Almost Internet with SLiRP and PPP
The pppd package comes with a utility program called chat which performs “expect-send” scripts for dialing modems, performing automated logins, etc. chat is located in pppd-2.1.2d/chat/. The steps for compiling and installing chat are essentially the same as for pppd: copy the makefile, edit to suit your system, make, and then make install as the superuser. The chat manual page, however, needs to be installed by hand; use
install -m 0444 -o root -g man chat.8 /usr/man/man8/
to do this.
Now is a good time to read the manual page for pppd. While it is rather long, the manual page contains some information critical to understanding how to set up pppd, including explanations of several scripts called by pppd. There are several steps involved in properly configuring pppd, and a few more in making it convenient to use:
Creating the system-wide pppd configuration file /etc/ppp/options.
Modifying the network configuration files to work with a PPP connection.
Creating the scripts /etc/ppp/ip-up and /etc/ppp/ip-down to perform any needed actions when the PPP link becomes active and before it is closed, respectively.
Configuring the system logging facility so that messages from pppd are written to the system logs.
Creating scripts to start and stop pppd gracefully.
The system-wide configuration file, /etc/ppp/options, is the most important thing to get right for pppd to work. The file must exist and be readable by the root user, even if you don't plan to store configuration information in it—otherwise, pppd won't start. Unfortunately, there are so many possible options to configure for pppd that it's difficult to build a configuration file from scratch. I have put together an options file template for pppd, which includes each configurable option and explanatory text taken directly from the pppd manual page, and made it freely available for anonymous FTP (see References for locations). I recommend fetching the pppopt.tgz package to use as a starting point for configuration.
A configuration file for pppd looks like this:
#
# /etc/ppp/options -- config file for pppd
#
# async character map -- 32-bit hex; each bit
# is a character that needs to be escaped for
# pppd to receive it. 0x00000001 represents
# "\x00", and 0x80000000 represents "\x1f".
asyncmap 0

# Use hardware flow control (i.e. RTS/CTS) to
# control the flow of data on the serial port.
crtscts

# Add a default route to the system routing
# tables, using the peer as the gateway, when
# IPCP negotiation is successfully completed.
# This entry is removed when the PPP connection
# is broken.
defaultroute

# Set the MRU [Maximum Receive Unit] value to <n>
# for negotiation. pppd will ask the peer to send
# packets of no more than <n> bytes. The minimum
# MRU value is 128. The default MRU value is 1500.
# A value of 296 is recommended for slow links
# (40 bytes for TCP/IP header + 256 bytes of data)
mru 552

# Disables the default behaviour when no local IP
# address is specified, which is to determine (if
# possible) the local IP address from the
# hostname. With this option, the peer will have
# to supply the local IP address during IPCP
# negotiation (unless it is specified explicitly on
# the command line or in an options file).
noipdefault
This file assumes that the modem is set to use hardware flow control (crtscts), that the link between the local machine and the remote one is 8-bit-clean (asyncmap 0), and that the remote machine will tell pppd what the local machine's IP address is (noipdefault). It also tells pppd to add a “default route” to the system routing tables (defaultroute), which is generally what we want for a dial-up Internet connection, and sets the “maximum receive unit”, the largest PPP packet that pppd will accept, to 552 (mru 552).
If you want to use software flow control instead of hardware flow control for your modem, you can use xonxoff instead of crtscts. You also need to add the XON and XOFF characters to the asyncmap option, as follows: the number following asyncmap is a 32-bit hexadecimal number, where each bit represents a character between 0x00 (^@) and 0x1f (^_) which must be “escaped”, or sent as a two-byte sequence to avoid getting swallowed or munged in transmission; asyncmap 000a0000 escapes characters 0x13 (^S) and 0x11 (^Q), the XON/XOFF characters. You will also need to add this asyncmap setting to your SLiRP configuration file on the remote host.
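Working out an asyncmap by hand is easy to get wrong, so here is an added shell example (not from the article) that builds a map from a list of control-character codes and decodes a map back into caret notation; the function names asyncmap_for and asyncmap_chars are my own.

```shell
#!/bin/sh
# Added example: compute and decode pppd asyncmap values.
# Bit i of the 32-bit map marks control character i (0x00..0x1f) as one
# that must be escaped on the serial link: bit 0 is \x00, bit 31 is \x1f.

# asyncmap_for CODE... -> 8-digit hex asyncmap escaping the given control
# characters. CODE is decimal (19) or 0x hex (0x13); anything outside
# 0..31 is rejected because the map only covers the 32 C0 controls.
asyncmap_for() {
    map=0
    for c in "$@"; do
        case "$c" in
            [0-9]|[1-9][0-9]|0x[0-9a-fA-F]|0x[0-9a-fA-F][0-9a-fA-F]) ;;
            *) echo "asyncmap_for: bad code '$c'" >&2; return 1 ;;
        esac
        code=$(( $c ))
        if [ "$code" -gt 31 ]; then
            echo "asyncmap_for: $c is not a control character (0..31)" >&2
            return 1
        fi
        map=$(( map | (1 << code) ))
    done
    printf '%08x\n' "$map"
}

# asyncmap_chars HEX -> the characters a map escapes, in caret notation
# (e.g. "^Q ^S"); an empty line means nothing is escaped.
asyncmap_chars() {
    map=$(( 0x$1 ))
    out=""
    i=0
    while [ "$i" -lt 32 ]; do
        if [ $(( (map >> i) & 1 )) -eq 1 ]; then
            # control code i is written ^X where X is the character i + 64
            oct=$(printf '%03o' $(( i + 64 )))
            out="$out^$(printf "\\$oct") "
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "${out% }"
}

# The XON/XOFF case from the text: ^Q (0x11) and ^S (0x13) -> 000a0000
asyncmap_for 0x11 0x13
asyncmap_chars 000a0000
```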
The network configuration files on your Linux system which you need to modify or check are:
/etc/rc.d/rc.inet1 or /etc/rc.net, the network configuration script (it may be called something slightly different, depending on your distribution)
/etc/hosts, the hostname-to-address configuration file
/etc/resolv.conf, the resolver configuration file
Configuration of these files is discussed in detail in the README.linux file that comes with pppd under the heading “General Network Configuration”; however, a few items are important for using pppd with SLiRP:
In /etc/hosts, use the address 10.0.2.15 as the address for your Linux machine; this is the address SLiRP uses by default. For example, my own machine is called “zephyr”, in the fictitious domain “earth”, and the following line appears in my host table after the loopback entry:
10.0.2.15 zephyr.earth zephyr
In order to fill in the nameserver part of /etc/resolv.conf, you need to know the address of the nameserver for the remote host. There are three ways to find out this information, in order from least to most effort:
(1) Use the command nslookup, which will print the name and numeric address of the default nameserver (use exit to exit nslookup);
(2) Read the remote resolver configuration file using the command cat /etc/resolv.conf; it should have nameserver entries just like the ones you need; or
(3) Ask the system administrator, who may or may not be willing to give you that information.
You may wish to perform certain actions when the PPP link opens and to perform others when the PPP link closes down; you can put such actions in scripts called /etc/ppp/ip-up and /etc/ppp/ip-down. For instance, I have configured smail (my mail delivery agent) to send outgoing mail to my Internet account provider, which is only available when my PPP link is up. In my ip-up script, I have a command to send any queued outgoing mail along to the smart-host for delivery.
#!/bin/sh
#
# /etc/ppp/ip-up -- do net-stuff when ppp is up

# send queued outgoing mail over new net connection
/usr/sbin/runq
The ip-up and ip-down programs do not have to be shell scripts—they could just as easily be written in Perl, Tcl, or any other scripting language. However, the scripts should be executable, i.e. they should have execute permission set, using
chmod 0755 /etc/ppp/ip-up /etc/ppp/ip-down
and the first line of the script should be of the format #!path-to-program, containing the complete path to the program that should run the script (e.g., #!/bin/sh for a Bourne shell script, or #!/usr/local/bin/perl for Perl).
pppd sends messages and some debugging information to the system logging facility syslogd. You may wish to configure syslogd so that those messages get logged to a separate log file; to do this you need to become the superuser and modify the syslogd configuration file /etc/syslog.conf. pppd logs to the “daemon” facility, so we add the following line to syslog.conf:
# Log daemon-related messages in a special place
daemon.*        /var/log/daemon.log
You should put the daemon log in the same place as your other system logs; the Linux Filesystem Standard recommends /var/log. In order to get syslogd to re-read its configuration file, send it a hangup signal using the command kill -HUP pid, where pid is the numeric process id for syslogd as shown in a listing made by a ps ax command. Alternately, use killall -HUP syslogd.
Since it can be a bit tedious trying to start and stop pppd from the command line, I recommend creating two executable scripts called ppp-on and ppp-off. The pppd package comes with sample scripts in pppd-2.1.2d/chat, which you may wish to use as a guide. Simple versions of each are shown in Figure 1 and Figure 2. You should probably install the scripts in the same place as you install pppd (for my system, /usr/local/ppp/bin).
Figure 1. Example ppp-on Script
Figure 2. Example ppp-off Script