HOST0_IPMASQ=NO
#HOST0_IPMASQ_IF=default

#############################################################################
# Networks
#############################################################################
NET0_NETADDR=24.136.0.0
NET0_NETMASK=$IF0_NETMASK
NET0_GATEWAY_IF=default
NET0_GATEWAY_IP=default
# No need to masq external, legitimate IP's...
NET0_IPMASQ=NO
NET0_IPMASQ_IF=default

NET1_NETADDR=192.168.1.0
NET1_NETMASK=$IF1_NETMASK
NET1_GATEWAY_IF=default
NET1_GATEWAY_IP=default
# Must masq internal illegit IP's...
NET1_IPMASQ=YES
NET1_IPMASQ_IF=default

#############################################################################
# Gateways (Default Routes)
#############################################################################
GW0_IPADDR=24.136.0.1
GW0_IFNAME=$IF0_NAME
GW0_METRIC=1

#############################################################################
# Hostname                                   Requires: CONFIG_HOSTNAME=YES
#############################################################################
HOSTNAME=lobotomy

#############################################################################
# Hosts file (Static domainname entries)     Requires: CONFIG_HOSTSFILE=YES
#############################################################################
# IP           FQDN                      hostname     alias1 alias2..
#HOSTS0="$IF0_IPADDR $HOSTNAME.21stcentury.net $HOSTNAME mrrtr"
#HOSTS1="192.168.1.22 host2.somewhere.net host2 h2"

#############################################################################
# Domain Search Order and Name Servers       Requires: CONFIG_DNS=YES
#############################################################################
# Currently not used....
DOMAINS="21stcentury.net"
DNS0=24.136.0.3
DNS1=24.136.0.2

#############################################################################
# End
#############################################################################

---------------- End first network.conf -----------------------



---------------- Begin second network.conf -----------------------

#############################################################################
# Auto configuration bypass (Say NO to use this file)
#############################################################################
DIRECT_SETTINGS_ONLY=NO

#############################################################################
# Default Settings
#############################################################################
VERBOSE=YES
MAX_LOOP=6

# Forward IP's
IPFWDING_KERNEL=YES
IPFWDING_FW=YES

# Set a hostname below...
CONFIG_HOSTNAME=YES

# We now have things working to the point that we can turn these on....
CONFIG_HOSTSFILE=YES
CONFIG_DNS=YES

#############################################################################
# Interfaces
#############################################################################
# Keep the same as above, in first example.
# Deleted to avoid confusion

#############################################################################
# Hosts
#############################################################################
# Still don't need this stuff...same as above

#############################################################################
# Networks
#############################################################################
# Keep the same as above, in first example.
# Deleted to avoid confusion

#############################################################################
# Gateways (Default Routes)
#############################################################################
# Keep the same as above, in first example.
# Deleted to avoid confusion

#############################################################################
# Hostname                                   Requires: CONFIG_HOSTNAME=YES
#############################################################################
# Keep the same as above, in first example.
# Deleted to avoid confusion

#############################################################################
# Hosts file (Static domainname entries)     Requires: CONFIG_HOSTSFILE=YES
#############################################################################
# IP           FQDN                      hostname     alias1 alias2..
# The following have now been uncommented to make entries in /etc/hosts
# for internal machines
HOSTS0="$IF0_IPADDR $HOSTNAME.21stcentury.net $HOSTNAME mrrtr"
HOSTS1="192.168.1.10 byron.21stcentury.net byron"
HOSTS2="192.168.1.11 hesse.21stcentury.net hesse h"
HOSTS3="192.168.1.12 poe.21stcentury.net poe"

#############################################################################
# Domain Search Order and Name Servers       Requires: CONFIG_DNS=YES
#############################################################################
# This is now used....
DOMAINS="21stcentury.net"
DNS0=24.136.0.3
DNS1=24.136.0.2

#############################################################################
# End
#############################################################################

---------------- End second network.conf -----------------------

_______________________________________________
linux-router maillist  -  linux-router@linuxrouter.org
http://www.linuxrouter.org/mailman/listinfo/linux-router
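An added check for files like the two network.conf examples above (example code, not from the original post or the LRP project). network.conf is read with shell variable syntax (note the $IF0_NETMASK references), so a stray space after "=" (CONFIG_DNS= YES) silently leaves the setting empty while the shell looks for a command called YES, and a value that names a variable nothing in the file sets (the first example's GW0_IFNAME=$IF0_NAME, where the interface is actually defined as IF0_IFNAME) expands to nothing. The lint below flags both on a constructed sample; it assumes every $NAME a value uses is set earlier in the same file, as these files are written.

```shell
# lint_network_conf FILE: print one line per setting the shell would misread
# and return the problem count (0 = clean). Comments after "#" are ignored,
# and a value may only refer to $NAMEs set earlier in the same file.
lint_network_conf() {
    awk '
    function strip(s) {       # drop "# ..." comments and surrounding blanks
        sub(/#.*/, "", s); sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s
    }
    BEGIN { bad = 0 }
    {
        line = strip($0)
        if (line == "") next
        # "NAME= VALUE" or "NAME =VALUE": NAME ends up empty, VALUE is run as a command
        if (match(line, /^[A-Za-z_][A-Za-z0-9_]*([ \t]+=|=[ \t]+)/)) {
            printf "line %d: whitespace around \"=\" breaks the assignment: %s\n", NR, line
            bad++; next
        }
        if (match(line, /^[A-Za-z_][A-Za-z0-9_]*=/)) {
            name = substr(line, 1, RLENGTH - 1); defined[name] = NR
            rest = substr(line, RLENGTH + 1)
            while (match(rest, /\$[A-Za-z_][A-Za-z0-9_]*/)) {   # each $REF in the value
                ref = substr(rest, RSTART + 1, RLENGTH - 1)
                if (!(ref in defined)) {
                    printf "line %d: $%s is not set anywhere earlier in the file\n", NR, ref
                    bad++
                }
                rest = substr(rest, RSTART + RLENGTH)
            }
            next
        }
        printf "line %d: not a NAME=VALUE setting: %s\n", NR, line; bad++
    }
    END { exit bad }
    ' "$1"
}

# write_sample_conf FILE: constructed fragment in the style of the files above,
# carrying the two mistakes the lint is meant to catch (not a real LRP file)
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
IF0_IFNAME=eth0
IF0_IPADDR=192.0.2.1
CONFIG_DNS= YES
GW0_IFNAME=$IF0_NAME
HOSTNAME=lobotomy
HOSTS0="$IF0_IPADDR $HOSTNAME.example.net $HOSTNAME"
EOF
}

conf=$(mktemp) && write_sample_conf "$conf"
lint_network_conf "$conf" || echo "problems found: $?"   # 2 for the sample
rm -f "$conf"
```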