Adding Features to Dial-Up PPP Service

Mr. Haisley provides some PPP customization scripts for web hosting services.

I operate a small web hosting service, specializing in services for the arts community and for small local businesses. As is customary, I offer a variety of support services to all my clients, including the ability to dial directly to my server and connect to the Internet using the point-to-point protocol (PPP). All services, including PPP access, are provided by a venerable and extremely reliable 486 running the latest production release of the Linux kernel.

Having spent a couple of years helping to build one of Austin's first Internet service providers during the early days of the Internet, I am familiar with the process of using UNIX to find original solutions to unsolved problems. At that time, there were no Portmasters, and dial-up access was provided by UNIX boxes, Digiboards and clever programming. Many solutions and tools which are commonplace today were unknown or only experimental then.

Modern releases of Linux offer a good deal more to work with than did the early non-Linux kernels; nevertheless, when I developed my own dial-up access, I found that while all parts of my dial-up system were available, several functions important to me were not available in the published packages. In particular, I wanted to offer full Internet access as a subscription service. Customers who chose not to subscribe to this service would still have full access via PPP dial up to the file spaces on their local web site using FTP or http. I also needed a way to implement session timeouts based on inactivity. While all my customers are above average in terms of their sense of responsibility in such matters, everyone has attention lapses from time to time, walking away from an on-line session without logging off and hanging up.

The software I found readily available was the excellent mgetty+sendfax package by Gert Doering and the Debian/GNU distribution of pppd. mgetty manages communication with a modem and provides essential login functions, while pppd manages PPP protocol issues. Recent versions of mgetty (I am using mgetty-0.99.2) are capable of detecting incoming attempts at PPP negotiation and, if properly configured, will invoke pppd with a variety of options, passing over to it the responsibility for user authentication.

While this combination is quite flexible, it is not a totally integrated solution. pppd reads and takes setup instructions from user .ppprc files, and my first thought was that setting up a read-only, root-owned .ppprc file for each customer would give me the flexibility I needed to provide the Internet access permissions and limitations I wanted on a per-account basis. Unfortunately, the situation is not quite this simple. Because mgetty runs and invokes pppd as root, the only .ppprc file which pppd reads is ~root/.ppprc. User identification and authentication takes place after the ~/.ppprc file is read—not very useful for my purpose.

Fortunately, pppd provides a very nice open-ended hook in the form of two built-in script calls: ip-up (Listing 1 in the archive file) which is executed immediately after the network control protocol (IPCP) for PPP has come up, and ip-down (Listing 2 in the archive file) which is executed immediately after the link has gone down. Both scripts are provided with the interface name, tty device, speed, local IP address and remote IP address as command parameters, and from these, almost everything one might need to know about a PPP session can be discovered. Both ip-up and ip-down run with a real and effective user ID of root, eliminating any potential problems with user-owned processes executing system commands. Because I could do my per-user configurations from a single script, I could localize all my user information in a single data file.

Proxy ARP

To grant full Internet access to a pppd dial-up client, pppd invokes a technique called proxy ARP. A host using proxy ARP advertises a dial-up client's IP address linked to its own Ethernet interface address. IP traffic destined for the dial-up client is therefore sent to the host, which dutifully forwards it via the PPP interface. pppd can be configured on invocation to set up proxy ARP, either on the command line or in any one of its several configuration files, including the user .ppprc file. Proxy ARP can also be set up “manually” using the arp command to manipulate the kernel's ARP cache. Because none of the pppd configuration files can be used to distinguish one user from another, I chose to set up proxy ARP using a shell invocation of arp in the ip-up Perl script.

Using the arp command to set up proxy ARP requires two pieces of information: the IP address assigned to the dial-up client and the machine address of the Ethernet interface to which packets should be delivered. The dial-up IP address is passed as a parameter to ip-up. The hardware address of the appropriate Ethernet interface can be obtained from a couple of sources, but the easiest way to is to parse the information returned from ifconfig. This address can also be hard coded into the script, since it is not likely to change in the short term.

For ip-up to know whether to set up proxy ARP, it must know the identity of the user for whom it was invoked. Although the identity of the current user is not one of the items provided to ip-up by pppd, the name of the connecting tty device is available and associated with a user name in the system's utmp file. Invoking who provides a conveniently formatted table, which can be parsed to obtain the name of the user currently connected to any tty device. I use the user name as an index into a small flat file, /etc/ppp/proxyarp, which consists of a series of lines of tab-delimited data pairs, each pair consisting of a user name and either a “+” or a “-” indicating whether to set up proxy ARP for that particular user. With this information, ip-up has everything it needs to set up proxy ARP for a session and determine if appropriate to do so.

One “gotcha” which must be addressed in this scheme is ARP caching by the LAN gateway. The Cisco 750 series router which I use is reluctant to provide any information on or means of manipulating its internal ARP cache, and the default timeout (about five minutes) means that any connection made within this timeout period after a previous call will inherit the packet routing of the previous connection. While it is not a serious problem for me if my non-Internet users occasionally get full Internet access, a busy ISP would need to be able to exercise tighter control in this matter.

______________________

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix