Ethan's Retrocomputing Corner - Configuring LRP with a Cable Modem


lrp: Setup Guide & Tutorial (DSL or Cable modem)

From: Brian Boonstra <boonstb@cmg.FCNBD.COM>
Date: Wed, 25 Aug 99 14:45:23 -0500
To: Linux Router Project <linux-router@linuxrouter.org>
Subject: [LRP] Setup Guide & Tutorial (DSL or Cable modem), LRP 2.9.4

Hi Folks

        The following guide is presented for the last time in email.  In the  
future, you can find it (slightly better formatted) on the web at


          http://www.geocities.com/Athens/Ithaca/9660/lrphowto.html.


                                - Brian

=============================================================================

The instructions below should give you a reasonable installation INCAPABLE  
of running significant services other than sshd.  For example, if you want to  
add a web server later, you'll have to figure it out.

Instructions:

        (1) Make a floppy from the idiot image using dd,
                WinImage or rawrite.exe.
        (2) Get a kernel and modules from
                   http://www.linuxrouter.org/modmaker/
                and put them on the floppy. Make sure you name
                the kernel "linux".
        (3) Modify /etc/modules with arguments to your ethernet card(s)
                Mine says:
                  ip_masq_ftp
                  ip_masq_raudio
                  ip_masq_quake
                  8390
                  ne  io=0x240,0x380  irq=11,10
                Use whatever utility you must to turn off PNP on
                your ethernet cards and set the IO Addresses and
                IRQs manually.
        (4) Modify your /etc/network.conf to look something
                like the first one below.  I have extraneous
                comments in mine that you don't need.
        (5) Set a root password with the command "passwd root".
        (6) Backup.  Modifications to other files, like
                network_direct.conf, should not be necessary.

If necessary: Installing DHCP

        Many cable modem service providers require you to use DHCP -- they  
do not provide you with a static IP.  Basically, they don't want you running  
services.   Although it is often possible to "steal" whatever IP they first  
assigned you by hardcoding it into your system, they might not like that.   
DHCP is easy to install.

        (7) Get "dhclient.lrp" from
                  http://wpkgate.kc.com/lrp/dhclient.lrp
                or the USA mirror at
                  http://wpkgate.kc.com.my.cpwright.com/lrp/dhclient.lrp
        (8) Copy "dhclient.lrp" to the floppy.
        (9) Put LRP=etc,log,local,modules,dhclient in the
                floppy's SYSLINUX.CFG file
        (10) Change the line in "/etc/init.d/dhclient" that reads
                  ifs="eth0 eth1"
                to read
                  ifs="eth0"
        (11) Backup.  When you reboot, you should see messages from the
                dhclient program telling you about its search for config
                information.  If it gets none, it will eventually timeout,
                and the interface won't work.


Checking it out:

        (12) Things should be working after a reboot.  Try pinging
                gatekeeper.dec.com by IP address (you do not yet
                have DNS) and also pinging some internal addresses. Run
                "ifconfig" and "netstat -n" to see how your configuration
                looks.


Optional: Getting DNS and some static hosts.

        It is often useful to have DNS lookup, and some static hosts,  
available to your router.  In particular, commands like "netstat" that try to  
lookup the name of a given IP will run much faster, because they avoid the  
aggravating wait for DNS to timeout.  Also, you can then ping internal and  
external hosts by name.  Here's how you do it:

        (13) Make your /etc/network.conf according to the second
                example below.  Note that we still don't uncomment
                any "HOST" entries, but we do configure some "HOSTS"
                entries in order to get static information going.
        (14) There is a bug in LRP 2.9.4 -- it is missing the
                file /etc/nsswitch.conf.  Create it, and make sure
                it contains the following text:
                  hosts: files dns
        (15) Backup.  When you reboot, you should be able to ping
                external hosts, and any internal hosts you specified,
                by name.


Optional:  Removing unnecessary services for better security.

        There is little reason to run most or all of the services that LRP  
runs by default.  Many of them are sort of unused legacy protocols (or so my  
wise friend William tells me).  However, be aware that if you want to run a  
web or mail server, some of the following instructions are probably BAD  
advice.

        (16) Turn most services off by commenting out (or removing)
                EVERY line in "/etc/inetd.conf".  Ignore the warning
                at the top of the file that reads:
                  Packages should modify this file by using update-inetd(8)
        (17) Turn off the portmap service.  This is done by commenting
                out (or removing) EVERY line in "/etc/init.d/netbase" that
                has the word "portmap" in it.
                You can do the same with all lines that have the
                word "inetd" in them, too.
        (18)  To save space, delete some unnecessary files.  For
                example, you no longer need "/usr/sbin/in.telnetd" and
                "in.tftpd".
        (19) Backup.  When you reboot, you should not see "inetd" or
                "portmap" in the results of the command
                  ps ax
                If you have a port scanner like "nmap" on another box, and
                you use it against your LRP box, you should not see
                any ports open.
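        Added example (not from the original guide): a small audit script
that checks the two things step (19) tells you to look for, an inetd.conf
with no live lines and a "ps ax" listing without inetd or portmap.  The
inetd.conf contents and the ps listings below are constructed for the demo;
the function names are hypothetical.

```shell
#!/bin/sh
# Audit helpers for the "remove unnecessary services" steps (16)-(19).
# Sample inputs are constructed inline so the script runs offline.
set -u

# Print the service name of every inetd.conf line that is still active
# (not blank and not commented out).  Empty output is what step (16) wants.
inetd_active_services() {
    # $1 = path to an inetd.conf
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# Return 0 if neither inetd nor portmap appears in a "ps ax" listing,
# 1 if either daemon is still running.
daemons_absent() {
    # $1 = path to a file holding "ps ax" output
    if grep -Eq '(^|/| )(inetd|portmap)( |$)' "$1"; then
        return 1
    fi
    return 0
}

demo() {
    tmp=$(mktemp -d)
    # Constructed inetd.conf: the stock warning, two commented lines and
    # one telnet line that was missed when commenting things out.
    cat > "$tmp/inetd.conf" <<'EOF'
# Packages should modify this file by using update-inetd(8)
#ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.telnetd
#ssh     stream  tcp  nowait  root  /usr/sbin/sshd  sshd -i
EOF
    # Constructed "ps ax" listings from before and after the cleanup.
    cat > "$tmp/ps.before" <<'EOF'
  PID TTY STAT TIME COMMAND
    1 ?   S    0:00 init
   42 ?   S    0:00 /usr/sbin/portmap
   57 ?   S    0:00 /usr/sbin/inetd
EOF
    cat > "$tmp/ps.after" <<'EOF'
  PID TTY STAT TIME COMMAND
    1 ?   S    0:00 init
   61 ?   S    0:00 /usr/sbin/sshd
EOF
    echo "still active in inetd.conf: $(inetd_active_services "$tmp/inetd.conf")"
    daemons_absent "$tmp/ps.before" && echo "before: clean" || echo "before: inetd/portmap running"
    daemons_absent "$tmp/ps.after"  && echo "after: clean"  || echo "after: inetd/portmap running"
    rm -rf "$tmp"
}

demo
```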



Optional:  Installing sshd.

        It's very convenient to remotely access your router, and to copy  
files to it without physically moving the floppy.  Unfortunately, it is a  
security risk to have your router allow telnet and ftp.  But you can get the  
same functionality in a secure way from "ssh" and its companion "scp".

        (A) Get a copy of "sshd.lrp" for 2.9.4 from the archives.  I got
                it from
                 ftp://ftp.linuxrouter.org/linux-router/dists/2.9.4/packages/
        (B) Copy "sshd.lrp" to the floppy.
        (C) Put LRP=etc,log,local,modules,sshd in the
                floppy's SYSLINUX.CFG file
        (D) Make sshd start automatically.  Do NOT uncomment the ssh
                line in "/etc/inetd.conf" -- we want this stand-alone
                because we don't want to wait for key regeneration every
                time we login.
                Instead, edit "/etc/init.d/ssh" and make sure the
                line reading "exit 0" has been commented out or
                deleted.
        (E) Make a host key according to the sshd.lrp help file.
        (F) Allow root to login remotely.  Append the lines
                  ttyp0
                  ttyp1
                to the file "/etc/securetty".  This will give you two
                remote logins.  If you want more, append similar lines.
        (G)  Create a "/root/.ssh/authorized_keys" file (note
                the dot in ".ssh").  Append the contents of the
                "identity.pub" file from accounts on machines you want
                to get to the router from.  This allows a highly secure
                RSA passphrase challenge login.
        (H) Backup.  When you reboot, you should be able to ssh to the
                router, and scp files onto the router, using either the
                root password or your passphrase.  The commands to
                experiment with look like:
                  ssh -v -l root myrouter
                  scp -v  root@myrouter:/tmp/

        Windows users, see the note below for ssh on Windows.


Optional:  Installing ssh.

        It is often useful to be able to ssh OUT of the router as well as to  
ssh IN to the router.  For example, I like to be able to get at my Debian  
Linux machine from my mother's house.  To do that, I first ssh to my router,  
and then ssh from the router to my Debian box.

        (A) Get a copy of ssh.  I got mine from
                  dists/2.9.4/addons/ssh_1226_1.2-2.tar.gz
                on the Linux Router ftp site.
        (B) Copy ssh to "usr/local/bin".
        (C) Backup.  You should now be able to ssh to other machines.
        (D)  After you ssh to some common machines, backup
                again.  This allows those machines to get into the
                "known_hosts" file so you can avoid warning messages.


Optional:  Installing PortSentry

        A port sentry can tell you when you are being portscanned.  It can  
also be configured to block the offending host, though (it is widely  
acknowledged) this opens a really big security hole by allowing a Denial of  
Service attack.  I block the hosts because I am a private entity, but I would  
use logging mode only for a commercial installation.

        (A) Get "psentry.lrp" from
                  http://wpkgate.kc.com.my.cpwright.com/lrp/
                or
                  http://wpkgate.kc.com.my/lrp
        (B) Copy "psentry.lrp" to the floppy.
        (C) Put LRP=etc,log,local,modules,psentry in the
                floppy's SYSLINUX.CFG file
        (D) Reboot.  You should see "portsentry" in the results
                of the command
                  ps ax
                If you portscan your router, you will notice that
                you get blocked and dropped.  You'll have to reboot
                to fix that!
        (E)  Replace the lines
                  BLOCK_UDP="1"
                  BLOCK_TCP="1"
                in "/etc/portsentry.conf" with
                  BLOCK_UDP="0"
                  BLOCK_TCP="0"
                to turn off blocking.
        (F) Watch "/var/psentry/portsentry.blocked" to see who
                gets blocked.  I get a lot of machines blocked
                for mistakenly hitting my port 161.



Optional:  Using an extra big floppy

        Some LRP packages are really big.  In particular, it is not quite  
possible to have sshd, ssh, psentry, and dhcp all on a 1440K floppy.   
However, according to the docs I have read, 1680K is 100% MSDOS compatible.   
It just uses sectors that Microsoft reserved for undelete info and then never  
used.  Here is how I handled making one on my Linux box:

        (A) Format the floppy with
                  superformat /dev/fd0 sect=21 cyl=80
        (B) Make it bootable
                  sudo syslinux -s /dev/fd0
        (C) Copy all the files from your normal distribution to it.
        (D) Modify the SYSLINUX.CFG file on the floppy to read
                  boot=/dev/fd0u1680.
        (E) Make sure it boots and runs as expected.
        (F) Copy the extra files you could not fit into 1440K onto
                the floppy.
        (G) Make sure it boots and runs as expected.


        If you want to do similar things in Windows, don't try to use rawrite.   
It won't work.  Instead, get the shareware program WinImage, which does very  
well at dealing with large disks.


------------------------------------
------------ Notes -----------------
------------------------------------


Note 1:

        There are several decent implementations of ssh for Windows.  I use  
the excellent commercial program SecureCRT.  But you can check out TeraTerm  
Pro at

    http://hp.vector.co.jp/authors/VA002416/teraterm.html

with its ssh extension TTSSH at

    http://www.zip.com.au/~roca/ttssh.html.

        The scp program for Windows is hard to find, but I finally managed  
to use the slightly buggy one found at

    http://bmrc.berkeley.edu/people/chaffee/winntutil.html



Note 2:

        Files with the .lrp extension are made with tar and with gzip at  
maximum compression.  So you can view, modify, and (if you are careful)  
resave them on a Unix system with commands like
            zcat .lrp | tar xvf -
            tar cvf - etc var | gzip -9 > .lrp
and possibly using WinZip-type software on Windows systems by treating them  
as files with a .tgz extension.
        I do not know if WinZip can recreate the files -- it may be able to  
do a normal gzip, but possibly not the maximum-compression "gzip -9".
        This trick allows you to use a more familiar text editor than the  
one found with the LRP distribution.

        Here is the way I organize things.  I keep a subdirectory called  
"LRP" in my home directory.  In there, I have copied the files "etc.lrp",  
"sshd.lrp", "modules.lrp", "local.lrp", and so on.  I have also created  
subdirectories of "~/LRP/" named "d-etc/", "d-local/", and so on.  For  
convenience, I also keep raw images of all my versions of LRP in  
"~/LRP/Image.vN".

        Let's say I want to work on my "/etc/network.conf".  The following  
commands will let me work on it, and ensure everything is in sync.  Comments  
after the "#" symbols:

            cd ~/LRP
            fdmount             # mount the floppy
            cp /floppy/etc.lrp etc.lrp          # stay in sync with floppy
            cd d-etc            #"/etc/network.conf" is part of etc.lrp
            rm -rf ~/LRP/d-etc/*        # Be careful with rm -rf !!!
            zcat ../etc.lrp | tar xvf -
            cd etc
            vi network.conf     # edit it here
            cd ~/LRP/d-etc
            tar cvf - * | gzip -9 > ~/LRP/etc.lrp       # recreate .lrp file
            cd ~/LRP
            cp etc.lrp /floppy/etc.lrp  # write the changes to the floppy
            fdumount            # unmount the floppy
            dd if=/dev/fd0 of=~/LRP/Image.v2

        I find lines 3, 5 and 6 of this sequence necessary, because  
sometimes I make changes on the LRP machine itself, and I certainly want to  
keep them!  If you NEVER make changes on the LRP box, you can skip these 3  
steps.

        Because of file permissions issues, when I make changes to a file in  
"root.lrp" I usually do it right on the LRP box, and then backup, rather  
than making the changes externally as above.
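        Added example (not part of the original note): the unpack, edit and
repack cycle above as shell functions, plus a check that the rebuilt .lrp
still holds the same members.  The function names, the work directory and
the stand-in etc.lrp (an etc/ tree with a one-line network.conf) are all
constructed for the demo; floppy mounting and dd are left out.

```shell
#!/bin/sh
# .lrp files are gzip -9 tarballs (Note 2).  These helpers do the round trip
# without touching a floppy; the sample package is built on the fly.
set -eu

# Extract PKG (a .lrp) into DIR, emptying DIR first (the "rm -rf" step).
lrp_unpack() {
    pkg=$1; dir=$2
    rm -rf "$dir" && mkdir -p "$dir"
    zcat "$pkg" | (cd "$dir" && tar xf -)
}

# Rebuild PKG from the contents of DIR at maximum compression, as LRP expects.
lrp_pack() {
    dir=$1; pkg=$2
    (cd "$dir" && tar cf - *) | gzip -9 > "$pkg"
}

# Sorted member list of a .lrp (trailing slashes stripped), for comparing packages.
lrp_members() {
    zcat "$1" | tar tf - | sed 's,/$,,' | sort
}

# Print one member of a .lrp without unpacking the whole thing.
lrp_cat() {
    zcat "$1" | tar xOf - "$2"
}

demo() {
    work=$(mktemp -d)
    # Constructed stand-in for etc.lrp as copied from the floppy.
    mkdir -p "$work/src/etc"
    printf 'CONFIG_DNS=NO\n' > "$work/src/etc/network.conf"
    lrp_pack "$work/src" "$work/etc.lrp"
    # The "cd d-etc; rm -rf ...; zcat ../etc.lrp | tar xvf -" step.
    lrp_unpack "$work/etc.lrp" "$work/d-etc"
    # The "vi network.conf" step, done non-interactively.
    sed 's/^CONFIG_DNS=NO$/CONFIG_DNS=YES/' "$work/d-etc/etc/network.conf" > "$work/nc.tmp"
    mv "$work/nc.tmp" "$work/d-etc/etc/network.conf"
    # The "tar cvf - * | gzip -9 > ~/LRP/etc.lrp" step, to a new file here.
    lrp_pack "$work/d-etc" "$work/etc.new.lrp"
    # Sanity check before copying back to the floppy: same members as before.
    if [ "$(lrp_members "$work/etc.lrp")" = "$(lrp_members "$work/etc.new.lrp")" ]; then
        echo "member list unchanged: OK"
    else
        echo "member list differs, not writing to floppy"; rm -rf "$work"; return 1
    fi
    echo "new setting: $(lrp_cat "$work/etc.new.lrp" etc/network.conf)"
    rm -rf "$work"
}

demo
```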


Note 4:

        If you know Unix, and want to see exactly what changes in  
/etc/network.conf will do to the system, look in /etc/init.d/network.  That's  
how I eventually worked everything out.



------------------------------------
------------ Files -----------------
------------------------------------




----------------  Begin first network.conf  -----------------------

#############################################################################
# Auto configuration bypass  (Say NO to use this file)
#############################################################################
DIRECT_SETTINGS_ONLY=NO

#############################################################################
# Default Settings
#############################################################################

VERBOSE=YES
MAX_LOOP=6

# Forward IP's
IPFWDING_KERNEL=YES
IPFWDING_FW=YES

# Set a hostname below...
CONFIG_HOSTNAME=YES

# The hosts and DNS are generally not needed...
# CONFIG_HOSTSFILE=NO
# CONFIG_DNS=NO

#############################################################################
# Interfaces
#############################################################################

IF0_IFNAME=eth0
IF0_IPADDR=24.136.15.51
IF0_NETMASK=255.255.0.0
IF0_BROADCAST=24.136.255.255
# Protect against spoofed IP's...
IF0_IP_SPOOF=YES

IF1_IFNAME=eth1
IF1_IPADDR=192.168.1.1
IF1_NETMASK=255.255.255.0
IF1_BROADCAST=192.168.1.255
# Protect against spoofed IP's...
IF1_IP_SPOOF=YES

#############################################################################
# Hosts
#############################################################################
# Don't need this stuff...
#HOST0_IPADDR=24.136.0.1
#HOST0_GATEWAY_IF=default
#HOST0_GATEWAY_IP=24.136.0.1
#HOST0_IPMASQ=NO
#HOST0_IPMASQ_IF=default

#############################################################################
# Networks
#############################################################################

NET0_NETADDR=24.136.0.0
NET0_NETMASK=$IF0_NETMASK
NET0_GATEWAY_IF=default
NET0_GATEWAY_IP=default
# No need to masq external, legitimate IP's...
NET0_IPMASQ=NO
NET0_IPMASQ_IF=default


NET1_NETADDR=192.168.1.0
NET1_NETMASK=$IF1_NETMASK
NET1_GATEWAY_IF=default
NET1_GATEWAY_IP=default
# Must masq internal illegit IP's...
NET1_IPMASQ=YES
NET1_IPMASQ_IF=default

#############################################################################
# Gateways (Default Routes)
#############################################################################

GW0_IPADDR=24.136.0.1
GW0_IFNAME=$IF0_NAME
GW0_METRIC=1


#############################################################################
# Hostname                                      Requires: CONFIG_HOSTNAME=YES
#############################################################################
HOSTNAME=lobotomy

#############################################################################
# Hosts file (Static domainname entries)        Requires: CONFIG_HOSTSFILE=YES
#############################################################################
#       IP              FQDN                 hostname alias1 alias2..
#HOSTS0="$IF0_IPADDR    $HOSTNAME.21stcentury.net  $HOSTNAME mrrtr"
#HOSTS1="192.168.1.22   host2.somewhere.net             host2 h2"

#############################################################################
# Domain Search Order and Name Servers          Requires: CONFIG_DNS=YES
#############################################################################

# Currently not used....

DOMAINS="21stcentury.net"

DNS0=24.136.0.3
DNS1=24.136.0.2


#############################################################################
# End
#############################################################################

----------------  End first network.conf  -----------------------
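        Added example (not from the original guide): because
/etc/init.d/network sources network.conf as shell (see Note 4), a stray
space around "=" or a reference to a variable the file never sets is
accepted silently and only shows up as a broken interface at boot.  This
lint catches both before the file goes on the floppy.  The function name
and the sample config it is run on are constructed; only lines in the
KEY=VALUE style of the files above are checked.

```shell
#!/bin/sh
# Lint for network.conf style files.  Flags:
#  - "KEY= VALUE" or "KEY =VALUE": when sourced, the shell runs VALUE as a
#    command (or reports KEY: not found) instead of assigning it
#  - "$NAME" on a right-hand side where NAME is not assigned earlier in the file
# Comment and blank lines are skipped; ${NAME} is handled like $NAME.
lint_network_conf() {
    # $1 = path to the file to check; one problem per output line
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*[[:space:]]+=/ { printf "%d: space before = : %s\n", NR, $0; next }
        /^[A-Za-z_][A-Za-z0-9_]*=[[:space:]]+[^[:space:]]/ { printf "%d: space after = : %s\n", NR, $0; next }
        /^[A-Za-z_][A-Za-z0-9_]*=/ {
            key = $0; sub(/=.*/, "", key)
            rhs = $0; sub(/^[^=]*=/, "", rhs)
            while (match(rhs, /\$[{]?[A-Za-z_][A-Za-z0-9_]*/)) {
                ref = substr(rhs, RSTART + 1, RLENGTH - 1)
                sub(/^[{]/, "", ref)
                if (!(ref in defined))
                    printf "%d: %s uses $%s, which is not set in this file\n", NR, key, ref
                rhs = substr(rhs, RSTART + RLENGTH)
            }
            defined[key] = 1
            next
        }
        { printf "%d: not a KEY=VALUE line: %s\n", NR, $0 }
    ' "$1"
}

demo() {
    f=$(mktemp)
    # Constructed sample in the style of the files above, with two slips:
    # a space after "=" and a misspelled variable reference.
    cat > "$f" <<'EOF'
# constructed sample
CONFIG_HOSTNAME=YES
CONFIG_DNS= YES
IF0_IFNAME=eth0
IF0_NETMASK=255.255.0.0
NET0_NETMASK=$IF0_NETMASK
GW0_IFNAME=$IF0_IFNAM
EOF
    lint_network_conf "$f"
    rm -f "$f"
}

demo
```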


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%



----------------  Begin second network.conf  -----------------------

#############################################################################
# Auto configuration bypass  (Say NO to use this file)
#############################################################################
DIRECT_SETTINGS_ONLY=NO

#############################################################################
# Default Settings
#############################################################################

VERBOSE=YES
MAX_LOOP=6

# Forward IP's
IPFWDING_KERNEL=YES
IPFWDING_FW=YES

# Set a hostname below...
CONFIG_HOSTNAME=YES

# We now have things working to the point that we can turn these on....
CONFIG_HOSTSFILE=YES
CONFIG_DNS=YES

#############################################################################
# Interfaces
#############################################################################

# Keep the same as above, in first example.  Deleted to avoid confusion


#############################################################################
# Hosts
#############################################################################

# Still don't need this stuff...same as above

#############################################################################
# Networks
#############################################################################

# Keep the same as above, in first example.  Deleted to avoid confusion

#############################################################################
# Gateways (Default Routes)
#############################################################################

# Keep the same as above, in first example.  Deleted to avoid confusion


#############################################################################
# Hostname                                      Requires: CONFIG_HOSTNAME=YES
#############################################################################

# Keep the same as above, in first example.  Deleted to avoid confusion

#############################################################################
# Hosts file (Static domainname entries)        Requires: CONFIG_HOSTSFILE=YES
#############################################################################
#       IP              FQDN                 hostname alias1 alias2..

# The following have now been uncommented to make entries in /etc/hosts
# for internal machines

HOSTS0="$IF0_IPADDR     $HOSTNAME.21stcentury.net       $HOSTNAME mrrtr"
HOSTS1="192.168.1.10    byron.21stcentury.net   byron"
HOSTS2="192.168.1.11    hesse.21stcentury.net   hesse h"
HOSTS3="192.168.1.12    poe.21stcentury.net     poe"

#############################################################################
# Domain Search Order and Name Servers          Requires: CONFIG_DNS=YES
#############################################################################

# This is now used....

DOMAINS="21stcentury.net"

DNS0=24.136.0.3
DNS1=24.136.0.2


#############################################################################
# End
#############################################################################


----------------  End second network.conf  -----------------------


_______________________________________________
linux-router maillist  -  linux-router@linuxrouter.org
http://www.linuxrouter.org/mailman/listinfo/linux-router




Last modified: 26 August 1999
Compilation © Copyright 1999, Ethan Dicks <erd@infinet.com>. All Rights Reserved.