Linux Means Business: A Case Study of Pakistan On-Line
Pakistan On-Line (POL), http://www.pol.com.pk/, is an Internet Service Provider (ISP) operating in major cities of Pakistan. All of its Points of Presence (POPs) are operating on Slackware Linux, with some minor setup variations on each site. The ISP's local backbone uses fiber optic cable from a local telecom company, Pakistan Telecommunication Company Limited. Cisco routers are used at each POP to manage this backbone. POL has multiple links to the Internet and uses routing algorithms to manage traffic.
Other than Internet access services, the company also provides services for network design, installation, web development and hosting, domain name registration, etc. For remote-access services, POL uses Cisco and Xyplex access services at major POPs and Linux with Rocketport cards at smaller sites. Linux is used on HP Netservers and Compaq machines to provide Internet services like SMTP, POP, DNS, WWW, FTP, Proxy, etc. User authentication is done through a RADIUS server running on a Linux machine. User accounting and billing are done through RADIUS for Cisco remote access servers and Syslogd where Xyplex remote access servers are used. The accounting and billing process is also carried out on Linux through custom software developed in C.
Choosing a network operating system for Internet operations is a very important decision. You need to be certain about the stability of your entire system, as the setup has to serve so many clients around the clock. Nobody can afford a service outage, even for a few minutes. Since we planned to use Intel-based servers, we had to choose between a Windows NT server and Linux. The most important factor was not the cost of the operating system, but the stability of the ISP facility. Our criteria for selecting an operating system depended on the following factors.
Previous experience: we had a very good experience with Linux, as we had already built large Linux-based networks. Some of these are being utilized in a similar environment, and some in educational institutions.
Stability: Linux was well-tested for stability by our staff in operations of various kinds for many years. We were quite confident that it would not give us any problems in our operations.
Cost: although the cost of the operating system itself is not a major factor, when you add the other utilities and software required for an ISP, it is something to be considered. Not only is Linux free of cost, but you can also find all the required software for an ISP entirely free on the Internet. This includes mail servers, web servers, FTP and DNS servers that come bundled with Linux, making it a complete Internet solution. Additionally, if any of the available software does not serve a particular purpose, you can easily try one of the many available alternatives. For example, if you feel Sendmail is too complex to administer and have a mixture of UUCP and SMTP services, you can use Smail instead, which is quite easy to administer and a very useful UUCP-to-SMTP gateway.
Ease of administration, customization and support on the Internet is another major issue. If you want support for commercial software, you have to pay someone on a regular basis. Linux is perhaps the only product for which you can get on-line help around the clock from so many experts all over the world without spending a single penny. It is quite fun to go to an IRC channel and join the discussion.
Although commercial operating system vendors are trying to bundle everything with their products, it is simply impossible for any of these to provide a number of utilities comparable to those available on Linux. People have built many tools and utilities for ISP operations in particular. For example, you can find many tools for analyzing web traffic logs, monitoring the utilization of your Internet bandwidth, managing user accounts, checking for security holes, etc.
There is simply no match for the mail servers available on Linux. Using Sendmail, qmail or Smail, you can do anything you wish. If you want to go for ease of use in a mixed UUCP and SMTP environment, use Smail 3.2. If you want a complete, thoroughly tested, comprehensive solution, use Sendmail. If you just want to give support for SMTP, IMAP, virtual domains, etc., use qmail and so on. You are free to make your choices depending upon your environment.
At POL, we have been using Apache from the beginning. We have found the Apache web server excellent where stability and performance are concerned. We have many virtual domains running on a single web server, utilizing only one IP address. Basic configuration and virtual hosting for Apache are quite simple. You can also use SSL, URL caching, and protected user directories with Apache. All of the POL users have their own web pages, which are kept in their home directories on the Apache server, and are free to update these pages any time they wish.
The Apache server is of great commercial use, as you can utilize it with databases, ODBC, etc. In fact, we have tested it with mSQL, ODBC and MySQL at Pakistan On-Line. We have found some clients who are interested in co-locating their database servers at the POL premises and linking them to the Apache server for on-line databases. We are sure this will be a great success for us here in Pakistan.
Pakistan On-Line is using the Linux kernel features for firewalling, IP masquerading and transparent proxying. We have installed Linux-based firewalls for some of our corporate clients. We have tested both packet filtering and proxy-based firewalls. For a proxy-based firewall, we have used Trusted Information Systems (TIS) Firewall Toolkit (FWTK), which is freely available in source code form on the Internet.
IP masquerading has been useful in environments where IP addresses are very scarce. In fact, this situation prevails in most of the developing countries, where we do not have enough IP addresses for corporate clients. IP masquerading plays a very important role in those circumstances, where we can use a Linux box to let a virtually unlimited number of computers connect to the Internet through a single legal IP address.
Some of POL's corporate clients have dozens of computers on their private networks where they need Internet access. It is difficult for us to assign as many IPs to these customers as they want. We use the Linux IP masquerading feature on a computer running Linux, which then acts as a gateway for the private LAN. Now the company is free to add as many computers to their private LAN as they want, without consulting the ISP again and again.
This arrangement has been very useful for us and has given POL an edge over other ISPs here. Other ISPs try to provide such a solution based on the Windows NT Server and Microsoft Proxy Server, which are costly for both hardware and software. Also, the NT-based system does not pass through all protocols as transparently as Linux does.
The transparent proxy feature in the Linux kernel is also very useful. We are using the transparent proxy feature with the help of Cisco routers to force all WWW traffic to pass through our proxy server. On the Cisco router, we have extended access lists which redirect all outgoing traffic on port 80 to pass through the Linux server. Another package, tproxyd, has also proven to be very useful in our operations. More information on tproxyd can be obtained from its web site (see Resources). A sample Cisco access list that serves the job might look like this:
interface Ethernet0
 ip address 184.108.40.206 255.255.255.0
 ip policy route-map proxy-redir
!
access-list 101 permit tcp 220.127.116.11 0.0.0.255 any eq www
route-map proxy-redir permit 20
 match ip address 101
 set ip default next-hop 18.104.22.168
!
Now, when the router receives an IP packet with a destination port equal to 80 from any computer on local network 22.214.171.124/24, it redirects this packet to 126.96.36.199, which is a Linux server running as the proxy server. The Linux ipfwadm utility is then used to manage this kind of traffic.
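The matching logic of that access list and route map can be modelled in a few lines; this is an added example, not code from the article or from POL. It uses constructed RFC 5737 addresses instead of the values above, and the proxy address and the explicit-route table are assumptions. It also shows a property of `set ip default next-hop`: the redirect applies only when the router has no explicit route for the destination, so such destinations bypass the proxy, as does anything not on TCP port 80.

```python
import ipaddress

# Constructed documentation addresses (RFC 5737), not the values on the page.
ACL_101 = {"proto": "tcp", "src": "192.0.2.0", "wildcard": "0.0.0.255", "dport": 80}
PROXY_NEXT_HOP = "198.51.100.10"   # hypothetical Linux proxy server
EXPLICIT_ROUTES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed non-default route

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'ignore this bit' (inverse of a netmask)."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(pkt, acl=ACL_101):
    """One extended ACL entry: protocol, source/wildcard, any destination, eq port."""
    return (pkt["proto"] == acl["proto"]
            and wildcard_match(pkt["src"], acl["src"], acl["wildcard"])
            and pkt["dport"] == acl["dport"])

def next_hop(pkt):
    """Route-map decision for a packet arriving on the policy-routed interface."""
    if not acl_permits(pkt):
        return "normal-routing"    # no ACL match: the route map is not applied
    dst = ipaddress.ip_address(pkt["dst"])
    if any(dst in net for net in EXPLICIT_ROUTES):
        return "normal-routing"    # 'default next-hop' yields to explicit routes
    return PROXY_NEXT_HOP

if __name__ == "__main__":
    for pkt in (
        {"proto": "tcp", "src": "192.0.2.55", "dst": "198.51.100.77", "dport": 80},
        {"proto": "tcp", "src": "192.0.2.55", "dst": "198.51.100.77", "dport": 443},
        {"proto": "tcp", "src": "192.0.2.55", "dst": "203.0.113.5", "dport": 80},
    ):
        print(pkt, "->", next_hop(pkt))
```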
As far as caching is concerned, squid has remained our choice. It provides very good performance as well as stability. This is also used with the transparent proxy feature of Linux to obtain extra benefit. A number of tools for squid which analyze performance and scan logs in graphical format are available on the Internet.
The ISP accounting and billing system is the most important thing, because this is the process that generates money for an ISP. It needs to be very accurate and stable. We have three types of systems that support dial-in users:
Linux-based servers with multiport cards. The login and logout information from these is obtained through syslogd.
Xyplex Max 1640 servers that can send both RADIUS and syslogd information. We are using syslogd information for billing purposes.
Cisco remote access servers, which are sending accounting information to the RADIUS server.
We have developed a billing system in C that gets information from all three types of servers and generates user log files. Any user can see his billing information whenever required. We also use shell scripts for some housekeeping jobs in our billing system. It has proven to be a very good and user-friendly system, and two other small ISPs now use this same billing system.
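An added example, not POL's billing code (which is written in C and is not shown in the article), of the accuracy problems any aggregator of RADIUS accounting records has to handle: a retransmitted Stop must not be billed twice, and a Start with no Stop must be reported rather than silently billed. The attribute names come from RFC 2866; the one-line record layout, the `time` field and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records. Attribute names follow RFC 2866; the one-line
# key=value layout and the "time" field are assumptions for this example.
SAMPLE = """\
time=1000 User-Name=alice Acct-Status-Type=Start Acct-Session-Id=A1
time=1600 User-Name=alice Acct-Status-Type=Stop Acct-Session-Id=A1 Acct-Session-Time=600
time=2000 User-Name=bob Acct-Status-Type=Start Acct-Session-Id=B1
time=2100 User-Name=bob Acct-Status-Type=Start Acct-Session-Id=B2
time=2500 User-Name=bob Acct-Status-Type=Stop Acct-Session-Id=B2 Acct-Session-Time=400
time=2500 User-Name=bob Acct-Status-Type=Stop Acct-Session-Id=B2 Acct-Session-Time=400
"""

def parse(line):
    """Split one record into an attribute dictionary."""
    return dict(field.split("=", 1) for field in line.split())

def bill(text):
    """Return (billed seconds per user, peak concurrent sessions, unclosed sessions)."""
    open_at = {}                  # (user, session id) -> start time
    closed = set()                # sessions that have already been billed
    seconds = defaultdict(int)
    active = defaultdict(int)
    peak = defaultdict(int)
    for line in text.splitlines():
        rec = parse(line)
        user = rec["User-Name"]
        key = (user, rec["Acct-Session-Id"])
        status = rec["Acct-Status-Type"]
        if status == "Start" and key not in open_at and key not in closed:
            open_at[key] = int(rec["time"])
            active[user] += 1
            peak[user] = max(peak[user], active[user])
        elif status == "Stop" and key not in closed:
            closed.add(key)       # a retransmitted Stop is ignored from now on
            started = open_at.pop(key, None)
            if started is not None:
                active[user] -= 1
            # Prefer the NAS-reported duration; fall back to timestamps.
            fallback = int(rec["time"]) - started if started is not None else 0
            seconds[user] += int(rec.get("Acct-Session-Time", fallback))
    return dict(seconds), dict(peak), sorted(open_at)

if __name__ == "__main__":
    print(bill(SAMPLE))
```

In the sample, bob's duplicated Stop is billed once, and session B1 is returned as unclosed so it can be reviewed instead of charged.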
When you plan a very small ISP site or corporate network with a small number of dial-in users, it may be useful to deploy Linux as a remote access server. This saves a lot of money. We are using Linux with the Comtrol Rocketport multiport PCI adapters for this purpose. One Linux system can support up to four adapters, each with 32 high-speed serial ports. Thus, in total you can have 128 ports available in a single Pentium-based computer with good throughput. Since Rocketport cards have on-board intelligent processors, these do not pose much load on the computer. Now, just by making some changes in the login procedure, you can configure many things. For example, you can set the number of simultaneous logins you will allow for a single login name.
Linux is a very useful and stable operating system for ISP services. It provides a cost-effective, user-friendly, easy-to-configure environment. The number of utilities available for ISP operation and support is excellent. The biggest advantage is that it can be used in almost any environment and provides an edge over your competitors.
Rafeeq ur Rehman received bachelor's and master's degrees in Electrical and Computer Engineering, respectively, from the University of Engineering and Technology, Lahore, Pakistan. His main areas of interest are computer networks and distributed computing. He has been using Linux since kernel version 0.0.99.