Hook your LAN up to the Internet with Linux
by John D. Blair and Lou Grinzo
Original article at:
http://www.linux-mag.com/cgi-bin/printer.pl?issue=2000-05&article=networking
Remember the dim and distant past, about five years ago, when networking
was something only big companies and those hopelessly addicted to
computers did? Thanks to plummeting hardware prices, that's all changed
now, and it's common to find LANs (Local Area Networks) in even the
smallest business or home.
There are many advantages to networking your local computers. First,
having a LAN allows you to easily share and centralize data -- no more
swapping disks or sending bulky e-mails when you can just save directly
to any disk on any machine in your network. Second, LANs allow everybody
in a home or office environment to share peripheral components like
printers, scanners, and zip drives. Instead of buying a printer for
every computer, for instance, you can buy one excellent printer for all
the computers, get higher quality output, and save money.
Finally, using Linux, you can hook up your entire LAN to the Internet
through a single connection, save a bundle of money, and still enjoy
excellent performance. All you need is at least one computer running
Linux (the other machines in your LAN can use just about any OS), a
modem, and an Internet service provider. The setup process is
surprisingly easy. In this article, we'll show you how to do it.
Before we dive into the details, it's worth pointing out a few items.
First, we won't cover setting up a modem under Linux, or the basics of
installing a network board, or general networking principles. If you
need help in these areas, see the Web Links sidebar on page 54 for some
of the almost endless Linux documentation that's available on various
networking issues.
Second, in the interest of simplicity we will ignore issues about
security and interaction with other networking software and hardware.
Everything discussed here is based on fresh, stock installations of Red
Hat Linux 6.1, using supported networking hardware. It's possible that
some of the configuration files and directories will be different on
other distributions, or even on earlier versions of Red Hat, but these
differences shouldn't pose great difficulties.
Figure One: Gateway has the only direct connection to the Internet.
Other systems access the net through gateway.
Figure One is a high-level view of the system we'll be describing in
this article. We'll refer frequently to the computers by the names in
the figure (gateway, client1, etc.), and we'll also talk about their
network addresses (192.168.1.1). If you don't know what network
addresses are, don't panic, we'll get to those shortly.
Finally, remember that a little planning can have a big payback. For
example, decide up-front which of your systems will be the gateway.
Typically, this should be the system that's already set up with an
Internet connection, since it will require the least amount of change.
Also, make sure you have all the needed information from your ISP
(Internet Service Provider), such as the names of the mail and news
servers, and the IP (Internet Protocol) address of the DNS (Domain Name
System) server.
In order to connect your LAN to the Internet, you'll have to know a bit
about how networked computers communicate. Every computer on a network
has a unique IP address ("IP" stands for Internet Protocol), which
consists of four numbers, each one between 0 and 255 (e.g.,
127.16.5.132). Computers and other networking hardware use these addresses
to route information to the right destination.
Each time it receives a packet of data over the Internet, a computer
checks the packet's IP address label to see whether that computer is the
data's intended recipient. If it is, the computer keeps the data; if it
isn't, it forwards the data in the right direction. When operating as a
LAN's gateway, a computer must recognize and catch data packets
addressed to itself and to every other machine on the LAN. It must then
forward packets addressed to the various LAN computers to their proper
destinations while keeping those packets addressed to itself.
ISPs charge more if they have to allocate more than one IP address to
you. Luckily, it's possible to connect an entire LAN to the Internet
through a single IP address. With the type of configuration we'll show
you how to set up, all incoming data is addressed to the gateway and
then forwarded to its proper destination within the network. All
outgoing data uses the gateway's return address, thereby fooling outside
computers into thinking that all traffic from the LAN is coming from a
single computer. This process is called IP masquerading.
To see how IP masquerading works, let's start with the network shown in
Figure One. This network is connected to the Internet through a dial-up
PPP (point-to-point protocol) connection by the Linux system gateway
that uses IP masquerading. If a user on client1 wants to browse a Web
page from webserver, which can be any Web server anywhere on the
internet, IP masquerading can make it all work transparently to client1
and webserver.
When client1 opens a TCP connection by transmitting a packet to
webserver, the data goes first to gateway. Gateway creates a fictional
TCP port number and remembers both it and the real port number
associated with client1's data. Gateway then changes the originating
information in the data packet so that it appears to have come from this
fictional port on gateway itself, then sends the data out into the
Internet. When webserver sends data back, it naturally uses the modified
addressing information from gateway. When the data arrives at gateway,
it's able to use the routing information (including the fictional port
number it assigns to all data from a particular local computer) to
determine which other PC on the LAN should really receive it. Gateway
once again patches the address information in the packet, this time
fooling the local computer into thinking it contacted webserver
directly, and then sends it the data.
Basic LAN Setup
Figure Two: Three blocks of IP addresses are set aside for private
networking. These addresses are used for TCP/IP networks that aren't
directly accessible by any host on the Internet. As far as the Internet
as a whole is concerned, none of these IP addresses even exists.
To set up a LAN so that your systems can talk to one another, you can
assign each computer an IP address, using one of the values that are
reserved for private use. The suggested values are shown in Figure One,
with 192.168.1.1 being the gateway, client1 being 192.168.1.2, etc. The
classes of IP addresses are shown in Figure Two (pg. 54).
To assign a static IP address to a Red Hat 6.1 system, open an X
terminal window and enter the command netcfg. Click on the "Interface"
button on the netcfg interface, and you should see an entry for the
loopback network device, with the address of 127.0.0.1, as well as one
for your Ethernet board, typically called eth0. Click on the entry for
eth0, then click on the "Edit" button to display the configuration
dialog shown in Figure Three (pg. 54).
Figure Three: The netcfg tool makes it very easy for you to set the
static IP address of your network adapter.
In this dialog, enter the IP address that you have chosen for the
system, enter a netmask of 255.255.255.0, and make sure that the option
that allows the interface to start at boot time is selected. You can
then deactivate the interface from the netcfg screen and reactivate it
to make the address change go into effect.
If the activation step makes netcfg hang, as it invariably does on my
systems, you can always cancel the program by clicking on the "close"
button on its window with your right mouse button. After you do this,
the new address should still be in effect. Now, just repeat these steps
for each of your computers using the address you've chosen for each.
To make sure that all of your systems can find one another over the
network, use the ping command from each one. From the gateway system,
enter ping 192.168.1.2, and you should see a series of messages telling
you how long each message took to travel to client1, the system whose
address you passed on the command line. Make sure that you remember to
press ctrl-c to stop pinging, or it will go on forever.
Now it's time to set up the computer that's connected to the Internet so
that it can also serve as a gateway for the rest of your LAN. The first
step requires us to make sure you have a PPP (Point to Point Protocol)
adapter on your gateway system, and that it's set up properly.
Figure Four: Creating a PPP adapter for dial-on-demand usage.
Figure Five: Adding a DNS server address to a configuration.
Run netcfg and, this time, go to the "Interfaces" section. Click on the
"Add" button and then select the "PPP" option from the dialog, which
opens the dialog shown in Figure Four (pg. 56), using the name "ppp0"
for the new adapter. Enter the phone number of your ISP, and click the
"Configure" button. On the configuration dialog, you want to select the
"Communication" button and then configure the "Expect" and "Send"
strings to handle the password prompting and responses you need to use
to log on to your ISP account. If your ISP uses PAP (Password
Authentication Protocol) you can simply enter your account name and
password on the "PAP" section of this same dialog box.
Next click on the "Networking" button and make sure the options
"Activate interface at boot time," "Set default route when making
connection," and "Restart PPP when connection fails" are selected. Click
"Done" to save your changes. Next, click on the "Routing" button and
select the "IPv4" forwarding option. Now click on the "Names" button and
enter the IP address of the DNS server you got from your ISP into the
lower part of the screen, as shown in Figure Five. This is critical,
since it tells your system where it can get name-translation services
that let it map human-friendly names, like http://www.linux-mag.com, to
the more computer-friendly form of an IP address.
To make PPP work exactly as we'd like, edit the file /etc/ppp/options
and add these three lines at the end:
:10.0.0.1
demand
idle 60
The :10.0.0.1 is a phony address that merely keeps pppd (the PPP daemon
program) happy while it's running until it gets a dynamically assigned
IP address from your ISP. demand configures the PPP link to use
on-demand dialing, so that it will automatically dial in to your ISP
whenever ppp0 needs the connection. idle 60 determines how long, in
seconds, the modem will stay connected while the line is idle before
disconnecting. Since it takes 30 seconds or longer for most dial-up
connections to start, make this delay long enough that it won't drop
your line while you are reading a Web page. Browsing the Web can be slow
enough without redials.
To test your system, do the following from a command line:
cd /etc/sysconfig/network-scripts
./ifdown ppp0
./ifup ppp0
ping ibm.com
This will make sure that pppd isn't running, start it, and then ping
IBM. If everything is working properly the ping command should make your
modem dial and connect to your ISP, and the output of ping should start
appearing. Stop ping with ctrl-c, and your modem should hang up after 60
seconds, or whatever idle value you used in /etc/ppp/options.
Next we add IP masquerading to gateway, by using a text editor to insert
the following lines into the file /etc/rc.d/rc.local.
Listing One: Enabling IP Masquerade from a Start-up Script
# remove any existing forwarding rules to be safe
/sbin/ipchains -F forward
# set the default forwarding policy to DENY
/sbin/ipchains -P forward DENY
# stop NetBIOS broadcast packets from causing an autodial
# (these DENY rules must come before the MASQ rule: ipchains stops at
# the first rule that matches a packet, so a MASQ rule listed first
# would masquerade the NetBIOS packets before they could be denied)
/sbin/ipchains -A forward -j DENY -p tcp -s 0.0.0.0/0 137:139
/sbin/ipchains -A forward -j DENY -p udp -s 0.0.0.0/0 137:139
# turn on IP masquerading for outgoing packets from the LAN
/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
# load some proxy modules into the kernel
# (no spaces around the "=": "MODULES = ..." would be run as a command)
MODULES='ftp irc raudio'
for SERVICE in $MODULES; do
    /sbin/insmod ip_masq_$SERVICE
done
The SERVICE loop in Listing One loads proxy modules, which ensure that
certain protocols, like FTP and Quake, that are normally broken by IP
masquerading will still work. You can list the masquerading proxy
modules on your system with the command
/sbin/modprobe -l | grep ip_masq
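To make the client1/webserver exchange described earlier and the forward-chain rules of Listing One concrete, here is an added Python model of what gateway does to each packet. It is example code written for this page, not code from the article, from ipchains or from the Linux kernel. It assumes a placeholder public address of 203.0.113.7 on ppp0 and hands out fictional ports starting at 61000; both values are constructed for the model. The three private blocks used for the private_block helper are the ones set aside for private networking (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), which Figure Two refers to but the text does not list.

```python
import ipaddress
import itertools
from dataclasses import dataclass, replace
from typing import Optional

# Constructed values for the model: the LAN from Figure One, a placeholder
# address "assigned" to ppp0 by the ISP, and the NetBIOS ports from Listing One.
LAN = ipaddress.ip_network("192.168.1.0/24")
PPP0_ADDRESS = "203.0.113.7"       # placeholder public address (documentation range)
NETBIOS_PORTS = range(137, 140)    # 137:139 in Listing One

# The three blocks reserved for private networks (Figure Two).
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private_block(addr: str) -> Optional[str]:
    """Return the private block an address falls in, or None if it is public."""
    ip = ipaddress.ip_address(addr)
    for block in PRIVATE_BLOCKS:
        if ip in block:
            return str(block)
    return None


@dataclass(frozen=True)
class Packet:
    """The header fields that masquerading inspects and rewrites."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Model of Listing One's forward chain plus the masquerade table.

    Rules are checked in order and the first match decides the packet's
    fate, as ipchains does; a packet matching no rule falls through to
    the chain's default policy, which Listing One sets to DENY.
    """

    def __init__(self, public_ip: str, first_port: int = 61000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)   # constructed port range
        self._by_fake = {}   # (proto, fictional port) -> (real src, real sport)
        self._by_real = {}   # (proto, real src, real sport) -> fictional port

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Outbound path: a packet from the LAN arriving at gateway for the Internet."""
        # -A forward -j DENY -p tcp/udp -s 0.0.0.0/0 137:139
        if pkt.proto in ("tcp", "udp") and pkt.sport in NETBIOS_PORTS:
            return None
        # -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
        if ipaddress.ip_address(pkt.src) in LAN:
            return self._masquerade(pkt)
        # -P forward DENY: anything else is dropped
        return None

    def _masquerade(self, pkt: Packet) -> Packet:
        """Replace the real source with gateway's address and a fictional port."""
        key = (pkt.proto, pkt.src, pkt.sport)
        fake = self._by_real.get(key)
        if fake is None:                      # first packet of this flow
            fake = next(self._next_port)
            self._by_real[key] = fake
            self._by_fake[(pkt.proto, fake)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=fake)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Inbound path: a packet from the Internet addressed to gateway itself."""
        if pkt.dst != self.public_ip:
            return None
        entry = self._by_fake.get((pkt.proto, pkt.dport))
        if entry is None:
            # No LAN host opened this flow, so nothing is forwarded inward;
            # the LAN's private addresses stay unreachable from outside.
            return None
        real_src, real_sport = entry
        return replace(pkt, dst=real_src, dport=real_sport)


if __name__ == "__main__":
    gw = Gateway(PPP0_ADDRESS)
    request = Packet("tcp", "192.168.1.2", 1025, "198.51.100.10", 80)
    out = gw.forward(request)
    print("client1 -> webserver, as seen on the Internet:", out)
    answer = Packet("tcp", "198.51.100.10", 80, PPP0_ADDRESS, out.sport)
    print("webserver -> client1, as delivered on the LAN: ", gw.reply(answer))
```

Running the demo shows client1's request leaving ppp0 with gateway's address and port 61000, and the reply to that port landing back on 192.168.1.2:1025; a reply to a port that no LAN host opened, a packet with a NetBIOS source port, or a packet from an address outside 192.168.1.0/24 all return None, which is the model's way of saying "dropped".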
Setting up a client system on your LAN so it can access the Internet
through your gateway system is very easy -- all you have to do is tell
each system to use your gateway system as its default gateway, and also
provide it with the IP address of the DNS server provided by your ISP.
Run netcfg and enter the DNS server addresses in the bottom box on
the "Hosts" screen. Then, click the "Routing" button and enter the IP
address of your gateway (192.168.1.1 in our example). You should stop
and restart the network interface with the "Deactivate" and "Activate"
buttons in netcfg before closing it down.
If your client machine is running Windows, you can configure it to use
the same static IP address, net mask, DNS server addresses, and gateway
address as we did with the Linux-based client.
There's no configuration needed for most browsers when they run on a
client or the gateway system. This is because the browsers default to
using a direct connection to the Internet. You can simply start Netscape
Navigator or Communicator and it will find what it thinks is the
Internet, which will cause gateway to connect to your ISP, as needed, or
use the existing connection, if there is one.
Figure Six: Use the values provided by your ISP to set the mail-server
addresses in your mail client.
A mail client takes a bit more work, and it's another area where you
have to rely on information from your ISP. For example, when I set up
KMail, the mail client that comes with KDE, I had to enter the values
shown in Figure Six, including my e-mail address and the name of the
SMTP (simple mail transfer protocol) and POP (post office protocol) mail
servers, which in this case happen to be the same, but at some ISPs
they're different.
I've touched on just the barest details of Linux networking in this
article, but you should be able to set up the configuration I've
described without too much trouble. Try to remember that while
networking is probably the most finicky and frustrating part of computer
system configuration, you have a lot of resources in the Linux community
to rely on, including the HOW-TOs listed in the Web Links sidebar (pg.
54).
Figure Seven: Configuring the driver module for a second Ethernet
adapter using linuxconf.
If you're lucky enough to have a cable modem, sharing your one
connection over your entire LAN is all the more interesting, since you
have far more raw speed to spread around. Luckily, setting it up is even
easier than the on-demand dialing. In my case, I have a Time Warner
RoadRunner subscription, which works effortlessly with Linux, since it
no longer requires an explicit login program. I have my first Ethernet
adapter (which is how a cable modem connects to a PC), eth0, configured
to use DHCP (dynamic host configuration protocol). When I boot the
system it gets an IP address for itself as well as DNS name servers from
my ISP.
My system also has a second Ethernet adapter, which is connected to my
LAN. To make it work like gateway in our example in the main part of
this article, I used netcfg to add a new adapter, eth1, for the second
Ethernet board, and basically configured eth1 as we did ppp0 in the main
article. The hardest part was remembering to use Red Hat's linuxconf
program, as shown in Figure Seven, to set up the proper driver module
for the second adapter.
John Blair is the author of Samba: Integrating Unix and Windows. He can
be reached at
jdblair@brainwell.com.
Linux Magazine (http://www.linux-mag.com) May 2000
Copyright Linux Magazine ©2000