Web Hosting through Linux and DSL

Ethernet Interfaces

In this reference configuration, one NIC (network interface card) provides connectivity to the Cisco 675 modem and the other provides communication with the switch/hub.  This configuration is commonly referred to as dual-homed or multi-homed.  Two cards are used so that every packet between the LAN and the internet has to pass through the network security software on this machine; in effect, the box is the firewall.  Since there are two Ethernet cards, you need to set up two Ethernet interfaces.  You can do this with the linuxconf application, under Networking->Basic Client Configuration.

The first interface, eth0, provides connectivity to the LAN.  I give this interface a static IP address.  You could use DHCP if you have a server on your LAN that hands out addresses, but your other LAN clients use this interface's address as their default gateway, so it should never change.  I use a static IP in the 192.168.x.x range; any private (non-routable) range will do, as long as it does not overlap the range the 675 hands to eth1.  I set the netmask to 255.255.255.0 on this interface.

The second interface, eth1, provides connectivity to the Cisco 675 and through it to the internet (the WAN).  Zoomtown uses dynamic IP addresses, so set this interface up for DHCP.  The 675 will provide the IP address for this interface when the machine boots.   See DHCP Configuration below for the changes required on Red Hat 6.1.

DHCP Configuration

Because eth1 uses DHCP to obtain an IP address, you need to run a DHCP client.  By default, Red Hat 6.1 uses a program called pump as its DHCP client.  My setup would always hang when I tried this out-of-the-box configuration.  The person who helped me install the Zoomtown service pointed me toward a program called dhcpcd (it ships with Red Hat as well).  All we had to do was change the /sbin/ifup script to call dhcpcd instead of pump, and the process works like a champ.  Keep in mind that /sbin/ifup belongs to the initscripts package, so this edit will be lost if that package is upgraded; make a note of it.

The change to the /sbin/ifup script is a single line.  Change this:

if /sbin/pump $PUMPARGS -i $DEVICE ; then

to this:

if /sbin/dhcpcd -r $DEVICE ; then

IP Forwarding

IP forwarding allows packets received on one Ethernet interface to be sent out another.  Since our firewall machine is multi-homed, we need this to move packets between the internal (LAN) interface and the external (WAN) interface.  Be aware that once forwarding is on, the kernel will route between the two networks whatever the forward chain permits, so the forward policy and masquerade rules from the next section should be in place too.  You can confirm the setting took effect with cat /proc/sys/net/ipv4/ip_forward, which should print 1.

In the Red Hat 6.1 setup it is as simple as editing /etc/sysconfig/network to contain the following entry:

FORWARD_IPV4="yes"

IP Masquerading

As the name suggests, IP masquerading rewrites packets that originate on the internal (LAN) interface so that they appear to come from the address of the external (WAN) interface, and maps the replies back to the internal machine (this is network address translation).  This feature of the Linux IP stack is only needed if you want the machines on your internal network to reach the internet without going through a proxy server.  I cover proxy services in more detail in the web services section.

To turn on masquerading, use the following ipchains commands to set some kernel-level IP options:

/sbin/ipchains -M -S 7200 10 60
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 10.0.0.0/8 -j MASQ

I run these from the /etc/rc.d/rc.local script.  You may recognize ipchains as the tool used to filter traffic for your network; here it is used to enable masquerading (the -M -S line sets the masquerade timeouts for TCP, TCP FIN-wait and UDP sessions, in seconds) and to set a DENY policy on the forward chain, so that only traffic from the LAN range is forwarded.  The source network in the MASQ rule must be the range you chose for eth0 (the example above used 192.168.x.x; adjust the rule to match), and it should not be a range your provider also uses on the WAN side.  The packet-filtering rules that actually protect the firewall itself are covered in the ipchains section.
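As an added example (not the page's own rc.local), here is a small sh script that prints the ipchains commands for this dual-homed setup with the restrictions a practitioner would want on top of the three lines above: forwarding is switched on, the forward chain defaults to DENY, only packets from the LAN range leaving via the WAN interface are masqueraded, and packets that arrive on the wrong interface for their source address are dropped and logged.  It also refuses to emit anything if the WAN address falls inside the LAN range, which is exactly the collision you get by picking a 10.x LAN when the provider also hands out 10.x addresses.  The interface names, the 192.168.1.0/24 range and the 10.12.34.56 WAN address are assumed values, not from the page.

```sh
#!/bin/sh
# Added example (not the page's rc.local): emit the ipchains commands for a
# dual-homed Red Hat 6.x gateway, restricted to the LAN network and the WAN
# output interface, and refuse if the WAN address sits inside the LAN network.
# Interface names, the LAN range and the WAN address are assumptions; pass
# your own on the command line.

# ip2int A.B.C.D -> the address as a 32-bit integer (runs in a subshell so the
# IFS change does not leak)
ip2int() (
    IFS=.
    set -- $1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# in_net ADDR NET/BITS -> true (exit 0) when ADDR lies inside NET/BITS
in_net() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    # network mask with the top $bits bits set (4294967296 = 2^32)
    mask=$(( 4294967296 - (1 << (32 - bits)) ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# masq_rules LAN_NET LAN_IF WAN_IF WAN_ADDR -> prints the commands on stdout.
# In the ipchains forward chain, -i names the interface the packet will leave
# on, so "-i $wan_if -s $lan_net" means "LAN sources going out to the WAN".
masq_rules() {
    lan_net=$1; lan_if=$2; wan_if=$3; wan_addr=$4
    if in_net "$wan_addr" "$lan_net"; then
        echo "masq_rules: WAN address $wan_addr lies inside LAN net $lan_net; choose another LAN range" >&2
        return 1
    fi
    cat <<EOF
# harmless if FORWARD_IPV4="yes" already did this at boot
echo 1 > /proc/sys/net/ipv4/ip_forward
# masquerade timeouts: TCP, TCP FIN-wait, UDP (seconds), as on the page
/sbin/ipchains -M -S 7200 10 60
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i $wan_if -s $lan_net -j MASQ
# anti-spoofing: a packet arriving on $wan_if claiming a LAN source is bogus; drop and log it
/sbin/ipchains -A input -i $wan_if -s $lan_net -j DENY -l
# and a packet arriving on $lan_if from outside the LAN range is equally bogus
/sbin/ipchains -A input -i $lan_if -s ! $lan_net -j DENY -l
EOF
}

# Run stand-alone with four arguments to print the rules, e.g.
#   sh masq-rules.sh 192.168.1.0/24 eth0 eth1 10.12.34.56
if [ $# -eq 4 ]; then
    masq_rules "$@"
fi
```

Review the printed rules before piping them into sh or pasting them into rc.local; the -M -S line is the page's timeout setting and the two input-chain rules are the addition that catches address spoofing across the two interfaces.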

In addition to regular IP masquerading, the Linux ipchains kernel features also let you masquerade PPTP/IPsec traffic.  I just added this to my server so I can access a Windows 2000 VPN solution for my new job.  Rather than plugging my laptop directly into my DMZ, I opted to get the PPTP/IPsec masquerading patches working on my firewall.  Now I have the best of both worlds: I am connected to my LAN behind the protection of my firewall and can gain access to my company's VPN.  For specifics on how to get this to work, check the following websites:

Domain Name Services

Since DHCP sets the gateway and DNS servers when the IP address is assigned, your Linux machine will know how to resolve hostnames.  I use Zoomtown's DNS servers as the DNS entries on all of my internal machines (via my internal DHCP server, which hands out addresses to all of the machines on my LAN).  Alternatively, you can run your own DNS server to serve names local to your network.  As long as it is connected to the internet, that server answers for the zone it is authoritative for and resolves everything else by forwarding or referral to the public DNS servers.  For example, I could have a domain local.the-woods.org of which my LAN machines would be members.  The DNS server for this domain would resolve *.local.the-woods.org addresses itself, and names like www.redhat.com would be resolved non-authoritatively through referral.

Most providers will not give you a true static routable IP address.  For example, Zoomtown gives you a static non-routable 10.x.x.x address for your 675, and uses NAT to translate that non-routable address to a dynamic routable one when you log into their network.  Dynamic DNS providers like tzo.com let you register your current routable dynamic IP with their DNS servers each time your ISP hands you a new one.

If you want to host websites or email services, you will need Dynamic DNS to map your changing address to a domain name.  For example, I register the-woods.org and magnus.the-woods.org with tzo.com each time my machine logs into Zoomtown, so that mail can be delivered and so you can visit this page!

To get your own domain name, visit Network Solutions.

Zippy

Zippy is indeed our friend (provided you are a Zoomtown subscriber).  This Perl script uses various libraries to keep your connection alive and to re-login and re-register your Dynamic DNS entries for you, so that your connection is always active.

I have made a few changes to zippy.  I ripped out support for things I don't need (YI/multiple ISPs, NAT, etc.) and made the process cron-driven (no more "zippy stopped running, so my site went down!").  This scaled-down version, zippy2, runs every minute and caches the IP address in a file in /tmp.  It has been working for some weeks now, so feel free to give it a shot.  You will still need to download various Perl libraries from CPAN to get it running.  This version is for Zoomtown/TZO subscribers only!  One caveat: /tmp is world-writable, so any local user could replace or pre-create that cache file; if other people have accounts on the firewall, keep the cache in a root-owned directory such as /var/run instead.

You need the following Perl modules to get either version of zippy to work:

To build each module, follow these steps:

  • gunzip -c [filename.tgz] | tar xf -
  • cd [new directory]
  • perl Makefile.PL
  • make 
  • make test
  • make install

An alternative is to use the CPAN module.  If you know about that you don't need my help!
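The cron-driven part of zippy2 (read the current address every minute, compare it to the cached one, re-register only when it changed) is easy to get subtly wrong, so here is that pattern as an added example in portable sh, not the zippy or zippy2 Perl code.  It reads the address from ifconfig output, keeps the cache in a root-owned state file instead of /tmp, writes the cache atomically so two overlapping cron runs cannot see a half-written file, and only records the new address after the registration command succeeds.  The ifconfig sample, the /var/run/ddns.addr path, the eth1 interface and the tzo-register command are assumptions; the actual TZO login is not shown on the page, so it is whatever command you pass in.

```sh
#!/bin/sh
# Added example, not the zippy/zippy2 Perl script from the page: the
# cron-driven "register only when the address changed" idea in portable sh.
# Assumptions: the address is read from `ifconfig eth1` output, the cache
# lives in a root-owned directory (not /tmp, which any local user can write
# to), and the actual TZO login is whatever command you pass as the third
# argument (the page does not show that part of zippy2).

# wan_addr_from_ifconfig: print the first IPv4 address from ifconfig output on
# stdin, accepting both the 2.2-era "inet addr:1.2.3.4" form and "inet 1.2.3.4".
wan_addr_from_ifconfig() {
    sed -n 's/.*inet \(addr:\)*\([0-9][0-9.]*\).*/\2/p' | head -n 1
}

# update_if_changed STATE_FILE ADDR CMD [ARGS...]
# Runs "CMD ARGS... ADDR" only when ADDR differs from the cached one, then
# records ADDR.  Exit status: 0 registered, 1 unchanged (nothing to do),
# 2 ADDR is empty or contains something other than digits and dots,
# 3 the registration command failed (the cache is left untouched so the next
# run retries).
update_if_changed() {
    state=$1; addr=$2; shift 2
    case $addr in
        "" | *[!0-9.]*) echo "update_if_changed: bad address '$addr'" >&2; return 2 ;;
    esac
    if [ -f "$state" ] && [ "$(cat "$state")" = "$addr" ]; then
        return 1
    fi
    "$@" "$addr" || return 3
    # write-then-rename so a concurrent cron run never reads a half-written file
    printf '%s\n' "$addr" > "$state.tmp" && mv "$state.tmp" "$state"
}

# Cron line assumed for the real thing (every minute, as zippy2 does):
#   * * * * * /usr/local/sbin/ddns-check
# where ddns-check is this file plus the three lines below; tzo-register is a
# placeholder for your own registration command:
#   umask 077
#   addr=$(/sbin/ifconfig eth1 | wan_addr_from_ifconfig)
#   update_if_changed /var/run/ddns.addr "$addr" /usr/local/sbin/tzo-register
```

Because the cache is only rewritten after the registration command exits 0, a failed login (provider down, bad password) is retried on the next minute rather than silently recorded as done, which is the failure mode that leaves a site unreachable with the wrong address in DNS.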


Links

  • Network Solutions: register your own domain name
  • tzo.com: provides DNS for folks with dynamic IP addresses
  • How Tos: Networking, Masquerading, IP Chains, HOW TO Library
  • Misc: dhcp config, Zippy owner, CPAN Library
