Ethan's Retrocomputing Corner - Configuring LRP with a Cable Modem
lrp: Setup Guide & Tutorial (DSL or Cable modem)
From: Brian Boonstra <boonstb@cmg.FCNBD.COM>
Date: Wed, 25 Aug 99 14:45:23 -0500
To: Linux Router Project <linux-router@linuxrouter.org>
Subject: [LRP] Setup Guide & Tutorial (DSL or Cable modem), LRP 2.9.4
Hi Folks
The following guide is presented for the last time in email. In the
future, you can find it (slightly better formatted) on the web at
http://www.geocities.com/Athens/Ithaca/9660/lrphowto.html.
- Brian
=============================================================================
The instructions below should give you a reasonable installation INCAPABLE
of running significant services other than sshd. For example, if you want to
add a web server later, you'll have to figure it out.
Instructions:
(1) Make a floppy from the idiot image using dd,
WinImage or rawrite.exe.
(2) Get a kernel and modules from
http://www.linuxrouter.org/modmaker/
and put them on the floppy. Make sure you name
the kernel "linux".
(3) Modify /etc/modules with arguments to your ethernet card(s)
Mine says:
ip_masq_ftp
ip_masq_raudio
ip_masq_quake
8390
ne io=0x240,0x380 irq=11,10
Use whatever utility you must to turn off PNP on
your ethernet cards and set the I/O addresses and
IRQs manually.
(4) Modify your /etc/network.conf to look something
like the first one below. I have extraneous
comments in mine that you don't need.
(5) Set a root password with the command "passwd root".
(6) Backup. Modifications to other files, like
network_direct.conf, should not be necessary.
If necessary: Installing DHCP
Many cable modem service providers require you to use DHCP -- they
do not provide you with a static IP. Basically, they don't want you running
services. Although it is often possible to "steal" whatever IP they first
assigned you by hardcoding it into your system, they might not like that.
DHCP is easy to install.
(7) Get "dhclient.lrp" from
http://wpkgate.kc.com/lrp/dhclient.lrp
or the USA mirror at
http://wpkgate.kc.com.my.cpwright.com/lrp/dhclient.lrp
(8) Copy "dhclient.lrp" to the floppy.
(9) Put LRP=etc,log,local,modules,dhclient in the
floppy's SYSLINUX.CFG file
(10) Change the line in "/etc/init.d/dhclient" that reads
ifs="eth0 eth1"
to read
ifs="eth0"
(11) Backup. When you reboot, you should see messages from the
dhclient program telling you about its search for config
information. If it gets none, it will eventually timeout,
and the interface won't work.
Checking it out:
(12) Things should be working after a reboot. Try pinging
gatekeeper.dec.com by IP address (you do not yet
have DNS) and also pinging some internal addresses. Run
"ifconfig" and "netstat -n" to see how your configuration
looks.
Optional: Getting DNS and some static hosts.
It is often useful to have DNS lookup, and some static hosts,
available to your router. In particular, commands like "netstat" that try to
lookup the name of a given IP will run much faster, because they avoid the
aggravating wait for DNS to timeout. Also, you can then ping internal and
external hosts by name. Here's how you do it:
(13) Make your /etc/network.conf according to the second
example below. Note that we still don't uncomment
any "HOST" entries, but we do configure some "HOSTS"
entries in order to get static information going.
(14) There is a bug in LRP 2.9.4 -- it is missing the
file /etc/nsswitch.conf. Create it, and make sure
it contains the following text:
hosts: files dns
(15) Backup. When you reboot, you should be able to ping
external hosts, and any internal hosts you specified,
by name.
Optional: Removing unnecessary services for better security.
There is little reason to run most or all of the services that LRP
runs by default. Many of them are sort of unused legacy protocols (or so my
wise friend William tells me). However, be aware that if you want to run a
web or mail server, some of the following instructions are probably BAD
advice.
(16) Turn most services off by commenting out (or removing)
EVERY line in "/etc/inetd.conf". Ignore the warning
at the top of the file that reads:
Packages should modify this file by using update-inetd(8)
(17) Turn off the portmap service. This is done by commenting
out (or removing) EVERY line in "/etc/init.d/netbase" that
has the word "portmap" in it.
You can do the same with all lines that have the
word "inetd" in them, too.
(18) To save space, delete some unnecessary files. For
example, you no longer need "/usr/sbin/in.telnetd" and
"in.tftpd".
(19) Backup. When you reboot, you should not see "inetd" or
"portmap" in the results of the command
ps ax
If you have a port scanner like "nmap" on another box, and
you use it against your LRP box, you should not see
any ports open.
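An added example (not part of Brian's post) that carries out steps (16) and (17) on scratch copies of the two files and then counts what is still active, so you can see the effect before rebooting. The inetd.conf and netbase contents below are constructed samples shaped like the LRP 2.9.4 files, not the real ones; the real netbase script may differ, so read through the lines it comments out before copying the result back.

```sh
#!/bin/sh
# Added example: disable inetd services and the portmap/inetd start-up
# lines on scratch copies, then count what is still active.
# The two files below are constructed samples, not the real LRP files.

WORK=$(mktemp -d)

# Constructed sample of /etc/inetd.conf (step 16 target)
cat > "$WORK/inetd.conf" <<'EOF'
# /etc/inetd.conf: see inetd(8) for further informations.
# Packages should modify this file by using update-inetd(8)
#:STANDARD: These are standard services.
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
tftp    dgram   udp  wait    nobody  /usr/sbin/tcpd  /usr/sbin/in.tftpd
#ssh    stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/sshd -i
EOF

# Constructed sample of the relevant part of /etc/init.d/netbase (step 17 target)
cat > "$WORK/netbase" <<'EOF'
#!/bin/sh
# start portmap, then inetd
[ -x /sbin/portmap ] && start-stop-daemon --start --quiet --exec /sbin/portmap
echo -n " portmap"
[ -x /usr/sbin/inetd ] && start-stop-daemon --start --quiet --exec /usr/sbin/inetd
echo -n " inetd"
exit 0
EOF

# Lines of FILE that are neither comments nor blank: what will actually run.
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}
count_active() { active_lines "$1" | wc -l | tr -d ' '; }

# Step (16): put a '#' in front of every line that is not already a comment
# or blank. A temp file is used because sed -i is not portable to older seds.
disable_inetd_services() {
    sed -e '/^[[:space:]]*#/b' -e '/^[[:space:]]*$/b' -e 's/^/#/' "$1" \
        > "$1.new" && mv "$1.new" "$1"
}

# Step (17): comment out every non-comment line mentioning portmap or inetd.
disable_portmap_inetd() {
    sed -e '/^[[:space:]]*#/b' -e '/portmap/s/^/#/' -e '/inetd/s/^/#/' "$1" \
        > "$1.new" && mv "$1.new" "$1"
}

# Step (19) check, for after the reboot: neither daemon should be running.
# The [i] trick keeps grep from matching its own command line.
leftover_daemons() {
    ps ax 2>/dev/null | grep -E '[i]netd|[p]ortmap' || true
}

before_inetd=$(count_active "$WORK/inetd.conf")   # 3 services live
disable_inetd_services "$WORK/inetd.conf"
disable_portmap_inetd "$WORK/netbase"
after_inetd=$(count_active "$WORK/inetd.conf")    # 0
after_netbase=$(count_active "$WORK/netbase")     # 1: only "exit 0" survives
echo "inetd.conf: $before_inetd -> $after_inetd active; netbase: $after_netbase active line(s)"
leftover_daemons
```

The counts are the thing to look at: inetd.conf should go to zero active lines, and the only thing left in the netbase fragment should be its final "exit 0". A port scan from another box is still the real test, since it catches anything started from a script this did not touch.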
Optional: Installing sshd.
It's very convenient to remotely access your router, and to copy
files to it without physically moving the floppy. Unfortunately, it is a
security risk to have your router allow telnet and ftp. But you can get the
same functionality in a secure way from "ssh" and its companion "scp".
(A) Get a copy of "sshd.lrp" for 2.9.4 from the archives. I got
it from
ftp://ftp.linuxrouter.org/linux-router/dists/2.9.4/packages/
(B) Copy "sshd.lrp" to the floppy.
(C) Put LRP=etc,log,local,modules,sshd in the
floppy's SYSLINUX.CFG file
(D) Make sshd start automatically. Do NOT uncomment the ssh
line in "/etc/inetd.conf" -- we want this stand-alone
because we don't want to wait for key regeneration every
time we login.
Instead, edit "/etc/init.d/ssh" and make sure the
line reading "exit 0" has been commented out or
deleted.
(E) Make a host key according to the sshd.lrp help file.
(F) Allow root to login remotely. Append the lines
ttyp0
ttyp1
to the file "/etc/securetty". This will give you two
remote logins. If you want more, append similar lines.
(G) Create a "/root/.ssh/authorized_keys" file (note
the dot in ".ssh"). Append the contents of the
"identity.pub" file from accounts on machines you want
to get to the router from. This allows a highly secure
RSA passphrase challenge login.
(H) Backup. When you reboot, you should be able to ssh to the
router, and scp files onto the router, using either the
root password or your passphrase. The commands to
experiment with look like:
ssh -v -l root myrouter
scp -v <file> root@myrouter:/tmp/
Windows users, see the note below for ssh on Windows.
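An added example (not from Brian's post) that does steps (F) and (G) in a repeatable way against a scratch copy of the router's tree, so it can be run more than once without doubling up the ttyp lines or the keys, and that sets the permissions sshd's strict-modes check wants on root's .ssh directory. It assumes the tree lives under ROOT (a temporary directory here; on the router it would be /); the identity.pub contents are constructed placeholders, not real keys.

```sh
#!/bin/sh
# Added example: steps (F) and (G) done idempotently on a scratch tree.
# ROOT stands in for the router's / ; the .pub files are constructed placeholders.

ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc" "$ROOT/root"
printf 'console\ntty1\ntty2\n' > "$ROOT/etc/securetty"    # constructed starting point

# Constructed ssh-1 "identity.pub" lines (bits exponent modulus comment);
# the moduli are placeholders, not usable keys.
printf '1024 35 1234567890123456789 brian@laptop\n'  > "$ROOT/laptop.pub"
printf '1024 35 9876543210987654321 brian@desktop\n' > "$ROOT/desktop.pub"

# Step (F): allow root logins on ttyp0 .. ttyp(N-1), adding each line only once.
allow_root_ptys() {
    n=$1; i=0
    while [ "$i" -lt "$n" ]; do
        grep -qx "ttyp$i" "$ROOT/etc/securetty" || echo "ttyp$i" >> "$ROOT/etc/securetty"
        i=$((i + 1))
    done
}

# Step (G): append the keys in PUBFILE to root's authorized_keys, skipping any
# already present, and lock down the permissions sshd checks
# (0700 on .ssh, 0600 on authorized_keys).
add_authorized_keys() {
    pubfile=$1
    dir="$ROOT/root/.ssh"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$dir/authorized_keys" ] || : > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    while read -r line; do
        [ -z "$line" ] && continue
        grep -qxF -- "$line" "$dir/authorized_keys" || echo "$line" >> "$dir/authorized_keys"
    done < "$pubfile"
}

# Checks used after the edits.
remote_login_slots()   { grep -c '^ttyp' "$ROOT/etc/securetty"; }
authorized_key_count() { grep -c . "$ROOT/root/.ssh/authorized_keys"; }

allow_root_ptys 2
allow_root_ptys 2                          # second run adds nothing
add_authorized_keys "$ROOT/laptop.pub"
add_authorized_keys "$ROOT/desktop.pub"
add_authorized_keys "$ROOT/laptop.pub"     # duplicate key is skipped
echo "securetty: $(remote_login_slots) ttyp slots; authorized_keys: $(authorized_key_count) key(s)"
```

Point ROOT at the unpacked root.lrp tree (or run it on the router itself) and back up afterwards as in step (H); the duplicate checks mean re-running it after adding a new machine's identity.pub is safe.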
Optional: Installing ssh.
It is often useful to be able to ssh OUT of the router as well as to
ssh IN to the router. For example, I like to be able to get at my Debian
Linux machine from my mother's house. To do that, I first ssh to my router,
and then ssh from the router to my Debian box.
(A) Get a copy of ssh. I got mine from
dists/2.9.4/addons/ssh_1226_1.2-2.tar.gz
on the Linux Router ftp site.
(B) Copy ssh to "usr/local/bin".
(C) Backup. You should now be able to ssh to other machines.
(D) After you ssh to some common machines, backup
again. This allows those machines to get into the
"known_hosts" file so you can avoid warning messages.
Optional: Installing PortSentry
A port sentry can tell you when you are being portscanned. It can
also be configured to block the offending host, though (it is widely
acknowledged) this opens a really big security hole by allowing a Denial of
Service attack. I block the hosts because I am a private entity, but I would
use logging mode only for a commercial installation.
(A) Get "psentry.lrp" from
http://wpkgate.kc.com.my.cpwright.com/lrp/
or
http://wpkgate.kc.com.my/lrp
(B) Copy "psentry.lrp" to the floppy.
(C) Put LRP=etc,log,local,modules,psentry in the
floppy's SYSLINUX.CFG file
(D) Reboot. You should see "portsentry" in the results
of the command
ps ax
If you portscan your router, you will notice that
you get blocked and dropped. You'll have to reboot
to fix that!
(E) Replace the lines
BLOCK_UDP="1"
BLOCK_TCP="1"
in "/etc/portsentry.conf" with
BLOCK_UDP="0"
BLOCK_TCP="0"
to turn off blocking.
(F) Watch "/var/psentry/portsentry.blocked" to see who
gets blocked. I get a lot of machines blocked
for mistakenly hitting my port 161.
Optional: Using an extra big floppy
Some LRP packages are really big. In particular, it is not quite
possible to have sshd, ssh, psentry, and dhcp all on a 1440K floppy.
However, according to the docs I have read, 1680K is 100% MSDOS compatible.
It just uses sectors that Microsoft reserved for undelete info and then never
used. Here is how I handled making one on my Linux box:
(A) Format the floppy with
superformat /dev/fd0 sect=21 cyl=80
(B) Make it bootable
sudo syslinux -s /dev/fd0
(C) Copy all the files from your normal distribution to it.
(D) Modify the SYSLINUX.CFG file on the floppy to read
boot=/dev/fd0u1680.
(E) Make sure it boots and runs as expected.
(F) Copy the extra files you could not fit into 1440K onto
the floppy.
(G) Make sure it boots and runs as expected.
If you want to do similar things in Windows, don't try to use rawrite.
It won't work. Instead, get the shareware program WinImage, which does very
well at dealing with large disks.
------------------------------------
------------ Notes -----------------
------------------------------------
Note 1:
There are several decent implementations of ssh for Windows. I use
the excellent commercial program SecureCRT. But you can check out TeraTerm
Pro at
http://hp.vector.co.jp/authors/VA002416/teraterm.html
with its ssh extension TTSSH at
http://www.zip.com.au/~roca/ttssh.html.
The scp program for Windows is hard to find, but I finally managed
to use the slightly buggy one found at
http://bmrc.berkeley.edu/people/chaffee/winntutil.html
Note 2:
Files with the .lrp extension are made with tar and with gzip at
maximum compression. So you can view, modify, and (if you are careful)
resave them on a Unix system with commands like
zcat <name>.lrp | tar xvf -
tar cvf - etc var | gzip -9 > <name>.lrp
and possibly using WinZip-type software on Windows systems by treating them
as files with a .tgz extension.
I do not know if WinZip can recreate the files -- it may be able to
do a normal gzip, but possibly not the maximum-compression "gzip -9".
This trick allows you to use a more familiar text editor than the
one found with the LRP distribution.
Note 3:
Here is the way I organize things. I keep a subdirectory called
"LRP" in my home directory. In there, I have copied the files "etc.lrp",
"sshd.lrp", "modules.lrp", "local.lrp", and so on. I have also created
subdirectories of "~/LRP/" named "d-etc/", "d-local/", and so on. For
convenience, I also keep raw images of all my versions of LRP in
"~/LRP/Image.vN".
Let's say I want to work on my "/etc/network.conf". The following
commands will let me work on it, and ensure everything is in sync. Comments
after the "#" symbols:
cd ~/LRP
fdmount # mount the floppy
cp /floppy/etc.lrp etc.lrp # stay in sync with floppy
cd d-etc #"/etc/network.conf" is part of etc.lrp
rm -rf ~/LRP/d-etc/* # Be careful with rm -rf !!!
zcat ../etc.lrp | tar xvf -
cd etc
vi network.conf # edit it here
cd ~/LRP/d-etc
tar cvf - * | gzip -9 > ~/LRP/etc.lrp # recreate .lrp file
cd ~/LRP
cp etc.lrp /floppy/etc.lrp # write the changes to the floppy
fdumount # unmount the floppy
dd if=/dev/fd0 of=~/LRP/Image.v2
I find lines 3, 5 and 6 of this sequence necessary, because
sometimes I make changes on the LRP machine itself, and I certainly want to
keep them! If you NEVER make changes on the LRP box, you can skip these 3
steps.
Because of file permissions issues, when I make changes to a file in
"root.lrp" I usually do it right on the LRP box, and then backup, rather
than making the changes externally as above.
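The unpack / edit / repack sequence above as one script, added here as an example (it is not from Brian's post): it builds a constructed etc.lrp in a scratch directory, unpacks it, flips one network.conf setting, repacks with gzip -9, and reads the setting back out of the archive to confirm the change took. It assumes gzip and a tar that accepts -O (GNU, BSD and busybox tar all do); the floppy steps (fdmount, the copy to /floppy, the dd image) are left out because they need the real disk. Run it as root when repacking root.lrp so ownership and modes survive the tar.

```sh
#!/bin/sh
# Added example: the unpack / edit / repack cycle from Note 3, on a
# constructed etc.lrp in a scratch directory rather than the real floppy.

WORK=$(mktemp -d)

# Build a constructed etc.lrp the way LRP packages are made: tar, then gzip -9.
# The network.conf here is a three-line stand-in, not the real file.
mkdir -p "$WORK/src/etc"
printf 'CONFIG_HOSTNAME=YES\nCONFIG_DNS=NO\nHOSTNAME=lobotomy\n' > "$WORK/src/etc/network.conf"
printf 'hosts: files dns\n' > "$WORK/src/etc/nsswitch.conf"
( cd "$WORK/src" && tar cf - etc | gzip -9 ) > "$WORK/etc.lrp"

# Unpack PKG (absolute path) into DIR. DIR is wiped first, so only ever pass a
# scratch directory such as ~/LRP/d-etc.
lrp_unpack() {   # lrp_unpack /abs/pkg.lrp /abs/dir
    rm -rf "$2" && mkdir -p "$2" && ( cd "$2" && gzip -dc "$1" | tar xf - )
}

# Set KEY=VALUE in a network.conf-style file; KEY must already be present.
set_conf() {     # set_conf /abs/file KEY VALUE
    sed -e "s|^$2=.*|$2=$3|" "$1" > "$1.new" && mv "$1.new" "$1"
}

# Repack DIR into PKG with maximum compression, as the .lrp loader expects.
lrp_pack() {     # lrp_pack /abs/dir /abs/pkg.lrp
    ( cd "$1" && tar cf - * | gzip -9 ) > "$2"
}

# Read KEY from the network.conf inside PKG without unpacking to disk;
# handy for checking a floppy's etc.lrp before rebooting the router.
lrp_get() {      # lrp_get /abs/pkg.lrp KEY
    gzip -dc "$1" | tar xOf - etc/network.conf | sed -n "s/^$2=//p"
}

lrp_unpack "$WORK/etc.lrp" "$WORK/d-etc"
set_conf   "$WORK/d-etc/etc/network.conf" CONFIG_DNS YES
lrp_pack   "$WORK/d-etc" "$WORK/etc.lrp"
echo "CONFIG_DNS is now: $(lrp_get "$WORK/etc.lrp" CONFIG_DNS)"   # YES
# On the real box this is where "cp etc.lrp /floppy/etc.lrp" and the dd image go.
```

lrp_get is the useful part for day-to-day work: it answers "what is actually on the floppy" without the unpack step, which is the question you want settled before a reboot.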
Note 4:
If you know Unix, and want to see exactly what changes in
/etc/network.conf will do to the system, look in /etc/init.d/network. That's
how I eventually worked everything out.
------------------------------------
------------ Files -----------------
------------------------------------
---------------- Begin first network.conf -----------------------
#############################################################################
# Auto configuration bypass (Say NO to use this file)
#############################################################################
DIRECT_SETTINGS_ONLY=NO
#############################################################################
# Default Settings
#############################################################################
VERBOSE=YES
MAX_LOOP=6
# Forward IP's
IPFWDING_KERNEL=YES
IPFWDING_FW=YES
# Set a hostname below...
CONFIG_HOSTNAME=YES
# The hosts and DNS are generally not needed...
# CONFIG_HOSTSFILE=NO
# CONFIG_DNS=NO
#############################################################################
# Interfaces
#############################################################################
IF0_IFNAME=eth0
IF0_IPADDR=24.136.15.51
IF0_NETMASK=255.255.0.0
IF0_BROADCAST=24.136.255.255
# Protect against spoofed IP's...
IF0_IP_SPOOF=YES
IF1_IFNAME=eth1
IF1_IPADDR=192.168.1.1
IF1_NETMASK=255.255.255.0
IF1_BROADCAST=192.168.1.255
# Protect against spoofed IP's...
IF1_IP_SPOOF=YES
#############################################################################
# Hosts
#############################################################################
# Don't need this stuff...
#HOST0_IPADDR=24.136.0.1
#HOST0_GATEWAY_IF=default
#HOST0_GATEWAY_IP=24.136.0.1
#HOST0_IPMASQ=NO
#HOST0_IPMASQ_IF=default
#############################################################################
# Networks
#############################################################################
NET0_NETADDR=24.136.0.0
NET0_NETMASK=$IF0_NETMASK
NET0_GATEWAY_IF=default
NET0_GATEWAY_IP=default
# No need to masq external, legitimate IP's...
NET0_IPMASQ=NO
NET0_IPMASQ_IF=default
NET1_NETADDR=192.168.1.0
NET1_NETMASK=$IF1_NETMASK
NET1_GATEWAY_IF=default
NET1_GATEWAY_IP=default
# Must masq internal illegit IP's...
NET1_IPMASQ=YES
NET1_IPMASQ_IF=default
#############################################################################
# Gateways (Default Routes)
#############################################################################
GW0_IPADDR=24.136.0.1
GW0_IFNAME=$IF0_NAME
GW0_METRIC=1
#############################################################################
# Hostname Requires: CONFIG_HOSTNAME=YES
#############################################################################
HOSTNAME=lobotomy
#############################################################################
# Hosts file (Static domainname entries) Requires: CONFIG_HOSTSFILE=YES
#############################################################################
# IP FQDN hostname alias1 alias2..
#HOSTS0="$IF0_IPADDR $HOSTNAME.21stcentury.net $HOSTNAME mrrtr"
#HOSTS1="192.168.1.22 host2.somewhere.net host2 h2"
#############################################################################
# Domain Search Order and Name Servers Requires: CONFIG_DNS=YES
#############################################################################
# Currently not used....
DOMAINS="21stcentury.net"
DNS0=24.136.0.3
DNS1=24.136.0.2
#############################################################################
# End
#############################################################################
---------------- End first network.conf -----------------------
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
---------------- Begin second network.conf -----------------------
#############################################################################
# Auto configuration bypass (Say NO to use this file)
#############################################################################
DIRECT_SETTINGS_ONLY=NO
#############################################################################
# Default Settings
#############################################################################
VERBOSE=YES
MAX_LOOP=6
# Forward IP's
IPFWDING_KERNEL=YES
IPFWDING_FW=YES
# Set a hostname below...
CONFIG_HOSTNAME=YES
# We now have things working to the point that we can turn these on....
CONFIG_HOSTSFILE=YES
CONFIG_DNS=YES
#############################################################################
# Interfaces
#############################################################################
# Keep the same as above, in first example. Deleted to avoid confusion
#############################################################################
# Hosts
#############################################################################
# Still don't need this stuff...same as above
#############################################################################
# Networks
#############################################################################
# Keep the same as above, in first example. Deleted to avoid confusion
#############################################################################
# Gateways (Default Routes)
#############################################################################
# Keep the same as above, in first example. Deleted to avoid confusion
#############################################################################
# Hostname Requires: CONFIG_HOSTNAME=YES
#############################################################################
# Keep the same as above, in first example. Deleted to avoid confusion
#############################################################################
# Hosts file (Static domainname entries) Requires: CONFIG_HOSTSFILE=YES
#############################################################################
# IP FQDN hostname alias1 alias2..
# The following have now been uncommented to make entries in /etc/hosts
# for internal machines
HOSTS0="$IF0_IPADDR $HOSTNAME.21stcentury.net $HOSTNAME mrrtr"
HOSTS1="192.168.1.10 byron.21stcentury.net byron"
HOSTS2="192.168.1.11 hesse.21stcentury.net hesse h"
HOSTS3="192.168.1.12 poe.21stcentury.net poe"
#############################################################################
# Domain Search Order and Name Servers Requires: CONFIG_DNS=YES
#############################################################################
# This is now used....
DOMAINS="21stcentury.net"
DNS0=24.136.0.3
DNS1=24.136.0.2
#############################################################################
# End
#############################################################################
---------------- End second network.conf -----------------------
_______________________________________________
linux-router maillist - linux-router@linuxrouter.org
http://www.linuxrouter.org/mailman/listinfo/linux-router
Last modified:
26 August 1999
Compilation © Copyright 1999, Ethan Dicks
<erd@infinet.com>.
All Rights Reserved.