----------------------------------------
Dachstein Firewall Setup
----------------------------------------

Written by: Charles Steinkuehler
Last Revised: Oct 8, 2001

Disclaimer: This procedure works for me on my test systems. Your results
may vary. You should examine the firewall setup to determine if it is
appropriate and safe in your environment.

----------------------------------------

Useful LEAF related links:
http://leaf.sourceforge.net/
http://lrp.steinkuehler.net/
http://lrp.c0wz.com:81/
http://www.linuxrouter.org/
http://wpkgate.kc.com.my.cpwright.com/lrp/
http://lrp.ramhb.co.nz/main.htm
http://lrp.plain.co.nz/

----------------------------------------

You might also want to read up on basic linux networking, including IP
masquerading and IPCHAINS. There are many FAQs and HOWTOs available
online. Remember, this is 'real' linux, so most mainstream linux
documentation applies directly to your LEAF box. Note that Dachstein
runs kernel 2.2.19 and uses the newer commands (ipchains and ip instead
of ipfwadm and ifconfig), so keep that in mind when you are looking up
documentation.

----------------------------------------
----------------------------------------
BEFORE YOU GET STARTED:
----------------------------------------

You will need a few things, so try to track them all down before
getting started.

1) A machine to run LEAF. You need a 486 DX or better (or another CPU
   with an FPU), two network cards, a 3 1/2" floppy drive, and 12 Meg
   RAM (16 Meg RAM recommended).
2) Knowledge about which linux kernel modules your ethernet cards
   require. The best place to learn about this is section 4 of the
   Linux Ethernet HOWTO:
   http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO-4.html
3) A copy of the self-extracting disk image (available where you found
   this file)
4) A blank 1.44 Meg floppy disk
5) A Windows 95/98/NT/2K machine to extract the disk image

----------------------------------------
!! - WARNING - !!
----------------------------------------

The latest version supports partial backups.
This allows you to boot from a CD-ROM drive and back up only your
configuration files to a floppy disk. If you use partial backups in a
floppy-only system, you will almost certainly create an unusable system
and will have to start over from scratch! Resist the temptation...you
have been warned!

Advanced users: If you understand what you're doing, partial backups can
be a powerful tool for upgrading systems, or for 'hybrid' systems using
multiple media types (CD, hard-disk, flash, etc).

----------------------------------------
SETUP INSTRUCTIONS:
----------------------------------------

----------------------------------------
ALL VERSIONS:
----------------------------------------

1) Run the disk image file to create your LEAF boot disk. If you need
   to specify the drive to use (drive A: is used by default), you can
   run the file from a command prompt and specify the drive (e.g.
   'Dachstein B:')
2) Boot the disk on your LEAF machine
3) Log in as root (no password is necessary)
4) You should see a configuration screen. If not, type lrcfg
5) Select menu item 3, then 3, then 1, to edit /etc/modules
6) Uncomment the module(s) needed for your ethernet card(s). All
   modules listed in the file are already on your LEAF disk. If you
   are using ne.o, ne2k-pci.o, or e2100.o, you will also need to
   uncomment 8390.o
   NOTE: If the modules you need are not listed, you will have to add
   them to your LEAF disk. See below.
7) Save the file <ctrl>-s and exit <ctrl>-q
8) Return to the main lrcfg menu
9) IMPORTANT: BACKUP YOUR CHANGES OR THEY WILL BE LOST!
10) Select menu item b, then 5 to backup changes to modules
11) At this point, if you have a dynamic IP address, you're done. Reboot
    the LEAF machine and see the section on configuring your clients.
    If you have a static IP address, continue on with the next section.
----------------------------------------
STATIC IP ONLY:
----------------------------------------

1) Exit the lrcfg menu system to get to a command prompt
2) Mount the Firewall disk
   mount -t msdos /dev/fd0u1680 /mnt
3) Edit the syslinux configuration file
   edit /mnt/syslinux.cfg
4) Remove dhclient from the list of packages to load
   old: LRP=etc,ramlog,local,modules,dhclient,dhcpd,dnscache,weblet
   new: LRP=etc,ramlog,local,modules,dhcpd,dnscache,weblet
5) Save the file <ctrl>-s and exit <ctrl>-q
6) Optional: Delete the dhclient package
   rm /mnt/dhclient.lrp
7) Unmount the LEAF disk
   umount /mnt
8) Return to the lrcfg menu
   lrcfg
9) Select menu item 1, then 1 to edit /etc/network.conf
10) Modify the following lines as appropriate for your setup. The
    values to enter here should have been provided by your ISP.

    CONFIG_DNS=YES
    IF_AUTO="eth0 eth1"
    eth0_IPADDR=your.static.ip.address
    eth0_MASKLEN=your network mask length (i.e. 24)
    eth0_DEFAULT_GW=your.network.gateway.address

    DO NOT CHANGE the eth1 settings

    EXTERN_DHCP=NO

    Optional:
      Firewall uses dnscache
        Leave DNS0 set to 127.0.0.1
      -or-
      Firewall uses ISP's DNS servers
        DNS0=your.primary.dns.server
        DNS1=your.secondary.dns.server
    NOTE: Internal systems will still use dnscache regardless of this
    setting
11) Save the file <ctrl>-s and exit <ctrl>-q
12) Return to the main lrcfg menu
13) IMPORTANT: BACKUP YOUR CHANGES OR THEY WILL BE LOST!
14) Select menu item b, then 2 to backup changes to /etc
15) Reboot
16) You should have a fully functional masquerading firewall. See the
    section on configuring your client machines.

----------------------------------------
CLIENT CONFIGURATION:
----------------------------------------

Clients that support automatic configuration via DHCP can be
automatically configured by your firewall. Just enable DHCP (called
'obtain an IP address automatically' in some windows versions). For
clients that cannot use DHCP, you must manually configure their network
settings.
IP Address      = 192.168.1.200 - 192.168.1.253
Subnet Mask     = 255.255.255.0
Default Gateway = 192.168.1.254
Primary DNS     = 192.168.1.254
Secondary DNS   = Your ISP's DNS server

NOTE: IP addresses in the range 192.168.1.1 - 192.168.1.199 are
assigned by the LEAF box to DHCP clients. Addresses 192.168.1.2xx are
available for static IP clients, except for the address 192.168.1.254,
which is the IP address of the LEAF box itself.

----------------------------------------
ETHERNET CONNECTIONS:
----------------------------------------

eth0 = External - Connect to cable-modem, DSL modem, etc.
eth1 = Internal - Connect to hub/switch for internal network

OK, but which network card is eth0 and which is eth1? Well, it kind of
depends. If you have two different types of network cards, eth0 is the
card whose driver gets loaded first. If you have two of the same network
card (or cards that use the same kernel module), which one is which
depends on the device driver. PCI cards are usually ordered by slot ID
(which slot is first is motherboard specific). ISA cards have been
reported to use all sorts of wacky schemes, including base address, MAC
address, command line specification order, and others.

I usually don't try to figure out which card is which. Just hook up both
cards and boot your LEAF system. Log in as root, and exit from the lrcfg
menu to a command prompt by pressing 'q'. Now ping an address on the
internal network (there doesn't actually have to be a computer with the
IP address you are using):

ping 192.168.1.1

Leave the ping command running and go around to the back of the
computer. You should see the activity light on one of the network cards
flashing once a second. The interface with the once-a-second blink is
your internal interface (you may have to watch for a while if you are
on a cable modem or there is traffic on your internal network). If you
guessed right (you had a 50-50 chance), congratulations...otherwise just
swap the cables. Hit <ctrl>-c to stop the ping command.
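The cable-swap check above relies on watching activity lights; the NOTES section further down adds a second symptom: a flood of 'martian' kernel messages with no working connection points to swapped cables, while a trickle with a working connection points to a mis-configured machine elsewhere on a shared segment. The script below is an added example of mine, not part of the Dachstein distribution, that applies that rule of thumb to a log file; the log lines are constructed, and the exact wording of the kernel's martian message is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Dachstein docs or distribution.
# Applies the NOTES rule of thumb to "martian source" kernel messages:
# many martians and no internet -> eth0/eth1 probably swapped; a few
# martians with internet working -> a mis-configured machine elsewhere
# on a shared segment. The sample log lines below are constructed.

# Number of martian messages in log file $1 (prints 0 when none).
count_martians() {
    grep -c 'martian source' "$1" || true
}

# Distinct offending source addresses (the address after "from").
martian_sources() {
    sed -n 's/.*martian source [0-9.]* from \([0-9.]*\).*/\1/p' "$1" | sort -u
}

# Verdict for log $1: $2 = count above which martians count as "tons",
# $3 = yes/no, whether the internet connection works.
diagnose_martians() {
    n=$(count_martians "$1")
    if [ "$n" -eq 0 ]; then
        echo ok
    elif [ "$n" -gt "$2" ] && [ "$3" = no ]; then
        echo swapped-interfaces
    elif [ "$3" = yes ]; then
        echo noisy-neighbour
    else
        echo unknown
    fi
}

# Constructed sample log. The message layout ("martian source <dst>
# from <src>, on dev <if>") is an assumption about the kernel's wording.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct  8 10:00:01 firewall kernel: martian source 192.168.1.254 from 10.0.0.7, on dev eth0
Oct  8 10:00:02 firewall kernel: martian source 192.168.1.254 from 10.0.0.7, on dev eth0
Oct  8 10:00:03 firewall dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Oct  8 10:00:04 firewall kernel: martian source 192.168.1.254 from 10.0.0.9, on dev eth0
EOF

echo "martians: $(count_martians "$SAMPLE_LOG")"
echo "sources:  $(martian_sources "$SAMPLE_LOG" | tr '\n' ' ')"
echo "verdict:  $(diagnose_martians "$SAMPLE_LOG" 50 yes)"   # noisy-neighbour
```

Point the functions at the LEAF box's own log (readable through the weblet status pages) and pick a threshold that matches what "tons" means on your link.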
----------------------------------------
OPTIONAL:
----------------------------------------

Set Root Password:
You might want to set your root password (type passwd at a command
prompt). Remember to backup /etc to your disk or there will be no
password the next time you boot.

Use two floppies for more space:
You can hook a second 3 1/2" floppy drive up for more storage. Edit
syslinux.cfg on your boot disk and add the second floppy drive to the
PKGPATH variable (i.e. PKGPATH=/dev/fd0u1680,/dev/fd1u1440). Put your
new packages on the second floppy, and add the package names to the LRP
variable in syslinux.cfg (i.e. LRP=etc,ramlog,...weblet,newpkg) to load
them automatically.

----------------------------------------
ROUTER STATUS:
----------------------------------------

This distribution comes with a small web-server that allows you to check
on current status, monitor current bandwidth usage, read over your log
files and other useful things. To access the web server, enter the
following URL in a browser on the client network:

http://192.168.1.254

----------------------------------------
NOTES:
----------------------------------------

To 'uncomment' a line, remove the '#' at the beginning of the line.

If you get tons of 'martian errors' and your internet connection does
not work, you probably have the ethernet connections swapped.

If you get occasional 'martian errors' and your internet connection is
working, you are probably on a 'party line' network with a lot of other
users (like a cable modem network), and someone else on the same segment
has a mis-configured machine. See the LEAF links above for more
information about how you can make these messages go away.

Setting dhclient hostname or identifier:
Some ISPs require you to send a specific hostname or client identifier
before they will give you an IP address. If you need to set this up,
edit the file /etc/dhclient.conf (lrcfg menu 3-4-1). There are examples
of both hostname and client identifier settings.
Uncomment the appropriate line, and change the setting to the value you
need to send. Backup dhclient (lrcfg menu b-6) and reboot.

The default editor used is /bin/edit, which is a wrapper for e3, a tiny
editor written in assembly. The e3 editor supports several emulation
modes, and defaults to Nedit emulation in this distribution. If you
would prefer using a different emulation mode, you may manually run the
editor using one of the following commands:

e3   : the default (Nedit)
e3ws : the Wordstar-like version
e3em : the Emacs-like version
e3pi : the Pico-like version
e3vi : the vi-like version
e3ne : the NEW Nedit-like version

NOTE: You can change between emulation modes while in e3...see the
online help <alt>-h for details (:h in vi mode)

To change the default editor, edit the file /bin/edit, and change the
EDITOR= line to your desired editor

----------------------------------------
ADDING MODULES TO YOUR LEAF DISK
----------------------------------------

1) Get the Dachstein LEAF kernel tarball (Dachstein-small.tar.gz)
2) Extract the module(s) you need using winzip.
   IMPORTANT: Check the modules.dep file to see if there are any
   dependencies for the module you want. You will need to add these
   modules as well.
   Alternative: You can download individual kernel modules from my
   website:
   http://lrp.steinkuehler.net/files/kernels/Dachstein-small/
3) Copy the module(s) to a 1440K standard dos floppy
4) Insert the dos floppy into your LEAF machine
5) Get to a command prompt on the LEAF machine (login as root, if
   necessary, and quit from the lrcfg main menu)
6) Mount the dos floppy
   mount -t msdos /dev/fd0 /mnt
7) Copy the module(s) to /lib/modules
   cp /mnt/*.o /lib/modules
8) Unmount the dos floppy
   umount /mnt
9) Modify /etc/modules to load your module. You can use edit from the
   command line, or lrcfg (menu 3-3-1)
10) ADVANCED: You might want to delete some of the unused network
    modules to save disk space. Any of the modules commented out in
    /etc/modules are safe to delete.
11) IMPORTANT: BACKUP YOUR CHANGES OR THEY WILL BE LOST!
12) Select menu item b, then 5 to backup changes to modules