----------------------------------------
EigerStein Ethernet to Ethernet Firewall
----------------------------------------

Written by: Charles Steinkuehler
Last Revised: 6/27/00

Disclaimer: This procedure works for me on my test systems. Your results may vary.

Please note that I have made absolutely no changes to the default IPCHAINS firewall script. You should examine the firewall setup to determine if it is appropriate and safe in your environment.

----------------------------------------

Useful LRP related links:

http://lrp.steinkuehler.net/
http://lrp.c0wz.com/
http://www.linuxrouter.org/
http://www.linuxrouter.sourceforge.net/
http://lrp.ramhb.co.nz/main.htm
http://beta-linuxrouter.razorsedge.com/
http://lrp.plain.co.nz/
http://wpkgate.kc.com.my.cpwright.com/lrp/

----------------------------------------

You might also want to read up on basic linux networking, including IP masquerading and IPCHAINS. There are many FAQs and HOWTOs available online. Remember, LRP is 'real' linux, so most mainstream linux documentation applies directly to your LRP box. Keep in mind when you are looking up documentation that Eiger runs kernel 2.2.13 and uses the newer commands (ipchains and ip instead of ipfwadm and ifconfig).

----------------------------------------

Things to add:

PPPoE disk image - I do not have access to a PPPoE server, so I can't do much to help out here...try to get a static IP or normal DHCP connection from your ISP if possible...you'll be happier in the long run :-)

----------------------------------------

BEFORE YOU GET STARTED:

You will need a few things, so try to track them all down before getting started.

1) A machine to run LRP. You need a 486 DX or better (or an FPU), two network cards, a 3 1/2" floppy drive, and 12 Meg RAM (16 Meg RAM recommended).
2) Knowledge about which linux kernel modules your ethernet cards require. The best place to learn about this is section 5 of the Linux Ethernet HOWTO:
   http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO-5.html
3) A copy of the self-extracting disk image (available where you found this file)
4) A blank 1.44 Meg floppy disk
5) A Windows 95/98/NT/2K machine to extract the disk image

SETUP INSTRUCTIONS:

ALL VERSIONS:

1) Run the disk image file to create your LRP boot disk. If you need to specify the drive to use (drive A: is used by default), you can run the file from a command prompt and specify the drive (i.e. 'EigerStein B:')
2) Boot the disk on your LRP machine
3) Log in as root (no password is necessary)
4) You should see a configuration screen. If not, type lrcfg
5) Select menu item 3, then 2, then 1, to edit /etc/modules
6) Uncomment the module(s) needed for your ethernet card(s). All modules listed in the file are already on your LRP disk. If you are using ne.o, ne2k-pci.o, or e2100.o, you will also need to uncomment 8390.o
   NOTE: If the modules you need are not listed, you will have to add them to your LRP disk. See below.
7) Save the file (Ctrl-w) and exit (Ctrl-q)
8) Return to the main lrcfg menu
9) IMPORTANT: BACKUP YOUR CHANGES OR THEY WILL BE LOST!
10) Select LRP menu item b, then 5 to backup changes to modules
11) At this point, if you have a dynamic IP address, you're done. Reboot the LRP machine and see the section on configuring your clients. If you have a static IP address, continue on with the next section.
STATIC IP ONLY:

1) Exit the lrcfg menu system to get to a command prompt
2) Mount the LRP disk
   mount -t msdos /dev/fd0u1680 /mnt
3) Edit the syslinux configuration file
   ae /mnt/syslinux.cfg
4) Remove dhclient from the list of packages to load
   old: LRP=etc,log,local,modules,dhcpd,dnscache,dhclient
   new: LRP=etc,log,local,modules,dhcpd,dnscache
5) Save the file (Ctrl-w) and exit (Ctrl-q)
6) Optional: Delete the dhclient package
   rm /mnt/dhclient.lrp
7) Unmount the LRP disk
   umount /mnt
8) Return to the lrcfg menu
   lrcfg
9) Select menu item 1, then 1 to edit /etc/network.conf
10) Modify the following lines as appropriate for your setup. The values to enter here should have been provided by your ISP.
   CONFIG_DNS=YES
   IF_AUTO="eth0 eth1"
   eth0_IPADDR=your.static.ip.address
   eth0_MASKLEN=your network mask length (i.e. 24)
   eth0_BROADCAST=your network broadcast address
   eth0_DEFAULT_GW=your.network.gateway.address
   DO NOT CHANGE the eth1 settings
   EXTERN_DHCP=NO
   EXTERN_IP=your.static.ip.address
   Leave DNS0 set to 192.168.1.254 to use the local dnscache
   Optional:
   DNS1=your.primary.dns.server
   DNS2=your.secondary.dns.server
   IMPORTANT: You have to enter your static IP address in TWO PLACES! Make sure you updated the EXTERN_IP setting.
11) Save the file (Ctrl-w) and exit (Ctrl-q)
12) Return to the main lrcfg menu
13) IMPORTANT: BACKUP YOUR CHANGES OR THEY WILL BE LOST!
14) Select menu item b, then 2 to backup changes to /etc
15) Reboot
16) You should have a fully functional masquerading firewall. See the section on configuring your client machines.

CLIENT CONFIGURATION:

Clients that support automatic configuration via DHCP can be automatically configured by your firewall. Just enable DHCP (called 'obtain an IP address automatically' in some windows versions). For clients that cannot use DHCP, you must manually configure their network settings.
   IP Address      = 192.168.1.200 - 192.168.1.253
   Subnet Mask     = 255.255.255.0
   Default Gateway = 192.168.1.254
   Primary DNS     = 192.168.1.254
   Secondary DNS   = Your ISP's DNS server

NOTE: IP addresses in the range 192.168.1.1 - 192.168.1.199 are assigned by the LRP box to DHCP clients. Addresses 192.168.1.2xx are available for static IP clients, except for the address 192.168.1.254, which is the IP address of the LRP box itself.

ETHERNET CONNECTIONS:

eth0 = External - Connect to cable-modem, DSL modem, etc.
eth1 = Internal - Connect to hub/switch for internal network

OK, but which network card is eth0 and which is eth1? Well, it kind of depends. If you have two different types of network cards, eth0 is the card whose driver gets loaded first. If you have two of the same network card (or cards that use the same kernel module), which one is which depends on the device driver. PCI cards are usually ordered by slot ID (which slot is first is motherboard specific). ISA cards have been reported to use all sorts of wacky schemes, including base address, MAC address, command line specification order, and others.

I usually don't try to figure out which card is which. Just hook up both cards and boot your LRP system. Log in as root, and exit from the lrcfg menu to a command prompt by pressing 'q'. Now ping an address on the internal network (there doesn't actually have to be a computer with the IP address you are using):

   ping 192.168.1.1

Leave the ping command running and go around to the back of the computer. You should see the activity light on one of the network cards flashing once a second. The interface with the once-a-second blink is your internal interface (you may have to watch for a while if you are on a cable modem or there is traffic on your internal network). If you guessed right (you had a 50-50 chance), congratulations...otherwise just swap the cables. Hit Ctrl-c to stop the ping command.
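The two hand edits in the STATIC IP ONLY section above (the LRP= list in syslinux.cfg, and the static address that has to appear in both eth0_IPADDR and EXTERN_IP in /etc/network.conf) are easy to get wrong, and a wrong EXTERN_IP leaves the masquerading rules pointing at the wrong address. The following script is an added example and is not part of the EigerStein disk image: it removes a package from the LRP= list and checks a network.conf for the "two places" mistake before you reboot. The key names come from the instructions above; the sample files and the 203.0.113.x addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the EigerStein disk image: sanity checks for the
# two hand edits in the static IP procedure. It runs against constructed copies
# of syslinux.cfg and /etc/network.conf so it can be tried on any machine;
# point the functions at the real files on the mounted LRP disk to use it.

# Remove one package name from the comma-separated LRP= list in syslinux.cfg.
# Usage: drop_lrp_pkg <syslinux.cfg> <package>
drop_lrp_pkg() {
    file=$1; pkg=$2
    # Three cases: name in the middle, at the end, or at the start of the list.
    sed -e "/^LRP=/ s/,$pkg,/,/" \
        -e "/^LRP=/ s/,$pkg\$//" \
        -e "/^LRP=/ s/^LRP=$pkg,/LRP=/" "$file" > "$file.new" &&
        mv "$file.new" "$file"
}

# Print the package list that syslinux.cfg will load at boot.
lrp_list() { sed -n 's/^LRP=//p' "$1"; }

# Read one KEY=value setting from network.conf, dropping any surrounding quotes.
conf_get() { sed -n "s/^$2=//p" "$1" | tr -d '"'; }

# Check a network.conf for a static external address: EXTERN_DHCP must be NO,
# eth0_IPADDR must be filled in, and EXTERN_IP must equal eth0_IPADDR (the
# "two places" warning in the instructions). Prints OK, or prints the problem
# and returns 1.
check_static_conf() {
    conf=$1
    dhcp=$(conf_get "$conf" EXTERN_DHCP)
    ip=$(conf_get "$conf" eth0_IPADDR)
    ext=$(conf_get "$conf" EXTERN_IP)
    if [ "$dhcp" != "NO" ]; then
        echo "EXTERN_DHCP is '$dhcp', expected NO"; return 1
    fi
    if [ -z "$ip" ] || [ "$ip" = "your.static.ip.address" ]; then
        echo "eth0_IPADDR is not set"; return 1
    fi
    if [ "$ip" != "$ext" ]; then
        echo "EXTERN_IP ($ext) does not match eth0_IPADDR ($ip)"; return 1
    fi
    echo OK
}

# --- constructed sample files for a stand-alone run ---
tmp=$(mktemp -d)
cat > "$tmp/syslinux.cfg" <<'EOF'
LRP=etc,log,local,modules,dhcpd,dnscache,dhclient
EOF
# 203.0.113.0/24 is a documentation range; these values are made up.
cat > "$tmp/network.conf" <<'EOF'
CONFIG_DNS=YES
IF_AUTO="eth0 eth1"
eth0_IPADDR=203.0.113.10
eth0_MASKLEN=24
EXTERN_DHCP=NO
EXTERN_IP=203.0.113.10
EOF
drop_lrp_pkg "$tmp/syslinux.cfg" dhclient
lrp_list "$tmp/syslinux.cfg"            # etc,log,local,modules,dhcpd,dnscache
check_static_conf "$tmp/network.conf"   # OK
# Forgetting the second place is the common mistake; the check reports it.
sed 's/^EXTERN_IP=.*/EXTERN_IP=your.static.ip.address/' "$tmp/network.conf" > "$tmp/bad.conf"
check_static_conf "$tmp/bad.conf" || true
rm -rf "$tmp"
```

On the LRP box itself the same functions can be run against /mnt/syslinux.cfg (after step 2) and /etc/network.conf (after step 11); if check_static_conf prints anything other than OK, fix the file before backing up /etc and rebooting.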
OPTIONAL:

Set Root Password:
You might want to set your root password (type passwd at a command prompt). Remember to backup /etc to your disk or there will be no password the next time you boot.

Set dhclient hostname or identifier:
Some ISPs require you to send a specific hostname or client identifier before they will give you an IP address. If you need to set this up, edit the file /etc/dhclient.conf (lrcfg menu 3-3-1). There are examples of both hostname and client identifier settings. Uncomment the appropriate line, and change the setting to the value you need to send. Backup dhclient (lrcfg menu b-8) and reboot.

Use two floppies for more space:
You can hook a second 3 1/2" floppy drive up for more storage. Edit syslinux.cfg on your boot disk and add the second floppy drive to the PKGPATH variable (i.e. PKGPATH=/dev/fd0u1680,/dev/fd1u1440). Put your new packages on the second floppy, and add the package names to the LRP variable in syslinux.cfg (i.e. LRP=etc,log,local,modules,newpkg) to load them automatically.

NOTES:

To 'uncomment' a line, remove the '#' at the beginning of the line.

If you get tons of 'martian errors' and your internet connection does not work, you probably have the ethernet connections swapped.

If you get occasional 'martian errors' and your internet connection is working, you are probably on a 'party line' network with a lot of other users (like a cable modem network), and someone else on the same segment has a mis-configured machine. See the LRP links above for more information about how you can make these messages go away.

ADDING MODULES TO YOUR LRP DISK

1) Get the Eiger LRP kernel tarball (2.2.16-1.tar.gz)
2) Extract the module(s) you need using winzip.
   IMPORTANT: Check the modules.dep file to see if there are any dependencies for the module you want. You will need to add these modules as well.
   Alternative: You can download individual kernel modules from my website:
   http://lrp.steinkuehler.net/kernel/Eiger/
3) Copy the module(s) to a 1440K standard dos floppy
4) Insert the dos floppy into your LRP machine
5) Get to a command prompt on the LRP machine (login as root, if necessary, and quit from the lrcfg main menu)
6) Mount the dos floppy
   mount -t msdos /dev/fd0 /mnt
7) Copy the module(s) to /lib/modules
   cp /mnt/*.o /lib/modules
8) Unmount the dos floppy
   umount /mnt
9) Modify /etc/modules to load your module. You can use ae from the command line, or lrcfg (menu 3-2-1)
10) ADVANCED: You might want to delete some of the unused network modules to save disk space. Any of the modules commented out in /etc/modules are safe to delete.
11) IMPORTANT: BACKUP YOUR CHANGES OR THEY WILL BE LOST!
12) Select LRP menu item b, then 5 to backup changes to modules
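The dependency check in step 2 is where most missing-module problems start: a driver such as ne2k-pci.o loads only if 8390.o is already present, and modules.dep is the file that records that. The script below is an added example, not part of the EigerStein disk image or the LRP tools: it reads a modules.dep, prints the complete set of modules to copy for one card (dependencies first, so the same order works for /etc/modules), and then uncomments or appends the module line in an /etc/modules-style file (step 9). It assumes the usual depmod layout of one module per line, "path/mod.o: path/dep1.o path/dep2.o"; the sample modules.dep and modules file are constructed for the demonstration and the paths in them are made up.

```shell
#!/bin/sh
# Added example, not part of the EigerStein disk image: work out which modules
# actually have to be copied for a given network card, then enable the card's
# module in /etc/modules. modules.dep is assumed to be in the usual depmod
# layout, one module per line: "path/mod.o: path/dep1.o path/dep2.o".
# Constructed copies of both files are used so this runs anywhere.

# Print a module and every module it depends on (transitively), dependencies
# first, each name once. Usage: module_closure <modules.dep> <module.o>
module_closure() {
    awk -v want="$2" '
    function base(p,  n) { n = split(p, parts, "/"); return parts[n] }
    function visit(m,  i, n, d) {
        if (seen[m]++) return                  # already listed
        n = split(deps[m], d, " ")
        for (i = 1; i <= n; i++) visit(d[i])  # dependencies before the module
        print m
    }
    {
        sub(/:$/, "", $1)                      # strip the colon after the module path
        m = base($1); list = ""
        for (i = 2; i <= NF; i++) list = list (list == "" ? "" : " ") base($i)
        deps[m] = list
    }
    END {
        if (!(want in deps)) print "warning: " want " not in modules.dep" > "/dev/stderr"
        visit(want)
    }' "$1"
}

# Uncomment "#mod.o" (with or without driver options after it) in an
# /etc/modules-style file, or append the module if it is not listed at all.
# Usage: enable_module <file> <module.o>
enable_module() {
    awk -v mod="$2" '
    $0 == "#" mod || index($0, "#" mod " ") == 1 { sub(/^#/, ""); found = 1 }
    $0 == mod || index($0, mod " ") == 1 { found = 1 }
    { print }
    END { if (!found) print mod }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# --- constructed sample files for a stand-alone run ---
tmp=$(mktemp -d)
cat > "$tmp/modules.dep" <<'EOF'
/lib/modules/2.2.16/net/8390.o:
/lib/modules/2.2.16/net/ne.o: /lib/modules/2.2.16/net/8390.o
/lib/modules/2.2.16/net/ne2k-pci.o: /lib/modules/2.2.16/net/8390.o
/lib/modules/2.2.16/net/3c509.o:
EOF
printf '#3c509.o\n#ne.o\n#ne2k-pci.o\n' > "$tmp/modules"

# Files to put on the DOS floppy for an NE2000 PCI card: 8390.o, then ne2k-pci.o
module_closure "$tmp/modules.dep" ne2k-pci.o
# On the real disk, after step 6, the same list drives the copy in step 7:
#   for m in $(module_closure modules.dep ne2k-pci.o); do cp "/mnt/$m" /lib/modules; done
enable_module "$tmp/modules" ne2k-pci.o
cat "$tmp/modules"                        # #3c509.o, #ne.o, ne2k-pci.o
rm -rf "$tmp"
```

Because module_closure lists dependencies before the module that needs them, feeding its output to enable_module one name at a time also gives /etc/modules the right load order (8390.o before ne2k-pci.o), which is the order step 6 of the setup instructions asks for by hand.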