Linux Networking Cookbook
By Carla Schroder
November 2007
Pages: 638

Chapter 1: Introduction to Linux Networking
Computer networking is all about making computers talk to each other. It is simple to say, but complex to implement. In this Introduction, we'll take a bird's-eye view of Ethernet networking with Linux, and take a look at the various pieces that make it all work: routers, firewalls, switches, cabling, interface hardware, and different types of WAN and Internet services.
A network, whether it is a LAN or WAN, can be thought of as having two parts: computers, and everything that goes between the computers. This book focuses on connectivity: firewalls, wireless access points, secure remote administration, remote helpdesk, remote access for users, virtual private networks, authentication, system and network monitoring, and the rapidly growing new world of Voice over IP services.
We'll cover tasks like networking Linux and Unix boxes, integrating Windows hosts, routing, user identification and authentication, sharing an Internet connection, connecting branch offices, name services, wired and wireless connectivity, security, monitoring, and troubleshooting.
One of the biggest problems for the network administrator is connecting safely to the Internet. What sort of protection do you need? Do you need expensive commercial routers and firewalls? How do you physically connect your LAN to the Internet?
Here are the answers to the first two questions: at a minimum, you need a firewall and a router, and no, you do not need expensive commercial devices. Linux on ordinary PC hardware gives you all the power and flexibility you need for most home and business users.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
Chapter 2: Building a Linux Gateway on a Single-Board Computer
Linux lends itself so readily to hacking on old hardware we often forget it is not always the best hardware to use. While it is good to keep old PCs out of landfills, there are disadvantages to using them as routers and firewalls. They're big, they use a lot of power, and they're noisy, unless you have something of sufficient vintage to run fanless. Old hardware is that much closer to failure, and what do you do if parts fail? Even if you can find new parts, are they worth replacing?
Single-board computers (SBCs), like those made by Soekris Engineering (http://www.soekris.com) and PC Engines (http://www.pcengines.ch/wrap.htm) are great for routers, firewalls, and wireless access points. They're small, quiet, low-power, and sturdy. You'll find information on single-board computers and other small form-factor computers at the LinuxDevices.com Single Board Computer (SBC) Quick Reference Guide (http://www.linuxdevices.com/articles/AT2614444132.html).
This chapter will show you how to install and configure Pyramid Linux (http://metrix.net/) on a Soekris 4521 board. There are many small distributions designed to power routers and firewalls; see for more information on these, and to learn how to build an Internet-connection sharing firewall.
Despite their small size, the Soekris and PC Engines boards are versatile. PC Engines' and similar boards all operate in pretty much the same fashion, so what you learn here applies to all of them. A cool-sounding shortcut for these boards is to call them routerboards.
You might look at the specs of our little 4521 and turn your nose up in scorn:
  • 133 MHz AMD ElanSC520 CPU
  • 64 MB SDRAM, soldered on board
  • 1 Mb BIOS/BOOT Flash
  • Two 10/100 Ethernet ports
  • CompactFLASH Type I/II socket, 8 MB Flash to 4 GB Microdrive
  • 1 DB9 Serial port
  • Power, Activity, Error LEDs
  • Mini-PCI type III socket
  • 2 PC-Card/Cardbus slots
  • 8 bit general purpose I/O 14-pins header
  • Board size 9.2" x 5.7"
  • Option for 5V supply using internal connector
  • Power over Ethernet
  • Operating temperature 0–60°C
You'll find more raw horsepower in a low-end video card. But don't let the numbers fool you. Combined with a specialized Linux, BSD, or any embedded operating system, these little devices are tough, efficient workhorses that beat the pants off comparable (and usually overpriced and inflexible) commercial routers. You get complete control and customizability, and you don't have to worry about nonsense like hardcoded misconfigurations or secret backdoors that are known to everyone but the end user. These little boards can handle fairly hostile environments, and with the right kind of enclosures can go outside.
Getting Acquainted with the Soekris 4521
You're not familiar with these little boards, and aren't sure where to start. How do you talk to it? What do you do with it?
It's easy. You will need:
  • PC running Linux
  • Null-modem serial cable
  • Minicom installed on the Linux PC
Configure Minicom, connect the two machines, power up the Soekris, and you're ready.
Here are all the steps in detail. First, find out what physical serial ports your Linux box has:
	$ setserial -g /dev/ttyS[0123]
	/dev/ttyS0, UART: 16550A, Port: 0x03f8, IRQ: 4
	/dev/ttyS1, UART: unknown, Port: 0x02f8, IRQ: 3
	/dev/ttyS2, UART: unknown, Port: 0x03e8, IRQ: 4
	/dev/ttyS3, UART: unknown, Port: 0x02e8, IRQ: 3
This PC has only one, which is the one with a UART value. If you have more than one, it will probably take a bit of trial and error to figure out which one is connected to the Soekris board.
Now, set up Minicom:
	# minicom -s
	------[configuration]------
	| Filenames and paths
	| File transfer protocols
	| Serial port setup
	| Modem and dialing
	| Screen and keyboard
	| Save setup as dfl
	| Save setup as..
	| Exit
	| Exit from Minicom
	---------------------------
Select "Serial port setup." Your settings should look just like this, except you need to enter your own serial port address. Soekris boards default to "Bps/Par/Bits 19200 8N1," no flow control:
	-------------------------------------------
	| A -    Serial Device      : /dev/ttyS0
	| B - Lockfile Location     : /var/lock
	| C -   Callin Program      :
	| D -  Callout Program      :
	| E -    Bps/Par/Bits       : 19200 8N1
	| F - Hardware Flow Control : No
	| G - Software Flow Control : No
	|
	|     Change which setting?
	-------------------------------------------
Next, select the "Modem and dialing" option, and make sure the "Init string" and "Reset string" settings are blank. Finally, select "Save setup as dfl" to make this the default, and then "Exit." This takes you back to the main Minicom screen:
	Welcome to minicom 2.1

	OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
	Compiled on Nov 5 2005, 15:45:44.

	Press CTRL-A Z for help on special keys
Now power up the Soekris, and you'll see something like this:
	comBIOS ver. 1.15 20021013 Copyright (C) 2000-2002 Soekris Engineering.

	net45xx

	0064 Mbyte Memory                      CPU 80486 133 Mhz

	PXE-M00: BootManage UNDI, PXE-2.0 (build 082)

	Slot   Vend Dev  ClassRev Cmd  Stat CL LT HT Base1    Base2    Int
	-------------------------------------------------------------------
	0:00:0 1022 3000 06000000 0006 2280 00 00 00 00000000 00000000 00
	0:16:0 168C 0013 02000001 0116 0290 10 3C 00 A0000000 00000000 10
	0:17:0 104C AC51 06070000 0107 0210 10 3F 82 A0010000 020000A0 11
	0:17:1 104C AC51 06070000 0107 0210 10 3F 82 A0011000 020000A0 11
	0:18:0 100B 0020 02000000 0107 0290 00 3F 00 0000E101 A0012000 05
	0:19:0 100B 0020 02000000 0107 0290 00 3F 00 0000E201 A0013000 09

	4 Seconds to automatic boot.   Press Ctrl-P for entering Monitor.
Configuring Multiple Minicom Profiles
You have a laptop set up as a portable serial terminal and all-around networking troubleshooting tool, so you need multiple connection profiles in Minicom to connect to different servers.
As root, set up a new Minicom configuration just like in the previous recipe. Then, instead of selecting "Save as dfl," select "Save as…" and type in the name of your choice, such as pyramid. Now, any user can use this configuration with this command:
	$ minicom pyramid
Ordinary users cannot change the serial port setup settings in Minicom, except for bits per second, and cannot save configurations.
  • man 1 minicom
Installing Pyramid Linux on a Compact Flash Card
There you are with your new single-board computer, and it looks very nice, but you're wondering how to get an operating system on it.
The two most common methods are via a Compact Flash (CF) writer, or bootstrapping the operating system from a PXE boot server. This recipe tells how to install Pyramid Linux using the first method. You need:
  • A Compact Flash writer
  • The Pyramid Linux dd image
The most common CF writers cost around $20 and connect to a USB port. This is the easiest kind to use. Linux automatically recognizes and mounts the device when you plug it in.
A second option is an IDE CF writer. You'll know if you have one of these because they take up an IDE slot on your system and a front drive bay. A system with one of these needs to be booted with the CF card in the reader, or it won't see it.
First, download the latest dd image:
	$ wget http://metrix.net/support/dist/pyramid-1.0b1.img.gz
Next, find the /dev name of your CF card with the fdisk -l command. A USB CF writer looks like this:
	# fdisk -l
	   Device Boot      Start       End     Blocks   Id  System
	/dev/sdb1               1       977     62512    83  Linux
An IDE CF writer looks like this:
	   Device Boot      Start       End     Blocks   Id  System
	/dev/hdc1   *           1       977     62512    83  Linux
Copy the image to your CF card with these commands, using your own correct image and /dev names. Do not use any partition numbers:
	# gunzip -c pyramid-1.0b1.img.gz | dd of=/dev/sdb bs=16k
	3908+0 records in
	3908+0 records out
And that's all there is to it. Now it's ready to go in your routerboard.
This requires a bootable operating system image. You can't just copy files to the Flash card because it needs a boot sector. dd does a byte-by-byte copy, including the boot sector, which most other copy commands cannot do. The maintainers of Pyramid thoughtfully provide a complete image, which makes for a simple installation.
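As an added example (not code from the book), these POSIX shell helpers wrap the dd step above: they strip a partition number from the device name fdisk reports, refuse to write to a card that is still mounted, and confirm the gzip image is intact before a byte reaches the device. The mounts-file argument is an assumption that makes the check rehearsable; on a live system leave it at /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the book: guard rails around "gunzip -c ... | dd".
# A mistyped target device here overwrites a disk, so check before writing.

# cf_target_device DEV: print the whole-disk name for a device from "fdisk -l",
# dropping any partition number (/dev/sdb1 -> /dev/sdb, /dev/hdc1 -> /dev/hdc).
cf_target_device() {
    case "$1" in
        /dev/sd[a-z] | /dev/hd[a-z])
            printf '%s\n' "$1" ;;
        /dev/sd[a-z]*[0-9] | /dev/hd[a-z]*[0-9])
            printf '%s\n' "$1" | sed 's/[0-9]*$//' ;;
        *)
            return 1 ;;
    esac
}

# cf_device_in_use DEV [MOUNTS]: succeed when DEV or a partition on it appears
# in MOUNTS (default /proc/mounts), i.e. the card was auto-mounted on plug-in.
cf_device_in_use() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# write_cf_image IMAGE.gz TARGET [MOUNTS]: verify the image, normalise a /dev
# target to the whole card, refuse a mounted card, then write it as the book does.
# TARGET may also be a regular file, which is how the check can be rehearsed.
write_cf_image() {
    image=$1; target=$2; mounts=${3:-/proc/mounts}
    gzip -t "$image" 2>/dev/null || { echo "corrupt or truncated image: $image" >&2; return 1; }
    case "$target" in
        /dev/*) target=$(cf_target_device "$target") \
                    || { echo "unrecognised device name: $2" >&2; return 1; } ;;
    esac
    if cf_device_in_use "$target" "$mounts"; then
        echo "refusing to write: $target (or a partition on it) is mounted" >&2
        return 1
    fi
    gunzip -c "$image" | dd of="$target" bs=16k
}
```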
Network Installation of Pyramid on Debian
You would rather install Pyramid Linux via PXE boot because you have several routerboards to install, or you have onboard nonremovable Compact Flash, or you just prefer to do it this way. Your installation server runs Debian.
No problem, you can do this because the Soekris boards (and PC Engines and all their little cousins) support netbooting. While the HTTP, TFTP, and DHCP services in this recipe can be on different machines, the examples here assume they are all on a single PC. Any PC will do (e.g., a workstation, your special network administrator laptop, anything).
To get started, first download the latest Pyramid dd image or tarball from http://metrix.net/support/dist/ into the directory of your choice:
	$ wget http://metrix.net/support/dist/pyramid-1.0b2.img.gz
Then, you need these services installed:
  • DHCPD
  • TFTP
  • HTTP
  • Subversion
You don't need a big old heavyweight HTTP server like Apache. Lighttpd is great for lightweight applications like this. Install them with this command:
	# apt-get install lighttpd lighttpd-doc tftpd-hpa dhcp3-server subversion
Copy this /etc/dhcp3/dhcpd.conf file exactly:
	##/etc/dhcp3/dhcpd.conf
	  subnet 192.168.200.0 netmask 255.255.255.0 {
	  range 192.168.200.100 192.168.200.200;
	  allow booting;
	  allow bootp;

	  next-server 192.168.200.1;
	  filename "PXE/pxelinux.0";

	  max-lease-time 60;
	  default-lease-time 60;
	}
next-server is the IP address of the boot server; it must be 192.168.200.1.
Next, configure tftpd by editing /etc/default/tftpd-hpa like this:
	##/etc/default/tftpd-hpa
	RUN_DAEMON="yes"
	OPTIONS="-a 192.168.200.1:69 -l -s -vv /var/lib/tftpboot/"
Change your working directory to /var/lib/tftpboot and download the PXE environment from Metrix's Subversion repository:
	root@xena:/var/lib/tftpboot # svn export http://pyramid.metrix.net/svn/PXE
This is about a 45 MB download.
Next, inside your httpd document root directory, /var/www, make a symlink to the Pyramid tarball or image you downloaded and name it "os":
	root@xena:/var/www # ln -s /home/carla/downloads/pyramid-1.0b2.tar.gz os
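Before powering up the board, as an added example that is not from the book, this POSIX shell function cross-checks the pieces configured above: next-server in dhcpd.conf must equal the address tftpd-hpa binds to, the file named by filename must exist under the TFTP root, and the os symlink must resolve. The ROOT prefix argument is an assumption that lets it run against a staged copy of the files; pass "" on the server itself.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check the DHCP, TFTP and HTTP
# pieces of the PXE server. ROOT is a directory prefix ("" for the live system).
# Prints one line per problem and returns the number of problems found.
check_pxe_server() {
    root=${1:-}
    dhcpconf="$root/etc/dhcp3/dhcpd.conf"
    tftpdefaults="$root/etc/default/tftpd-hpa"
    problems=0

    # next-server and filename exactly as dhcpd will hand them to the board
    ns=$(sed -n 's/^[[:space:]]*next-server[[:space:]]*\([0-9.]*\);.*/\1/p' "$dhcpconf")
    fn=$(sed -n 's/^[[:space:]]*filename[[:space:]]*"\([^"]*\)";.*/\1/p' "$dhcpconf")
    [ -n "$ns" ] || { echo "dhcpd.conf: no next-server line"; problems=$((problems + 1)); }
    [ -n "$fn" ] || { echo "dhcpd.conf: no filename line"; problems=$((problems + 1)); }

    # tftpd-hpa must be enabled, bound to the next-server address (-a),
    # and serving the directory given as the last word of OPTIONS
    grep -q '^RUN_DAEMON="yes"' "$tftpdefaults" 2>/dev/null \
        || { echo 'tftpd-hpa: RUN_DAEMON is not "yes"'; problems=$((problems + 1)); }
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$tftpdefaults")
    bind=$(printf '%s\n' "$opts" | sed -n 's/.*-a[[:space:]]*\([0-9.]*\):[0-9]*.*/\1/p')
    tftproot=${opts##* }
    if [ "$bind" != "$ns" ]; then
        echo "tftpd binds to '$bind' but dhcpd hands out next-server '$ns'"
        problems=$((problems + 1))
    fi
    if [ ! -f "$root$tftproot/$fn" ]; then
        echo "boot file $tftproot/$fn not found under the TFTP root"
        problems=$((problems + 1))
    fi

    # the "os" symlink in the lighttpd document root must point at a real file
    if [ ! -L "$root/var/www/os" ] || [ ! -f "$root/var/www/os" ]; then
        echo "/var/www/os is missing or a dangling symlink"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```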
Then, temporarily change the IP address of your installation server with this command:
Network Installation of Pyramid on Fedora
You would rather install Pyramid Linux via PXE boot because you have several boards to install, or you have onboard Compact Flash, or you just prefer to do it this way. Your installation server runs Fedora Linux.
No problem, you can do this because the Soekris boards (and PC Engines, and all their little cousins) support netbooting. While the HTTP, TFTP, and DHCP services in this recipe can be on different machines, the examples here assume they are all on a single PC.
To get started, first download the latest Pyramid dd image or tarball from http://metrix.net/support/dist/ into the directory of your choice:
	$ wget http://metrix.net/support/dist/pyramid-1.0b2.img.gz
Then, you need these services installed:
  • DHCPD
  • TFTP
  • HTTP
  • Subversion
You don't need a big old heavyweight HTTP server like Apache. Lighttpd is great for lightweight applications like this. Install the necessary packages with this command:
	# yum install dhcp lighttpd tftp-server subversion
Copy this /etc/dhcpd.conf file exactly:
	# dhcpd.conf
	  subnet 192.168.200.0 netmask 255.255.255.0 {
	  range 192.168.200.100 192.168.200.200;

	  allow booting;
	  allow bootp;
	  next-server 192.168.200.1;
	  filename "PXE/pxelinux.0";

	  max-lease-time 60;
	  default-lease-time 60;
	}
next-server is the IP address of the boot server; it must be 192.168.200.1.
Next, configure tftp-server. All you do is change two lines in /etc/xinetd.d/tftp. Make sure they look like this:
	disable = no
	server_args = -svv /tftpboot -a 192.168.200.1:69
Change your working directory to /tftpboot, and download the PXE environment from Metrix's Subversion repository:
	root@penguina:/tftpboot # svn export http://pyramid.metrix.net/svn/PXE
This is about a 45 MB download.
Next, in your httpd root directory, /srv/www/lighttpd/, make a symlink to the Pyramid tarball or image you downloaded and name it "os":
	root@xena:/srv/www/lighttpd# ln -s /home/carla/downloads/pyramid-1.0b2.tar.gz os
Then, start all these services:
	# cd /etc/init.d/
	# ./xinetd start && ./lighttpd start && ./dhcpd start
Finally, connect the serial and Ethernet cables to your Soekris board, and fire up Minicom. Your CF card must be installed. It doesn't matter if a Linux distribution is already installed on it. Power up the board and enter the comBIOS. Enter
Booting Pyramid Linux
OK, so far so good—you have successfully installed Pyramid Linux on your Compact Flash card and plugged it into your Soekris board. Now, how do you log in to Pyramid and get to work?
You now have three ways to communicate with your Soekris board: serial link, Ethernet, and Pyramid's Web interface. The default login is root, password root. Boot up with the serial terminal connected and Minicom running, and you'll see a nice GRUB boot screen:
	   GNU GRUB version 0.95 (639K lower / 64512K upper memory)

	+---------------------------------------------------------------+
	| Metrix                                                        |
	| Shell                                                         |
	|                                                               |
	|                                                               |
	|                                                               |
	|                                                               |
	|                                                               |
	|                                                               |
	+---------------------------------------------------------------+
	     Use the ^ and v keys to select which entry is highlighted.
	     Press enter to boot the selected OS, 'e' to edit the
	     commands before booting, or 'c' for a command-line.
By default, it will boot to Metrix, which is Pyramid Linux. Shell is for fixing filesystem problems—it goes directly to a Bash shell without mounting any filesystems, starting any services, or loading any network drivers.
On the Soekris 4521, eth0 is the Ethernet port immediately to the left of the serial port. Pyramid's default address for eth0 is 192.168.1.1. (If this doesn't work with your LAN addressing, you can easily change it via Minicom.)
SSH is enabled by default, so you can log in over SSH:
	$ ssh root@192.168.1.1
Fire up a web browser on any connected PC, point it to 192.168.1.1, and you'll be greeted by the welcome screen.
A common task you'll boot to the Bash shell for is running the filesystem checker. This command turns on verbosity and answers "yes" to all questions:
Finding and Editing Pyramid Files
The web GUI doesn't do everything you want it to, or you just prefer editing text configuration files. Can you edit Pyramid files directly? How do you search for files without nice package-querying tools?
Pyramid is just a stripped-down Ubuntu Linux. If you know your way around an Ubuntu or Debian system (Ubuntu is a Debian derivative), Pyramid should be familiar ground.
Pyramid runs entirely in RAM. It mounts the filesystem read-only to extend the life of your Flash card, and to improve performance. To remount the filesystem read/write for editing, run this command:
	pyramid:~# /sbin/rw
When you're finished, remount the filesystem read-only:
	pyramid:~# /sbin/ro
You don't have Ubuntu's usual package-management tools for querying your installed packages, like dpkg, apt-cache, apt-get, Adept, or Synaptic. How do you find things? With that old-fashioned standby, the find command. This example searches the entire root filesystem for the file named iptunnel:
	pyramid:~# find / -name iptunnel
	/sbin/iptunnel
If you don't remember the exact filename, you can do wildcard searches (quote the pattern so the shell doesn't expand it before find sees it):
	pyramid:~# find / -name 'iptun*'
	/sbin/iptunnel
	pyramid:~# find / -name '*ptunn*'
	/sbin/iptunnel
You can start your search in any directory, like so: find /sbin -name pppd. To search the current directory, use a dot:
	# find . -name foo-config
If you're horrified at the thought of using the find command because you're used to it taking a long time, don't worry—with less than 50 MB to search, all find searches are quick.
  • man 1 find
Hardening Pyramid
You want your little routerboard to be as hardened as you can make it. What steps can you take to make it as secure as possible?
Your first job is to change root's password to something a little less obvious than "root," the default password. Run these commands:
	pyramid:~# /sbin/rw
	pyramid:~# passwd
Then, add an unprivileged user for remote logins over SSH:
	pyramid:~# useradd -m alrac
	pyramid:~# passwd alrac
You'll need to set the setuid bit on the su command so that ordinary users can su to root:
	pyramid:~# chmod u+s /bin/su
Next, harden OpenSSH: disable root logins over SSH, disable password logins, and set up public-key authentication. tells how to do all this.
Turn off unnecessary services and network interfaces. If you're not going to use the web interface or SSH login, turn them off. SSH is disabled by changing its startup command to a kill command, like this:
	pyramid:/etc/rc2.d# mv S20ssh K20ssh
The web GUI is disabled by commenting out this line in /etc/inittab:
	# Lighttpd (with FastCGI, SSL and PHP)
	HT:23:respawn:/sbin/lighttpd -f /etc/lighttpd.conf -m /lib -D > /dev/null 2>&1
Pay close attention to your application security. Because this is a multihomed device, configure your applications to use only the interfaces they need to, and allow only authorized users. Keep your user accounts tidy, and don't leave unused ones lying around. Use good strong passwords, written down and stored in a safe place.
Run Netstat locally and Nmap remotely to see what services are listening, and to see what the outside world sees.
When you're finished, don't forget to run /sbin/ro to set the filesystem back to read-only.
That's right, the same old basic steps for any Linux. They work.
  • , "Starting and Stopping Linux," in Linux Cookbook, by Carla Schroder (O'Reilly) to learn how to manage services
  • , "Managing Users and Groups," in Linux Cookbook
  • , "Remote Access," in Linux Cookbook
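An added example (not from the book): a POSIX shell audit of the steps in this recipe, run against a root prefix (a mounted CF card, a staged copy, or "" on the board itself). It returns the number of FAIL lines as its exit status, and reports the SSH and web-GUI startup state as informational lines only, since whether those stay on depends on how you use the box.

```shell
#!/bin/sh
# Added example, not from the book: check a Pyramid root for the hardening
# steps above. ROOT is a directory prefix; "" audits the running system.
audit_pyramid() {
    root=${1:-}
    findings=0
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }
    info() { echo "info: $1"; }

    # More than one uid-0 account is an extra root-equivalent login to track.
    nroot=$(awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$root/etc/passwd")
    [ "$nroot" -eq 1 ] || fail "$nroot accounts have uid 0 in /etc/passwd"

    # An unprivileged account with a real shell must exist for SSH logins.
    awk -F: '$3 >= 1000 && $7 !~ /(false|nologin)$/ { found = 1 } END { exit !found }' \
        "$root/etc/passwd" || fail "no unprivileged login account (uid >= 1000) for remote access"

    # root must have a password hash; an empty field is a passwordless root.
    awk -F: '$1 == "root" { exit ($2 == "") }' "$root/etc/shadow" \
        || fail "root has no password set"

    # su needs the setuid bit for an ordinary user to become root.
    case $(ls -l "$root/bin/su" 2>/dev/null) in
        -??[sS]*) ;;
        *) fail "/bin/su is missing the setuid bit" ;;
    esac

    # OpenSSH: no root logins, no password logins (keys only).
    sshd="$root/etc/ssh/sshd_config"
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$sshd" 2>/dev/null \
        || fail "sshd_config does not set PermitRootLogin no"
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$sshd" 2>/dev/null \
        || fail "sshd_config does not set PasswordAuthentication no"

    # What still starts at boot: an S??ssh link in rc2.d, the HT line in inittab.
    for link in "$root"/etc/rc2.d/S[0-9][0-9]ssh; do
        [ -e "$link" ] && info "sshd starts at boot ($link)"
    done
    grep -q '^HT:.*lighttpd' "$root/etc/inittab" 2>/dev/null \
        && info "web GUI enabled in /etc/inittab"

    return "$findings"
}
```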
Getting and Installing the Latest Pyramid Build
You want to try out the latest Pyramid build from Metrix's Subversion repository, instead of the official stable release. It has some features you want, or you want to contribute to the project by testing new builds.
You'll need a PXE boot installation server to make this work. Use the pyramid-export.sh script available from http://pyramid.metrix.net/trac/wiki/GettingPyramid to download the latest build and roll it into a tarball. Then, copy the tarball to your HTTP document root directory, and run the PXE boot installation in the usual way.
It's about a 100 MB download, and Subversion can be slow, so don't be in a hurry.
Adding Additional Software to Pyramid Linux
Pyramid doesn't come with everything you want; how can you add more software? It doesn't have any of the usual Ubuntu package management tools, nor any package management tools at all, so you're at a bit of a loss.
The process is a bit fiddly, but not that bad. You can add user-space applications, kernel modules, and even customized kernels. You need an Ubuntu liveCD and a PC to run it on. You don't need to install it to a hard drive; just boot it up on any PC, and then copy off any files you want. I know in I said to disable root log-ins over SSH, but for this task, you need to re-enable them, because the Ubuntu liveCD does not include an SSH server.
Suppose you want to install the Fortune program. Fortune displays a random fortune every time you run it, like this:
	$ fortune
	You will gain money by a fattening action.
Fortune comes with a number of different fortune databases, and you can easily create your own custom fortunes. It's a nice way to display a different Message of the Day every time users log in.
First boot up the Ubuntu liveCD. Then, find out what packages you need with the dpkg command:
	ubuntu@ubuntu:~$ dpkg -l | grep fortune
	ii  fortune-mod 1.99.1-3   provides fortune cookies on demand
	ii  fortunes-min 1.99.1-3  Data files containing fortune cookies
Next, find out what files are in the Fortune packages:
	ubuntu@ubuntu:~$ dpkg -L fortune-mod
	/.
	/usr
	/usr/games
	/usr/games/fortune
	/usr/bin
	/usr/bin/strfile
	/usr/bin/unstr
	/usr/share
	/usr/share/man
	/usr/share/man/man6
	/usr/share/man/man6/fortune.6.gz
	/usr/share/man/man1
	/usr/share/man/man1/strfile.1.gz
	/usr/share/doc
	/usr/share/doc/fortune-mod
	/usr/share/doc/fortune-mod/README.Debian
	/usr/share/doc/fortune-mod/copyright
	/usr/share/doc/fortune-mod/changelog.gz
	/usr/share/doc/fortune-mod/README.gz
	/usr/share/doc/fortune-mod/changelog.Debian.gz
	/usr/share/menu
	/usr/share/menu/fortune-mod
	/usr/share/man/man1/unstr.1.gz
The only files you need are the executables and any libraries they depend on. Don't bother with manpages because Pyramid Linux has no manpage viewer. You may omit all documentation and example files to save space.
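As an added example (not from the book), this POSIX shell pair turns a dpkg -L listing into the list of files that actually has to travel to Pyramid: directories and everything under /usr/share/doc, man and menu are dropped, and the shared libraries each executable links against are collected with ldd. The listing is read from stdin, so it runs on the liveCD or on a saved copy of the output.

```shell
#!/bin/sh
# Added example, not from the book: reduce "dpkg -L <package>" output to the
# files worth copying to Pyramid, then find the libraries they need.

# payload_from_listing: read dpkg -L output on stdin, print one path per line,
# skipping directories (any entry that prefixes another entry) and documentation.
payload_from_listing() {
    awk '
        { entry[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                p = entry[i]
                if (p == "/." || p ~ "^/usr/share/(doc|man|menu)(/|$)") continue
                isdir = 0
                for (j = 1; j <= NR; j++)
                    if (j != i && index(entry[j], p "/") == 1) { isdir = 1; break }
                if (!isdir) print p
            }
        }'
}

# needed_libs EXE...: absolute paths of the shared libraries the executables
# link against, deduplicated. Uses ldd on the liveCD; the dynamic loader line
# (no "=>") is left out because Pyramid already has its own.
needed_libs() {
    for exe in "$@"; do
        ldd "$exe" 2>/dev/null
    done | awk '$2 == "=>" && $3 ~ "^/" { print $3 }' | sort -u
}
```

Run payload_from_listing on the saved dpkg -L output, then hand its result to needed_libs, and the two lists together are what to scp to the board.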
Adding New Hardware Drivers
You are using a network interface card (NIC) that is not supported in Pyramid, and you want to install the driver.
You'll need a loadable kernel module. The easy way is to boot up an Ubuntu liveCD, find a module in /lib/modules/[kernel-version]/kernel/drivers/net, and copy it to the same directory on Pyramid. This example uses a placeholder module name, nicdriver.ko, and copies that single file (copying the whole directory would need scp -r):
	ubuntu@ubuntu:~$ scp /lib/modules/2.6.15-26-386/kernel/drivers/net/nicdriver.ko \
	root@192.168.1.1:/lib/modules/2.6.15.8-metrix/kernel/drivers/net/
Then, on Pyramid, run:
	pyramid:~# update-modules
To immediately load the module for testing use modprobe, like this example using the fake nicdriver.ko module:
	pyramid:~# modprobe nicdriver
Don't use the file extension, just the module name. To load it automatically at boot, place the module in /etc/modules with a comment telling what NIC it belongs to:
	#driver for Foo wireless pcmcia
	nicdriver
What if Ubuntu does not include the module? If it's a Linux kernel module, you'll have to build it from Ubuntu sources, then copy it to Pyramid. Use Ubuntu kernel sources. If it's a vendor module, follow their instructions for installation. But your best option is to use an NIC that is well-supported in the Linux kernel.
  • man 8 modprobe
  • man 8 lsmod
  • man 5 modules
  • Appendix C
  • , "Patching, Customizing, and Upgrading Kernels," in Linux Cookbook, by Carla Schroder (O'Reilly)
Customizing the Pyramid Kernel
You want to compile a custom kernel with everything built-in instead of hassling with kernel modules. Your little routerboard runs only a limited set of hardware, and it's not something you're going to be updating or modifying a lot. Additionally, this will save a fair amount of storage space on your Compact Flash card.
No problem. You need a build environment on a PC, with kernel sources and build tools. Build your kernel there, then copy it to your Pyramid board. Use Ubuntu kernel sources with Ubuntu patches. Fetch Ubuntu kernel sources and build tools with this command:
	$ sudo apt-get install linux-source linux-kernel-devel
That should get you everything you need.
If you want to start with the existing Pyramid kernel configuration, copy the /proc/config.gz file to your build machine:
	pyramid:/# scp /proc/config.gz carla@192.168.1.10:downloads/
Unpack it using gunzip:
	$ gunzip config.gz
Now you can build a new custom kernel and drop it into place on Pyramid. Remember to update /boot/grub/menu.lst with the new kernel name.
Pyramid consists of mostly unmodified Ubuntu binaries, so sticking with Ubuntu binaries and source files is the safest and easiest method for modifying it. As long as your Ubuntu CD is the same release as your Pyramid installation (Breezy, Dapper, and so forth), you shouldn't experience any compatibility problems.
To see how much space /lib/modules occupies, use the du command:
	pyramid:/# du --si -c /lib/modules/2.6.17.8-metrix
	...
	6.3M    /lib/modules/2.6.17.8-metrix
	6.3M    total
The kernel itself will occupy around 1 MB.
Typically, these little boards are "set it and forget it," so they are good candidates for statically compiled kernels.
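Before committing to an all-built-in kernel it helps to know how much of the Pyramid configuration actually lives in modules, and to get a built-in starting point without editing hundreds of lines by hand. The script below is an added example, not code from the book or from the Pyramid project; it relies only on the standard CONFIG_NAME=m / CONFIG_NAME=y syntax of a kernel .config, and the configuration fragment it runs on when called without arguments is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): audit a kernel .config for options that
# are still built as modules (=m) and produce a copy with them built in (=y),
# as a starting point for a static Pyramid kernel. Only the standard
# CONFIG_NAME=m / CONFIG_NAME=y syntax of .config is relied on.

# Print the names of options currently configured as modules.
list_modular() {
    sed -n 's/^\(CONFIG_[A-Za-z0-9_]*\)=m$/\1/p' "$1"
}

# Print the number of modular options in the file.
count_modular() {
    list_modular "$1" | wc -l | tr -d ' '
}

# Write $1 to $2 with every =m changed to =y.
# Run "make oldconfig" on the result afterwards: some options can only be
# modules, and the kernel's Kconfig dependencies, not this script, have the
# final say.
builtin_config() {
    sed 's/^\(CONFIG_[A-Za-z0-9_]*\)=m$/\1=y/' "$1" > "$2"
}

# Stand-alone demonstration on a constructed fragment of a .config.
demo() {
    cfg=$(mktemp) || return 1
    out=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
# constructed sample, not a real Pyramid config
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_E100=m
CONFIG_NATSEMI=m
# CONFIG_8139TOO is not set
EOF
    echo "modular options before: $(count_modular "$cfg")"
    list_modular "$cfg"
    builtin_config "$cfg" "$out"
    echo "modular options after:  $(count_modular "$out")"
    rm -f "$cfg" "$out"
}

# With a .config path as argument, report on it; otherwise run the demo.
if [ -n "$1" ]; then
    echo "modular options in $1: $(count_modular "$1")"
    list_modular "$1"
else
    demo
fi
```

Run it as `sh kconfig-static.sh config` against the unpacked Pyramid config to see the list of drivers you will be building in; the converted file is only a draft, and `make oldconfig` will still ask about anything the flip made inconsistent.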
  • "Patching, Customizing, and Upgrading Kernels," in Linux Cookbook, by Carla Schroder (O'Reilly)
Updating the Soekris comBIOS
The comBIOS on your Soekris board is old, so you have downloaded a newer version. How do you install it? Is it safe? Will you turn your routerboard into a high-tech doorstop?
Relax, it's fast and easy. The only risk is a power failure during the actual flash write; if that happens, your board could indeed be rendered useless. The write itself takes only a few seconds, so the window is small, but don't start it on a flaky power supply.
First, download the updated comBIOS to your PC from http://www.soekris.com/downloads.htm.
Then, upload the file over the serial link to the Soekris board. To do this, enter the comBIOS by pressing Ctrl-P during the boot countdown, before Pyramid starts. At the BIOS command line, enter the download - command (that's download, space, hyphen) and press Enter; the BIOS now waits for an Xmodem transfer.
Next, press Ctrl-A, S (that's Ctrl-A, release, S, release) to bring up Minicom's send-file menu. Select Xmodem from the list of protocols. Navigate to the upgrade file by using the spacebar to select any directories you want to change into, and then the file itself. (Sometimes it takes a couple of spacebar hits to change to a new directory.) The file is small, but it takes a couple of minutes to transfer over the serial link. You'll see a transfer status window like the one in the figure captioned below.
When the file is finished downloading, and you are back at the BIOS command prompt, type flashupdate:
	> flashupdate
	.Erasing Flash.... Programming Flash......... Verifying Flash.... Done.

	>
Reboot, and that's all there is to it.
You're using both comBIOS and Minicom commands to perform the upload. Press Ctrl-A, Z at any time for Minicom help.
If you get a "Failure executing protocol" error, you need to install lrzsz on the PC that you're running Minicom from.
Figure : Downloading a file using the Xmodem protocol on Minicom
If you are too slow, you'll get a bunch of "Retry 0: NAK on sector" errors, and it will time out. It's rather impatient, so don't dink around.
Read the changelog at http://www.soekris.com/downloads.htm for useful information.
  • man 1 minicom
Chapter 3: Building a Linux Firewall
In this chapter, you'll learn how to build a Linux iptables firewall from scratch. While the recipes are aimed at DSL and cable Internet users, they also work for T1/E1 customers. In fact, a Linux box with a T1 interface card is a great alternative to expensive commercial routers. If you're a normal business user and not an ISP that needs Buick-sized routers handling routing tables with hundreds of thousands of entries, then Linux on good-quality x86 hardware will serve your needs just fine.
A Linux border firewall can provide security and share an Internet connection for a whole LAN, which can contain Linux, Windows, Mac, and other PCs. A host firewall protects a single PC. There are a multitude of hardware choices for your firewall box, from small single-board computers, to recycled old PCs, to rackmount units. Any Linux distribution contains everything you need to build a sophisticated, configurable, reliable firewall on any hardware.
Definitions and roles get a bit blurry, as an iptables firewall does both packet filtering and routing. You could call it a filtering router.
iptables is the key to making everything work. Having a solid understanding of how iptables works and how to write custom rules will give you mighty network guru powers. Please study Oskar Andreasson's Iptables Tutorial (http://iptables-tutorial.frozentux.net/) and Craig Hunt's TCP/IP Network Administration (O'Reilly) to get a deeper understanding of how iptables and TCP/IP work. Another excellent resource is the Netfilter FAQ (http://www.iptables.org/documentation/index.html). At the least, you should know what headers IP, TCP, UDP, and ICMP packets contain, and the section "Traversing Of Tables and Chains" in the Iptables Tutorial is especially helpful for understanding how packets move through iptables. If you don't understand these things, iptables will always be mysterious.
Firewalls and routers are often combined on the same device, which is often called an Internet gateway. Strictly speaking, a gateway moves traffic between networks that use different protocols, such as NetBEUI and TCP/IP, which is not something we see much anymore. These days, the term means any network device that connects networks.
Assembling a Linux Firewall Box Problem
You want to build your own Internet firewall box for your cable or DSL Internet line, on ordinary x86 hardware, using your favorite Linux distribution. You want Internet connection sharing and a firewall, and you need to know what hardware components to use. You already have installation disks, or some other method of installing the operating system.
The Linux distribution you want to use determines your hardware requirements. Some distributions require more horsepower than others, so don't assume you can use some feeble old antique PC without checking. This chapter's Introduction lists a number of specialized firewall distributions.
You'll need these items to build and set up your firewall box:
  • A PC with at least two Ethernet interfaces
  • A second PC and a crossover cable for testing
You'll connect only the LAN interface until your firewall has been installed and configured.
Go ahead and install your chosen Linux distribution, then follow the recipes in this chapter to configure your network interfaces and firewall.
Install net-tools and Nmap because you will use them a lot in this chapter. They should also be installed on a second PC for testing. Debian users will also need to install the ifrename package.
Repurposing old PCs saves money and keeps them out of landfills. They can be customized any way you like. They also make dandy test-and-practice boxes. The drawbacks are size, noise, power consumption, and the fact that they may not be reliable, just from being old.
An excellent alternative to an old PC is a single-board computer like the PC Engines WRAP boards or Soekris boards. These cost between $150 and $400, depending on which features and accessories you get. They use little power, are small and silent, and very sturdy. (See the Pyramid and Soekris recipes earlier in this book to learn how to use one of these.)
WRAP and Soekris boards come in several different configurations. You'll need a minimum of two Ethernet ports. You'll need three if you plan to run servers inside a DMZ. Two Ethernet ports plus two PCMCIA slots and a mini-PCI slot will give you the flexibility to mix-and-match wired and wireless in a number of different ways.
Configuring Network Interface Cards on Debian
You have installed Debian Linux on your firewall box, so you're ready to configure your network interface cards.
In Debian, you'll edit /etc/network/interfaces and /etc/iftab. /etc/iftab is part of the ifrename package.
First, configure the LAN NIC with a static IP address appropriate for your private addressing scheme. Don't use DHCP to assign the LAN address. Configure the WAN interface with the account information given to you by your ISP. These examples show you how to set a static local IP address and a dynamic external address.
Do not connect the WAN interface yet.
In this example, eth0 is the LAN interface, and eth1 is the WAN interface:
	##/etc/network/interfaces

	# The loopback network interface
	auto lo
	iface lo inet loopback

	#lan interface
	auto eth0
	iface eth0 inet static
	     address 192.168.1.26
	     netmask 255.255.255.0
	     network 192.168.1.0
	     broadcast 192.168.1.255

	#wan interface
	auto eth1
	iface eth1 inet dhcp
If your WAN address is a static public routable IP address, configure the WAN interface using the information supplied by your ISP. This should include your ISP's gateway address, and your static IP address and netmask, like this:
	auto eth1
	iface eth1 inet static
	       address 1.2.3.4
	       netmask 255.255.255.0
	       gateway 1.2.3.55
Then, add your ISP's DNS servers to /etc/resolv.conf. Skip this step for a DHCP WAN address: the DHCP client writes /etc/resolv.conf itself from the name servers your ISP hands out, and would overwrite your entries at the next lease renewal.
	##/etc/resolv.conf
	nameserver 1.2.3.44
	nameserver 1.2.3.45
There is one more step just for Debian: nail down the interface names with ifrename. First, find the MAC addresses of your interfaces with ifconfig -a:
	$ ifconfig -a
	eth0 Link encap:Ethernet HWaddr 00:0B:6A:EF:7E:8D
	[...]
The MAC address is the HWaddr. Enter your two MAC addresses and interface names in /etc/iftab:
	##/etc/iftab
	eth0 mac 11:22:33:44:55:66
	eth1 mac aa:bb:cc:dd:ee:ff
If /etc/iftab does not exist, you must create it.
The LAN address of your firewall is the gateway address you'll be setting on all of your LAN PCs, so don't complicate your life by using a dynamically assigned address.
Using ifrename is the easiest way to make sure your network cards keep the correct configurations on Debian systems. Usually, interfaces will come up in the same order, and the kernel will assign them the same names, but sometimes this can change (e.g., after a kernel upgrade or adding another network card). Your nice Linux firewall won't work with the network interfaces mixed up, so it is best to nail them down. An additional bonus is you can easily name your interfaces anything you want with
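This is not just a convenience problem. Your iptables rules will name the interfaces (the Internet side is "-i eth1" in this layout), so if the kernel swaps the names, the WAN rules land on the LAN card and the Internet-facing port ends up treated as the trusted side. Pinning the MACs in /etc/iftab is the fix, and it is worth verifying the pinning before the rules are loaded. The script below is an added example, not code from the book or from the ifrename package: it derives iftab lines from the classic net-tools "ifconfig -a" output shown above and checks the live name-to-MAC mapping against the file, so you can call it from your firewall script and refuse to load rules on a mismatch. The interface names and MAC addresses in its built-in sample are constructed.

```shell
#!/bin/sh
# Added example (not from the book): derive /etc/iftab lines from the classic
# "ifconfig -a" output and verify, before the firewall rules are loaded, that
# each pinned interface name still carries the MAC address it was pinned to.
# The ifconfig output format ("eth0 Link encap:Ethernet HWaddr 00:0B:...") is
# the net-tools format shown in the recipe; the sample data below is constructed.

# Read "ifconfig -a" text on stdin; print "name mac xx:xx:xx:xx:xx:xx" lines.
ifconfig_to_iftab() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "HWaddr") print $1, "mac", tolower($(i + 1))
    }'
}

# Compare the live mapping ("ifconfig -a" on stdin) with the iftab file $1.
# Prints one line per problem and returns 1 if the file has no mac entries or
# any name/MAC pair is missing or mismatched; returns 0 when everything
# matches. Comment lines in iftab are ignored.
iftab_check() {
    ifconfig_to_iftab | awk -v iftab="$1" '
        BEGIN {
            nwant = 0
            while ((getline line < iftab) > 0) {
                n = split(line, f, " ")
                if (n >= 3 && f[1] !~ /^#/ && f[2] == "mac") {
                    want[f[1]] = tolower(f[3])
                    nwant++
                }
            }
        }
        { have[$1] = $3 }
        END {
            bad = 0
            if (nwant == 0) { print "NO MAC ENTRIES in " iftab; bad = 1 }
            for (name in want) {
                if (!(name in have)) {
                    print "MISSING  " name ": expected " want[name] ", no such interface"
                    bad = 1
                } else if (have[name] != want[name]) {
                    print "MISMATCH " name ": has " have[name] ", iftab says " want[name]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Usage: sh iftab-check.sh /etc/iftab   (reads the live "ifconfig -a")
# Without an argument, a constructed sample is used so the script can be
# exercised without touching real interfaces.
if [ -n "$1" ]; then
    ifconfig -a | iftab_check "$1" && echo "interfaces match $1"
else
    SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:0B:6A:EF:7E:8D
eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
lo        Link encap:Local Loopback'
    tab=$(mktemp) || exit 1
    printf '%s\n' "$SAMPLE" | ifconfig_to_iftab | tee "$tab"
    printf '%s\n' "$SAMPLE" | iftab_check "$tab" && echo "interfaces match iftab"
    rm -f "$tab"
fi
```

To generate the real file once, run `ifconfig -a | ifconfig_to_iftab > /etc/iftab` from the script's functions, then review it; afterwards, `sh iftab-check.sh /etc/iftab || exit 1` at the top of your firewall script stops the rules from being loaded onto the wrong interfaces.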
Configuring Network Interface Cards on Fedora
You have installed Fedora Linux on your firewall box, and now you're ready to give your network interface cards their final, working configurations.
Fedora gives each network interface a separate configuration file. You'll be editing /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/sysconfig/network-scripts/ifcfg-eth1.
First, configure the LAN interface with a static IP address appropriate for your private addressing scheme. Don't use DHCP to assign the LAN address.
Configure the WAN interface with the account information given to you by your ISP.
These examples show how to set a static local IP address and a dynamic external IP address.
Do not connect the WAN interface yet.
In this example, eth0 is the LAN interface and eth1 is the WAN interface:
	##/etc/sysconfig/network-scripts/ifcfg-eth0
	#use your own MAC address and LAN addresses
	DEVICE=eth0
	HWADDR=11:22:33:44:55:66
	BOOTPROTO=none
	ONBOOT=yes
	NETMASK=255.255.255.0
	IPADDR=192.168.1.23
	NETWORK=192.168.1.0
	USERCTL=no

	##/etc/sysconfig/network-scripts/ifcfg-eth1
	#use your real MAC address
	DEVICE=eth1
	HWADDR=AA:BB:CC:DD:EE:FF
	BOOTPROTO=dhcp
	USERCTL=no
How do you get the MAC addresses and interface names? Run ifconfig -a:
	$ ifconfig -a
	eth0 Link encap:Ethernet HWaddr 00:0B:6A:EF:7E:8D
	[...]
And that's all you need to do, because you'll get all your WAN configuration from your ISP's DHCP server. The HWADDR line ties each configuration file to one physical card; the network scripts use it to keep the interface names matched to the right cards, much as ifrename does on Debian, so fill it in with the real addresses.
If your WAN address is a static IP address, configure the WAN NIC the same way as the LAN address using the information supplied by your ISP. This should include your ISP's gateway address, and your static IP address and netmask. Then, add your ISP's DNS servers to /etc/resolv.conf:
	##/etc/resolv.conf
	nameserver 11.22.33.44
	nameserver 11.22.33.45
Restart networking or reboot, and you're ready for the next steps.
The LAN IP address of your firewall is the gateway address you'll be setting on all of your LAN PCs, so don't complicate your life by using a dynamically assigned address.
Routers typically run headless, without a keyboard or monitor. If your Ethernet networking gets all goofed up, the serial console will save the day. See the serial console recipe to learn how to set this up.
Identifying Which NIC Is Which
You have successfully installed two NICs in your new soon-to-be Linux firewall, but you realize that you don't know how to tell which physical card is eth0 and which one is eth1.
The most reliable way is to connect a second PC to one NIC at a time with the crossover cable and ping the firewall's LAN address from it: it answers only when the cable is in the LAN interface. Once you know which is which, label them. Using two different interface cards with different drivers also helps keep them sorted out, though it's not required. On drivers that support it, ethtool -p eth0 blinks the port's LED for a few seconds, which is a quick way to spot the card, but not every driver implements it, so the ping test remains the fallback.
If your needs grow to where you need three or four Ethernet adapters, consider purchasing two- or four-port Ethernet adapters. They are configured and managed in exactly the same way as single-port cards, with the advantages of using fewer PCI slots and requiring fewer interrupts. They're more expensive because they are designed for server duty, so they are more robust and come with more features.
Soekris single-board computers can have up to eight 10/100 Ethernet ports.
There is no instant, universal method for identifying which NIC is eth0 or eth1, whether you are installing them for the first time or afterward. It takes just a couple of minutes to do the ping test and label them, and it will save many hassles down the road.
USB Ethernet adapters are worth considering if you shop carefully and purchase only models with native Linux drivers.