Getting in the Fast Lane
All of the newer Linux kernels include support for IP masquerading, which allows a group of computers on a network to access the Internet using a specified computer's Internet address. All connections from the computers must go through a specified IP masquerading “host”, or server. This server functions as the gateway machine and can be used as a DNS machine, if you set up a DNS server. With route and ipfwadm, you can set up a simple but effective packet routing scheme to deliver packets to the appropriate client machines. The prerequisites for such a setup are as follows:
One Linux server
Client machine(s) running a network-capable OS
One or two Ethernet cards, depending on the type of your router
The standard Linux network package; see your distribution documentation for details.
I am assuming that you have Ethernet support for your client machines already. If your client machines are Linux and you haven't yet set up the Ethernet cards, read the documentation and do it—all of the drivers are most likely already working.
For the server, the first step of setting up a network is setting up the Ethernet hardware. This is relatively simple: recompile the kernel or compile a module to include support for your card or cards. If your card is supported by the Linux kernel, compile support into the kernel: as root, type make menuconfig at the top of the Linux source tree and use the menus to configure support. More information on how to recompile a kernel is available in the Linux Kernel HOWTO, located at http://sunsite.unc.edu/linux/HOWTO/Kernel-HOWTO.html.
In the kernel setup program, under “Code Maturity Level Options”, check the “Prompt for development and/or incomplete code/drivers” box, so that you will be given the option of using IP masquerading. Also, in the “Networking Options” section, check the following: Network Firewalls, Network aliasing, TCP/IP networking, IP forwarding/gatewaying, IP multicasting, IP firewalling, IP accounting, IP masquerading and IP tunneling. Although IP masquerading is experimental, it is fairly stable and must be included.
If your card (such as the EtherExpress Pro 10 PCI card from Intel) isn't supported in the kernel or support is broken, you can download and make a module for your card. A great resource for Ethernet card information on Linux is the Linux Ethernet HOWTO, at http://sunsite.unc.edu/linux/HOWTO/Ethernet-HOWTO.html. In the Ethernet HOWTO, you should find complete information about your card and how to use it under Linux. Another great resource is Donald Becker's Ethernet drivers page, found at http://cesdis.gsfc.nasa.gov/pub/linux/linux.html. This page has drivers (many written by Mr. Becker) for many cards, including some that are in alpha stage. Be aware that many of the alpha drivers are perfectly usable and many are completely unusable. To find out, check the Ethernet HOWTO for support status. You can also read the actual source of the module, which should include instructions on installation and compilation near the top or bottom. Install the Ethernet card module into the /lib/modules/2.0.xx/net directory and put the following lines into one of your startup scripts:
depmod -a
modprobe drivername
Note that the driver name given to modprobe does not include the “.o” at the end of the file name. It isn't necessary, so you shouldn't put it in; modprobe knows how to handle the loading of the module. To see if you've loaded the module into memory, type lsmod at the prompt. If you see a listing for your card, the module is loaded. Troubleshooting steps can also be found in the Linux Ethernet HOWTO. It's an excellent resource that should not be missed when setting up Ethernet cards.
If your cable modem or other high bandwidth device doesn't support being plugged into a hub or coax network, the simple solution is to buy a cheap NE2000 clone for the device and keep it separate from the other parts of the network. Yes, that's right, you'll have two Ethernet cards in your server computer. The number one problem concerning multiple Ethernet card support is the order in which the cards get detected. This is important, since Linux addresses the Ethernet cards in numerical order, depending on the order detected during the boot process. If you know the IRQs or the I/O addresses of your Ethernet cards (they may be settable on board or via software), you can add this line to the top of your lilo.conf file:
append = "ether=irq,ioadd,eth0 ether=irq,ioadd,eth1"
This line tells the kernel which Ethernet device name to assign to the card at each IRQ and I/O address combination. For example, if you have a 3Com 3c509b on IRQ 10 and I/O address 0x300 and you wish that card to be eth0, you add this line to the very top of your lilo.conf file:
append = "ether=10,0x300,eth0"
For additional Ethernet cards, you just add another ether=x,x,ethx after the first one inside the append quotes, as shown in the previous example. This is the easiest method of getting the kernel to assign the proper devices to the correct cards. All modern Ethernet cards come with software or jumpers that let you set the IRQ and I/O address. If they don't, look in your computer's BIOS or, if you have another OS such as Win95, look in the system settings for the mapped address. To check that the Ethernet card was properly detected, simply type cat /proc/interrupts and see if your card is listed there.
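On a two-card gateway, a typo in the append line can leave the cards swapped or undetected after the next reboot, so it is worth checking the line before running lilo. The script below is an added example, not part of the original article: check_ether_append is a hypothetical helper, the sample line is constructed, and a value of 0 is accepted as the kernel's autoprobe value for the ether= parameter.

```shell
#!/bin/sh
# Added example (not from the article): lint the ether= entries of a
# lilo.conf append line before running lilo and rebooting.
# check_ether_append is a hypothetical helper name.

check_ether_append() {   # $1 = path to a lilo.conf-style file
    awk '
    /^[ \t]*append[ \t]*=/ {
        line = $0
        sub(/^[^"]*"/, "", line)      # strip up to the opening quote
        sub(/".*$/, "", line)         # strip the closing quote
        n = split(line, tok, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (tok[i] !~ /^ether=/) continue
            found++
            # Expect irq,ioaddr,ethN; a value of 0 asks the driver to autoprobe.
            if (split(substr(tok[i], 7), f, ",") != 3 ||
                f[1] !~ /^[0-9]+$/ ||
                f[2] !~ /^(0|0x[0-9a-fA-F]+)$/ ||
                f[3] !~ /^eth[0-9]+$/) {
                print "malformed entry: " tok[i]; bad++; continue
            }
            q = f[1] + 0; a = tolower(f[2])
            if (f[3] in dev) { print f[3] " is defined more than once"; bad++ }
            if (q != 0 && (q in irq)) {
                print "IRQ " q " is assigned to both " irq[q] " and " f[3]; bad++
            }
            if (a !~ /^(0|0x0+)$/ && (a in io)) {
                print "I/O address " a " is assigned to both " io[a] " and " f[3]; bad++
            }
            dev[f[3]] = 1; irq[q] = f[3]; io[a] = f[3]
        }
    }
    END {
        if (!found) { print "no ether= entry found"; bad++ }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample: the 3c509b entry from the text plus a second card
# that was mistakenly given the same IRQ.
sample=$(mktemp)
printf '%s\n' 'append = "ether=10,0x300,eth0 ether=10,0x320,eth1"' > "$sample"
if check_ether_append "$sample"; then
    echo "ether= entries look consistent"
else
    echo "fix lilo.conf before running lilo"
fi
rm -f "$sample"
```

Copying the placeholder line ether=irq,ioadd,eth0 verbatim is reported as a malformed entry, which catches a template that was never filled in.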