
8. Configuring Linux

After you have wired up the ANT and you're getting the sync signal, then you're ready to configure your Linux System and verify your connection to your ISP. Although I will refer to a Linux System, you can connect any type of 10baseT device to the ANT. This includes a router, hub, PC, or any other system that you wish to use.

Caution! Before you connect to your ISP, make sure you understand all security issues of having a direct connection to the Internet via ADSL. Depending on your ISP, most outside users can access your systems, and you should set up any firewalls, deactivate ports/services, and set up any passwords prior to connecting your machine to the world. Read the Security-HOWTO if you need a good overview on this subject.

8.1 Install and Connect the NIC card

Install your NIC card in your Linux machine, configure the kernel, etc., etc. See the various Linux references for doing this. See the Ethernet-HOWTO for more information.

Connect the RJ45 cable between the NIC and the ANT. Note: A gotcha here is that some ANTs are already wired as a 10baseT crossover, and require a direct Category 5 cable for a direct connection to a NIC, rather than a crossover cable. I lost around 12 hours figuring this one out, so don't make the same mistake - make sure you read the instructions first.

8.2 Configure the Ethernet Interface

Configure the IP address, Subnet Mask, Default Gateway, and DNS server information. Each Linux Distribution (RH, debian, Slackware, S.U.S.E.) has a different way of doing this, so check on your particulars. You can also do this manually using the ifconfig and route commands. See the NET3-HOWTO for more information.

Once your system is configured, see if you can ping the default gateway address provided by the ISP. If the ping is successful, then you should see around 20 ms roundtrip delay for this connection. Congratulations, you're connected to the Net!

8.3 Setting up a Router

Depending on your local setup, you should consider some other issues. These include a firewall setup, and any associated configurations. For my setup, shown in Figure 3, I use an old i486 machine configured as a firewall/router between the ADSL connection and the rest of my machines. I use private IP addresses on my Private LAN subnet, and have configured my router to provide IP Masquerading and Firewalling between the LAN and Internet connection. See the IP_Masquerading-HOWTO, and Firewall-HOWTO for more information. My experience is that Linux provides superior routing/firewalling performance, and is much cheaper than a commercial router, if you find an old 386/486 machine that you may be using as a doorstop somewhere.

Figure 3: My SOHO Network Setup

          
<-Private Subnet-->         <-Public Subnet->    <-ADSL Line--------->
                                     |
                                X----|      
                                     |      
     X------|                   X----|     |----|            
            |      |--------|        |     |ADSL|            Internet
            |      | Linux  |        |-----|ANT |----------> Service 
     X------|------| System |--------|     |    |            Provider
            |    E1|(Router)|E0      |     |----|            Router
            |      |--------|        |                       
     X------|        IP_Masq      10baseT
                   IP_Firewall     Hub 

What I did is set up a router (Linux RH 5.0 on an i486) with two Ethernet interfaces. One interface routes to the ISP subnet/gateway, and the other interface supports a class private network address (i.e. 192.168.2.x). Using the private network address behind your router allows some additional security because it is not directly addressable from outside your ISP. You have to explicitly masquerade your private addresses in order to connect to the Internet.

Caution: Make sure your kernel is compiled with IP forwarding and that IP forwarding is turned on. You can check this with

cat /proc/sys/net/ipv4/ip_forward

The value is "1" for on, and "0" for off. You can change this value by echoing the desired value into this file. For example,

echo 1 > /proc/sys/net/ipv4/ip_forward

will turn forwarding on.

8.4 Setting up a Firewall/Masquerading

If you have a direct connection to the Internet, then you want to also turn on Firewall Administration and Masquerading. Figure 4 shows a picture of this.

Caution! I also need to stress that this configuration is only part of what needs to be done to create a secure environment. Other considerations include turning off ftp, telnet, and other services on the Router, and ensuring all password, login, etc. configurations are correctly set up for your environment. Make sure you read the Security-HOWTO.

Figure 4: Firewall/Masquerading for ADSL

       |-------|       |-------|     |-X
======X| ADSL  |=------| Linux |-----|
ADSL   |  ANT  |     E0|       |E1   |-X   Private Network
Line   |-------|       |-------|     |     (e.g. 192.168.2.x)
               <------->             |...
             ISP Subnet or host
            (Public Net Address)

The kernel for the Linux router is compiled for IP forwarding/masquerading, and has the "ipfwadm" (IP firewall software) installed with the following options:

file: /etc/rc.d/rc.firewall (called by rc.sysinit in RH5.0)

echo "Setting up the firewall"
#
# From the "Firewall-HOWTO"
#
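# flush all forwarding rules
#
ipfwadm -F -f
#
# set the default forwarding policy to deny
#
ipfwadm -F -p deny
#
# allow any machine with address 192.168.2.x to masquerade.
#
ipfwadm -F -a accept -m -S 192.168.2.0/24 -D 0.0.0.0/0
#
# allow the domain name server to work (udp 53)
#
ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 192.168.2.0/24
#
# NOTE: this replaces the "deny" default policy set above, so forwarded
# packets that match no rule are masqueraded rather than dropped.
# Leave this line out to keep the deny default.
#
ipfwadm -F -p masquerade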
#
# the rest just list out the options for your enjoyment
#
ipfwadm -F -l
ipfwadm -O -l
ipfwadm -I -l

You need to be careful, as some applications will still not work without special modules (namely ftp, real audio, and some others). Check the ipfwadm documentation for more information. I found this pretty easy to set up.
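
As an added example (not part of the original HOWTO or of ipfwadm), the shell check below reads an rc.firewall-style file and reports which forwarding default policy it leaves in effect, since each "ipfwadm -F -p" call replaces the one before it, together with the ip_forward state from section 8.3. The function names and the sample rule file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ipfwadm rc script before bringing the link up.
# Function names and the sample rules below are constructed for illustration.

# Print the forwarding default policy the script leaves in effect.
# Every "ipfwadm -F -p <policy>" replaces the previous one, so the last wins.
# Commented-out lines are ignored because their first field is not "ipfwadm".
final_forward_policy() {
    awk '
        $1 == "ipfwadm" {
            fwd = 0; pol = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "-F") fwd = 1
                if ($i == "-p" && i < NF) pol = $(i + 1)   # -P is the protocol flag
            }
            if (fwd && pol != "") last = pol
        }
        END { if (last == "") last = "unset"; print last }
    ' "$1"
}

# Report forwarding state and policy; return 1 unless the default is deny/reject.
# $2 overrides the /proc path so the check can run against a saved copy.
audit_router() {
    policy=$(final_forward_policy "$1")
    state=$(cat "${2:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null || echo unknown)
    echo "ip_forward=$state forward_policy=$policy"
    case $policy in
        deny|reject) return 0 ;;
        *) echo "WARNING: script does not leave a deny/reject forwarding default"
           return 1 ;;
    esac
}

# Constructed sample: the rule and policy sequence from the listing above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ipfwadm -F -f
ipfwadm -F -p deny
ipfwadm -F -a accept -m -S 192.168.2.0/24 -D 0.0.0.0/0
ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 192.168.2.0/24
ipfwadm -F -p masquerade
EOF
audit_router "$sample" || echo "review the policy lines in $sample"
```

Run audit_router against your own /etc/rc.d/rc.firewall on the router itself so that the ip_forward value reported is the live one.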

Additionally, using the private network addressing scheme is cheap, and gives an administrator complete flexibility in setting up their local LAN. The drawback is that Masquerading has a limit on the number of private hosts that it can reasonably support, and that some IP applications that pass the host address in their data fields will not work, but this tends to be a limited number.

