
BLU Discuss list archive



Media-One Express, IP Masquerading



Jerry wrote:
>    First, you can use either the Linux or Windows95 system as the
> host. You would need to have a NIC for the cable modem as well as a
> separate NIC for your internal network.

I'm using a competing service, CAI Wireless (http://www.caiwireless.net),
which provides each customer with a dedicated link back to the POP (not
sure if it's secure, but at least in theory my LAN traffic shouldn't leak
out onto others' LAN segments).  I'm not concerned enough about security,
though some might be.

If Media One gives you a static IP address like CAI, then you could duplicate
my setup.  I have a General Instrument Surfboard 1000 unit plugged into
one port of a 5-port hub, and then a couple of Win95 boxes and a Linux
box also plugged into other ports of the hub.  (I provided tenants in
the house with RJ45 jacks to each room, but so far they haven't tried out
the Internet service...)

The Linux box has dhcpd and IP masquerading set up on it.  The single
Ethernet card is assigned two IP addresses:  the primary address is the one
given to me by the ISP, and the alias address is a bogus internal
network address (192.168.x.x).  I set up a dhcpd config file to hand out
addresses in the 192.168.x.x range and to provide name servers (my Linux box
as a cache relay and a couple from the ISP).  Anyone can come over with
their notebook PC, plug it into one of the wall jacks, and use DHCP for
configuration.

This setup could even be adopted by hotels and conference centers, though
I have yet to see any begin to provide this type of service (which would
cost practically nothing compared to what I was charging for fixed T1's
at my old ISP).  Commercial ISPs often set their prices based on the size
of the address block, a practice I consider foolish--you could tie 1000
Ethernet drops into a single IP address using this approach.

  Customer:  "Hi, I'm the telecom manager of Logan Airport.  How much for
    a cable modem hookup?"
  ISP sales rep:  (consults corporate rate sheet) "$100 per month per
    IP address."
  Customer:  "Thanks, I'll take one.  How soon can I get it installed?"
  Sales rep:  "Is Friday OK?"  (thinking:  cool!  I got Logan!)

After months of putting up with periodic crashes running Linux version
2.0.31, I updated it to 2.0.33 and thus far have had a stable system.  You
need a relatively recent kernel (within the last 12 months or so) to run
IP masquerading, and if you want to run on a single Ethernet card, you
need to configure the kernel to support aliases.  Also, you need a recent
copy of ipfwadm.  (I'm running a 2-year-old WGS distribution; if you
have a newer distribution, it might be easier.)

Total time spent getting this up and running was probably 4 hours, spread
across a couple of evenings.  Some of the wizards here can probably get
first-time setups like this done in 1 hour.  (We're all faster, of course,
the 2nd time we do something...)

Attached are my dhcpd.conf, rc.local, and Linux config files--hope this
helps.

-rich

------dhcpd.conf------
# dhcpd.conf
#
# Configuration file for ISC dhcpd
#

# Hosts with more than one interface MUST specify a ``server-identifier'',
# which should be the IP address of the server's primary network interface,
# or if there is no interface that can be described that way, at least an
# interface whose address isn't likely to change.

server-identifier envoy.ci.net;

# option definitions common to all supported networks...
option domain-name "ci.net";
option domain-name-servers envoy.ci.net, toto.pn.com, wizard.pn.com;

# Shared network declaration is used to group subnets which share the same
# physical network together.   The name is specified so that the shared
# network can be referred to in log messages - it serves no other function.

shared-network CI {

# option definitions common to this shared network.
  option subnet-mask 255.255.255.0;
  default-lease-time 86400;
  max-lease-time 1000000;

  subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.8 192.168.2.23;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
  }
}


---------rc.local--------
#!/bin/sh

# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

/usr/sbin/xntpd &

if [ -f /etc/redhat-release ]; then
	R=$(cat /etc/redhat-release)
else
	R="release 3.0.3 (Picasso), Linux Pro 4.0 enhanced version"
fi

arch=$(uname -a)
a="a"
case "_$arch" in
        _a*) a="an";;
        _i*) a="an";;
esac

/sbin/route add 192.168.100.1 eth0
/sbin/route add default gw 192.168.100.1
/sbin/route add 127.0.0.1 lo
/sbin/route add -host 255.255.255.255 dev eth0
# LAN masquerading
/sbin/insmod /lib/modules/`uname -r`/ipv4/ip_alias.o
/sbin/insmod /lib/modules/`uname -r`/ipv4/ip_masq_ftp.o
/sbin/insmod /lib/modules/`uname -r`/ipv4/ip_masq_raudio.o
/sbin/insmod /lib/modules/`uname -r`/ipv4/ip_masq_irc.o
/sbin/ifconfig eth0:0 192.168.2.1
/sbin/route add -net 192.168.2.0 eth0:0
# Forwarding policy: deny by default, then masquerade only traffic that
# arrives from the 192.168.2.0/24 LAN via the eth0:0 alias address.
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.2.0/24 -D 0.0.0.0/0 -V 192.168.2.1
# NOTE: this last line resets the default forwarding policy to masquerade,
# overriding the deny above; the explicit LAN rule makes it unnecessary.
/sbin/ipfwadm -F -p masquerade
# Daemons
/usr/sbin/dhcpd
/usr/sbin/named
/var/apache/httpd -d /var/apache

----------/usr/src/linux/.config----------
#
# Automatically generated make config: don't edit
#

#
# Code maturity level options
#
# CONFIG_EXPERIMENTAL is not set

#
# Loadable module support
#
CONFIG_MODULES=y
# CONFIG_MODVERSIONS is not set
CONFIG_KERNELD=y

#
# General setup
#
# CONFIG_MATH_EMULATION is not set
CONFIG_NET=y
# CONFIG_MAX_16M is not set
CONFIG_PCI=y
CONFIG_SYSVIPC=y
CONFIG_BINFMT_AOUT=y
CONFIG_BINFMT_ELF=y
CONFIG_KERNEL_ELF=y
# CONFIG_M386 is not set
# CONFIG_M486 is not set
CONFIG_M586=y
# CONFIG_M686 is not set

#
# Floppy, IDE, and other block devices
#
CONFIG_BLK_DEV_FD=y
CONFIG_BLK_DEV_IDE=y

#
# Please see Documentation/ide.txt for help/info on IDE drives
#
# CONFIG_BLK_DEV_HD_IDE is not set
CONFIG_BLK_DEV_IDECD=y
# CONFIG_BLK_DEV_IDETAPE is not set
# CONFIG_BLK_DEV_IDEFLOPPY is not set
# CONFIG_BLK_DEV_IDESCSI is not set
# CONFIG_BLK_DEV_IDE_PCMCIA is not set
CONFIG_BLK_DEV_CMD640=y
# CONFIG_BLK_DEV_CMD640_ENHANCED is not set
CONFIG_BLK_DEV_RZ1000=y
CONFIG_BLK_DEV_TRITON=y
# CONFIG_IDE_CHIPSETS is not set

#
# Additional Block Devices
#
CONFIG_BLK_DEV_LOOP=y
# CONFIG_BLK_DEV_MD is not set
# CONFIG_BLK_DEV_RAM is not set
# CONFIG_BLK_DEV_XD is not set
# CONFIG_BLK_DEV_HD is not set

#
# Networking options
#
CONFIG_FIREWALL=y
CONFIG_NET_ALIAS=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_MULTICAST=y
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_FIREWALL=y
# CONFIG_IP_FIREWALL_VERBOSE is not set
CONFIG_IP_MASQUERADE=y

#
# Protocol-specific masquerading support will be built as modules.
#
CONFIG_IP_MASQUERADE_ICMP=y
# CONFIG_IP_ALWAYS_DEFRAG is not set
# CONFIG_IP_ACCT is not set
CONFIG_IP_ROUTER=y
CONFIG_NET_IPIP=m
CONFIG_IP_ALIAS=m

#
# (it is safe to leave these untouched)
#
# CONFIG_INET_PCTCP is not set
# CONFIG_INET_RARP is not set
# CONFIG_NO_PATH_MTU_DISCOVERY is not set
CONFIG_IP_NOSR=y
CONFIG_SKB_LARGE=y

#
#  
#
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_AX25 is not set
# CONFIG_NETLINK is not set

#
# SCSI support
#
# CONFIG_SCSI is not set

#
# Network device support
#
CONFIG_NETDEVICES=y
CONFIG_DUMMY=m
# CONFIG_EQUALIZER is not set
# CONFIG_PLIP is not set
CONFIG_PPP=y

#
# CCP compressors for PPP are only built as modules.
#
# CONFIG_SLIP is not set
# CONFIG_NET_RADIO is not set
CONFIG_NET_ETHERNET=y
CONFIG_NET_VENDOR_3COM=y
# CONFIG_EL1 is not set
# CONFIG_EL2 is not set
CONFIG_EL3=y
# CONFIG_VORTEX is not set
# CONFIG_LANCE is not set
# CONFIG_NET_VENDOR_SMC is not set
CONFIG_NET_ISA=y
# CONFIG_E2100 is not set
# CONFIG_DEPCA is not set
# CONFIG_EWRK3 is not set
# CONFIG_EEXPRESS is not set
# CONFIG_HPLAN_PLUS is not set
# CONFIG_HPLAN is not set
# CONFIG_HP100 is not set
CONFIG_NE2000=y
# CONFIG_SK_G16 is not set
# CONFIG_NET_EISA is not set
# CONFIG_NET_POCKET is not set
# CONFIG_TR is not set
# CONFIG_FDDI is not set
# CONFIG_ARCNET is not set

#
# ISDN subsystem
#
# CONFIG_ISDN is not set

#
# CD-ROM drivers (not for SCSI or IDE/ATAPI drives)
#
# CONFIG_CD_NO_IDESCSI is not set

#
# Filesystems
#
# CONFIG_QUOTA is not set
CONFIG_MINIX_FS=y
# CONFIG_EXT_FS is not set
CONFIG_EXT2_FS=y
# CONFIG_XIA_FS is not set
CONFIG_FAT_FS=y
CONFIG_MSDOS_FS=y
# CONFIG_VFAT_FS is not set
# CONFIG_UMSDOS_FS is not set
CONFIG_PROC_FS=y
CONFIG_NFS_FS=m
CONFIG_SMB_FS=m
# CONFIG_SMB_WIN95 is not set
CONFIG_ISO9660_FS=y
# CONFIG_HPFS_FS is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set

#
# Character devices
#
CONFIG_SERIAL=y
# CONFIG_DIGI is not set
# CONFIG_CYCLADES is not set
# CONFIG_STALDRV is not set
# CONFIG_RISCOM8 is not set
CONFIG_PRINTER=y
# CONFIG_SPECIALIX is not set
# CONFIG_MOUSE is not set
# CONFIG_UMISC is not set
# CONFIG_QIC02_TAPE is not set
# CONFIG_FTAPE is not set
# CONFIG_APM is not set
# CONFIG_WATCHDOG is not set
# CONFIG_RTC is not set

#
# Sound
#
# CONFIG_SOUND is not set

#
# Kernel hacking
#
# CONFIG_PROFILE is not set
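A consistency check for the setup rich describes, added here as an example and not part of his post: it parses the subnet block of the posted dhcpd.conf and the eth0:0 alias line from rc.local and verifies that the lease range, the routers option and the alias address agree (the gateway handed to DHCP clients must be the alias address, sit inside the subnet, and stay outside the pool). The embedded file contents are constructed copies of the relevant lines above.

```python
import ipaddress
import re

# Constructed copies of the subnet block and alias lines from the post.
DHCPD_CONF = """\
subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.8 192.168.2.23;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
}
"""
RC_LOCAL = """\
/sbin/ifconfig eth0:0 192.168.2.1
/sbin/route add -net 192.168.2.0 eth0:0
"""

def parse_dhcpd(conf):
    """Return (network, range_start, range_end, router) from a subnet block."""
    net = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)", conf)
    rng = re.search(r"range\s+(\S+)\s+(\S+);", conf)
    rtr = re.search(r"option routers\s+(\S+);", conf)
    if not (net and rng and rtr):
        raise ValueError("subnet block incomplete")
    network = ipaddress.ip_network(f"{net.group(1)}/{net.group(2)}")
    return (network, ipaddress.ip_address(rng.group(1)),
            ipaddress.ip_address(rng.group(2)), ipaddress.ip_address(rtr.group(1)))

def parse_alias(rc):
    """Return the address rc.local puts on the eth0:0 alias interface."""
    m = re.search(r"ifconfig\s+eth0:0\s+(\S+)", rc)
    if not m:
        raise ValueError("no eth0:0 alias in rc.local")
    return ipaddress.ip_address(m.group(1))

def check(conf, rc):
    """Return a list of problems; an empty list means the files agree."""
    network, lo, hi, router = parse_dhcpd(conf)
    alias = parse_alias(rc)
    problems = []
    if lo not in network or hi not in network or lo > hi:
        problems.append("lease range not inside subnet")
    if router not in network:
        problems.append("router option outside subnet")
    if lo <= router <= hi:
        problems.append("router address inside lease range")
    if router != alias:
        problems.append(f"router option {router} != eth0:0 alias {alias}")
    if not network.is_private:
        problems.append("LAN subnet is not RFC 1918 private space")
    return problems
```

Running check(DHCPD_CONF, RC_LOCAL) on the posted files returns an empty list; editing either address in one file and not the other reports the mismatch.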



